Arch Linux

Anon_a

Member

Registered: 2020-02-01

Posts: 21

LUKS/GRUB preboot password doesn't work sometimes

So this is a really odd issue. I've been using the current install for around 6 months without any issues, but a few weeks ago I started having trouble getting past the preboot password. First I thought it was just me making a mistake, but later it kept refusing for up to 20 times before it finally worked. The average is currently around 3 times, with it only working on the first try once in the past week.

I'm not sure if saying it's the LUKS preboot password is correct, but I've specified the unlock options given to cryptsetup to the grub config file which handles the decryption on boot.

I really have no idea where to start troubleshooting this. At first I thought it was just a faulty keyboard, but I've tried 3 different ones and all of them result in the same behavior. I also tried reinstalling GRUB, but the issue doesn't resolve. Boot logs look the same from 6 months ago, but I have no idea what to look at here. Is there any way to enable a preview of the password so that I can at least see if it is actually correct? I would really like to understand what's happening here.

Any advice on where to start looking would be greatly appreciated.

twelveeighty

Member

Registered: 2011-09-04

Posts: 1,290

Re: LUKS/GRUB preboot password doesn't work sometimes

Your journal is always the first place to look. After you manage to log in, check your journal for the startup messages.

qu@rk

Member

Registered: 2021-07-28

Posts: 89

Re: LUKS/GRUB preboot password doesn't work sometimes

Did you use some high resolution mode for that screen? I remember I played with that at some point and made for missed keyboard inputs. Had to slowly type the password.

Anon_a

Member

Registered: 2020-02-01

Posts: 21

Re: LUKS/GRUB preboot password doesn't work sometimes

So the issue seems to have been hardware related. After moving the drive to another port and switching out the cable, it works again on the first try.

Where would I find the logs for the preboot password? I couldn't see anything when running journalctl that resembles the debug output I get before entering the password. It starts with the "BOOT_IMAGE=" line with the decrypt options for cryptsetup.
I'm worried that I might damage the drive or something and would like to understand why this happened. There is also the possibility that I just entered the password wrong, but I'd like to have some way to check if this is the case in the future, so is there any way to enable a password preview or at least have some user feedback on the password entry screen?

I am working on a dell laptop with a 3840x2160 display, so not sure if this could have an impact.

Scimmia

Fellow

Registered: 2012-09-01

Posts: 12,527

Re: LUKS/GRUB preboot password doesn't work sometimes

Where would I find the logs for the preboot password?

If we're talking about grub, there is none.

Last edited by Scimmia (2025-03-21 15:49:32)

Anon_a

Member

Registered: 2020-02-01

Posts: 21

Re: LUKS/GRUB preboot password doesn't work sometimes

So the issue seems to be back again after around 3 days with the password working on the first try. Spent around 40 minutes today just retyping and trying the password with it refusing to work.

Is there no way to enable a password preview or debug options for GRUB to troubleshoot this? This is really messing with my sanity at the moment.

frostschutz

Member

Registered: 2013-11-15

Posts: 1,524

Re: LUKS/GRUB preboot password doesn't work sometimes

Does the keyboard work reliably without missing anything in the Grub console / shell / editor? (Select any menu entry and press 'e', or just Esc the Grub menu into the shell).

In Grub there is `set debug=all` but I don't know what (if anything) it would do for a password. You might have to add your own debug messages by patching and compiling Grub yourself.

If this is about GRUB_ENABLE_CRYPTODISK (early password prompt before Grub menu) you won't even have a chance to set debug before the prompt appears. You'd have to modify the embedded load.cfg which involves some hoop jumping (example https://unix.stackexchange.com/a/782975/30851 ).

Also debug tends to be too verbose so messages would just scroll off screen. Usually combined with `set pager=1`.

If you can reproduce issues in a VM that sometimes makes debugging easier (and you could receive debug messages via serial console) but might not be possible in this case. Not sure.

Best solution is to not encrypt /boot at all. Skip the password prompt in Grub entirely...

Anon_a

Member

Registered: 2020-02-01

Posts: 21

Re: LUKS/GRUB preboot password doesn't work sometimes

The keyboard works reliably in the rescue console after failing the password, which I then use to reboot. Menu entries also work. I'll try the 'e' or Esc keys next time to see if that also works. I'll also look into the 'set debug=all' option.

To clarify I haven't encrypted the boot partition, only the main OS partition is encrypted using cryptsetup, so I can edit the GRUB files if I need to or boot from a separate drive.

frostschutz

Member

Registered: 2013-11-15

Posts: 1,524

Re: LUKS/GRUB preboot password doesn't work sometimes

If /boot, grub.cfg, kernel, initrd etc. is not encrypted, then why ask for a password in Grub at all? Set GRUB_ENABLE_CRYPTODISK=n, redo the grub-install and done?

Is it a wireless keyboard? Try hitting Shift key three times before you start typing the passphrase, sometimes it's a sleep/wakeup thing.

You could also try reverting Grub version to https://archive.archlinux.org/packages/ … kg.tar.zst (or similar) just in case it's update related.

Anon_a

Member

Registered: 2020-02-01

Posts: 21

Re: LUKS/GRUB preboot password doesn't work sometimes

Just to clarify since I still haven't been able to identify the cause of the issue, it's still recurring and going away at times. I used the information here (https://wiki.archlinux.org/title/Dm-cry … ire_system) to set up an encrypted disk , but I did not use the encrypted GRUB boot.

So after going through everything again the issue doesn't seem to be with the boot loader itself, since you only need to specify the kernel parameters there. Therefore, I think the issue is with the kernel that does the decryption of the disk from /boot, since that isn't encrypted. So what handles the section to decrypt the disk? If the option is specified in the kernel then I assume it's kernel related?

Is there then a way to show some sort of password preview or give better feedback on when keys are pressed in this prompt?

kermit63

Member

Registered: 2018-07-04

Posts: 324

Re: LUKS/GRUB preboot password doesn't work sometimes

the option to decrypt /boot is on /etc/default/grub, specifically the line

#GRUB_ENABLE_CRYPTODISK=y

It should only be set to y if /boot is encrypted.

---

Never argue with an idiot, they will drag you down to their level and then beat you with experience.
It is better to light a candle than curse the darkness.
A journey of a thousand miles begins with a single step.

Succulent of your garden

Member

Registered: 2024-02-29

Posts: 214

Re: LUKS/GRUB preboot password doesn't work sometimes

If you really think is the kernel, you can launch the system with a usb stick with the iso of arch, and then

cryptsetup open /dev/yourEncryptedParittiion <TheSameNameThatYouAppliedToYourEncryptedVolumeTheFirstTime>

It's no mandatory to set the same name of the partition, you can see the name when grub is asking for password, but if you are going to reinstall grub probably is mandatory, not sure if you need to regenerate fstab if you are going to do that with changing the name of the encrypted partition, probably it is.

But if only it's the kernel, then just mount the partition after being opened, and  arch-chroot in it. Then install Linux-LTS, I never have problems with that, and I can tell you that in current LTS version root encryption just works fine.

EDIT: Since during kernel installation you run mkinitcpio, maybe you should update your grub to detect the new kernel, if that's the case probably it's a good idea to use the same name applied to your encrypted partition before.  I'm not sure if grub just detects the drives and partition by UUID, and the name is just a comfy thing for the user.

Last edited by Succulent of your garden (2025-03-29 10:44:26)

Anon_a

Member

Registered: 2020-02-01

Posts: 21

Re: LUKS/GRUB preboot password doesn't work sometimes

I already tried to open the drive with cryptsetup on a usb stick, which works. I also checked the drive for errors, so there also doesn't seem to be any issues with the drive.

The issue seems to be with the prompt screen for the password. I also tried reinstalling GRUB, which doesn't seem to have helped. The system didn't have any issues for 6 months prior, I also tried downgrading to previous snapshots/version of all packages, which also didn't help.

My only guess is that something with the input is wrong, but I can't sort that out if I can't see what the prompt sees as input.

Scimmia

Fellow

Registered: 2012-09-01

Posts: 12,527

Re: LUKS/GRUB preboot password doesn't work sometimes

To clarify I haven't encrypted the boot partition, only the main OS partition is encrypted using cryptsetup, so I can edit the GRUB files if I need to or boot from a separate drive.

Then why do you keep talking about grub? If the kernel and initramfs aren't encrypted, grub has nothing to do with this, it's all happening in the initramfs.

Succulent of your garden

Member

Registered: 2024-02-29

Posts: 214

Re: LUKS/GRUB preboot password doesn't work sometimes

I already tried to open the drive with cryptsetup on a usb stick, which works. I also checked the drive for errors, so there also doesn't seem to be any issues with the drive.

The issue seems to be with the prompt screen for the password. I also tried reinstalling GRUB, which doesn't seem to have helped. The system didn't have any issues for 6 months prior, I also tried downgrading to previous snapshots/version of all packages, which also didn't help.

My only guess is that something with the input is wrong, but I can't sort that out if I can't see what the prompt sees as input.

Have you ever tried to switch the ssd and see if it works fine in another computer ? just be sure that the cpu it's from the same manufacture and architecture. If that's works, I should be cautious in checking the hardware, bios/uefi and cpu integrity.

Some cpus does have an internal unit to do the AES decryption more faster. So one idea to consider is to check if you can disable that if it is possible. But I'm not sure about this, just throwing new ideas to try to help you.

Last edited by Succulent of your garden (Yesterday 21:50:22)