Converting from systemd-boot encrypted to grub

I want to know if there’s a way I can convert my systemd-boot encrypted installation to grub.
The esp is mounted at /efi and it’s encrypted and using dracut.
I would like not to reinstall and have a method to convert it into grub so I could use grub boot snapshots.

Yes, it can be done.

I don’t think we have an existing tutorial for that but the basic steps are:

  • Remove kernel-install-for-dracut
  • Install grub
  • Copy your kernel params from /etc/kernel/cmdline to the appropriate place in /etc/default/grub
  • Install eos-dracut
  • Reinstall any kernel packages you have installed. i.e. linux or linux-lts
  • Run sudo grub-mkconfig -o /boot/grub/grub.cfg
  • Run grub-install with the appropriate options

Do I need to chroot? What of grub not being able to boot from encrypted boot?

Not unless you break something along the way.

Why wouldn’t grub be able to boot from an encrypted boot?

https://wiki.archlinux.org/title/GRUB
See the encrypted boot section, it needs a special package and is pretty messed up.

That is for luks2 with argon2id.

Is your luks partition using argon2id?

The only thing I see for luks1 is setting GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub

You may get asked for the password twice but you can fix that after everything is booting correctly.

EOS uses luks2, that’s what I guessed. Does it use luks1? I don’t know about that. How can I check it?

Our installer uses luks1 because grub does not support luks2/argon2id.

What parameters do I need to copy? I haven’t changed anything and it’s a btrfs encrypted install with systemd boot.

Almost all of them. Can you share the contents of /etc/kernel/cmdline? It is only one line.

nvme_load=YES nowatchdog rw rootflags=subvol=/@ rd.luks.uuid=dd82472f-d6ad-4cd1-a0d8-26b844650ec8 root=/dev/mapper/luks-dd82472f-d6ad-4cd1-a0d8-26b844650ec8 quiet

Yes, all of that should be copied.

Okay, thanks!

It goes into the line GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub

Thanks a lot for your time!


Works fine just one problem.
It’s asking for password twice.
Since it’s using dracut, how do I add the keyfile?

Well yes…like I said:

You need to create a luks keyfile, then add that keyfile to your luks volume and dracut config.

Also, you should clean up the old files in /efi that you don’t need anymore.

Add a file named /etc/dracut.conf.d/keyfile.conf with the contents:

install_items+=" /crypto_keyfile.bin "

You can replace /crypto_keyfile.bin with whatever you name your keyfile.

cryptsetup luksAddKey /dev/sdX# /crypto_keyfile.bin

Output of lsblk

NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
nvme0n1
259:0 0 238.5G 0 disk
├─nvme0n1p1
│ 259:1 0 1000M 0 part /efi
└─nvme0n1p2
259:2 0 237.5G 0 part
└─luks-dd82472f-d6ad-4cd1-a0d8-26b844650ec8
254:0 0 237.5G 0 crypt /var/log
/var/cache
/swap
/home
/

What do I replace with /dev/sdx# in the above command?

Looks like /dev/nvme0n1p2 but that output is formatted not quite right.
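
The step discussed earlier in the thread, copying /etc/kernel/cmdline into GRUB_CMDLINE_LINUX_DEFAULT and setting GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub, written out as an added shell example that is not part of any post. The function names set_grub_var and cmdline_to_grub are made up for illustration, and the script takes both file paths as arguments so it can be tried on copies first.

```shell
#!/bin/sh
# Added example, not from the thread. Both file paths are arguments, so the
# edit can be rehearsed on copies before touching the real /etc/default/grub.

# set_grub_var FILE KEY VALUE
# Rewrite the first KEY= line (commented out or not), drop later duplicates,
# or append the assignment when the key is absent.
set_grub_var() {
    tmp=$(mktemp) || return 1
    if KEY=$2 VALUE=$3 awk '
        BEGIN { key = ENVIRON["KEY"]; line = key "=" ENVIRON["VALUE"] }
        $0 ~ ("^#?[ \t]*" key "=") { if (!done) print line; done = 1; next }
        { print }
        END { if (!done) print line }' "$1" > "$tmp"
    then
        cat "$tmp" > "$1"   # overwrite in place: keeps the file's owner and mode
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# cmdline_to_grub CMDLINE_FILE GRUB_DEFAULT_FILE
cmdline_to_grub() {
    # /etc/kernel/cmdline is a single line; normalise its whitespace.
    cmdline=$(head -n 1 "$1" | tr -s '\t' ' ' | sed 's/^ //; s/ $//')
    [ -n "$cmdline" ] || { echo "no kernel parameters in $1" >&2; return 1; }
    # grub-mkconfig sources /etc/default/grub as shell, so refuse anything that
    # would break out of the double quotes or trigger an expansion.
    case $cmdline in
        *\"*|*\`*|*\$*|*\\*)
            echo "quote or expansion character in $1; edit by hand" >&2
            return 1 ;;
    esac
    set_grub_var "$2" GRUB_CMDLINE_LINUX_DEFAULT "\"$cmdline\"" &&
        set_grub_var "$2" GRUB_ENABLE_CRYPTODISK y
}

# Run as: sh this-script CMDLINE_FILE GRUB_DEFAULT_FILE
if [ "$#" -eq 2 ]; then
    cmdline_to_grub "$1" "$2"
fi
```

After checking the result on copies, the same call can be pointed at the real files as root, followed by the grub-mkconfig and grub-install steps listed in the thread.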