[Bug 1166005] New: 20s to unlock fully encrypted partition
http://bugzilla.opensuse.org/show_bug.cgi?id=1166005

            Bug ID: 1166005
           Summary: 20s to unlock fully encrypted partition
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Bootloader
          Assignee: jsrain@suse.com
          Reporter: axel.braun@gmx.de
        QA Contact: jsrain@suse.com
          Found By: ---
           Blocker: ---

I have a new TW installation with a 940GB encrypted root partition (including
/boot, excluding /boot/efi).
When starting the machine, grub asks in text mode for the passphrase. After
entering the passphrase, it takes about 20s until the graphical boot screen
appears.

X1E:/home/test # lsblk
NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
nvme0n1       259:0    0 953,9G  0 disk
├─nvme0n1p1   259:1    0   500M  0 part  /boot/efi
├─nvme0n1p2   259:2    0   937G  0 part
│ └─cr_root   254:0    0   937G  0 crypt /
└─nvme0n1p3   259:3    0  16,4G  0 part  [SWAP]

linux:/home/test # cryptsetup luksDump /dev/nvme0n1p2
LUKS header information for /dev/nvme0n1p2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
MK digest:      c3 b3 b9 a1 4b cd 08 8d 93 47 59 be f1 b8 f3 24 5f ae 81 75
MK salt:        8b 87 eb c4 bd 43 4e af 57 ef eb 9f 3c 38 a9 8a
                f4 c5 63 2f 1b f6 98 1a 49 62 36 e0 9e 12 8a db
MK iterations:  153840
UUID:           720864c9-f8ed-405e-9a17-ccfa1d2f347b

Key Slot 0: ENABLED
        Iterations:             1229280
        Salt:                   5f 9b 38 6b 29 b4 2e b0 80 35 c5 bd 88 9f 77 61
                                29 6c 34 00 54 3c af a5 5a d4 f6 15 7e e4 8d c4
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

It is an i7-9750H machine, so CPU power should not be an issue...

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c1
--- Comment #1 from Axel Braun
http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c2
--- Comment #2 from Axel Braun
Jiri Srain
http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c3
Benjamin Greiner changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |code@bnavigator.de
--- Comment #3 from Benjamin Greiner ---
The problem is that full disk encryption as provided by the TW installer also
means encrypting /boot. The LUKS implementation of GRUB is really slow.
https://www.reddit.com/r/archlinux/comments/6ahvnk/grub_decryption_really_sl...
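Added example, not part of the bug report and not code from GRUB or cryptsetup: a rough cost estimate for one LUKS1 passphrase attempt, using the hash, key size and iteration counts from the luksDump in the report. It counts only PBKDF2 work (the anti-forensic merge is ignored); the function names and the benchmark salt are made up for illustration.

```python
import hashlib
import re
import time

# Fields excerpted from the luksDump in the report (salts and digests omitted).
LUKS_DUMP = """\
Version:        1
Hash spec:      sha256
MK bits:        512
MK iterations:  153840
Key Slot 0: ENABLED
        Iterations:             1229280
        AF stripes:             4000
Key Slot 1: DISABLED
"""

LUKS_DIGEST_SIZE = 20  # bytes of master-key digest stored in a LUKS1 header


def parse_luks1_dump(text):
    """Return hash name, master-key bytes, MK iterations and per-slot iterations."""
    def field(name):
        return re.search(rf"^{name}:\s*(\S+)", text, re.M).group(1)
    slots = {int(n): int(it) for n, it in re.findall(
        r"^Key Slot (\d+): ENABLED\s*\n\s*Iterations:\s*(\d+)", text, re.M)}
    return {"hash": field("Hash spec"), "mk_bytes": int(field("MK bits")) // 8,
            "mk_iter": int(field("MK iterations")), "slots": slots}


def hmac_calls_per_attempt(hdr, slot):
    """HMAC invocations needed to test one passphrase against one key slot."""
    hlen = hashlib.new(hdr["hash"]).digest_size
    blocks = lambda nbytes: -(-nbytes // hlen)  # PBKDF2 repeats all iterations per output block
    return (blocks(hdr["mk_bytes"]) * hdr["slots"][slot]   # passphrase -> slot key
            + blocks(LUKS_DIGEST_SIZE) * hdr["mk_iter"])   # candidate MK -> digest check


def local_hmac_rate(hash_name, iterations=200_000):
    """Measure this machine's PBKDF2 speed in HMAC invocations per second."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(hash_name, b"benchmark", b"constructed-salt", iterations)
    return iterations / (time.perf_counter() - start)


if __name__ == "__main__":
    hdr = parse_luks1_dump(LUKS_DUMP)
    work = hmac_calls_per_attempt(hdr, 0)
    rate = local_hmac_rate(hdr["hash"])
    print(f"HMAC-{hdr['hash']} calls per unlock attempt: {work}")
    print(f"estimated time with hashlib here: {work / rate:.2f} s")
    print(f"rate implied by a 20 s unlock:    {work / 20:.0f} calls/s")
```

Because a 512-bit key needs two SHA-256 output blocks, the slot's iteration count is paid twice per attempt. cryptsetup picks that count by benchmarking its own PBKDF2 at format time, so a slower PBKDF2 in the boot loader stretches the same work over a longer wait.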
http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c4
Neil Rickert
Is systemd-boot maybe a solution for this?

I don't think so.

You can install it with "bootctl", and there is probably a man page for that on your system. But I think it only sets up a framework that you have to maintain. So whenever there's a kernel update, you would have to update the boot configuration for systemd-boot.

Note that systemd-boot avoids the problem you are having, because the kernel and "initrd" are copied into the EFI partition. But you could also avoid your problem by just copying kernel, "initrd" and "grub.cfg" into the EFI partition yourself. You would run into the same problem, that after a kernel update you would have to reconfigure booting.

Another alternative is to use a separately unencrypted "/boot". I do that (it requires using the expert partitioner during install). But then I am using "ext4". The problem when using "btrfs" is that if you do a rollback to an earlier snapshot, that rolls back the kernel modules but does not roll back the kernel. So a separate "/boot" is not recommended with "btrfs".
http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c5
--- Comment #5 from Michael Chang
Vojtech Zeisek
http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c6
--- Comment #6 from Vojtech Zeisek
http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c7
--- Comment #7 from Axel Braun
I have on three systems encrypted LVM containing whole root and swap, so the only unencrypted part is /boot/efi. The CPUs are Intel Atom x5-Z8350 [1], Intel Core™ i5-6300U [2] and AMD Ryzen 9 3900X [3]. They differ considerably in their performance, but interestingly, on all three machines the decryption takes 20 seconds. :-) All systems have SSD disks.

Sounds like a conceptual problem in grub. I have re-partitioned the laptop with only /home encrypted, and now everything is fine.
Ignacio Taranto
Ignacio Taranto
http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c9
Dirk Weber
Martin Jambor