Password for encrypted laptop asked twice + strange waiting time
Hello,

So I installed OS 15.5 on a Lenovo laptop with a normal /boot/efi and an encrypted LVM including partitions /, /home and /swap

Now when I start the laptop I am asked twice for the password, where the first one takes 1 minute (!) until the GRUB menu appears and then asks it a second time...

Something is wrong. But what?

The Lenovo logo appears in the middle of the screen, and in the upper left corner:

Welcome to GRUB! Enter passphrase for hd0, gpt2 (long number):

I enter the passphrase (there is no feedback, the cursor doesn't move). After hitting enter, it says "Attempting to decrypt master key"

This takes a full minute. Then the usual openSUSE GRUB menu appears, I chose to start OS 15.5 and again am asked

Please enter passphrase for disk NAME (cr_...part..):

(This is the kind of prompt I am used to, it has feedback for characters entered (*) and immediately after hitting enter the boot process starts.)

- What is that first passphrase question for?
- Why does it appear? (I have never seen that and have installed don't know how many PCs and laptops)
- How can I get rid of it?

Thanks for your help!

Daniel

--
Daniel Bauer photographer Basel Málaga
Twitter: @Marsfotografo (often explicit nudes)
https://www.patreon.com/danielbauer
https://www.daniel-bauer.com (nudes)
On 2024-06-14 16:41, Daniel Bauer wrote:
> [LUKS activation in grub] takes a full minute.

See https://bugzilla.opensuse.org/show_bug.cgi?id=1184069

> - What is that first passphrase question for?

grub needs to read its config, and kernel and initrd from /boot. And that is on an encrypted device in your case.

> - Why does it appear? (I have never seen that and have installed don't know how many PCs and laptops)
> - How can I get rid of it?

See the relevant bugs:
https://bugzilla.opensuse.org/show_bug.cgi?id=1206710
https://bugzilla.opensuse.org/show_bug.cgi?id=1212853
https://bugzilla.opensuse.org/show_bug.cgi?id=1205314

Andreas
(Sorry for unintended private answer, Andreas)

On 14.06.24 at 16:53, Andreas Stieger via openSUSE Users wrote:
> On 2024-06-14 16:41, Daniel Bauer wrote:
>> [LUKS activation in grub] takes a full minute.
> See https://bugzilla.opensuse.org/show_bug.cgi?id=1184069
>> - What is that first passphrase question for?
> grub needs to read its config, and kernel and initrd from /boot. And that is on an encrypted device in your case.
>> - Why does it appear? (I have never seen that and have installed don't know how many PCs and laptops)
>> - How can I get rid of it?
> See the relevant bugs:
> https://bugzilla.opensuse.org/show_bug.cgi?id=1206710
> https://bugzilla.opensuse.org/show_bug.cgi?id=1212853
> https://bugzilla.opensuse.org/show_bug.cgi?id=1205314
> Andreas

Thank you Andreas,

I wasn't aware that in the /-tree within the encrypted LVM there will be a /boot directory, as I had a separate, unencrypted /boot/efi partition.

So I installed again, and added an unencrypted /boot partition outside of the LVM.

(To not have to change the LVM from the last install, I just made the /boot/efi partition smaller (0.2 instead of the 0.5 GiB that the installer proposed) and used the freed 0.3 GiB for the new /boot partition. I checked on my desktop and saw that those sizes should be enough.)

Now the laptop starts normally, is asking for the passphrase only once and the further procedure is immediate, without waiting time.

So, your hint has solved my problem, thank you!

Daniel
On 2024-06-14 17:40, Daniel Bauer wrote:
> (Sorry for unintended private answer, Andreas)
> On 14.06.24 at 16:53, Andreas Stieger via openSUSE Users wrote:
>> On 2024-06-14 16:41, Daniel Bauer wrote:
>>> [LUKS activation in grub] takes a full minute.
>> See https://bugzilla.opensuse.org/show_bug.cgi?id=1184069
>>> - What is that first passphrase question for?
>> grub needs to read its config, and kernel and initrd from /boot. And that is on an encrypted device in your case.
>>> - Why does it appear? (I have never seen that and have installed don't know how many PCs and laptops)
>>> - How can I get rid of it?
>> See the relevant bugs:
>> https://bugzilla.opensuse.org/show_bug.cgi?id=1206710
>> https://bugzilla.opensuse.org/show_bug.cgi?id=1212853
>> https://bugzilla.opensuse.org/show_bug.cgi?id=1205314
>> Andreas
> Thank you Andreas,
> I wasn't aware that in the /-tree within the encrypted LVM there will be a /boot directory, as I had a separate, unencrypted /boot/efi partition.
> So I installed again, and added an unencrypted /boot partition outside of the LVM.
> (To not have to change the LVM from the last install, I just made the /boot/efi partition smaller (0.2 instead of the 0.5 GiB that the installer proposed) and used the freed 0.3 GiB for the new /boot partition. I checked on my desktop and saw that those sizes should be enough.)
> Now the laptop starts normally, is asking for the passphrase only once and the further procedure is immediate, without waiting time.
> So, your hint has solved my problem, thank you!

I have a fully encrypted Lenovo laptop, just without using LVM, as prepared by YaST. Also running Leap 15.5 currently. It has these partitions:

/boot/efi
/
/home
swap

Each is separately encrypted, except "/boot/efi" (the ESP partition).

On booting, the code in /boot/efi is read and it asks for the passphrase. The grub menu appears, the kernel loads and it asks for the passphrase a second time, this time by the kernel. The first time it is grub code asking.

Grub needs the passphrase in order to be able to load the kernel in RAM. And the kernel needs the passphrase later in order to open the disks.

This is normal.

However, there is a trick so that it asks only once, basically by storing an encryption key file inside the initrd archive. I cannot explain the trick in detail because it is no use to you (you are using LVM) and I'd have to read my notes ;-)

The LVM encryption method is older.

--
Cheers / Saludos,
Carlos E. R. (from 15.5 x86_64 at Telcontar)
On Fri, 14 Jun 2024 19:28:31 +0200 "Carlos E. R." <robin.listas@telefonica.net> wrote:
> On 2024-06-14 17:40, Daniel Bauer wrote:
>> (Sorry for unintended private answer, Andreas)
>> On 14.06.24 at 16:53, Andreas Stieger via openSUSE Users wrote:
>>> On 2024-06-14 16:41, Daniel Bauer wrote:
>>>> [LUKS activation in grub] takes a full minute.
>>> See https://bugzilla.opensuse.org/show_bug.cgi?id=1184069
>>>> - What is that first passphrase question for?
>>> grub needs to read its config, and kernel and initrd from /boot. And that is on an encrypted device in your case.
>>>> - Why does it appear? (I have never seen that and have installed don't know how many PCs and laptops)
>>>> - How can I get rid of it?
>>> See the relevant bugs:
>>> https://bugzilla.opensuse.org/show_bug.cgi?id=1206710
>>> https://bugzilla.opensuse.org/show_bug.cgi?id=1212853
>>> https://bugzilla.opensuse.org/show_bug.cgi?id=1205314
>>> Andreas
>> Thank you Andreas,
>> I wasn't aware that in the /-tree within the encrypted LVM there will be a /boot directory, as I had a separate, unencrypted /boot/efi partition.
>> So I installed again, and added an unencrypted /boot partition outside of the LVM.
>> (To not have to change the LVM from the last install, I just made the /boot/efi partition smaller (0.2 instead of the 0.5 GiB that the installer proposed) and used the freed 0.3 GiB for the new /boot partition. I checked on my desktop and saw that those sizes should be enough.)
>> Now the laptop starts normally, is asking for the passphrase only once and the further procedure is immediate, without waiting time.
>> So, your hint has solved my problem, thank you!
> I have a fully encrypted Lenovo laptop, just without using LVM, as prepared by YaST. Also running Leap 15.5 currently. It has these partitions:
> /boot/efi
> /
> /home
> swap
> Each is separately encrypted, except "/boot/efi" (the ESP partition).
> On booting, the code in /boot/efi is read and it asks for the passphrase. The grub menu appears, the kernel loads and it asks for the passphrase a second time, this time by the kernel. The first time it is grub code asking.
> Grub needs the passphrase in order to be able to load the kernel in RAM. And the kernel needs the passphrase later in order to open the disks.
> This is normal.
> However, there is a trick so that it asks only once, basically by storing an encryption key file inside the initrd archive. I cannot explain the trick in detail because it is no use to you (you are using LVM) and I'd have to read my notes ;-)
> The LVM encryption method is older.

What's the point of this tale for Daniel? AFAICT he now has a working system and all I can understand of your tale is more complication and confusion for him, unless he understands it is irrelevant. Or have I misunderstood?
On 14.06.2024 at 16:41, Daniel Bauer wrote:
> Hello,
> So I installed OS 15.5 on a Lenovo laptop with a normal /boot/efi and an encrypted LVM including partitions /, /home and /swap
> Now when I start the laptop I am asked twice for the password, where the first one takes 1 minute (!) until the GRUB menu appears and then asks it a second time...
> Something is wrong. But what?
> The Lenovo logo appears in the middle of the screen, and in the upper left corner:
> Welcome to GRUB! Enter passphrase for hd0, gpt2 (long number):
> I enter the passphrase (there is no feedback, the cursor doesn't move). After hitting enter, it says "Attempting to decrypt master key"
> This takes a full minute. Then the usual openSUSE GRUB menu appears, I chose to start OS 15.5 and again am asked
> Please enter passphrase for disk NAME (cr_...part..):
> (This is the kind of prompt I am used to, it has feedback for characters entered (*) and immediately after hitting enter the boot process starts.)
> - What is that first passphrase question for?
> - Why does it appear? (I have never seen that and have installed don't know how many PCs and laptops)
> - How can I get rid of it?
> Thanks for your help!
> Daniel

Everything seems correct.

GRUB needs the password to read files and config from disk. It has no direct way of passing the password to the kernel, so the kernel asks for it again.

There is a solution: https://en.opensuse.org/SDB:Encrypted_root_file_system

Also, the waiting for the GRUB menu comes from a non-optimized cryptography implementation (I think there are some technical limitations). See https://wiki.archlinux.org/title/GRUB/Tips_and_tricks#Speeding_up_LUKS_decry...
On 14.06.2024 18:05, Adam Mizerski via openSUSE Users wrote:
> On 14.06.2024 at 16:41, Daniel Bauer wrote:
>> Hello,
>> So I installed OS 15.5 on a Lenovo laptop with a normal /boot/efi and an encrypted LVM including partitions /, /home and /swap
>> Now when I start the laptop I am asked twice for the password, where the first one takes 1 minute (!) until the GRUB menu appears and then asks it a second time...
>> Something is wrong. But what?
>> The Lenovo logo appears in the middle of the screen, and in the upper left corner:
>> Welcome to GRUB! Enter passphrase for hd0, gpt2 (long number):
>> I enter the passphrase (there is no feedback, the cursor doesn't move). After hitting enter, it says "Attempting to decrypt master key"
>> This takes a full minute. Then the usual openSUSE GRUB menu appears, I chose to start OS 15.5 and again am asked
>> Please enter passphrase for disk NAME (cr_...part..):
>> (This is the kind of prompt I am used to, it has feedback for characters entered (*) and immediately after hitting enter the boot process starts.)
>> - What is that first passphrase question for?
>> - Why does it appear? (I have never seen that and have installed don't know how many PCs and laptops)
>> - How can I get rid of it?
>> Thanks for your help!
>> Daniel
> Everything seems correct.
> GRUB needs the password to read files and config from disk. It has no direct way of passing the password to the kernel, so the kernel asks for it again.

It has and it does. It applies to the device where /boot/grub is located. As we have no idea how many encrypted devices OP has we have no way to guess whether it is a bug or normal behavior.

> There is a solution: https://en.opensuse.org/SDB:Encrypted_root_file_system

Yes, for any other device than the one needed by grub you will need to do it.

> Also, the waiting for the GRUB menu comes from a non-optimized cryptography implementation (I think there are some technical limitations). See https://wiki.archlinux.org/title/GRUB/Tips_and_tricks#Speeding_up_LUKS_decry...
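
Editor's added example, not code from any participant in the thread: the two questions the replies turn on (is /boot on an encrypted device, and how many encrypted devices are there) can be answered from `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT`. The device names, both sample layouts and the function names below are constructed for illustration, and the sketch assumes every filesystem's mount point shows up in the MOUNTPOINT column.

```python
import shlex
# Constructed `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output (not from the thread).
# Layout A: /boot inside the encrypted LVM. Layout B: separate plain /boot partition.
LAYOUT_A = '''
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot/efi"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/home"
'''
LAYOUT_B = '''
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot/efi"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda3" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/home"
'''

def parse_lsblk_pairs(text):
    """Map kernel name -> {column: value} for each KEY="value" line."""
    devices = {}
    for line in text.strip().splitlines():
        row = dict(tok.split("=", 1) for tok in shlex.split(line))
        devices[row["KNAME"]] = row
    return devices

def crypt_under_boot(devices):
    """Crypt layers below /boot (a separate /boot mount wins over the root fs)."""
    holder = next((k for want in ("/boot", "/")
                   for k, d in devices.items() if d["MOUNTPOINT"] == want), None)
    if holder is None:
        raise ValueError("no /boot or / mount point in lsblk output")
    layers = []
    while holder in devices:  # walk up the parent chain to the disk
        if devices[holder]["TYPE"] == "crypt":
            layers.append(holder)
        holder = devices[holder]["PKNAME"]
    return layers

def report(text):
    devices = parse_lsblk_pairs(text)
    all_crypt = sorted(k for k, d in devices.items() if d["TYPE"] == "crypt")
    return {"grub_must_unlock": crypt_under_boot(devices), "all_crypt": all_crypt}

if __name__ == "__main__":
    print(report(LAYOUT_A), report(LAYOUT_B), sep="\n")
```

A non-empty `grub_must_unlock` means GRUB has to open that device before it can read its config, kernel and initrd; any entry in `all_crypt` that is not in that list is a device only the kernel opens.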
Participants (6): Adam Mizerski, Andreas Stieger, Andrei Borzenkov, Carlos E. R., Daniel Bauer, Dave Howorth