#1 2019-01-05 00:30:43

f1she3
Member
Registered: 2019-01-05
Posts: 8

[SOLVED] LUKS + UEFI - grub asking passphrase twice

Hello !

I have a dual boot installation, a windows one and a Linux one using windows' efi partition and grub :
     |--- /dev/sda2 : efi partition
HDD---
     |--- /dev/sda3 : windows partition

SSD--- /dev/sdb1 : luks encrypted partition


I have read the several wiki pages to encrypt my root partition, and after many tries it almost works, but I have to enter the passphrase twice : once before the grub menu appears (the unexpected one : https://imgur.com/9mBq9iU), and a second time when I choose to boot on linux, which is the expected behaviour.
I had to set

GRUB_ENABLE_CRYPTODISK=y

in /etc/default/grub because

grub-install --target=x86_64-efi --efi-directory=/boot/esp --bootloader-id=GRUB

gave me the following error :

grub-install: error: attempt to install to encrypted disk without cryptodisk enabled. Set `GRUB_ENABLE_CRYPTODISK=y' in file `/etc/default/grub'.

I think I shouldn't need this parameter which is required only for encrypted /boot, is that right ?

So do you guys know how I can fix it and where the problem is ?

Thanks !

PS : Grub takes also much longer than usual to load

Last edited by f1she3 (2019-01-13 21:19:45)


-- fishe3 - Fool me once --

Offline

#2 2019-01-06 07:59:05

its4nitya
Member
Registered: 2018-12-15
Posts: 5
Website

Re: [SOLVED] LUKS + UEFI - grub asking passphrase twice

The first time, it is grub that asks you for the password to decrypt the boot partition. The second time, it is the encrypt hook which asks you for the root partition's password. From your partition table, I infer that you have a single partition setup and boot and root are located on the same partition. If you do not want to be asked for your root partition password again, you will have to embed the keyfile in the initramfs and configure it to be used on system boot to decrypt and mount the root partition.
The following wiki post will help you configure the same.
https://wiki.archlinux.org/index.php/Dm … on_at_boot

Offline

#3 2019-01-09 13:37:06

f1she3
Member
Registered: 2019-01-05
Posts: 8

Re: [SOLVED] LUKS + UEFI - grub asking passphrase twice

Hi, and thanks for your answer

In fact my arch linux (on my SSD) uses the windows' efi partition (on my HDD), which is not encrypted, I just have one root partition on my SSD which is encrypted.
So I think I shouldn't be asked to decrypt my boot ?


-- fishe3 - Fool me once --

Offline

#4 2019-01-09 21:10:54

respiranto
Member
Registered: 2015-05-15
Posts: 479
Website

Re: [SOLVED] LUKS + UEFI - grub asking passphrase twice

Your ESP (unencrypted) seems to be mounted at /boot/esp.  Hence /boot/* are on the root partition, which is encrypted.  You *might* want to mount your ESP at /boot to remove the necessity for GRUB to deal with decryption.

Offline

#5 2019-01-10 04:04:16

its4nitya
Member
Registered: 2018-12-15
Posts: 5
Website

Re: [SOLVED] LUKS + UEFI - grub asking passphrase twice

f1she3 wrote:

Hi, and thanks for your answer

In fact my arch linux (on my SSD) uses the windows' efi partition (on my HDD), which is not encrypted, I just have one root partition on my SSD which is encrypted.
So I think I shouldn't be asked to decrypt my boot ?

Your efi partition just contains the grub efi stub used to load the kernel and the initramfs. The kernel and the initramfs themselves are located on the /boot partition which is, in your case, located as a directory and not a partition, on the root partition itself. Thus, grub will ask you for your root partition password to decrypt boot. If you don't want grub to ask you for the password, you must create a separate boot partition and mount it to /boot at system startup.

Last edited by its4nitya (2019-01-10 04:04:59)

Offline
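
The layout explained in posts #4 and #5, as an added example that is not part of any post in this thread: a small check that finds which filesystem holds /boot and whether that filesystem is an opened LUKS mapping, which is the case where GRUB needs GRUB_ENABLE_CRYPTODISK=y and prompts before the menu. The mount tables are constructed, and /dev/mapper/cryptroot is a hypothetical mapping name.

```shell
#!/bin/sh
# Added example. Mount tables use /proc/self/mounts format and are constructed;
# /dev/mapper/cryptroot is a hypothetical name for the opened LUKS mapping.

# Print the source of the filesystem containing path $1 according to mount
# table file $2: the mount whose target is the longest prefix of the path.
fs_source_for() (
    path=$1 best_src= best_len=-1
    while read -r src target _rest; do
        if [ "$target" = / ] || [ "$path" = "$target" ] ||
           [ "${path#"$target"/}" != "$path" ]; then
            # -ge: a later mount on the same target shadows an earlier one
            if [ "${#target}" -ge "$best_len" ]; then
                best_src=$src best_len=${#target}
            fi
        fi
    done < "$2"
    printf '%s\n' "$best_src"
)

# Say whether GRUB must unlock LUKS itself to read the kernel and initramfs.
# $1 = mount table; remaining args = devices known to be opened LUKS mappings
# (on a live system: rows of `lsblk -rno NAME,TYPE` whose TYPE is "crypt").
boot_needs_cryptodisk() (
    table=$1; shift
    boot_src=$(fs_source_for /boot "$table")
    for dev in "$@"; do
        if [ "$dev" = "$boot_src" ]; then
            echo "yes: /boot is on $boot_src"
            exit 0
        fi
    done
    echo "no: /boot is on $boot_src"
)

# Constructed table 1: ESP at /boot/esp, so /boot is a directory on the root fs.
as_posted=$(mktemp)
cat > "$as_posted" <<'EOF'
proc /proc proc rw 0 0
/dev/mapper/cryptroot / ext4 rw,relatime 0 0
/dev/sda2 /boot/esp vfat rw,relatime 0 0
EOF
# Constructed table 2: ESP mounted at /boot, as suggested in post #4.
esp_at_boot=$(mktemp)
cat > "$esp_at_boot" <<'EOF'
/dev/mapper/cryptroot / ext4 rw,relatime 0 0
/dev/sda2 /boot vfat rw,relatime 0 0
EOF
boot_needs_cryptodisk "$as_posted" /dev/mapper/cryptroot
boot_needs_cryptodisk "$esp_at_boot" /dev/mapper/cryptroot
```

To check a running system, pass /proc/self/mounts as the table and the real mapping device as the second argument.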

#6 2019-01-13 21:18:06

f1she3
Member
Registered: 2019-01-05
Posts: 8

Re: [SOLVED] LUKS + UEFI - grub asking passphrase twice

respiranto wrote:

Your ESP (unencrypted) seems to be mounted at /boot/esp.  Hence /boot/* are on the root partition, which is encrypted.  You *might* want to mount your ESP at /boot to remove the necessity for GRUB to deal with decryption.

its4nitya wrote:

Your efi partition just contains the grub efi stub used to load the kernel and the initramfs. The kernel and the initramfs themselves are located on the /boot partition which is, in your case, located as a directory and not a partition, on the root partition itself. Thus, grub will ask you for your root partition password to decrypt boot. If you don't want grub to ask you for the password, you must create a separate boot partition and mount it to /boot at system startup.

Oh ok I understand now.

Thanks guys ! :)

f1she3


-- fishe3 - Fool me once --

Offline
