grub-devel

Re: Can grub-git be used to decrypt a LUKS2 encrypted partition? Testing


From: Eli Schwartz
Subject: Re: Can grub-git be used to decrypt a LUKS2 encrypted partition? Testing Results
Date: Fri, 28 Aug 2020 13:06:13 -0400

On 8/28/20 12:35 PM, HardenedArray via Grub-devel wrote:
> Hi Eli,
> 
> Unless I missed what I said in this very long, convoluted LUKS2 IRC
> history, I do not recall telling you that I could cryptomount from a
> --type luks1 partition, simply because I had never had a reason to do
> so.

2020-08-17 03:27:30 PM  eschwartz       what I mean to say is, for
testing purposes it's useful to narrow down where grub might be failing
2020-08-17 03:28:16 PM  eschwartz       so instead of re-encrypting /
and /boot with luks2, try adding a new disk, encrypted with luks2, and
see if it can be mounted
2020-08-17 03:28:53 PM  eschwartz       this lets you test, in
isolation, whether grub can decrypt luks2 in general

2020-08-17 03:30:42 PM  eschwartz       if that works, then you can
follow on to the next stage -- seeing if the minimal grubx64.efi (or
BIOS core.img embedded in the MBR) can handle luks2 when unlocking /boot
(which is where extended modules are located)

2020-08-18 02:11:55 PM  h4rd3n3D        eschwartz:  following up from
yesterday, if this a sufficient test from your POV?  From a LUKS1 Arch
encrypted /boot system, I can easily mount a Fedora btrfs LUKS2
encrypted / partition.  The reverse boot and mount case is also true.
Both OSes run grub and can be independently booted.


My assumption was, here, that you performed the fedora mount using the
grub command line. In order to test grub.

Did you instead test this using the Linux initramfs command line? That
would test the linux "cryptsetup" program, a useless test.

> Again, grub boots my luks1 encrypted /boot system without issue,
> meaning I enter my passphrase at the grub (correct /dev/sda7 UUID)
> prompt (and NOT the `grub rescue>`) prompt and then boot continues
> until I reach KDE's SDDM login.
> 
> What I think I told you is:  once I'm logged into KDE on my luks1
> encrypted /boot system, I can easily mount another luks2 encrypted /
> on another partition, be that Fedora or some other OS.  No
> cryptomount command or `grub rescue>` prompt involved.  Only entering
> the correct LUKS passphrase is required.
> 
> Hope that helps...

-- 
Eli Schwartz
Arch Linux Bug Wrangler and Trusted User
