Change behaviour for asking password on encrypted devices

Hey,

I just set up a new notebook with dual boot (Windows 10 LTSC / EndeavourOS) with both systems encrypted.

Now, when grub starts, it first asks for the password to decrypt, then shows the list with the grub entries. The problem is that if I want to start Windows, I have to enter the password a second time.

Can I change the behaviour to FIRST ask what I want to start and then ask for the password?

If you create a decrypted partition for grub to be in, “yes”. Otherwise, “no”, because it has to decrypt the partition to read the config.

What many people do with grub is have an unencrypted /boot partition. This way, the root partition gets unlocked by the initramfs, not grub.


If I see it right, the ISO installer created one unencrypted /boot partition, and swap and / are encrypted (LUKS).

If I understand you right, I simply have to move the grub configs to /boot?

What kind of configs?

Are you sure that isn’t your EFI partition?

Can we see lsblk -o name,fstype,type,label,size,mountpoint

Sure you can 🙂

user@192.168.5.241's password: 
[user@zbook ~]$ lsblk -o name,fstype,type,label,size,mountpoint
NAME                                          FSTYPE      TYPE  LABEL   SIZE MOUNTPOINT
sda                                                       disk        953,9G 
├─sda1                                        vfat        part          300M /boot/efi
├─sda2                                        crypto_LUKS part        936,5G 
│ └─luks-4e83938e-7dde-4d30-83ac-f5c5edd3b4be ext4        crypt       936,5G /
└─sda3                                        crypto_LUKS part         17,1G 
  └─luks-6c661088-236c-423e-9f34-4e5522982baa swap        crypt swap   17,1G [SWAP]
sdb                                                       disk        476,9G 
├─sdb1                                        vfat        part          100M 
├─sdb2                                                    part           16M 
├─sdb3                                                    part        476,3G 
└─sdb4                                        ntfs        part          525M 
[user@zbook ~]$

Edit:

And GRUB has one entry for EndeavourOS linux-zen and one for Windows:

HD(1,GPT,c4c505da-236a-4ae9-9109-d3f19d519726,0x800,0x32000)/File(\EFI\VeraCrypt\DcsBoot.efi)

It looks like you would need to either create an unencrypted /boot partition or mount your existing EFI partition at /boot. If you can find a spot for a small partition(1G), the former is a simpler and more conventional solution than the latter.
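
The point made in the replies above (grub has to unlock LUKS itself when /boot is just a directory on the encrypted root) can be checked from lsblk output. This is an added example, not part of the thread: `boot_backing` and both sample layouts are constructed, the "after" layout with a separate ext4 /boot on sda2 is hypothetical, and LVM on top of LUKS is not handled.

```shell
#!/bin/sh
# Added example. Reads `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT` on stdin and
# reports whether the filesystem holding /boot sits on an opened LUKS mapping.
# Live system: lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT | boot_backing
boot_backing() {
  awk -v target="/boot" '
    # Extract the value of KEY="value" from the current line.
    function val(key,   line, re) {
      line = " " $0; re = " " key "=\"[^\"]*\""
      if (!match(line, re)) return ""
      return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    {
      m = val("MOUNTPOINT")
      if (substr(m, 1, 1) != "/") next          # skips "" and [SWAP]
      # Keep the longest mountpoint that contains the target path.
      if ((m == target || m == "/" || index(target, m "/") == 1) && length(m) > best) {
        best = length(m); name = val("NAME"); type = val("TYPE")
      }
    }
    END {
      if (!best) exit 1
      state = (type == "crypt") ? "encrypted" : "plain"
      print state, name
    }'
}

# Constructed sample: the layout posted in the thread (mapping names shortened).
sample_before() {
  cat <<'EOF'
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="luks-root" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"
NAME="sda3" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="luks-swap" TYPE="crypt" FSTYPE="swap" MOUNTPOINT="[SWAP]"
EOF
}

# Constructed sample: hypothetical layout with a separate ext4 /boot on sda2.
sample_after() {
  cat <<'EOF'
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot"
NAME="sda3" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="luks-root" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"
EOF
}

sample_before | boot_backing   # encrypted luks-root
sample_after  | boot_backing   # plain sda2
```

"encrypted" means grub must prompt for the passphrase before it can read its config and show the menu; "plain" means the menu appears first and the initramfs asks for the passphrase only for the Linux entry.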

So if I understand you right, I simply back up /boot and its contents, create a new partition which isn't encrypted, and copy everything back? (And edit fstab.)

The 300 MB partition isn't encrypted, so can I use that?

That is one way to do it, yes.

That is your EFI partition. You can technically use that but I don’t recommend it. It will leave you with a fairly unconventional setup for grub.

Sorry for the maybe stupid question, but why? What is the difference between that partition and a new partition?

I would delete that “EFI partition” and create a new one with FAT32 too?

You can’t delete the EFI partition. Your machine needs it to boot.

The EFI partition is used by the UEFI boot process. For grub installs it is almost always mounted at /boot/efi.

As long as everything fits, you can move the contents of /boot to it and then unmount it and mount it at /boot. It will work, it will just be very non-standard.

So standard would be to have two partitions?

One for /boot and one for /boot/efi?

Edit:

If I install Arch Linux manually: https://wiki.archlinux.org/title/Installation_guide#Partition_the_disks

There the guide says simply to create one partition, where everything is under /boot: grub, efi, etc.

Standard for grub would be to have the EFI partition mounted at /boot/efi and have a separate boot partition if that is desired.

That is an example, not a directive. Also, mounting the EFI partition at /boot does make sense if you are using systemd-boot which it seems like most/many Arch users do.

The guide doesn’t consider the need for an unencrypted /boot to avoid grub decryption.

That being said, if you would prefer to use your EFI partition, go for it. As I have pointed out, it will work.


That is what I would do now (but I don't know how the installer now knows what format it should format the partitions with).

The installer requires the EFI partition to be mounted at /boot/efi I believe.

If you are going to reinstall, there is no reason to try to re-use that partition. Create separate /boot (ext4) and /boot/efi (fat32).


That's simpler, I think, because I haven't done anything with that install yet.

Yeah, it throws an error/information message about that, which I don't understand, because /boot exists, so it could create what it wants under /boot?

OK, I honestly don't understand why 2 partitions which handle boot are better than one, but I'll do it that way.


Edit:

OK, the installer just closed/crashed. I'll retry.

Ok, so far it works like it should. Thank you.

I now have only one “problem”. This behaviour is normal on this notebook because of the NVIDIA GPU:

But as soon as it loads the NVIDIA driver, the systemd output becomes normal.

But because it now asks for the password first, it gets stuck in these glitched graphics.

This is only a cosmetic problem, because I know it asks for the password and I simply type it in.

But is there a GRUB flag or something to make it look normal like it should? (vesa driver or so?)

I would try early loading for the nvidia modules in mkinitcpio.conf

https://wiki.archlinux.org/title/NVIDIA#Early_loading

Already done that. That fixes it only after it gets loaded, but not before that.