Skip to main content
Topic: GRUB + LUKS2 not asking for password (Read 3510 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

GRUB + LUKS2 not asking for password

Hi,
I've setup a LUKS2 encrypted system disk, which I am able to boot using the GRUB rescue command line.
However, unlike a very similar LUKS1 setup I have, it does not prompt me for a password.

I would like to know how to make it ask for a password.  And, as a shortcut, how to get GRUB rescue to recognize the config file in /boot/grub/grub.cfg after cryptomounting it?

The command used to encrypt:
Code: [Select]
sudo cryptsetup --type luks2 --pbkdf argon2id -h whirlpool --iter-time 5000 --use-random -c serpent-xts-plain64 luksFormat /dev/sda1

Note - a key was added with PBKDF2 and Whirlpool, as GRUB2 apparently does not yet have support for argon2 (and argon2id by extension I guess), based on what I read in the comments section for grub-git:
https://aur.archlinux.org/packages/grub-git

Command used to install GRUB:
Code: [Select]
grub-install --target=i386-pc --modules="luks2 cryptodisk gcry_whirlpool gcry_serpent pbkdf2 part_gpt part_msdos linux" --recheck /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg


lsblk (sda2 will be SWAP):
Code: [Select]
NAME     MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
fd0        2:0    1     4K  0 disk
sda        8:0    0 136.7G  0 disk
|-sda1     8:1    0   130G  0 part
| `-root 254:0    0   130G  0 crypt /
|-sda2     8:2    0   6.7G  0 part
`-sda3     8:3    0  70.9M  0 part
sr0       11:0    1  1024M  0 rom


GRUB version (package is grub-git from the AUR):
Code: [Select]
grub-install (GRUB) 2.05

/etc/default/grub:
Code: [Select]
# GRUB boot loader configuration

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=[UUID of /dev/sda1]:main cryptkey=rootfs:/root/main.keyfile"
GRUB_CMDLINE_LINUX=""

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="luks2 cryptodisk gcry_whirlpool gcry_serpent pbkdf2 part_gpt part_msdos
linux part_gpt part_msdos"

# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y

# Set to 'countdown' or 'hidden' to change timeout behavior,
# press ESC key to display menu.
GRUB_TIMEOUT_STYLE=menu

# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console

# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE=auto

# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep

# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true

# Uncomment and set to the desired menu colors.  Used by normal and wallpaper
# modes only.  Entries specified as foreground/background.
#GRUB_COLOR_NORMAL="light-blue/black"
#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"

# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/path/to/wallpaper"
#GRUB_THEME="/path/to/gfxtheme"

# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"

# Uncomment to make GRUB remember the last selection. This requires
# setting 'GRUB_DEFAULT=saved' above.
#GRUB_SAVEDEFAULT="true"

/root/main.keyfile:
Code: [Select]
---------- 1 root root 2.0K Dec 17 02:21 /root/main.keyfile

I noticed that in the generated /boot/grub/grub.cfg config (script more like?) on the LUKS1 system it had a line for "cryptomount", yet on this LUKS2 setup it was omitted.
I'm also a little confused on how GRUB works: does it take the .cfg file and turn it into an image when running grub-install, that is then imprinted into /dev/sda3?  Or is it a dummy version?  Because in the LUKS1 setup it immediately asks for the password, then I assume finds the config, as it shows options for booting "Artix Linux".

There's also the issue of getting it to stop asking for the password twice, which works in LUKS1 but does not seem to be respected when using LUKS2, but I'll take one thing at a time.

Thanks in advance for any advice!



Re: GRUB + LUKS2 not asking for password

Reply #3
Did you setup a /etc/crypttab file as per https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration#crypttab ?
This should contain the encrypted devices to be unlocked during system boot.
Another option - if the password matches your login one - is to unlock at login time using pam.
No I did not.  In my experience /etc/crypttab has no effect on anything.  On my fully working LUKS1 setup, everything in /etc/crypttab is a commented out.  Also it sounds like crypttab is for post-boot, on whatever setup it does work (systemd?).
Login and encryption password are different, but thank you for pointing that out as an option.

Hi!  :)

But does GRUB support LUKS2? According to https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system, it doesn't.
Code: [Select]
No released version of GRUB supports LUKS2; see [1] and GRUB#Encrypted /boot for details. Use LUKS1 on partitions that GRUB needs to access.

From what I can tell, GRUB release does not support LUKS2, which is why I am using the git version.

Re: GRUB + LUKS2 not asking for password

Reply #4
luks2 in grub2 git is under heavy development.