
#1 2024-08-11 18:20:36

xylo
Member
Registered: 2024-08-11
Posts: 3

Grub 'invalid passphrase' error with encrypted /boot without LVM

Hello.

I am trying to set up a new arch installation using full system encryption, with everything encrypted except for the EFI system partition /efi (so, /boot should be encrypted as well).

However, I would like to avoid using LVM, which seems to be a use case not covered on the examples for encrypting an entire system, because the example for "Encrypted boot partition" is based off of the "LVM on LUKS" example.

Everything seems to go well, but right after finishing all the installation steps and rebooting, grub asks me for the passphrase, and when I enter it, it seems to be wrong. It tells me "Invalid passphrase" and "error: disk 'cryptouuid/XXXXXXXXXXXXX' not found", and then it enters rescue mode:

[screenshot: Grub invalid passphrase]

I have been trying to get this to work for a couple of days. I am aware of the fact that grub uses the US keymap, and I have an Italian keyboard, so it could really just be that I am typing the wrong characters. However, when entering the passphrase, for special characters, I simply enter the corresponding key that would be on a US keyboard, even if on my Italian keyboard the character is different. And I can verify that I am typing the correct characters by typing into the grub rescue prompt afterward. So it's unlikely that that is the issue.

I know that if I followed the "8 Encrypted boot partition (GRUB)" example it would work. But that uses LVM, which is an extra layer of abstraction that I do not need and would like to do without. Is it not possible at all to avoid LVM? What could be missing in my installation process? What am I doing wrong?

For the most part, I followed the installation guide. Some particularities for my installation are:

  • I have an Italian keyboard, so for steps "1.5 Set the console keyboard layout and font" and "3.4 Localization", I set the key layout with the command for Italian keyboards:

            # loadkeys it

    And also set in /etc/vconsole.conf:

            KEYMAP=it

    Though, in /etc/locale.conf, I leave the locale to the default of "LANG=en_US.UTF-8", just like in the installation guide.

  • For step "1.9 Partition the disks", I use parted to partition my drive, following the "4.2.1 UEFI/GPT examples" for 2 partitions (EFI system partition and root partition):

            # parted /dev/sda
            (parted) mklabel gpt
            (parted) mkpart "EFI system partition" fat32 1MiB 1025MiB
            (parted) set 1 esp on
            (parted) mkpart "root partition" ext4 1025MiB 100%
            (parted) type 2 4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709

  • For step "1.10 Format the partitions", instead of following the normal installation step, I follow "2 LUKS on a partition":

            # cryptsetup -v luksFormat /dev/sda2
            # cryptsetup open /dev/sda2 root
            # mkfs.ext4 /dev/mapper/root
            # mount /dev/mapper/root /mnt
            # mkfs.fat -F32 /dev/sda1
            # mount --mkdir /dev/sda1 /mnt/efi

    I also added the "encrypt" hook to my /etc/mkinitcpio.conf so that it looks like the following line, and of course after that, I regenerated the initramfs with "mkinitcpio -P" as per step "3.6 Initramfs" of the installation guide:

            HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt filesystems fsck)

  • For the final step "3.8 Boot loader", while arch-chrooted into the new system, I installed grub for UEFI systems as per "2.1 Installation":

            # pacman -S grub efibootmgr

    After installing those 2 packages with pacman, before doing anything else, first I retrieve the UUID of the LUKS block device:

            # blkid | grep sda2

    Then, as per "2.6 Configuring the boot loader", I set up the following kernel parameter in /etc/default/grub using the UUID I retrieved with the previous command:

            GRUB_CMDLINE_LINUX="cryptdevice=UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX:root root=/dev/mapper/root"

    Also in /etc/default/grub, as per "4.1.7 Encrypted /boot", I uncomment the following line:

            GRUB_ENABLE_CRYPTODISK=y

    Finally, I install grubx64.efi and the grub modules to the appropriate directories:

            # grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB

Any help that anyone can provide is greatly appreciated!


#2 2024-08-11 21:06:47

macromal
Member
Registered: 2024-08-03
Posts: 26

Re: Grub 'invalid passphrase' error with encrypted /boot without LVM

As explained in Encrypted boot partition (GRUB), GRUB's support for LUKS2 is limited; see GRUB#Encrypted /boot for details. Use LUKS2 with PBKDF2 (cryptsetup luksFormat --pbkdf pbkdf2) for partitions that GRUB will need to unlock.

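As an added illustration of macromal's point (example script, not from the thread or the Arch wiki): a POSIX shell function that parses `cryptsetup luksDump` output and flags LUKS2 keyslots that GRUB cannot unlock, so the header can be verified before rebooting. The sample dumps are constructed and abbreviated, and /dev/sda2 is the poster's device name.

```shell
#!/bin/sh
# Added example (not from the thread): check `cryptsetup luksDump` output for
# keyslots GRUB cannot unlock. Post #2's point is that GRUB needs LUKS1 or LUKS2
# with PBKDF2 keyslots; LUKS2 defaults to Argon2, which gives "Invalid passphrase".
# Real use, after sourcing this file:  grub_luks_check "$(cryptsetup luksDump /dev/sda2)"

# grub_luks_check DUMP_TEXT: returns 0 if GRUB can unlock the header, 1 otherwise
grub_luks_check() {
    version=$(printf '%s\n' "$1" | awk '/^Version:/ { print $2; exit }')
    case "$version" in
        1) echo "LUKS1 header: GRUB can unlock it"; return 0 ;;
        2) ;;
        *) echo "unrecognised LUKS header version '$version'"; return 1 ;;
    esac
    # LUKS2: walk the "Keyslots:" section; every slot's PBKDF line must be pbkdf2.
    # Top-level sections start in column 0; keyslot details are indented.
    bad=$(printf '%s\n' "$1" | awk '
        /^Keyslots:/                           { in_slots = 1; next }
        /^[A-Za-z]/                            { in_slots = 0 }
        in_slots && /^  [0-9]+: luks2/         { slot = $1; sub(":", "", slot) }
        in_slots && /PBKDF:/ && $2 != "pbkdf2" { print "slot " slot ": " $2 }')
    if [ -n "$bad" ]; then
        echo "LUKS2 keyslots GRUB cannot open:"
        echo "$bad"
        echo "fix: luksFormat --pbkdf pbkdf2 (as in the thread) or luksConvertKey --pbkdf pbkdf2"
        return 1
    fi
    echo "LUKS2 header, PBKDF2-only keyslots: GRUB can unlock it"
    return 0
}

# Constructed, abbreviated dumps (UUID is a placeholder, not a real value)
ARGON2_DUMP='LUKS header information
Version:        2
UUID:           00000000-0000-0000-0000-000000000000
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000'
PBKDF2_DUMP=$(printf '%s\n' "$ARGON2_DUMP" | sed 's/argon2id/pbkdf2/')
LUKS1_DUMP='LUKS header information for /dev/sda2
Version:        1'

grub_luks_check "$ARGON2_DUMP" || true   # demo: reports slot 0: argon2id
grub_luks_check "$PBKDF2_DUMP"
```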

#3 2024-08-12 12:19:30

xylo
Member
Registered: 2024-08-11
Posts: 3

Re: Grub 'invalid passphrase' error with encrypted /boot without LVM

macromal wrote:

As explained in Encrypted boot partition (GRUB), GRUB's support for LUKS2 is limited; see GRUB#Encrypted /boot for details. Use LUKS2 with PBKDF2 (cryptsetup luksFormat --pbkdf pbkdf2) for partitions that GRUB will need to unlock.

Hey macromal, thanks for your response. So it seems that when executing "cryptsetup -v luksFormat /dev/sda2", luks2 is used by default, which I was not aware of. So now I have changed that command to the following:

  # cryptsetup -v luksFormat --pbkdf pbkdf2 /dev/sda2

And after finishing the installation and rebooting, it no longer gives me the 'invalid passphrase' error. Instead, it hangs for a few seconds, doing nothing, and then it goes straight to the grub prompt, no errors or anything happens in between:

[screenshot: grub prompt]

I've yet to do some research as to what could be the solution to this new problem, but if you or someone else already knows the answer, it would be greatly appreciated if you could please share it!


#4 2024-08-13 11:55:44

macromal
Member
Registered: 2024-08-03
Posts: 26

Re: Grub 'invalid passphrase' error with encrypted /boot without LVM

Maybe you forgot a step.
Did you generate GRUB's configuration file?

grub-mkconfig -o /boot/grub/grub.cfg


#5 2024-08-14 14:36:06

xylo
Member
Registered: 2024-08-11
Posts: 3

Re: Grub 'invalid passphrase' error with encrypted /boot without LVM

macromal wrote:

Maybe you forgot a step.
Did you generate GRUB's configuration file?

grub-mkconfig -o /boot/grub/grub.cfg

It seems like that was indeed the issue. The new system boots correctly now! Thanks a lot!
