Hi,
I've setup a LUKS2 encrypted system disk, which I am able to boot using the GRUB rescue command line.
However, unlike a very similar LUKS1 setup I have, it does not prompt me for a password.
I would like to know how to make it ask for a password. And, as a shortcut, how to get GRUB rescue to recognize the config file in /boot/grub/grub.cfg after cryptomounting it?
The command used to encrypt:
sudo cryptsetup --type luks2 --pbkdf argon2id -h whirlpool --iter-time 5000 --use-random -c serpent-xts-plain64 luksFormat /dev/sda1
Note - a key was added with PBKDF2 and Whirlpool, as GRUB2 apparently does not yet have support for argon2 (and argon2id by extension I guess), based on what I read in the comments section for grub-git:
https://aur.archlinux.org/packages/grub-git
Command used to install GRUB:
grub-install --target=i386-pc --modules="luks2 cryptodisk gcry_whirlpool gcry_serpent pbkdf2 part_gpt part_msdos linux" --recheck /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg
lsblk (sda2 will be SWAP):
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
fd0 2:0 1 4K 0 disk
sda 8:0 0 136.7G 0 disk
|-sda1 8:1 0 130G 0 part
| `-root 254:0 0 130G 0 crypt /
|-sda2 8:2 0 6.7G 0 part
`-sda3 8:3 0 70.9M 0 part
sr0 11:0 1 1024M 0 rom
GRUB version (package is grub-git from the AUR):
grub-install (GRUB) 2.05
/etc/default/grub:
# GRUB boot loader configuration
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=[UUID of /dev/sda1]:main cryptkey=rootfs:/root/main.keyfile"
GRUB_CMDLINE_LINUX=""
# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="luks2 cryptodisk gcry_whirlpool gcry_serpent pbkdf2 part_gpt part_msdos
linux part_gpt part_msdos"
# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y
# Set to 'countdown' or 'hidden' to change timeout behavior,
# press ESC key to display menu.
GRUB_TIMEOUT_STYLE=menu
# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console
# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE=auto
# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep
# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true
# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true
# Uncomment and set to the desired menu colors. Used by normal and wallpaper
# modes only. Entries specified as foreground/background.
#GRUB_COLOR_NORMAL="light-blue/black"
#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"
# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/path/to/wallpaper"
#GRUB_THEME="/path/to/gfxtheme"
# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"
# Uncomment to make GRUB remember the last selection. This requires
# setting 'GRUB_DEFAULT=saved' above.
#GRUB_SAVEDEFAULT="true"
/root/main.keyfile:
---------- 1 root root 2.0K Dec 17 02:21 /root/main.keyfile
I noticed that in the generated /boot/grub/grub.cfg config (script more like?) on the LUKS1 system it had a line for "cryptomount", yet on this LUKS2 setup it was omitted.
I'm also a little confused on how GRUB works: does it take the .cfg file and turn it into an image when running grub-install, that is then imprinted into /dev/sda3? Or is it a dummy version? Because in the LUKS1 setup it immediately asks for the password, then I assume finds the config, as it shows options for booting "Artix Linux".
There's also the issue of getting it to stop asking for the password twice, which works in LUKS1 but does not seem to be respected when using LUKS2, but I'll take one thing at a time.
Thanks in advance for any advice!
Topic: GRUB + LUKS2 not asking for password (Read 3125 times)
previous topic - next topic
