Converting from systemd-boot encrypted to grub

I want to know if there’s a way I can convert my systemd-boot encrypted installation to grub.
The esp is mounted at /efi and it’s encrypted and using dracut.
I would like not to reinstall and have a method to convert it into grub so I could use grub boot snapshots.

Yes, it can be done.

I don’t think we have an existing tutorial for that but the basic steps are:

  • Remove kernel-install-for-dracut
  • Install grub
  • Copy your kernel params from /etc/kernel/cmdline to the appropriate place in /etc/default/grub
  • Install eos-dracut
  • Reinstall any kernel packages you have installed. i.e. linux or linux-lts
  • Run sudo grub-mkconfig -o /boot/grub/grub.cfg
  • Run grub-install with the appropriate options

do i need to chroot? what of grub not being able to boot from encrypted boot?

Not unless you break something along the way.

Why wouldn’t grub be able to boot from an encrypted boot?
See the encrypted boot section, it needs special package and is pretty messed up.

That is for luks2 with argon2id.

Is your luks partition using argon2id?

The only thing I see for luks1 is setting GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub

You may get asked for the password twice but you can fix that after everything it booting correctly.

EOS uses luks2, that’s what I guessed. Does it use luks1? I don’t know about that. How can I check it?

Our installer uses luks1 because grub does not support luks2/argon2id.

what parameters do i need to copy? I haven’t changed anything and its btrfs encrypted install with systemd boot.

Almost all of them. Can you share the contents of /etc/kernel/cmdline? It is only one line.

nvme_load=YES nowatchdog rw rootflags=subvol=/@ rd.luks.uuid=dd82472f-d6ad-4cd1-a0d8-26b844650ec8 root=/dev/mapper/luks-dd82472f-d6ad-4cd1-a0d8-26b844650ec8 quiet

Yes, all of that should be copied.

okay thanks!

It goes into the line GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub

thanks a lot for your time!

1 Like

Works fine just one problem.
It’s asking for password twice.
Since it’s using dracut, how do I add the keyfile?

Well yes…like I said:

You need to create a luks keyfile, then add that keyfile to your luks volume and dracut config.

Also, you should clean up the old files in /efi that you don’t need anymore.

Add a file named /etc/dracut.conf.d/keyfile.conf with the contents:

install_items+=" /crypto_keyfile.bin "

You can replace /crypto_keyfile.bin with whatever you name your keyfile.

cryptsetup luksAddKey /dev/sdX# /crypto_keyfile.bin

Output of lsblk

259:0 0 238.5G 0 disk
│ 259:1 0 1000M 0 part /efi
259:2 0 237.5G 0 part
254:0 0 237.5G 0 crypt /var/log

What do I replace with /dev/sdx# in the above command?

Looks like /dev/nvme0n1p2 but that output is formatted not quite right.