Btrfs + LUKS via tutorial = Slowwwww boot time

If you’re willing to re-install anyway, you could do us a big favor and actually first try to change the iterations of slot0 to something like 500000 or 250000 and report its effect on your boot times.

Instead of doing a complete re-install, you could also try to convert your current system to one with an unencrypted boot partition.

Pretty straightforward if you happen to have 300-500MB of free space for the /boot partition. If not, you could try resizing the luks partition to free up some space. You can find a description on how to do this here. You’d just have to adjust for btrfs (Disclaimer: haven’t done this myself for btrfs yet).

I changed the iterations of slot 0 down to 500000. The time to open the slot decreased from approx. 20 sec. to down to less than 3 sec., as expected in one of your previous posts.

I have the possibility to shorten the Windows partition and then create a new /boot-partition.
Some questions before doing that:

1. Should the /boot-partition be formatted with ext4 or btrfs? IIRC grub only can handle a ext4-partition for /boot.
2. Does the new /boot-partition needs some partition flags? If yes, is boot enough
3. If the /boot-partition is created, I have to move all the data from the /boot-directory to the new partition, excluding the data from EFI, right?
4. Next steps will be chrooting to recreate the kernel, grub and EFI-configuration, right?
5. Did I miss a step?
   Thank you!

The expert will be along, but my own experience of ‘mixed’ boot setups means I can answer some of those…

1. ext4 is easiest for ANY bootloader
2. Flags are for UEFI if present
3. makes sense - also an fstab entry for /boot needs to be in /

Can’t think of anything else I did for my f2fs setups

Thanks!
I forgot this step which is quite necessary.

Thanks a lot!

The main reason I stick to btrfs with an encrypted boot is that the kernels and initramfs will be part of the root btrfs-snapshots I make; this isn’t the case with an unencrypted boot partition. If you then happen to restore a snapshot that doesn’t fit your kernel version you may not be able to boot and then have to downgrade your kernel by chrooting from a live environment.
Happened to me occasionally with lvm-snapshots during my lvmonluks period. That’s why I personally will stick to BTRFSonLUKS with an encrypted boot for the foreseeable future.

For future reference:

Influence of cryptsetup’s iter-time, iterations and your CPU on GRUB2’s decryption time
‘=======================================================================’

LUKS uses PBKDF2 for key derivation. The supplied passphrase by the user is combined with a salt and hashed a specified number of rounds. This is called key stretching and makes the password more secure against brute force attacks. The total number of iterations is determined by the speed of the current hardware and can be influenced by setting the number of milliseconds that will be spent in PBKDF2 passphrase processing (–iter-time). At the time of writing the default iter-time is 2000 (2 seconds) for LUKS2. See here for other current defaults.

So, the unlock time for a key-slot is calculated for your specific hardware when setting a passphrase and defaults to 2 seconds. If you set a passphrase on a slow machine and then unlock it on a fast machine, the unlocking time can be much shorter and vice versa. Also take into account that up to 8 key-slots (LUKS2: up to 32 key-slots) have to be tried in order to find the right one.
A possible attacker will most certainly brute-force on high-end hardware, so you’ll benefit from a combination of a high iteration number and a secure password.

• To check your current unlock time, run
  TIMEFORMAT='%lU';time sudo cryptsetup luksOpen --test-passphrase --verbose <encrypted-device>
  E. g. for the luks partition /dev/sda2, run
  TIMEFORMAT='%lU';time sudo cryptsetup luksOpen --test-passphrase --verbose /dev/sda2

• To check the current number of iterations of all your keyslots, run
  sudo cryptsetup luksDump <encrypted-device> | grep -B1 "Iterations:"

• To change the iteration number of a current passphrase, run
  sudo cryptsetup luksChangeKey --pbkdf-force-iterations <iterations> <encrypted-device>
  E. g. if your current iteration number is 2500000, use 5000000 as <iteration>-value to increase the iterations to the equivalent of 4 seconds (from 2s) unlock time for your specific hardware.

Why is the GRUB2 (boot) unlock time so much longer than the set iter-time?

GRUB is early bootstage. On a device with an encrypted /boot there is no OS (no Linux kernel) available yet. Unfortunately Grub’s implementation is really slow on most machines, since (unlike the kernel) it can only do pure software decryption or AES-NI, not SSE-accelerated decryption. Thus your first grub unlock stage will probably take multiple times longer than your set iter-time; multiple in this context meaning it could take 10 or more times longer than the calculated default 2 seconds. So the encryption will probably add about 20sec to the boot time for most users.

=> There is a linear relationship between your grub decryption time and your iteration count. You should be able to halve your grub unlock time by halving your keyslots iteration number.

So, why not simply decrease the iterations to reduce the grub unlock time?
You could, but this is generally a very bad idea, unless you only use high-entropy passphrases. If you decrease the iteration time without ensuring that, then you put your system at increased risk, and considering how rarely LUKS containers are unlocked in a typical work-flow, you do so without a good reason.
Don’t do it. The iteration time is already low enough that users with low entropy passphrases are vulnerable. Lowering it even further increases this danger significantly.

This “loader” time includes grub waiting for the user to enter the LUKS password, the time it takes to decrypt the HD and it includes the time grub is displaying the menu. So where exactly are you losing the time?

Does it take so long before the grub menu appears?
Does it take so long to display the grub menu?
What is your GRUB_TIMEOUT?

I tried the first line but obviously i need to add something to it?

<encrypted-device> => /dev/sda2 or similar?

Do you put it inside the <> and use the whole drive or the root partition?
Edit: It’s an nvme drive

Sorry, no, not inside <>. Substitute “<encrypted-device>” with your encrypted luks device, e. g. /dev/sda2 or /dev/nvme0n1p2

Do you also substitute the passphrase?

No, just the <…> stuff.

I’m just not getting it? Everything i have put in gives me an error.

[ricklinux@eos-cinnamon ~]$ lsblk -l
NAME                            MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                               8:0    0 465.8G  0 disk  
sda1                              8:1    0   512M  0 part  
sda2                              8:2    0 465.3G  0 part  
sdb                               8:16   0   3.6T  0 disk  
sdb1                              8:17   0   3.6T  0 part  
luks-a5a43309-2a90-4c15-8a0d-63fe709a9cdd
                                254:0    0 465.3G  0 crypt /run/timeshift/backup
nvme1n1                         259:0    0 465.8G  0 disk  
nvme0n1                         259:1    0 465.8G  0 disk  
nvme1n1p1                       259:2    0   512M  0 part  /boot/efi
nvme1n1p2                       259:3    0 465.3G  0 part  
nvme0n1p1                       259:4    0   512M  0 part  
nvme0n1p2                       259:5    0 465.3G  0 part  
[ricklinux@eos-cinnamon ~]$ 

@2000
Finally i got it to work.

[ricklinux@eos-cinnamon ~]$ TIMEFORMAT=’%lU’;time sudo cryptsetup luksOpen --test-passphrase --verbose /dev/nvme1n1p2
Enter passphrase for /dev/nvme1n1p2:
Key slot 0 unlocked.
Command successful.
0m2.051s
[ricklinux@eos-cinnamon ~]$

Okay so this part is fast but when i actually boot and do this it takes about 20 secs

Edit: It may have something to do with the fact i am loading it using rEFInd?

20s, exactly as expected. This seems to be the price for an encrypted boot, which can only be lowered by reducing the iterations and thus, security.

I don’t think refind plays a role in this; doesn’t it just call grub2?