Encrypted install alongside Windows 10 fails to boot

So did you resize the Windows-partition in Windows or Linux?

GNU Grub is built and maintained by the GNU Project. Problems or feature requests for Grub should be directed there, I think.

You say Grub doesn’t show your Windows-installation, which would be a separate problem. I’m not quite sure where you stand right now, can you access your system?

Ok, let me summarize my whole “customer journey” :wink: :

My requirements

  • Dual Boot - Windows / Linux
  • At least Linux must be encrypted, best case: Windows is encrypted, too
  • Boot time / Wakeup Time < 30s till system is usable
  • System must be remote unlockable (via ssh)
  • As little time and effort as possible (no 10 hour sessions of config trial and error, till it works) - wizard click and work would be best

First try

  • Secure boot enabled
  • Fresh install of Windows, whole drive
  • Resizing the partition size to 200GB / 500GB in Windows
  • Encrypt Windows using bitlocker
  • Install endeavourOS (encrypted) on the 300GB remaining NOT selecting alongside because it was not visible
  • No boot possible (I thought it was due to secure boot issues, but as it seems it was mainly the wrong encryption password due to keyboard layout problems)

Second try

  • Secure boot enabled
  • Fresh install of Windows, whole drive
  • Resizing the partition size to 200GB / 500GB in Windows
  • Try the “alongside” option of install endeavourOS (encrypted) on the 300GB remaining with the wizard => NOT possible, it tried to resize the 200GB of windows into 100GB Windows and 100GB Linux
  • aborted

A few tries with different options later

  • Secure boot DISABLED
  • Fresh install of Windows, whole drive
  • NO resize in Windows
  • Try the “alongside” option of install endeavourOS (encrypted) on the 500GB Windows with the wizard => Installer resizes Windows
  • Result: Resizing worked (250GB Linux, 250GB Windows), Linux encryption worked, GRUB asks for crypt drive password

That is where I stand now…
So what are the issues:

  • First grub decrypt takes forever (> 20s) - regardless if the password is correct or not, while it works nice on other distros (so it seems that it is not a hardware issue)
    • This is a SHOWSTOPPER… I don’t wanna wait for my main system to boot that long
  • Grub menu does not show Windows, although it is possible to boot into windows via BIOS Menu (which is still kind of annoying)

Possible Fixes

  • Not encrypting /boot might solve the problems, but it has to be done manually. Unfortunately this is much more work than just clicking through the wizard.

I’d really love to check out EndeavourOS, but it seems my personal but strict requirements won’t let me until I have the time to do some research. Maybe I have to switch distro :-/

Well yes, “alongside” apparently means you install it in the same space as Windows. If you just want to have it on the same disk with the Win-part already resized, just install it normally, with os-prober set as package you want to install (it might already be in there, just to be sure), then arch-chroot your new partition and edit

/etc/default/grub

and uncomment

GRUB_DISABLE_OS_PROBER=false

and run

sudo grub-mkconfig -o /boot/grub/grub.cfg

If you invest so much time into this, wouldn’t it be not far to try manually partitioning the config?

Maybe not give up so fast. The more work you put into it, the more rewarding it feels when it works. :wink:
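
The os-prober fix described in the post above, as an added example that is not part of the original thread: it sets the option idempotently (whether the line is commented out, set to true, duplicated or missing) and checks the regenerated menu for a Windows entry. The function names are hypothetical and the demo file is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): enable os-prober in a GRUB defaults file.

# enable_os_prober FILE: force GRUB_DISABLE_OS_PROBER=false, keeping FILE.bak.
enable_os_prober() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1
    tmp=$(mktemp) || return 1
    # Replace the first assignment (commented out or not), drop later
    # duplicates, and append the setting if the file never mentions it.
    awk '
        /^[ \t]*#?[ \t]*GRUB_DISABLE_OS_PROBER=/ {
            if (!done) { print "GRUB_DISABLE_OS_PROBER=false"; done = 1 }
            next
        }
        { print }
        END { if (!done) print "GRUB_DISABLE_OS_PROBER=false" }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the existing inode so owner and mode stay unchanged.
    cat "$tmp" > "$file"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# os_prober_enabled FILE: succeeds if the active (uncommented) line is present.
os_prober_enabled() {
    grep -Eq '^[[:space:]]*GRUB_DISABLE_OS_PROBER="?false"?[[:space:]]*$' "$1"
}

# has_windows_entry CFG: succeeds if a generated grub.cfg has a Windows entry.
has_windows_entry() {
    grep -Eiq '^[[:space:]]*menuentry .*windows' "$1"
}

# Self-contained demo on a constructed defaults file; nothing under /etc is touched.
demo=$(mktemp)
printf '%s\n' 'GRUB_TIMEOUT=5' '#GRUB_DISABLE_OS_PROBER=false' > "$demo"
enable_os_prober "$demo" && os_prober_enabled "$demo" && echo "os-prober enabled in $demo"
rm -f "$demo" "$demo.bak"

# On the installed system (as root, e.g. inside arch-chroot), the same steps are:
#   enable_os_prober /etc/default/grub
#   grub-mkconfig -o /boot/grub/grub.cfg
#   has_windows_entry /boot/grub/grub.cfg || echo "no Windows entry generated" >&2
```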

I mean…it is a very small amount of additional work. It is a few extra clicks in a GUI. Even if you go really slowly through it considering every choice it is less than 5 minutes.

To be honest, if having to use the manual partition GUI is the thing that is holding you back I am not sure any Arch-based distro is a good choice for you. When you use an aggressively rolling distro, there are going to be times that you need to put work in to figure stuff out.

Secure boot should have been disabled from the start. Decrypt takes 20s is how long it takes on mine. It’s not a show stopper. It is a little bit of time. Windows doesn’t show on the grub menu because you have to set GRUB_DISABLE_OS_PROBER=false and then run sudo grub-mkconfig -o /boot/grub/grub.cfg.
This is a recent change from grub developers. To set up the parameters for the install is not hard and doesn’t take long to do.

Installing without encryption is a choice if one doesn’t like how long it takes to decrypt the drive on boot.

There are no 10 hour sessions of config trial & error till it works. If you were installing Arch from scratch it doesn’t even take that long.

That would be a show stopper for me…wtf is going on there. I am curious why decryption using grub is so much slower than when you decrypt in the initramfs.

Well it is longer than I would like but for me it’s not a show stopper is really what I mean when you think of it in terms of Windows. Sometimes Windows machines take way longer. Again it depends on the hardware too. My hardware is up to date so yes it is a bit long. I could be off by a few seconds also. I’ll time it next time and let you know for sure. I do know it’s a little slower than I’d like so I will agree with you.
It sucks! :laughing:

Edit: My install is via the @2000 wiki setup. I’m not sure if all luks encryption is the same time to decrypt?

Thx very much, I’ll try that next.

Nah I do not tend to give up that fast.

While I understand your point of view, I did never say that the manual partition GUI is holding me back. It is just taking a pretty long time to figure out a working config without deep knowledge of grub, luks and partitioning. I’d love to gain that, but it is frustrating, having to install windows all the time just to figure out that the config / partitioning does not work - and windows is part of the problem here. Unfortunately I need it for work.

You are all willing to help me and this is awesome, thank you. So I will listen to your advice and try the manual install with the suggestions above. While you all may be right, is this the right place for a feature request? Or is there a git repository / issue tracker for this?

Hmm. Depending on your hardware and needs you could just install only EOS and put your Windows into a virtual Qemu. As stated, depends what you need (graphics for example is not great, tried using it for netflix/prime hd, nogo) and what you have (some cpu-threads and ram to spare)

Quoted from this post. :wink:

GRUB is early bootstage. On a device with an encrypted /boot there is no OS (no Linux kernel) available yet. Unfortunately Grub’s implementation is really slow on most machines, since (unlike the kernel) it can only do pure software decryption or AES-NI, not SSE-accelerated decryption. Thus your first grub unlock stage will probably take multiple times longer than your set iter-time; multiple in this context meaning it could take 10 or more times longer than the calculated default 2 seconds. So the encryption will probably add about 20sec to the boot time for most users.


This looks promising: https://der-jd.de/blog/2020/02/10/ZoL-ArchLinux/

Encrypted ZFS on root is an interesting option. I’ll read more about that :slight_smile: Having ZFS Snapshots would be lovely.


You don’t need an understanding of all that. Most of it is handled by the installer. I am not in front of the installer right now but basically it works like this:

  • Find the existing ESP partition, it should be obvious given its small size and fat32 format. Set the mountpoint to /boot/efi, don’t format it.
  • Delete the existing EOS partition
  • Create a 1GB /boot partition, format it to ext4
  • Use the remainder of the space for a new partition. Format it to ext4 and check the encrypt box. Set the mountpoint to /

I think you will find it is easier than you are thinking it is.


This is what I do on my main workstation. I am a big ZFS advocate. That being said, it is vastly more complicated than the above. It requires a ton of manual setup and research into proper ZFS tuning.

I didn’t read that guide in detail but I can tell you that there shouldn’t be a need to create a special ISO for it. You can just use the normal Arch ISO and install the zfs-dkms module.

Also, that isn’t much of a guide, it is more like how one user configures their specific system.

I timed it and it’s about 12+ seconds.