Correct installation procedure for entering decryption password after Grub?

I’ve seen a lot of conflicting information when searching about this and, normally, I would probably just use Architect to achieve what I’m looking for but it looks like that’s no longer supported.

I would like to do a dual boot Windows installation with the Manjaro partition encrypted. However, I don’t want to use the Manjaro installer defaults because my understanding is that /boot/efi is placed inside the encrypted root partition and, therefore, has to be decrypted prior to loading Grub. I would rather either A) combine the boot partition with the existing Windows efi partition or B) have a separate unencrypted boot partition. Basically I want to load Grub first and only have to enter the decryption password if I’m booting into Manjaro.

I tried manually pointing the installer to the existing Windows 10 efi partition for /boot/efi and I tried creating a separate unencrypted partition where I put the /boot/efi mountpoint. But I still get prompted to enter my decryption password at boot prior to Grub.

I feel kinda silly because I’ve done this with Arch before and this has me more stumped. I appreciate any help!

see this

@stephane okay now I’m thoroughly confused. In the post you linked, isn’t this command

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=manjaro --recheck --verbose

what the installer should be running anyway (minus --recheck and --verbose)? If I run the installer and have /dev/sda1 marked with mountpoint /boot/efi and it has the boot flag, why would the installer process be any different than the one you linked?

What is useful is the way to chroot into a LUKS disk, in case you need it.

grub-install (here for GPT & /boot/efi) is here for a restore grub line for the link.

I guess I’m confused because grub isn’t broken, I just want to change the boot configuration. I can boot fine but I have to enter the decrypt password before grub and I want to decrypt after grub. Windows is unencrypted so it’s annoying to enter the decrypt password when I’m booting into Windows.

So I finally figured it out and am putting the solution here in case anyone stumbles across this.

Create separate unencrypted partitions for /boot AND /boot/efi. I made sure the /boot/efi partition was fat32 and had boot and esp flags using gparted but I don’t know if that’s necessary. The installer will warn you about having an unencrypted boot partition but you can still continue. For some reason, the grub theme doesn’t load but you’re not prompted for the decrypt password unless you choose Manjaro.

I still have no idea why this is necessary. With Arch, I am able to mount the existing unencrypted Windows EFI partition to /boot or /boot/efi and Grub will still load without the decryption password. So the idea that the mount point must be decrypted prior to Grub doesn’t make sense to me. Nevertheless, this solution worked for me.

EDIT: I’m guessing the grub theme won’t load because it’s located at usr/share/grub/themes/manjaro/theme.txt which is encrypted when grub is displayed.
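Added example, not part of the original thread: a check of which filesystem holds `/boot/grub` (where a standard grub-install keeps grub.cfg and its modules), since that decides whether GRUB needs the passphrase before it can draw the menu. The layouts are constructed samples in the format of `lsblk -rno NAME,TYPE,MOUNTPOINT`; the device names and the function names `holder_type` and `prompt_stage` are assumptions, and LUKS is assumed to sit directly on a partition with no LVM layer.

```shell
#!/bin/sh
# Added example (not from the thread). Input format assumed:
#   lsblk -rno NAME,TYPE,MOUNTPOINT
# Assumes LUKS sits directly on a partition (no LVM layer in between).

# Constructed sample: installer default, /boot lives inside the LUKS root.
LAYOUT_DEFAULT='sda disk
sda1 part /boot/efi
sda2 part
sda3 part
luks-root crypt /'

# Constructed sample: the layout from the solution post.
LAYOUT_SPLIT='sda disk
sda1 part /boot/efi
sda2 part
sda3 part /boot
sda4 part
luks-root crypt /'

# Print the lsblk TYPE of the device whose mountpoint is the longest
# prefix of path $2, i.e. the filesystem that actually holds that path.
holder_type() {
    printf '%s\n' "$1" | awk -v p="$2" '
        NF >= 3 {
            m = $3
            pre = (m == "/") ? "/" : m "/"
            if ((p == m || index(p, pre) == 1) && length(m) > best + 0) {
                best = length(m); type = $2
            }
        }
        END { print type }'
}

# GRUB reads grub.cfg from /boot/grub; if that is on a crypt device the
# passphrase is needed before the menu can be drawn.
prompt_stage() {
    if [ "$(holder_type "$1" /boot/grub)" = crypt ]; then
        echo before-menu
    else
        echo after-menu
    fi
}

prompt_stage "$LAYOUT_DEFAULT"   # before-menu
prompt_stage "$LAYOUT_SPLIT"     # after-menu
holder_type "$LAYOUT_SPLIT" /usr/share/grub/themes/manjaro/theme.txt  # crypt
```

On a live system, pass the real `lsblk -rno NAME,TYPE,MOUNTPOINT` output as the first argument in place of the sample layouts.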
