Encrypting system with installer does not work (manjaro 17.0.2)


#1

Using the installer of the live version, I cannot encrypt my system successfully:
The installation finishes successfully but when I try to boot into the new system I get asked for the decryption password before I can see grub. After I type my password, it takes about one minute of nothing happening until it says:

 error: access denied.
 error: no such cryptodisk found.
 error: disk 'cryptouuid/f....' not found.
 Entering rescue mode...

Using the same live version, the installation works without any problems when I don’t choose to encrypt my system.

My partition setup:

sda1 - boot loader windows
sda2 - windows 7
sda3 - Manjaro

Thanks for any hints!


#2

Please try with a recent release. There have been many bugs fixed since 17.0.2.


#3

This is the message when you incorrectly enter your LUKS passphrase.

During installation did you manually partition and only encrypt your root partition?

sda1 - boot loader windows

UEFI or MBR install?

This is because /boot/grub/grub.cfg is located on your encrypted root partition, which needs to be decrypted before grub can load.


#4

Just a thought, but did you happen to use a keyboard layout other than US English during the installation? That could explain the incorrect passphrase issue.


#5

Yes I did, and since my password contains symbols, this might indeed be the cause of the problem. How can I change the keyboard layout for the grub/decryption process?
Edit: I found “mkinitcpio -H keymap” for this (?), but when am I supposed to run this command? Before installation?
Edit 2: this issue has been discussed here already: Calamares Full Encryption - Wrong keyboard layout decrypting master key

I did not choose manual partitioning, instead I chose to replace the existing partition sda3.

Alternatively, I could use a hint on how to not encrypt boot, but root, home and swap.


#6

You could google the US layout and, based on it, translate your passphrase to that layout.


#7

Doing so, I could indeed boot into my system, yet not change the keymap layout for grub…

Searching the forum for this issue, I found two threads that pointed out it’s basically impossible to change the keymap for the first stage of grub:
Grub keymap setting with LUKS?
Calamares Full Encryption - Wrong keyboard layout decrypting master key

So I guess I have two options:

  1. Use the dirty workaround mentioned in the first thread (entering my password with engUS keymap during install) or what was just suggested by you, muser (entering your actual password shifted from the engUS layout)
  2. Not encrypt the boot partition, so the decryption password is asked for after I select manjaro in grub. For this stage the keymap can be changed
  • I could use a hint on how to do option 2 with calamares (I used to do it manually by setting up partitions in a terminal and then running “setup” when that was still possible)

#8

But if you already translated your passphrase to the english layout and it works, isn’t the problem solved?


#9

Hello @samson I can just tell you that - so far - I had the best success with using a s d f g as the password in Calamares - as the home row is the same for my (de_DE) and the en_US keyboard layout.
Later I just used the (gnome) disk utility with the keymap switched to en_US to change the passphrase into something good - that way I circumvent the problem that a few times the locales and language did not set up properly when I stayed in en_US for the install.

To “recover” your install - use a keymap of your language and an en_US one and map the characters accordingly. That way I fixed my first manjaro install :wink: which is still running great today
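
The character mapping suggested in posts #6 and #9, as an added example that is not part of any post in this thread. It assumes the install layout was German (de_DE, the layout post #9 mentions) and that the early GRUB prompt reads keys as US layout; the function names and the sample passphrase are made up for illustration.

```python
# Added example: US vs German (QWERTZ) key positions, main block only.
# Assumption: the early GRUB passphrase prompt interprets keys as US layout.
# AltGr combinations and the extra ISO "<" key are not modelled.
US = ("`1234567890-=" "qwertyuiop[]" "asdfghjkl;'\\" "zxcvbnm,./"
      "~!@#$%^&*()_+" "QWERTYUIOP{}" 'ASDFGHJKL:"|' "ZXCVBNM<>? ")
DE = ("^1234567890ß´" "qwertzuiopü+" "asdfghjklöä#" "yxcvbnm,.-"
      '°!"§$%&/()=?`' "QWERTZUIOPÜ*" "ASDFGHJKLÖÄ'" "YXCVBNM;:_ ")
assert len(US) == len(DE)  # same physical keys, in the same order

US_TO_DE = dict(zip(US, DE))  # US character -> German keycap on that key
DE_TO_US = dict(zip(DE, US))  # German keycap -> what a US prompt receives


def _translate(text, table, problem):
    out = []
    for ch in text:
        if ch not in table:
            raise ValueError(f"{ch!r} {problem}")
        out.append(table[ch])
    return "".join(out)


def keycaps_to_press(passphrase):
    """German keycaps to hit so that a US-layout prompt receives passphrase."""
    return _translate(passphrase, US_TO_DE, "cannot be typed in the US layout")


def seen_by_us_prompt(typed):
    """What a US-layout prompt receives when typed is entered by German keycaps."""
    return _translate(typed, DE_TO_US, "is not on a modelled German key")


def layout_neutral(passphrase):
    """True if every character sits on the same key in both layouts."""
    return all(US_TO_DE.get(ch) == ch for ch in passphrase)


if __name__ == "__main__":
    secret = "my-Pass#1"  # constructed sample, set under the German layout
    print("prompt receives:", seen_by_us_prompt(secret))
    print("press instead  :", keycaps_to_press(secret))
    print("asdfg neutral? :", layout_neutral("asdfg"))
```

A passphrase containing characters such as ö or ß raises `ValueError` in `keycaps_to_press`, because no key produces them under the US layout.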


#10

Using a boot partition I will assume UEFI booting. Your boot partition is not encrypted.

Your /boot/grub directory is in your root partition, not your boot partition, and your root partition is encrypted.

In order to achieve what you want you could mount your boot partition to /boot instead of /boot/efi. Just make sure it has enough space for all the kernels also.

There was a similar thread recently, take a read.


#11

Another possible way would be to only encrypt /home so your personal data is encrypted but the rest of the system is not.
That only requires you to leave space for a /home partition to be created and encrypted after the initial setup.


#12

Thank you for your helpful responses!
I have reinstalled the system just setting “asd” as password as you suggested. Indeed, the booting process works now, being able to decrypt the hard disk successfully.

However, is it normal that the decryption step takes about 45 seconds after I have entered my password? On my last installation, when I was asked for the decryption password after I had selected the manjaro grub entry, the decryption took about 5 seconds only. (and yes, I also had the root dir encrypted)…


#13

Somewhat yes - sadly. The encryption is set up in a running system with all the crypto accelerations enabled - but grub does -not- have these.
So the software benchmarks your system and determines that x-thousand iterations on the password (itertime) are - ok - on your system, but without aes features and stuff enabled in grub it takes proportionally longer to unlock the master key.
(your password actually only encrypts a much larger key, which then is used to decrypt the drive)

In the manual to cryptsetup there is a flag to manually set the iteration rounds (higher the more secure, but also the slower) - but as I do not “boot” as often I have not bothered to switch yet.
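
A simplified model of the key slot described in post #13, as an added example that is not part of the thread and not the LUKS on-disk format. It assumes PBKDF2-HMAC-SHA256 as the passphrase KDF and uses XOR with the derived key as a stand-in for the real key-slot cipher; all function names are hypothetical.

```python
# Added example: a passphrase only wraps the master key, so changing the
# passphrase or its iteration count rewrites one slot, not the disk data.
import hashlib
import hmac
import os


def _kdf(passphrase, salt, iterations, length):
    # Unlock cost grows linearly with `iterations`, on any implementation.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               iterations, dklen=length)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def make_slot(passphrase, master_key, iterations):
    """Wrap master_key under a passphrase-derived key (fresh salt per slot)."""
    salt = os.urandom(32)
    pad = _kdf(passphrase, salt, iterations, len(master_key))
    return {"salt": salt, "iterations": iterations,
            "wrapped": _xor(master_key, pad)}


def make_header(passphrase, iterations):
    """Create a random master key, its check digest and one key slot."""
    master_key = os.urandom(32)
    digest_salt = os.urandom(32)
    digest = hashlib.pbkdf2_hmac("sha256", master_key, digest_salt, 1000)
    header = {"digest_salt": digest_salt, "digest": digest,
              "slot": make_slot(passphrase, master_key, iterations)}
    return header, master_key


def unlock(header, passphrase):
    """Return the master key, or None when the passphrase is wrong."""
    slot = header["slot"]
    pad = _kdf(passphrase, slot["salt"], slot["iterations"], len(slot["wrapped"]))
    candidate = _xor(slot["wrapped"], pad)
    check = hashlib.pbkdf2_hmac("sha256", candidate, header["digest_salt"], 1000)
    return candidate if hmac.compare_digest(check, header["digest"]) else None


def change_passphrase(header, old, new, iterations):
    """Re-wrap the same master key under a new passphrase and iteration count."""
    master_key = unlock(header, old)
    if master_key is None:
        raise ValueError("access denied")
    header["slot"] = make_slot(new, master_key, iterations)
    return header
```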

