Arch Linux

grimor

Member

From: Spain

Registered: 2023-10-27

Posts: 21

[SOLVED] grub fails with luks encryption

My partition table:

/dev/sda1  #Windows EFI Boot (100 MB)
/dev/sda2  #Microsoft Reserved (16 MB)
/dev/sda3  #Windows 11 (200 GB)
/dev/sda4  #no formatted (780 GB)

My minimal installation:

# cryptsetup luksFormat -v -s 512 -h sha512 /dev/sda4
# cryptsetup open /dev/sda4 luks_root
# mkfs.ext4 /dev/mapper/luks_root
# mount /dev/mapper/luks_root /mnt
# mkdir /mnt/efi
# mount /dev/sda1 /mnt/efi

- Essential packages and /etc/fstab:

# pacstrap /mnt base base-devel linux linux-firmware openssh nano man-db man-pages texinfo git intel-ucode
# genfstab -U /mnt >> /mnt/etc/fstab

- chrooting:

# arch-chroot /mnt

- Installing GRUB boot:

# pacman -S grub efibootmgr os-prober

- Uncomment "#GRUB_DISABLE_OS_PROBER=false" and "#GRUB_ENABLE_CRYPTODISK=y":

# nano /etc/default/grub

- Adding GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda4:luks_root":

# nano /etc/default/grub

- Adding "encrypt" to line "HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)" before "filesystems":

# nano /etc/mkinitcpio.conf

- Creating "initramfs" image:

# mkinitcpio -p linux

- Installing GRUB to EFI directory:

# grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --removable

- Creating GRUB configuration file:

# grub-mkconfig -o /boot/grub/grub.cfg

- Adding root password:

# passwd

- Exit and reboot:

# exit
# reboot

- And finally...:

Enter passphrase for hd0,gpt4 (493de316-8b05-45ab-9052-3e91ae4c7567):
error: Invalid passphrase.
error: disk `cryptouuid/493de3168b0545ab90523e91ae4c7567' not found.
Entering rescue mode...
grub rescue>

NOTE: my passphrase is correct.

Last edited by grimor (2023-10-28 14:42:57)

frostschutz

Member

Registered: 2013-11-15

Posts: 1,647

Re: [SOLVED] grub fails with luks encryption

grub does not support luks2 argon2 keys, you'll have to add a pbkdf2 key instead. (e.g. using luksConvertKey)

alternatively, provide an unencrypted /boot filesystem for kernel+initramfs.

grimor

Member

From: Spain

Registered: 2023-10-27

Posts: 21

Re: [SOLVED] grub fails with luks encryption

grub does not support luks2 argon2 keys, you'll have to add a pbkdf2 key instead. (e.g. using luksConvertKey)

alternatively, provide an unencrypted /boot filesystem for kernel+initramfs.

Thanks for your answer.

# cryptsetup luksFormat -v -s 512 -h sha512 /dev/sda4
# cryptsetup luksConvertKey --pbkdf pbkdf2 /dev/sda4

but after installing same problem.

In the other hand, I think creating a /boot filesystem it won't work because UEFI boots from first EFI partition (/dev/sda1: EFI Windows boot).

seth

Member

From: Won't reply 2 private help req

Registered: 2012-09-03

Posts: 76,070

Re: [SOLVED] grub fails with luks encryption

The boot partition and ESP are two different things, they /can/ be the same partition but don't have to.
And right now you seem to have /boot on /dev/sda4 ?

Sanity check: you can open the device from the arch install iso?
The passphrase is qwerty-safe?

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

grimor

Member

From: Spain

Registered: 2023-10-27

Posts: 21

Re: [SOLVED] grub fails with luks encryption

The boot partition and ESP are two different things, they /can/ be the same partition but don't have to.
And right now you seem to have /boot on /dev/sda4 ?

Sanity check: you can open the device from the arch install iso?
The passphrase is qwerty-safe?

Thanks for your answer.

Yes, I can open the device from the arch install ISO. My passphrase has letters, numbers and punctuation marks; in total, 18 characters.

But I have managed to solve the problem, thanks to you and frostschutz:

/dev/sda1  #Windows EFI Boot (100 MB)
/dev/sda2  #Microsoft Reserved (16 MB)
/dev/sda3  #Windows 11 (200 GB)
/dev/sda4  #no formatted (1 GB)
/dev/sda5  #no formatted (779 GB)

# cryptsetup luksFormat -v -s 512 -h sha512 /dev/sda5
# cryptsetup open /dev/sda5 luks_root
# mkfs.ext4 /dev/mapper/luks_root
# mkfs.ext4 /dev/sda4
# mount /dev/mapper/luks_root /mnt
# mkdir /mnt/boot
# mount /dev/sda4 /mnt/boot
# mkdir /mnt/boot/efi
# mount /dev/sda1 /mnt/boot/efi

# grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --removable

After finishing installation, GRUB boots correctly with Arch Linux and Windows.

Many thanks for your help, seth and frostschutz.

Last edited by grimor (2023-10-28 14:45:51)