Libreboot grub asks for LUKS password twice

GNUser
Joined: 07/17/2013

Hey guys,

So, I installed my SSD in my T400 Libreboot laptop. I followed the instructions on the guide for doing so, and after some adjustments I got the system to boot just fine. However, I am having the issue of having to input my full disk encryption password twice! I searched around and found this https://wiki.parabola.nu/Installing_Parabola_on_Libreboot_with_full_disk_encryption_(including_/boot) As it seems the folks at Parabola have the same issue and explain why. So far so good, I tried using their solution for the problem (see under 11 Bonus: Using a key file to unlock /boot/) but they issue a command that does nothing in Trisquel, namely mkinitcpio.
Is there anything that I have to install in order to get this to work under Trisquel 8?

Thanks.

Ignacio.Agullo
Joined: 09/29/2009

On 13/01/19 04:21 wrote:
> So, I installed my SSD in my T400 Libreboot laptop. I followed the
> instructions on the guide for doing so, and after some adjustments I
> got the system to boot just fine. However, I am having the issue of
> having to input my full disk encryption password twice! I searched
> around and found this
> https://wiki.parabola.nu/Installing_Parabola_on_Libreboot_with_full_disk_encryption_(including_/boot)
> As it seems the folks at Parabola have the same issue and explain
> why. So far so good, I tried using their solution for the problem (see
> under 11 Bonus: Using a key file to unlock /boot/) but they issue a
> command that does nothing in Trisquel, namely mkinitcpio.
> Is there anything that I have to install in order to get this to work
> under Trisquel 8?

That's a feature not a bug. It isn't asking for the same password
twice but asking you for two passwords: the password for the encrypted
boot partition and the password for the other encrypted partition. You
happened to set the same password for both partitions.

--
Ignacio Agulló · name at domain

GNUser
Joined: 07/17/2013

I'm not sure that's the case... I mean, it only asked for one password during the Trisquel 8 installation process, the Full Disk Encryption password. Maybe it is the case of being necessary to unlock both boot and swap?
However according to the Parabola guide, it is possible to automate that process, and I am trying to do that. However it doesn't seem to work for Trisquel, and that's what I need some help with. I attach a picture of the second time the system asks for the password.

Thanks.

pic.jpg
Ignacio.Agullo
Joined: 09/29/2009

On 14/01/19 02:44 wrote:
> I'm not sure that's the case... I mean, it only asked for one password
> during the Trisquel 8 installation process, the Full Disk Encryption
> password. Maybe it is the case of being necessary to unlock both boot
> and swap?
> However according to the Parabola guide, it is possible to automate
> that process, and I am trying to do that. However it doesn't seem to
> work for Trisquel, and that's what I need some help with. I attach a
> picture of the second time the system asks for the password.

It goes like this:
- Libreboot asks you for the password for the /boot logical volume,
  mounts it and starts the boot process.
- The boot process asks you for the password for the / (root) logical
  volume, mounts it and starts the system.

As for why Libreboot sets two separate logical volumes instead
of one in order to get full disk encryption, I can only guess that it is
so because it builds on the more common [non-full] disk encryption
procedure, that encrypts everything except for the /boot logical volume
so the BIOS can read it. Rather than creating a new procedure that
encrypted the entire filesystem in a single logical volume, they take
the already existing procedure and add a second encryption for the /boot
logical volume.

What I can tell you is that you get some error messages that
shouldn't be there. Everything goes right until "Begin: Mounting root
file system...". But then, you get these unexpected messages:

----- Start quote -----
Volume group "grubcrypt" not found
Cannot process volume group grubcrypt
lvmetad is not active yet, using direct activation during sysinit
Volume group "grubcrypt" not found
Cannot process volume group grubcrypt
----- End quote -----

After that, I am surprised to see that the start process continues
without hindrance. You get the prompt for the root logical-volume
password, "Please unlock disk sdb_crypt", mine is different: "Unlocking
the disk ... (sdb1_crypt) Enter passphrase". We are using different
Libreboot versions, yours probably newer than mine.

So, definitely it is not the same password twice, but two passwords
that happen to be the same. But when it comes to your real question,
how to avoid being requested two passwords, I'm sorry that I don't know
about the file option. It never bothered me to introduce two passwords
at each start.

--
Ignacio Agulló · name at domain

Ignacio.Agullo
Joined: 09/29/2009

On 14/01/19 13:46, Ignacio Agulló wrote:
> So, definitely it is not the same password twice, but two passwords
> that happen to be the same.

Well, I have my doubts after checking that the volume ID
supplied is the same one both times. Could it be that the ID and
password are for the LUKS and the same password is entered twice, the
first time to mount the boot logical volume inside, and the second time to
mount the root logical volume inside?

--
Ignacio Agulló · name at domain

GNUser
Joined: 07/17/2013

Thanks for your help. According to the Parabola link I provided above it goes like this:

"By default, you will have to enter your LUKS passphrase twice; once in GRUB, and once when booting the kernel. GRUB unlocks the encrypted partition and then loads the kernel, but the kernel is not aware of the fact that it is being loaded from an encrypted volume. Therefore, you will be asked to enter your passphrase a second time. A workaround is to put a key file inside initramfs, with instructions for the kernel to use it when booting. This is safe, because /boot/ is encrypted (otherwise, putting a key file inside initramfs would be a bad idea)."

That's what they say. Hence me thinking that it is indeed the same password (as in it is one only password and not two separate passwords that just happen to be the same).
I tried following their procedure but they make use of a command "mkinitcpio" and its configuration file. However, I can't get it to work in Trisquel 8. Parabola's way of installing in Libreboot systems is slightly different, so I am unsure how to adjust it to our own. I have tried reading other pages online about using a key file to unlock partitions but there is much information I don't understand.
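
The second prompt discussed in this thread comes from the initramfs, which on Debian-derived systems such as Trisquel is configured through /etc/crypttab: a key field of `none` means a passphrase prompt, a path means a key file. The audit script below is an added example, not part of the original thread or of the Parabola guide; the sample targets (other than `sdb1_crypt`), UUIDs, key paths and the `ROOT` argument are constructed for illustration.

```shell
#!/bin/sh
# audit_crypttab FILE [ROOT]: one line per crypttab entry, "<target> <status>":
#   prompt          key field is "none" or "-": passphrase is asked at boot
#   device-key      key comes from a device node such as /dev/urandom (swap)
#   keyfile-ok      key file exists, no permission bits for group or other
#   keyfile-open    key file exists but group or other can access it
#   keyfile-missing key file named in crypttab does not exist
# ROOT (an assumption of this example) is prefixed to key file paths so the
# audit can run against a mounted or constructed tree instead of /.
audit_crypttab() {
    crypttab=$1
    root=${2:-}
    while read -r target source key options; do
        case $target in ''|\#*) continue ;; esac
        case $key in
            ''|none|-) echo "$target prompt"; continue ;;
            /dev/*)    echo "$target device-key"; continue ;;
        esac
        if [ ! -e "$root$key" ]; then
            echo "$target keyfile-missing"
            continue
        fi
        # stat -c %a (GNU coreutils) prints the octal mode, e.g. 400 or 644.
        case $(stat -c %a "$root$key") in
            0|*00) echo "$target keyfile-ok" ;;
            *)     echo "$target keyfile-open" ;;
        esac
    done < "$crypttab"
}

# Constructed sample tree: targets other than sdb1_crypt, the UUIDs and the
# key paths are made up for illustration.
run_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/keys"
    : > "$d/etc/keys/root.key"; chmod 0400 "$d/etc/keys/root.key"
    : > "$d/etc/keys/data.key"; chmod 0644 "$d/etc/keys/data.key"
    cat > "$d/etc/crypttab" <<'EOF'
# <target>  <source device>  <key file>  <options>
sdb1_crypt  UUID=00000000-0000-0000-0000-000000000001  none                luks
root_crypt  UUID=00000000-0000-0000-0000-000000000002  /etc/keys/root.key  luks
data_crypt  UUID=00000000-0000-0000-0000-000000000003  /etc/keys/data.key  luks
swap_crypt  /dev/sdb5                                  /dev/urandom        swap
EOF
    audit_crypttab "$d/etc/crypttab" "$d"
    rm -rf "$d"
}
run_sample
```

Run it against an installed system with `audit_crypttab /etc/crypttab`. An initramfs image that embeds a key file needs the same private permissions as the key file itself.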

GNUser
Joined: 07/17/2013

Of course it would be easier if I just installed GRUB on disk with the Trisquel installation (I have done some changes to grub that way before on other computers), but it feels redundant to do so and I think it will slow down the boot process a bit. Plus all the documentation on the libreboot page points to using the ROM GRUB.