[SOLVED] GRUB cannot decrypt LUKS partition with Secure Boot enabled

Hi everyone,

I recently installed Artix with the runit init system and I am loving it! I encrypted my root partition with LUKS1. I wanted to enable Secure Boot, because I had it off during the installation, so I followed the guide on the Arch Wiki using sbctl. I enabled Secure Boot and I signed all the EFI files of GRUB. However, when I boot with Secure Boot enabled, GRUB shows errors which go like this:

Code:
Enter passphrase for hd0,gpt3:
Attempting to decrypt master key...
Slot 0 opened
error: prohibited by secure boot policy.
Entering rescue mode...
grub rescue>

This has also happened with Arch Linux and ArcoLinux. Sbctl shows that all files are signed, so I do not understand why GRUB shows the error "prohibited by secure boot policy" when decrypting. Because slot 0 is opened, I think GRUB is able to decrypt the master key but something goes wrong after that. Any ideas?

Thanks!

Re: GRUB cannot decrypt LUKS partition with Secure Boot enabled

Reply #1
UPDATE: I found the cause of the problem. I forgot to run grub-install with the --disable-shim-lock option today. Marking this thread as solved.