Hello! I am having issues with configuring GRUB to read from a USB that contains a keyfile.
For context, I have followed the arch dm-crypt Encrypted /boot Partition guide through step 8.5, with no issue. When not using the GRUB image that attempts to look for a keyfile on the USB, Arch boots perfectly fine after being prompted once for the LUKS2 password.
I've opted to use a btrfs file system for my root and home partitions within the LUKS2 partition, while my USB is formatted with an exfat filesystem. I have an EFI system, and my efi partition is separate from the LUKS partition. I'm also using a systemd based initramfs instead of busybox based.
I've ensured that all 3 of my LUKS2 keys use PBKDF2, as opposed to Argon2id, since GRUB2 doesn't support Argon2id. (1st key is password, 2nd key is made from step 8.5, and 3rd key is the usb key).
Within /etc/default/grub, I have GRUB_ENABLE_CRYPTODISK=y uncommented, and GRUB_DISABLE_LINUX_UUID=true commented out.
Here is what I have inside my grub-pre.cfg file, which is located within /boot/grub/grub-pre.cfg:
set crypto_uuid=[UUID of /dev/nvme0n1p2]
set key_disk=[UUID of usb drive]
cryptomount -u $crypto_uuid -k ($key_disk)/Desktop/cryptlvm-usb.key
set root=[UUID of MyVolGroup-root]
set prefix=($root)/boot/grub
insmod normal
normal
I'm in the arch install live environment. Within arch-chroot /mnt, I make the grub image with:
grub-mkimage -p /boot/grub -O x86_64-efi -c /boot/grub/grub-pre.cfg -o /tmp/grubx64.efi part_gpt part_msdos luks2 cryptodisk gcry_rijnadel gcry_sha512 lvm ext2 exfat fat ntfs
Then I install with:
install -v /tmp/grubx64.efi /efi/EFI/GRUB/grubx64.efi
When I exit chroot and reboot, I'm presented with the grub rescue screen, and the following errors:
error: disk '[UUID of usb]' not found.
error: disk '[UUID of MyVolGroup-root]' not found.
Unknown command 'normal'.
error: disk '[UUID of MyVolGroup-root]' not found.
Entering rescue mode...
What I believe is happening is that the USB isn't found, which leads to not being able to cryptomount, leading to not finding the MyVolGroup-root UUID, which leads to not setting root and prefix correctly.
Within rescue mode, typing in 'ls' shows all drives attached, including the USB, which is hd0,gpt1. Typing in 'ls (hd0,gpt1)/' shows all folders on the drive, which tells me GRUB recognizes the USB, just not by UUID.
Here are things I've tried which had no effect:
Replaced the luks2 grub module in the image creation with luks
Replaced the gcry_sha512 grub module in the image creation with gcry_sha256
Changed the file system type of the USB, then recopying the key over to the USB
Added 'UUID=' in front of the UUIDs of the grub-pre.cfg file (key_disk=UUID=[UUID of usb disk]), then re-making the image and reinstalling to /efi/EFI/GRUB/grubx64.efi
Added quotation marks around the UUIDs in grub-pre.cfg, then re-making and reinstalling GRUB
Regenerating the usb key file and adding the new file to the list of LUKS2 keys
The only thing I've tried which had any effect was replacing the UUIDs in grub-pre.cfg with the corresponding GRUB-style hdX,gptY entries. This leads to a different grub rescue error: 'No such cryptodisk found'
I am at my wits' end. Any help would be much appreciated! Thank you!
Last edited by ohdonjohnson (Today 00:02:24)
When I exit chroot and reboot, I'm presented with the grub rescue screen, and the following errors:
Is the entire /boot on that usb key or only the keyfile?
If you want to boot from a usb key I'd suggest to install grub there and boot from the usb key, not to boot grub from some internal drive and then have it collect its stuff from an external drive.
Although
Within rescue mode, typing in 'ls' shows all drives attached, including the USB, which is hd0,gpt1. Typing in 'ls (hd0,gpt1)/' shows all folders on the drive, which tells me GRUB recognizes the USB, just not by UUID.
So… what if you address the partitions by that syntax instead of the UUID?
Also https://askubuntu.com/questions/228031/ … ub2-prompt
I make the grub image with:
grub-mkimage -p /boot/grub -O x86_64-efi -c /boot/grub/grub-pre.cfg -o /tmp/grubx64.efi part_gpt part_msdos luks2 cryptodisk gcry_rijnadel gcry_sha512 lvm ext2 exfat fat ntfs
I think you might need the btrfs module as well.
Jin, Jîyan, Azadî
Is the entire /boot on that usb key or only the keyfile?
/boot is on the same lvm as root and /swap space. It's in the same lvm partition as root. Since my machine is UEFI, I have an /efi partition completely separate from the LUKS2. It follows an identical disk layout to this chart, save for the disk being on an nvme drive, not a sata drive
So... what if you address the partitions by that syntax instead of the UUID?
I'm assuming you mean within grub-pre.cfg? In that case, it leads to a 'No such cryptodisk found' error on reboot. I would also prefer referencing by UUID if possible, as it would prevent trying to read from the wrong USB if multiple thumb drives are plugged in at boot time.
I would think it's possible, since this step in the wiki states to use UUIDs, and not the hdX,gptY grub syntax.
I think you might need the btrfs module as well
I added this, good catch! But it still gives the original grub error of "disk [UUID of USB] not found..."
Having the same issue. I'm wondering if anyone found a solution.
UPDATE: I have tried adding the usb keyfile to /etc/mkinitcpio.conf file, with a busybox based mkinitcpio. I've also added the USB to automount within fstab, as well as a cryptkey parameter in /etc/default/grub that points to the mount point, but I'm still prompted for a password. There is no accompanying error however. Relevant file contents and luksDump are shown below:
/etc/mkinitcpio.conf :
# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run. Advanced users may wish to specify all system modules
# in this array. For instance:
# MODULES=(usbhid xhci_hcd)
MODULES=(vfat)
# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image. This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()
# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way. This is useful for config files.
FILES=(/etc/cryptsetup-keys.d/cryptlvm.key /key_usb/Laptop/cryptlvm-usb.key)
# This is the most important setting in this file. The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added. Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
## This setup specifies all modules in the MODULES setting above.
## No RAID, lvm2, or encrypted root is needed.
# HOOKS=(base)
#
## This setup will autodetect all modules for your system and should
## work as a sane default
# HOOKS=(base udev autodetect modconf block filesystems fsck)
#
## This setup will generate a 'full' image which supports most systems.
## No autodetection is done.
# HOOKS=(base udev modconf block filesystems fsck)
#
## This setup assembles a mdadm array with an encrypted root file system.
## Note: See 'mkinitcpio -H mdadm_udev' for more information on RAID devices.
# HOOKS=(base udev modconf keyboard keymap consolefont block mdadm_udev encrypt filesystems fsck)
#
## This setup loads an lvm2 volume group.
# HOOKS=(base udev modconf block lvm2 filesystems fsck)
#
## This will create a systemd based initramfs which loads an encrypted root filesystem.
# HOOKS=(base systemd autodetect modconf kms keyboard sd-vconsole block sd-encrypt lvm2 filesystems fsck)
#
## This will create a busybox based initramfs which loads an encrypted root filesystem.
HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems fsck)
#
## NOTE: If you have /usr on a separate partition, you MUST include the
# usr and fsck hooks.
# HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block filesystems fsck)
# COMPRESSION
# Use this to compress the initramfs image. By default, zstd compression
# is used for Linux ≥ 5.9 and gzip compression is used for Linux < 5.9.
# Use 'cat' to create an uncompressed image.
#COMPRESSION="zstd"
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"
# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()
# MODULES_DECOMPRESS
# Decompress loadable kernel modules and their firmware during initramfs
# creation. Switch (yes/no).
# Enable to allow further decreasing image size when using high compression
# (e.g. xz -9e or zstd --long --ultra -22) at the expense of increased RAM usage
# at early boot.
# Note that any compressed files will be placed in the uncompressed early CPIO
# to avoid double compression.
#MODULES_DECOMPRESS="no"
/etc/fstab :
# /dev/mapper/ArchSystem-root
UUID=c17f32da-feae-4b0d-9333-1e85c75d9fbb / btrfs rw,relatime,ssd,space_cache>
# /dev/mapper/ArchSystem-root
UUID=c17f32da-feae-4b0d-9333-1e85c75d9fbb /home btrfs rw,noatime,ssd,space_cache=>
# /dev/nvme0n1p8
UUID=b36e0c85-305c-4caf-acd3-1f8ade00f967 /home/Gibby/Steam_Games ext4 rw,relatime 0 2
# /dev/mapper/ArchSystem-root
UUID=c17f32da-feae-4b0d-9333-1e85c75d9fbb /opt btrfs rw,noatime,ssd,space_cache=>
# /dev/mapper/ArchSystem-root
UUID=c17f32da-feae-4b0d-9333-1e85c75d9fbb /var btrfs rw,relatime,ssd,space_cache>
# /dev/nvme0n1p1
UUID=C3D6-3126 /efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,ioch>
# /dev/sda1
UUID=2284-5CBE /key_usb vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,ioch>
/etc/default/grub :
# GRUB boot loader configuration
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"
GRUB_CMDLINE_LINUX="cryptdevice=UUID=3ad82450-c363-4fd0-b7d5-df2c70e8d565:cryptlvm cryptkey=rootfs:/key_usb/Laptop/cryptlvm-usb.key"
# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos btrfs"
# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y
# Set to 'countdown' or 'hidden' to change timeout behavior,
# press ESC key to display menu.
GRUB_TIMEOUT_STYLE=menu
# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console
# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `videoinfo'
GRUB_GFXMODE=auto
# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep
# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true
# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true
# Uncomment and set to the desired menu colors. Used by normal and wallpaper
# modes only. Entries specified as foreground/background.
#GRUB_COLOR_NORMAL="light-blue/black"
#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"
# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/path/to/wallpaper"
#GRUB_THEME="/path/to/gfxtheme"
# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"
# Uncomment to make GRUB remember the last selection. This requires
# setting 'GRUB_DEFAULT=saved' above.
#GRUB_SAVEDEFAULT=true
# Uncomment to disable submenus in boot menu
#GRUB_DISABLE_SUBMENU=y
# Probing for other operating systems is disabled for security reasons. Read
# documentation on GRUB_DISABLE_OS_PROBER, if still want to enable this
# functionality install os-prober and uncomment to detect and include other
# operating systems.
#GRUB_DISABLE_OS_PROBER=false
/boot/grub/grub-pre.cfg :
set crypto_uuid=3ad82450-c363-4fd0-b7d5-df2c70e8d565
set key_disk=2284-5CBE
cryptomount -u $crypto_uuid -k ($key_disk)/Laptop/cryptlvm-usb.key
set root=c17f32da-feae-4b0d-9333-1e85c75d9fbb
set prefix=($root)/boot/grub
insmod normal
normal
LuksDump of /dev/nvme0n1p2
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: pbkdf2
Hash: sha256
Iterations: 5146384
Salt: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
1: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 4
Memory: 1048576
Threads: 4
Salt: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
AF stripes: 4000
AF hash: sha256
Area offset:290816 [bytes]
Area length:258048 [bytes]
Digest ID: 0
2: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: pbkdf2
Hash: sha256
Iterations: 4905618
Salt: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
AF stripes: 4000
AF hash: sha256
Area offset:548864 [bytes]
Area length:258048 [bytes]
Digest ID: 0
I am curious as to how well the AUR package 'grub-improved-luks2-git' works. Does using that package require extra steps besides installation? Any help would be greatly appreciated
Hi ohdonjohnson,
this is my very first post in this community. I was also looking for a solution for this problem and managed to solve it today, and wanted to share my findings with you. I also have the same setup as you, which means I'm now running my arch system fully encrypted with LUKS on BTRFS and using an external USB drive, where the keyfile is stored, to decrypt my system without typing any passphrase.
I'd try the following changes on your end.
/boot/grub/grub-pre.cfg :
set crypto_uuid=3ad82450-c363-4fd0-b7d5-df2c70e8d565
set key_disk='hd0,msdos1'
cryptomount -u $crypto_uuid -k ($key_disk)/Laptop/cryptlvm-usb.key
set root='crypto0'
set prefix=($root)/@/boot/grub
insmod normal
normal
As you can see in the configuration, the UUID is not working for the key_disk and root. For key_disk the only way to find the partition is by using ls via the grub rescue mode. So in your case it could look like:
ls (hd0,msdos1)/Laptop
and if you find your cryptlvm-usb.key then you got the right partition and have to add it to your key_disk.
Next is, once the cryptomount was successful you will see a new partition in grub which is your new root and is called set root='crypto0'.
As you are using btrfs, you have to add your subvol first, so it will then be set prefix=($root)/@/boot/grub.
There are also some changes in the grub image needed:
grub-mkimage -p /boot/grub -O x86_64-efi -c /boot/grub/grub-pre.cfg -o /tmp/grubx64.efi part_gpt part_msdos luks2 cryptodisk gcry_rijnadel gcry_sha256 lvm ext2 exfat fat ntfs btrfs
Replace gcry_sha512 with gcry_sha256, because as you can see in the luksDump all keys are using sha256 hashes, and add btrfs to the image.
Last step is to install:
install -v /tmp/grubx64.efi /efi/EFI/GRUB/grubx64.efi
I'm still looking for a better solution to use the UUID of the key_disk instead of the partition, because as soon as you plug in another USB stick it could be that it will not work anymore. To make it more "stable", I unplugged every USB drive and had only the USB stick with the key plugged in, to get a partition id which seems not to change. Yeah, not a good solution, but it works for now.
Hope this helps you.
Does search not work for you?
keydisk=hd0,msdos1
keylabel=mylabel
search --set keydev --hint $keydisk --label $keylabel # or --uuid $keyuuid
cryptomount -k ($keydev)/...
No, unfortunately not. I get the message that the command search is not found.
add grub modules `search search_fs_file search_fs_uuid search_label` to your mkimage command above
You're the best! It's working! Thank you @frostschutz! That was the last puzzle piece!
Last edited by tizzle (2025-04-09 19:36:17)
That worked! Thanks so much!
For future peeps looking at this, here's the working configuration I landed on:
/boot/grub/grub-pre.cfg:
set crypto_uuid=3ad82450-c363-4fd0-b7d5-df2c70e8d565
set keydisk=hd0,gpt1 # GRUB-format
set keyUUID=2284-5CBE # USB UUID
search --set keydev --hint $keydisk --fs-uuid $keyUUID
cryptomount -u $crypto_uuid -k ($keydev)/{path on USB to keyfile}
set root=lvm/ArchSystem-root # lvm/MyVolGroup
set prefix=($root)/@/boot/grub # '@' because BTRFS
insmod normal
normal
grub-mkimage command:
grub-mkimage -p /boot/grub -O x86_64-efi -c /boot/grub/grub-pre.cfg -o /tmp/grubx64.efi part_gpt part_msdos luks2 cryptodisk gcry_rijndael gcry_sha256 lvm ext2 exfat fat ntfs btrfs search search_fs_file search_fs_uuid search_label
Install command: Same as 8.6 step on the wiki
cryptsetup luksDump /dev/nvme0n1p2 (NOTE: pbkdf2 is used for both password keyslot and USB keyslot):
LUKS header information
Version: 2
Epoch: 19
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: 3ad82450-c363-4fd0-b7d5-df2c70e8d565
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: pbkdf2
Hash: sha256
Iterations: 4821038
Salt: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
AF stripes: 4000
AF hash: sha256
Area offset:806912 [bytes]
Area length:258048 [bytes]
Digest ID: 0
1: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 4
Memory: 1048576
Threads: 4
Salt: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
AF stripes: 4000
AF hash: sha256
Area offset:290816 [bytes]
Area length:258048 [bytes]
Digest ID: 0
2: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: pbkdf2
Hash: sha256
Iterations: 4837720
Salt: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
Tokens:
Digests:
0: pbkdf2
Hash: sha256
Iterations: 326049
Salt: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
Digest: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
/etc/default/grub (Main changes):
# GRUB boot loader configuration
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"
GRUB_CMDLINE_LINUX="... cryptkey=rootfs:/key_usb/Laptop/cryptlvm-usb.key" #unsure if this line is needed
# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos btrfs"
# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y
I'm unsure if the following changes are necessary, but it works with them active soo... yeah
/etc/mkinitcpio.conf
MODULES=(vfat) #USB filesystem type
FILES=(/etc/cryptsetup-keys.d/cryptlvm.key /key_usb/Laptop/cryptlvm-usb.key)
HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems fsck)
/etc/fstab (USB entry, generated via mounting to /mnt/key_usb on iso before genfstab):
# /dev/sda1
UUID={UUID of USB partition} /key_usb vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2
There is one last issue I'm having: unlocking with USB takes around 3 whole minutes to reach the GRUB menu, which eats around 8-10% battery every time I restart my computer (in contrast to 3-5 seconds via password unlock on the Arch ISO boot). How would I fix this? (NOTE: in the above luksDump, slot 0 is the usb keyfile, see tip given here)
Last edited by ohdonjohnson (Yesterday 23:54:43)
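An added example, not from this thread or the Arch wiki, that automates the two checks the thread turned on (no keyslot may use Argon2id, which GRUB cannot open, and the gcry_* module must match the hash the pbkdf2 keyslots use, as read from luksDump) and then emits a grub-pre.cfg that finds the key USB by filesystem UUID with search plus the grub-mkimage line carrying the search modules. The sample dump is a trimmed, constructed copy of the second luksDump above; the UUIDs, key path and LV name are the ones from this thread; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): check a `cryptsetup luksDump` for the
# two traps hit above, then emit the matching grub-pre.cfg and grub-mkimage.
# GRUB's cryptomount cannot open argon2id keyslots, and the image must carry
# the gcry_* module for the hash the pbkdf2 keyslots actually use.

# Constructed sample (trimmed copy of the thread's second dump).
# On a real system: dump=$(cryptsetup luksDump /dev/nvme0n1p2)
SAMPLE_DUMP='Keyslots:
  0: luks2
        PBKDF:      pbkdf2
        Hash:       sha256
  1: luks2
        PBKDF:      argon2id
  2: luks2
        PBKDF:      pbkdf2
        Hash:       sha256
Digests:
  0: pbkdf2
        Hash:       sha256'

# Reduce a dump on stdin to one "slot pbkdf hash" line per keyslot; only the
# Keyslots section is read, so the Hash: line under Digests is ignored.
keyslot_summary() {
  awk '
    /^Keyslots:/          { in_ks = 1; next }
    /^(Tokens|Digests):/  { in_ks = 0 }
    in_ks && /^ +[0-9]+: luks2/ {
      if (slot != "") print slot, pbkdf, hash
      slot = $1; sub(/:/, "", slot); pbkdf = "?"; hash = "-"
    }
    in_ks && /^[ \t]+PBKDF:/ { pbkdf = $2 }
    in_ks && /^[ \t]+Hash:/  { hash = $2 }
    END { if (slot != "") print slot, pbkdf, hash }'
}
# Keyslots GRUB will never open (argon2i/argon2id); convert them with
# `cryptsetup luksConvertKey --pbkdf pbkdf2` before building the image.
grub_incompatible_slots() {
  printf '%s\n' "$1" | keyslot_summary | awk '$2 ~ /^argon2/ { print $1 }'
}
# gcry module(s) the image needs: one per distinct hash among pbkdf2 slots.
gcry_hash_modules() {
  printf '%s\n' "$1" | keyslot_summary | awk '$2 == "pbkdf2" { print "gcry_" $3 }' | sort -u
}
# grub-pre.cfg: locate the key USB by filesystem UUID rather than hdX,gptY,
# so a second thumb drive cannot shift the device numbering.
# $1 LUKS UUID, $2 USB filesystem UUID, $3 key path on the USB, $4 lvm/VG-LV
gen_grub_pre_cfg() {
  cat <<EOF
set crypto_uuid=$1
search --set keydev --fs-uuid $2
cryptomount -u \$crypto_uuid -k (\$keydev)$3
set root=$4
set prefix=(\$root)/@/boot/grub
insmod normal
normal
EOF
}
# Image build line; $1 is the gcry hash module list from gcry_hash_modules.
grub_mkimage_cmd() {
  echo "grub-mkimage -p /boot/grub -O x86_64-efi -c /boot/grub/grub-pre.cfg" \
       "-o /tmp/grubx64.efi part_gpt part_msdos luks2 cryptodisk gcry_rijndael $1" \
       "lvm btrfs fat exfat search search_fs_uuid search_fs_file search_label"
}
echo "argon2 keyslots (must be converted first): $(grub_incompatible_slots "$SAMPLE_DUMP")"
gen_grub_pre_cfg 3ad82450-c363-4fd0-b7d5-df2c70e8d565 2284-5CBE /Laptop/cryptlvm-usb.key lvm/ArchSystem-root
grub_mkimage_cmd "$(gcry_hash_modules "$SAMPLE_DUMP")"
```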
There is one last issue I'm having: unlocking with USB takes around 3 whole minutes to reach the GRUB menu, which eats around 8-10% battery every time I restart my computer (in contrast to 3-5 seconds via password unlock on the Arch ISO boot). How would I fix this? (NOTE: in the above luksDump, slot 0 is the usb keyfile, see tip given here)
Grub is super slow to unlock keyslots.
If you are using a keyfile anyway: if your keyfile has more than 128bit of entropy, you don't need any of LUKS anti-bruteforce shenanigans. You can reduce the iteration count for this keyslot close to 0. Then Grub should be able to open it "instantly".
Also with LUKS2 the keyslot order may not be correct. Unlocking behavior changed from LUKS 1, in LUKS 2 the keyslot number is no longer respected by cryptsetup. It might instead try in keyslot area order (I'm not sure) or by whatever order is in the JSON metadata. This may also be different in cryptsetup vs. grub cryptomount.
LUKS2 also allows setting keyslots to prefer/ignore priority (cryptsetup config --priority). But I'm not sure if Grub respects that.
If in doubt (if still slow after reducing iteration counts) you'd have to enable Grub debug to see that it actually tries the correct keyslot first.
Last edited by frostschutz (2025-04-11 07:29:57)
Turning down the iteration count with --pbkdf-force-iter to 1000 did the trick, it now only sucks back 5%, which is better. Funny enough, when using this setup on my desktop, it gives an 'Invalid Sector Size 65535' warning, but unlocks after around 30 seconds. I humbly suggest the wiki be updated to include the mkinitcpio hooks, an updated grub-pre.cfg, and a new grub-mkimage command to include the search modules, but I'm marking this as closed