GRUB "Invalid passphrase" but works on different PC

threestate · 2026-05-18 07:30:40

I have an SSD with Arch installed with encrypted boot (I followed the wiki). I moved the drive to a different system but now when booting and trying to unlock I'm getting

error: Invalid passphrase.

The error appears instantly, so it doesn't even try to check the entered password (argon2id takes seconds to compute).

I was originally using grub-improved-luks2-git (2.12.rc1.r0.g7a994c87f-1) which worked fine. Except for this new system. I tried updating to grub (2:2.14-1) (because 2.14 now supports argon2) but nothing changed. Everything boots fine on the previous system but fails on the new one.

I'd like to get this fixed properly (rather than doing a workaround like downgrading to PBKDF2), so I'm willing to debug even if that would require patching, compiling, reinstalling GRUB.

frostschutz · 2026-05-18 07:43:19

I'm not familiar with grub-improved. In regular Grub you need 2.14 at minimum. It's possible to boot an old grub version by accident (e.g. grub-install and grub-install --removable are two separate installs, same if you got more than one EFI partition).

Otherwise not sure. I tested argon2 in grub-2.14 and it does work for me, with a standard LUKS2 headers, no special flags or integrity settings.

The alternative would be to forgo argon2 and add a pbkdf2 keyslot.

You can check your /boot/grub/*/load.cfg if it's using the correct device, uuid for cryptomount.

If grub gives you a shell you can enable debug and pager and see if you can open it manually or not.

Last edited by frostschutz (2026-05-18 07:50:43)

threestate · 2026-05-18 14:36:18

Thanks for suggestions!

frostschutz wrote:

It's possible to boot an old grub version by accident (e.g. grub-install and grub-install --removable are two separate installs, same if you got more than one EFI partition).

I removed backup .efi files from the EFI partition to be sure. Now there's only /EFI/BOOT/BOOTX64.EFI.

frostschutz wrote:

You can check your /boot/grub/*/load.cfg if it's using the correct device, uuid for cryptomount.

/boot/grub/x86_64-efi/load.cfg and /boot/grub/grub-pre.cfg both contain the correct UUID.

frostschutz wrote:

If grub gives you a shell you can enable debug and pager and see if you can open it manually or not.

No shell. Only the rescue mode where only a handful of commands can be run.

But with that, I've just found a difference between the two machines.

On working machine:

grub rescue> ls (hd6,gpt2)
(hd6,gpt2): Filesystem is unknown

On non-working machine:

grub rescue> ls (hd0,gpt2)
error: disk/efi/efidisk.c:grub_efidisk_open:524:invalid sector size 0.

seth · 2026-05-18 14:57:12

What does fsck tell you about that partition?

threestate · 2026-05-18 19:09:54

seth wrote:

What does fsck tell you about that partition?

It's the LUKS partition, so fsck can't check it.

seth · 2026-05-18 19:33:30

You cannot open the luks container either?

I moved the drive to a different system but

tbc, the same disk (where also grub is installed, nb the difference in hd0 and hd6) behave differently when attached to different hardware?
Or is this from different grub installations/versions?

threestate · 2026-05-18 20:08:27

seth wrote:

tbc, the same disk (where also grub is installed, nb the difference in hd0 and hd6) behave differently when attached to different hardware?

Exactly.

My SSD has two partitions:

1. ESP: with grub installed as /EFI/BOOT/BOOTX64.EFI and configured to unlock the LUKS partition.
2. LUKS: has LVM on top with logical volumes for / (which includes /boot) and /home.

I boot from the SSD on machine 1, enter the password and get the OS loaded.
I boot from the SSD on machine 2, enter the password and immediately see the error, (On the same SSD, which I move between machines).

Regarding the different drive numbering (hd0 vs hd6), I think that's expected for different machines. The partition is specified in GRUB's conf using UUID. I suppose it correctly finds it both cases because otherwise there would probably be an error.

P.S. I also updated the BIOS on machine 2 but nothing changed.

Last edited by threestate (2026-05-18 20:10:31)

seth · 2026-05-18 20:22:17

I meant because the other system might also have hd1-5 and you'd be booting from one of those.

"SSD" is sata or nvme?
What are those systems? PC? Notebook? Similar CPU (which one's older)?
Do you use the same keyboard? If it's external, does removing it help? (Speculating on spurious input - might also be webcam, wifi or charger if you can disable/detach those)

threestate · 2026-05-19 08:47:10

seth wrote:

I meant because the other system might also have hd1-5 and you'd be booting from one of those.

Both systems has other drives installed. If you mean that:
a. On machine 1 everything works because I'm unknowingly booting from some other drive, then it shouldn't be possible because the other drives on both machines have no GRUB or Linux installed.
b. On machine 2 unlock fails because GRUB tries to access the wrong drive/partition, then it's unlikely because it uses UUID to identify them and always correctly shows partition number (gpt2). I could try to rebuild GRUB with a wrong LUKS partition UUID specified to make sure that it is the UUID what is being used to locate the partition (it would print an error in that case) and not some drive/partition numbers, but that would take time.

seth wrote:

"SSD" is sata or nvme?
What are those systems? PC? Notebook? Similar CPU (which one's older)?

It's an M.2 NVME. I am currently use it through a USB adapter to be able to quickly switch between the machines. But inserting it directly into machine 2 gives the same results.

Both machines are laptops:
- Machine 2 (the problematic laptop) is newer - 11th gen Intel.
- Machine 1 - 5th gen Intel.
- Machine 0, on which I initially set up GRUB, - Zen 4 AMD.

seth wrote:

Do you use the same keyboard? If it's external, does removing it help? (Speculating on spurious input - might also be webcam, wifi or charger if you can disable/detach those)

I used the integrated keyboard of both laptops. It shouldn't be input related because it doesn't even try to check the entered password. Or, if the passphrase isn't actually getting typed, which would be equivalent to entering an empty passphrase, IIRC it would fall into recovery shell immediately. Will check next time.

My current guess is that it is a bug in either GRUB or laptop's BIOS/UEFI.

seth · 2026-05-20 06:23:14

you mean that:
a. On machine 1 everything works because I'm unknowingly booting from some other drive

https://wiki.archlinux.org/title/GRUB#E … g_messages
https://wiki.archlinux.org/title/GRUB#Invalid_signature ?

Arch Linux

#1 2026-05-18 07:30:40

GRUB "Invalid passphrase" but works on different PC

#2 2026-05-18 07:43:19

Re: GRUB "Invalid passphrase" but works on different PC

#3 2026-05-18 14:36:18

Re: GRUB "Invalid passphrase" but works on different PC

#4 2026-05-18 14:57:12

Re: GRUB "Invalid passphrase" but works on different PC

#5 2026-05-18 19:09:54

Re: GRUB "Invalid passphrase" but works on different PC

#6 2026-05-18 19:33:30

Re: GRUB "Invalid passphrase" but works on different PC

#7 2026-05-18 20:08:27

Re: GRUB "Invalid passphrase" but works on different PC

#8 2026-05-18 20:22:17

Re: GRUB "Invalid passphrase" but works on different PC

#9 2026-05-19 08:47:10

Re: GRUB "Invalid passphrase" but works on different PC

#10 2026-05-20 06:23:14

Re: GRUB "Invalid passphrase" but works on different PC

Board footer