Why are 2 passwords required to boot the system with 1 luks partition?

Greetings. I’m experimenting a bit with full disk encryption and would like to understand it better, and ideally remove the second LUKS password that EndeavourOS creates by default.

Using automatic partitioning, I tried one partition for EFI (containing only .efi files) and another with an encrypted root (including /boot, with the kernel and initramfs).

I assumed this meant that only one password would be needed, but I see that EndeavourOS creates a second LUKS slot with a keyfile, and settings in the crypttab and dracut.
If all of that is removed (or just the slot for the keyfile), after unlocking and booting, the content in /boot asks for the LUKS unlock password again, which doesn’t seem to make any sense.

Could this be a design flaw in any of the involved components, or am I overlooking something?

Having set up full disk encryption on numerous Endeavour OS systems now, allowing Calamares to manage partitioning and such, I believe I can confirm that the default behaviour is a single password.

What I suspect may have happened (stressing that I only suspect) is that, if your drive's partition tables were not fully wiped prior to install, you may have something lingering from a previous setup.

When you use grub, the partition has to be unlocked by grub to read the kernel and initramfs. Then the initramfs needs to unlock it.

That is what the keyfile was for. The keyfile made it so that grub asked for a password and then the initramfs used the keyfile so you didn’t have to enter the password twice. Since you removed the keyfile, it now needs to ask twice.

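The keyfile arrangement the reply above describes, written out as an added example (this is not Calamares or EndeavourOS code): a POSIX shell script that re-creates the second LUKS key slot and the crypttab/dracut wiring so that GRUB prompts once for the passphrase and the initramfs then unlocks the same container with the keyfile. The root device /dev/sda2, the keyfile path /crypto_keyfile.bin, the mapper name luks-<UUID> and the dracut drop-in file name are assumptions modelled on the layout Calamares produces; the dd and stat options assume GNU coreutils on Linux.

```shell
#!/bin/sh
# Restore single-prompt boot for a GRUB + LUKS root where /boot lives inside
# the encrypted root. Added example, not EndeavourOS/Calamares code.
# Assumptions: ROOT_DEV is the LUKS container holding /, KEYFILE and
# DRACUT_CONF follow the Calamares-style paths (assumed, override via env).
set -eu

ROOT_DEV="${ROOT_DEV:-/dev/sda2}"
KEYFILE="${KEYFILE:-/crypto_keyfile.bin}"
DRACUT_CONF="${DRACUT_CONF:-/etc/dracut.conf.d/calamares-luks.conf}"

# /etc/crypttab entry: <mapper name> UUID=<luks uuid> <keyfile> <options>
# The initramfs reads this to know which keyfile opens which container.
crypttab_line() {
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# dracut drop-in: copy the keyfile and crypttab into the initramfs image.
# The image itself sits on the encrypted /boot, so the key is only exposed
# after GRUB has already taken the passphrase.
dracut_conf() {
    printf 'install_items+=" %s /etc/crypttab "\n' "$1"
}

# Check a keyfile before enrolling it: non-empty and not world-readable.
# Returns 0 when acceptable, 1 otherwise.
keyfile_ok() {
    f="$1"
    [ -s "$f" ] || return 1
    mode=$(stat -c '%a' "$f")      # GNU stat: octal permission bits
    case "$mode" in
        0|400|600) return 0 ;;
    esac
    return 1
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    uuid=$(cryptsetup luksUUID "$ROOT_DEV")

    # 1. Random keyfile, created with a tight umask, then locked to mode 000
    #    (root still reads it; nothing else can).
    if [ ! -e "$KEYFILE" ]; then
        (umask 077; dd if=/dev/urandom of="$KEYFILE" bs=512 count=8 status=none)
        chmod 000 "$KEYFILE"
    fi
    keyfile_ok "$KEYFILE" || { echo "refusing to enrol $KEYFILE" >&2; return 1; }

    # 2. Add it to a free key slot. This prompts once for the existing passphrase.
    cryptsetup luksAddKey "$ROOT_DEV" "$KEYFILE"

    # 3. Tell the initramfs to use the keyfile for this container.
    crypttab_line "luks-$uuid" "$uuid" "$KEYFILE" >> /etc/crypttab

    # 4. Embed keyfile + crypttab in the initramfs.
    dracut_conf "$KEYFILE" > "$DRACUT_CONF"

    # 5. GRUB must be able to open the container to reach kernel + initramfs.
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' /etc/default/grub \
        || echo 'GRUB_ENABLE_CRYPTODISK=y' >> /etc/default/grub

    dracut --force --regenerate-all
    grub-mkconfig -o /boot/grub/grub.cfg

    # Show the populated key slots so the second slot is visibly present.
    cryptsetup luksDump "$ROOT_DEV"
}

if [ "${1:-}" = "--apply" ]; then
    apply
fi
```

Run it as root with `--apply`; the only interactive step is the luksAddKey prompt. The check in keyfile_ok is the part worth keeping in mind: the scheme is only as safe as the place the keyfile ends up. Here it is stored on the encrypted root and inside an initramfs that also lives on the encrypted /boot, so it is never readable without the passphrase. If /boot were instead on an unencrypted partition, the same initramfs would carry the key in the clear, and removing the slot (as the original poster did) would be the right call.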

Oh, so I understand that the point is to let initramfs start from scratch.
Thank you! I was wasting a lot of time trying to “fix” this.

