Decrypting Manjaro to get to the installed GRUB bootloader takes 20+ secs?


#1

So I was distro hopping and had Windows + Qubes OS installed. However, I realized Manjaro is just best for my current workflow. Anyway, I booted a live CD and installed Manjaro, which was easy, and it was able to replace and install on the Qubes OS partition. I made sure to install with the encrypt option ticked so Manjaro has a password.

The issue is that when my PC starts up, it asks me to decrypt the drive. After entering my password it takes like 20 seconds to finally get to the GRUB bootloader.

If you decrypt Manjaro, how long does it take you after entering the password? Any way to speed it up?

I swear on Manjaro 17 it was a lot faster, if not instant.


#2

~8 seconds from hitting Enter to the “slot 0 opened” message. Still surprisingly long… I haven’t looked into speeding this up.
Drive is NVMe SSD, filesystem is btrfs.


#3

This depends on iteration counts and whether you open the device with GRUB or not. If you make a separate unencrypted /boot and get rid of GRUB’s cryptodisk option, your decryption time will increase at least twofold. Also run `sudo cryptsetup luksDump /dev/your_partition` to see the iteration count for the key.

Generally speaking, full disk encryption is somewhat overrated. If you use no keyfiles, there is no need to encrypt /boot; stick to LUKS v1 for GRUB compatibility. Moreover, solutions like luks-tpm allow using TPM-sealed keyfiles, which is way more convenient than entering an unlock passphrase on each boot. Just check the AUR and give it a chance.
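Following up on the luksDump suggestion above, here is an added example (not from the thread) that reduces `cryptsetup luksDump` output to one PBKDF-cost line per enabled keyslot and flags PBKDF2 slots above a chosen iteration threshold; the device path, the 500000 threshold and the embedded dump values are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): reduce `cryptsetup luksDump` output to a
# per-keyslot PBKDF cost line, so a slow pre-boot unlock can be traced to the
# iteration count. Pure text processing: no root, no device, works on saved output.
set -eu

# stdin: luksDump text.  stdout: "<slot> <pbkdf> <cost>" for each enabled slot.
# LUKS1 cost = PBKDF2 iterations; LUKS2 cost = "iter=N" or "time=T mem=KiB".
luks_slot_costs() {
  awk '
    /^Version:/                   { version = $2 }
    /^[A-Za-z][A-Za-z ]*:$/       { section = $1 }    # LUKS2 headings: Keyslots:, Digests:, ...
    /^Key Slot [0-9]+: ENABLED/   { slot = $3; sub(":", "", slot); active = 1; next }
    /^Key Slot [0-9]+: DISABLED/  { active = 0; next }
    version == 1 && active && /^[[:space:]]*Iterations:/ { print slot, "pbkdf2", $2; active = 0; next }
    section != "Keyslots:"        { next }            # only keyslot entries carry unlock cost
    /^  [0-9]+: luks2/            { slot = $1; sub(":", "", slot); next }
    /^[[:space:]]*PBKDF:/         { pbkdf = $2; next }
    /^[[:space:]]*Time cost:/     { tcost = $3; next }
    /^[[:space:]]*Iterations:/    { print slot, pbkdf, "iter=" $2; next }
    /^[[:space:]]*Memory:/        { print slot, pbkdf, "time=" tcost " mem=" $2; next }
  '
}

# Mark PBKDF2 slots above LIMIT iterations; GRUB runs the KDF without kernel
# crypto acceleration, so these dominate the wait before the menu appears.
flag_slow_slots() {  # usage: ... | flag_slow_slots 500000
  awk -v limit="$1" '
    { n = $3; sub(/^iter=/, "", n) }
    $2 == "pbkdf2" && n + 0 > limit + 0 { print $0, "SLOW"; next }
    { print }
  '
}

# Constructed LUKS1 dump in the layout cryptsetup prints (values are made up).
sample_luks1_dump() {
  printf '%s\n' 'Version:        1' 'Cipher name:    aes' 'Hash spec:      sha256' \
    'Key Slot 0: ENABLED' '    Iterations:          1000000' \
    'Key Slot 1: ENABLED' '    Iterations:          250000' \
    'Key Slot 2: DISABLED'
}

# Check a real device (placeholder path) with:
#   sudo cryptsetup luksDump /dev/your_partition | luks_slot_costs | flag_slow_slots 500000
sample_luks1_dump | luks_slot_costs | flag_slow_slots 500000
```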


#4

I went with the defaults during installation and you are right, GRUB is part of the encrypted partition.

Now, this is very interesting, but also quite involved. I guess if something goes wrong one may even brick his laptop/TPM module?


#5

What can I say? Be wary, be cautious! :wink:


#6

IMHO a TPM should be used for establishing that the current hardware, BIOS, boot manager and OS have a previously established trust relation and that none of the parts have been tampered with.

(Disk) encryption is a separate issue and should be solved separately (again, IMHO). A (hardware) TPM may offer decryption services if and only if it also provides a secure/trusted authentication mechanism. Generally, however, you’d want the boot manager or OS to use the TPM to add another layer of establishing system integrity before decryption.

For more info start here.


closed #7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.