You are not logged in.

#1 2024-03-31 20:25:45

D3vil0p3r
Member
Registered: 2022-11-05
Posts: 177

[SOLVED] Erroneously asking for LUKS passphrase before GRUB boot

I have a VMware VM where I installed Arch Linux environment on a /dev/sda disk. This disk is partitioned in two partitions: grub legacy boot and root one.

I encrypted by LUKS only the root partition by following Arch wiki https://wiki.archlinux.org/title/dm-cry … _partition ,

When I reboot, BEFORE GRUB bootloader, I get a passphrase prompt, that is not related to the LUKS partition I previously set. Indeed, any string I type, I get an error but I proceed to GRUB bootloader. This first passphrase prompt is:
firstpassphrase

Then, on GRUB Bootloader, I choose my Arch Linux entry, and then I get the correct passphrase prompt for my LUKS partition, I type the correct passphrase and I land correctly to the OS.

My question is: why am I getting that first nonsense passphrase prompt if I set as LUKS only the root partition? How can I remove it in order to go directly to the GRUB bootloader when I reboot the system?

"lsblk -o+uuid":

NAME            MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS UUID
sda               8:0    0   50G  0 disk              
├─sda1            8:1    0  511M  0 part  /boot       ff6c4cb4-86f2-4043-b3e4-b74a47b7301a
└─sda2            8:2    0 49.5G  0 part              d72fbf89-8f41-4c6d-a421-64d9c3047f96
  └─sda2crypted 254:0    0 49.5G  0 crypt /           038cfef7-b223-4f66-8665-3ee7c6c7a26c
sr0              11:0    1  1.8G  0 rom               2024-03-21-14-33-27-00

"cat /etc/default/grub"

# GRUB boot loader configuration

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="rd.luks.name=d72fbf89-8f41-4c6d-a421-64d9c3047f96=sda2crypted root=/dev/mapper/sda2crypted quiet loglevel=3 audit=0 nvme_load=yes zswap.enabled=0 fbcon=nodefer nowatchdog"
GRUB_CMDLINE_LINUX=""

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y

# Set to 'countdown' or 'hidden' to change timeout behavior,
# press ESC key to display menu.
#GRUB_TIMEOUT_STYLE=menu

# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console

# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `videoinfo'
GRUB_GFXMODE=auto

# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep

# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true

# Uncomment and set to the desired menu colors.  Used by normal and wallpaper
# modes only.  Entries specified as foreground/background.
#GRUB_COLOR_NORMAL="light-blue/black"
#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"

# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/path/to/wallpaper"
GRUB_THEME="/usr/share/grub/themes/athena/theme.txt"

# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"

# Uncomment to make GRUB remember the last selection. This requires
# setting 'GRUB_DEFAULT=saved' above.
#GRUB_SAVEDEFAULT=true

# Uncomment to disable submenus in boot menu
#GRUB_DISABLE_SUBMENU=y

# Probing for other operating systems is disabled for security reasons. Read
# documentation on GRUB_DISABLE_OS_PROBER, if still want to enable this
# functionality install os-prober and uncomment to detect and include other
# operating systems.
GRUB_DISABLE_OS_PROBER=false

HOOKS:

HOOKS=(base systemd autodetect modconf kms keyboard sd-vconsole block sd-encrypt lvm2 filesystems fsck)

I tested also by using EFI boot but I get the same behavior. Tested by btrfs and ext4 as root partition.

Last edited by D3vil0p3r (2024-03-31 21:02:11)

Offline

#2 2024-03-31 20:35:50

frostschutz
Member
Registered: 2013-11-15
Posts: 1,416

Re: [SOLVED] Erroneously asking for LUKS passphrase before GRUB boot

If your boot, kernel, initrd are not encrypted, there is no need for GRUB_ENABLE_CRYPTODISK=y.

You have to re-run grub-install for any changes that affect grub's core image.

Offline

#3 2024-03-31 21:01:43

D3vil0p3r
Member
Registered: 2022-11-05
Posts: 177

Re: [SOLVED] Erroneously asking for LUKS passphrase before GRUB boot

After some analysis, the issue was caused by the fact that, GRUB needs to search for GRUB THEME that is inside the encrypted root partition. So it cannot access to it and it causes that additional first passphrase request. By moving the GRUB theme to the unencrypted /boot partition, it solves the issue.

Offline

Board footer

Powered by FluxBB