Can't unlock LUKS2 encrypted boot partition with GRUB
From: Mike Benson
Subject: Can't unlock LUKS2 encrypted boot partition with GRUB
Date: Tue, 7 Jul 2020 08:10:06 +1000
I am playing around with full disk encryption, but Grub is not being
cooperative.
I am using a build of Grub cloned from the Git repository, so luks2 support
is available. I have run grub-mkconfig and grub-install, preloading
part_gpt, luks2 and cryptodisk modules.
The boot partition is locked with two keys at the moment. The second is a
temporary, memorable (but low entropy) passphrase for testing.
If I boot from the live usb, I can do:
*Code:*
cryptsetup luksOpen /dev/nvme0n1p2 BOOT
and that works fine with the second key.
When I boot the target, I get a "no such device" error and get dropped into
a rescue shell. I'll deal with that later.
I type:
*Code:*
set debug=all
cryptomount (hd0,gpt2)
...
Enter passphrase for hd0,gpt2 (<UUID follows>): <Types passphrase>
disk/luks2.c:598: Trying keyslot 0
disk/luks2.c:613: Decryption with keyslot 0 failed
...
error: Could not parse digest 1.
If I do a luksDump, I can confirm there is no digest 1 (although there is a
digest 0, referenced by both keyslots). I don't know if this is a bug with
searching the keyslots, or a problem with the LUKS header (though surely
cryptsetup would have problems if that were the case).
Any grub masters available to offer suggestions?
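
The header layout described in the message above (two keyslots, both referenced by digest 0, and no digest 1), as an added example that is not part of the original post: it resolves each keyslot to its digest through the digest's own `keyslots` list, since LUKS2 digest IDs are independent of keyslot IDs. The JSON is a constructed sample trimmed to the fields used, and the function names `keyslot_digests` and `audit` are hypothetical.

```python
import json

# Constructed sample: LUKS2 JSON metadata trimmed to the fields used here,
# mirroring the message (keyslots 0 and 1, a single digest with ID 0).
SAMPLE_METADATA = """
{
  "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
  "segments": {"0": {"type": "crypt"}},
  "digests": {
    "0": {"type": "pbkdf2", "keyslots": ["0", "1"], "segments": ["0"]}
  }
}
"""

def keyslot_digests(metadata):
    """Map each keyslot ID to the IDs of the digests that list it."""
    mapping = {slot: [] for slot in metadata.get("keyslots", {})}
    for digest_id, digest in metadata.get("digests", {}).items():
        for slot in digest.get("keyslots", []):
            # setdefault also records references to keyslots that do not exist
            mapping.setdefault(slot, []).append(digest_id)
    return mapping

def audit(metadata):
    """Return findings about how keyslots and digests line up."""
    keyslots = metadata.get("keyslots", {})
    digests = metadata.get("digests", {})
    findings = []
    resolved = keyslot_digests(metadata)
    for slot in sorted(resolved, key=int):
        ids = resolved[slot]
        if slot not in keyslots:
            findings.append(f"digest {', '.join(ids)} references missing keyslot {slot}")
        elif not ids:
            findings.append(f"keyslot {slot} is not referenced by any digest")
        elif slot not in digests:
            # Valid layout, but a lookup of "digest <slot>" would find nothing.
            findings.append(
                f"keyslot {slot} is verified by digest {', '.join(ids)}; "
                f"no digest with ID {slot} exists"
            )
    return findings

if __name__ == "__main__":
    meta = json.loads(SAMPLE_METADATA)
    print(keyslot_digests(meta))
    for line in audit(meta):
        print(line)
```

Recent cryptsetup releases can print the real metadata with `cryptsetup luksDump --dump-json-metadata <device>`, whose output can be passed to `json.loads` in place of the sample.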