Attempting to decrypt master key... takes 10 seconds

Just downloaded and installed the latest version of EndeavourOS as of 4/20/2022. Since this is a laptop, I elected to encrypt the disk during the installation. Everything works fine; however, on startup it takes a long time for the key to be decrypted. Sometimes between 10 and 20 seconds. Grub just sits there with the message “Attempting to decrypt master key…”. Eventually it goes forward and boots up just fine.

After researching the issue it appears that this has something to do with the complexity of the key. I have read multiple people comment about creating a new key with fewer iterations or something of that nature. What I haven’t found is anything that explains how to do that in a way I can understand. I am hesitant to start typing commands that I don’t fully comprehend and end up bricking my laptop.

Can someone please suggest how to change the key to a less complex one and what commands I need to do it?

Thanks in advance for assistance.

The issue is that grub decryption happens entirely in software as grub doesn’t support hardware decryption.

1 Like

On Solus it takes 1 sec, EOS 10 secs, same pw, same hw, same NVMe.

Is this an issue of the complexity of the key just being very high by default on installation? I have an older laptop (with an original Antergos install) that takes zero seconds to decrypt. I can’t imagine it is because of the speed of the laptop but the complexity used during install. How can I make this faster?

Solus uses an unencrypted initramfs. That means that the initramfs can decrypt it, which has the benefit of all the functionality of the kernel/initramfs, including hardware-accelerated decryption.

If you are willing to lower your security a bit you can configure EOS this way as well.

No

See above.

1 Like

Yes, I have no problem with lower level security. Nothing super secret on the laptop, just want to keep casual folks out in case it got stolen. How do I configure EOS to do as you suggest? Does it have to be done at installation or can it be done after install?

You need an unencrypted /boot partition.

If it is a fresh install, it is probably easier to re-install. Use manual partitioning and create a 1GiB ext4 partition and mount it at /boot.

If it is not a clean install, you can do it post-install.

  • Create 1GiB of free space somewhere on the disk
  • Create an ext4 partition in that space
  • Copy the data from /boot into it, excluding the data in /boot/efi
  • Add an entry in /etc/fstab for the new /boot partition
  • sudo umount /boot/efi
  • sudo mount /boot
  • sudo mount /boot/efi
  • If all that worked, reboot. If it worked, you should not be asked for a password at all
  • Lastly remove the keyfile from your luks volume
  • Reboot and this time you should be asked for a password

I should warn you that there is a side-effect of this process if you are using btrfs. It will limit your ability to boot into snapshots and/or restore snapshots seamlessly.

2 Likes
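A check for the “If all that worked” step above: after the reboot, the point is that /boot must be a real mount on a plain ext4 partition rather than a directory inside the LUKS-mapped root, with /boot/efi mounted beneath it. The script below is an added example, not something from this thread or from EndeavourOS; it reads `findmnt -rn -o TARGET,SOURCE,FSTYPE` output on stdin and reports one verdict per check. The two sample outputs inside it are constructed, and the device names and the `luks-…` mapping name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): confirm the /boot layout after moving
# /boot to its own unencrypted ext4 partition. Real usage on the machine:
#   findmnt -rn -o TARGET,SOURCE,FSTYPE | check_boot_layout
# The sample outputs further down are constructed.

# Exit 0 when /boot is a real mount on a plain (non device-mapper) ext4 device
# and /boot/efi is a vfat mount; exit 1 otherwise. One verdict line per check.
check_boot_layout() {
  awk '
    $1 == "/boot"     { boot_src = $2; boot_fs = $3 }
    $1 == "/boot/efi" { efi_src = $2; efi_fs = $3 }
    END {
      rc = 0
      if (boot_src == "") {
        print "FAIL: /boot is not its own mount, it still lives inside the encrypted root"; rc = 1
      } else if (boot_src ~ /^\/dev\/(mapper|dm-)/) {
        print "FAIL: /boot sits on a device-mapper target (" boot_src "), GRUB would still have to unlock it"; rc = 1
      } else if (boot_fs != "ext4") {
        print "FAIL: /boot is " boot_fs ", expected ext4"; rc = 1
      } else {
        print "OK: /boot is a separate " boot_fs " mount on " boot_src
      }
      if (efi_src == "") {
        print "FAIL: /boot/efi is not mounted; mount /boot first, then /boot/efi"; rc = 1
      } else if (efi_fs != "vfat") {
        print "FAIL: /boot/efi is " efi_fs ", expected vfat"; rc = 1
      } else {
        print "OK: /boot/efi on " efi_src
      }
      exit rc
    }
  '
}

# Constructed findmnt output: before the migration /boot is just a directory
# on the encrypted root, so only / and /boot/efi appear.
BEFORE='/ /dev/mapper/luks-11111111-2222-4333-8444-555555555555[/@] btrfs
/boot/efi /dev/nvme0n1p1 vfat'

# Constructed findmnt output after the migration: /boot is its own ext4 mount
# on a plain partition (device name assumed), /boot/efi nested beneath it.
AFTER='/ /dev/mapper/luks-11111111-2222-4333-8444-555555555555[/@] btrfs
/boot /dev/nvme0n1p3 ext4
/boot/efi /dev/nvme0n1p1 vfat'

echo "before migration:"
printf '%s\n' "$BEFORE" | check_boot_layout || echo "  -> layout not migrated yet"
echo "after migration:"
printf '%s\n' "$AFTER" | check_boot_layout || echo "  -> something went wrong"
```

Because /boot/efi is nested under /boot, the mount order in the steps above matters: /boot/efi has to be unmounted before /boot is mounted, and mounted again afterwards, otherwise the ESP ends up hidden under the new mount; the check's “mount /boot first, then /boot/efi” message points at exactly that mistake.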

Thanks, I will have to study this a bit and see if it is something I feel comfortable trying to do. Install is new so I wouldn’t lose much to re-do but can’t do it while traveling on the road currently.

Is the default installation of EndeavourOS with encryption always going to result in 10+ second delays on boot to decrypt for everyone? Is there no way to choose the complexity desired at installation so as to reduce the boot delay? I think a lot of people will want encryption but will think twice if it is going to result in boot times taking so long.

No. It depends on the speed of your CPU.

So I just counted the time it took and it was actually 20 seconds for the key to decrypt. This is on a Ryzen 9 6000 series (mobile) processor. While it isn’t quite as fast as a desktop processor, it is pretty much AMD’s top of the line mobile solution for 2022. While I understand it is CPU dependent, I can’t believe that this is behaving properly. I think the key that was created is too complex.

I have seen issues like these before.

I think the Calamares installer uses an --iter-time 200000 where a luks2 default is 2000. We are talking ms, so the 20 s equals an --iter-time of 200000.

When you encrypt a device, the encryption matches the CPU, so if you create a portable encrypted system designed for booting on other systems, the decryption time will be different depending on the device used to boot the encrypted system.

One of the reasons the recommendation has been to encrypt the storage on the system it is intended to be used with.

=> Your system is behaving exactly as expected! (See this post for a detailed explanation.)

As @dalto already stated, the unlock time for a key-slot is calculated for your specific hardware when setting a passphrase and defaults to 2 seconds (once the system can make use of hardware assisted decryption).

Grub can only do pure software decryption or AES-NI, not SSE-accelerated decryption. Thus your first grub unlock stage will probably take multiple times longer than your set iter-time; multiple in this context meaning it could take 10 or more times longer than the calculated default 2 seconds. So the encryption will probably add about 20 sec to the boot time for most users.


If you absolutely can’t live with this you basically have three options:

  1. Don’t use encryption at all

  2. Change to a setup with an unencrypted /boot
    (Downside is you’ll have somewhat reduced security because your kernels and initramfs are potentially accessible to everyone.)

  3. Lower the iteration number of your current passphrase (see the aforementioned post)
    (Absolutely not recommended; the ~2 second (respectively ~20 in grub) default (on your system) was chosen by developers for a reason. Lowering the iter-time can seriously compromise security. Combine that with a subpar passphrase and your system may just have become brute-forceable without the need of high-end machinery.)

4 Likes
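The two posts above make one point that is easy to verify without changing anything: the iteration count is fixed in the LUKS header when the passphrase is set, and the unlock time is that count divided by how fast the unlocking environment can run the KDF, which is why the same keyslot takes ~2 s in the initramfs and ~20 s in grub. The script below is an added example, not from this thread or from the cryptsetup or EndeavourOS projects. It pulls the per-keyslot PBKDF parameters out of `cryptsetup luksDump` output (a read-only command) and turns an iteration count plus an iterations-per-second rate into an unlock-time estimate. The two header dumps embedded in it are constructed samples with fake salts and UUIDs, and the two rates used in the estimate are assumed figures, not measurements.

```shell
#!/bin/sh
# Added example, not from the thread or from cryptsetup/EndeavourOS.
# Real usage (read-only, nothing on the device is modified):
#   sudo cryptsetup luksDump /dev/nvme0n1p2 | luks_keyslot_pbkdf
# The two dumps below are constructed samples with fake salts and UUIDs.

# One line per enabled keyslot: "<slot> pbkdf2 iterations <n>" for PBKDF2
# slots, "<slot> argon2id timecost <t> memory_kib <m>" for Argon2 slots.
# Understands the LUKS1 "Key Slot N: ENABLED" layout and the LUKS2
# "Keyslots:" section, and ignores the LUKS2 "Digests:" section, which also
# carries an "Iterations:" line that has nothing to do with the passphrase.
luks_keyslot_pbkdf() {
  awk '
    /^Key Slot [0-9]+: ENABLED/  { slot = $3; sub(":", "", slot); pbkdf = "pbkdf2"; in_ks = 1; next }
    /^Key Slot [0-9]+: DISABLED/ { slot = ""; next }
    /^Keyslots:/                 { in_ks = 1; slot = ""; next }
    /^(Tokens|Digests|Data segments):/ { in_ks = 0; slot = ""; next }
    in_ks && /^  [0-9]+: luks2/  { slot = $1; sub(":", "", slot); pbkdf = ""; next }
    in_ks && slot != "" && /PBKDF:/      { pbkdf = $2; next }
    in_ks && slot != "" && /Iterations:/ { print slot, pbkdf, "iterations", $2; next }
    in_ks && slot != "" && /Time cost:/  { tc = $3; next }
    in_ks && slot != "" && /Memory:/     { print slot, pbkdf, "timecost", tc, "memory_kib", $2; next }
  '
}

# Unlock time in milliseconds for <iterations> at <iterations per second>.
# On the running system the rate comes from `cryptsetup benchmark`
# ("PBKDF2-sha256  N iterations per second for 256-bit key"); grub has no
# such benchmark and, as the post above explains, runs the KDF much slower.
estimate_unlock_ms() {
  awk -v iters="$1" -v rate="$2" 'BEGIN { printf "%d\n", (iters * 1000) / rate }'
}

# Constructed LUKS1 header dump (Version 1 layout): one enabled keyslot.
LUKS1_DUMP='LUKS header information for /dev/nvme0n1p2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
MK iterations:  512000
UUID:           00000000-0000-4000-8000-000000000000

Key Slot 0: ENABLED
        Iterations:             2048000
        Salt:                   de ad be ef
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED'

# Constructed LUKS2 header dump: slot 0 uses Argon2id, slot 1 uses PBKDF2.
LUKS2_DUMP='LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           00000000-0000-4000-8000-000000000001

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
        Salt:       de ad be ef
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
        Salt:       de ad be ef
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000'

echo "LUKS1 keyslots:"; printf '%s\n' "$LUKS1_DUMP" | luks_keyslot_pbkdf
echo "LUKS2 keyslots:"; printf '%s\n' "$LUKS2_DUMP" | luks_keyslot_pbkdf
# Same keyslot, two unlockers. Both rates are assumed: a kernel-speed rate
# that lands on the 2 s default, and a grub rate ten times slower.
echo "initramfs unlock: $(estimate_unlock_ms 2048000 1024000) ms"
echo "grub unlock:      $(estimate_unlock_ms 2048000 102400) ms"
```

Reading the output against the posts above: the stored number is the iteration count, not a time, so the same slot that was tuned to ~2 s on the installing machine's kernel becomes ~20 s in grub purely because grub's rate is lower. Lowering the count is the option marked not recommended above, and the parser makes it obvious why: the count is the only thing standing between an attacker's guess rate and your passphrase.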

Thank you for the detailed explanation. Now that I understand this is intentional, I can respect the developers’ decisions. However, would it not be possible to allow the user to determine some of these settings at install? Like could users be given the choice between different levels of security depending on their needs? Have a lower setting option with faster boot times or a most secure option with longer boot times? Or at the very least warn the user that using encryption as is will add 20 seconds to the boot time?

For me, I use encryption on a laptop simply because if it gets stolen, I just want to make sure that the thief with likely marginal computer skills will not be able to simply turn it on and access my file system. This is 99.99% the most likely scenario I would be concerned about and why I choose to use encryption. I think this is what most of the EndeavourOS users are concerned about and why they would decide to use encryption in the first place.

Having a 20 second delay on the boot time gives me pause though. It is very unlikely the laptop will get stolen, let alone stolen by someone who could get past any sort of encryption even if it was very basic encryption. Yet now I am faced with long boot times every time I need to turn the machine on. This is compounded by the fact that sleep and hibernate aren’t working properly (results in black screen) so my power management settings will be set to just turn off the laptop entirely. A simple workaround to another issue but no longer a desirable one with such a long boot time.

At any rate, I will have to ponder what changes I will make to make this work best for me. I appreciate all of your help and explanations. At least now I know it is working as intended and can decide what to do now based off that knowledge.

I don’t know how easy it would be to implement this, but looking at distros like Ubuntu and Pop!_OS that have a company behind them and $ to support development, the encryption is a pretty minimal option, either encrypt or don’t. So not sure that wish would be implemented in EOS anytime soon.

From my perspective, I reboot my system perhaps once a week or even less and I keep it mostly in suspend when moving from one place to another or overnight. Most recent laptops have long battery life, and reboots might not be necessary that often. However I get it, I don’t encrypt because I hate waiting more than 2s :rofl: