LUKS passphrase prompt multiple tries

In the Manjaro Manual on page 92, it describes how you only get one try to unlock your system. If you get the passphrase wrong, you will enter grub rescue mode. Please allow multiple tries; I would say 10 tries would be better, and if you get it wrong on the 10th try then it can go into grub rescue mode.

People make mistakes; sometimes we press the wrong key or miss a key for our system passphrase, and it is annoying to have to press the power button to turn your machine off and then turn it back on and try again.

You just need to hit control-alt-delete to do a reboot.

I saw you liked an old comment of mine explaining this. Unfortunately this is due to how Grub works and not something Manjaro can fix, it must be fixed upstream.

I've been meaning to try other boot managers (rEFInd and systemd-boot) to check if they are smarter about asking for the password, but I haven't found the time yet...

In the meantime the solution is to install manually through the Architect installer, don't encrypt the /boot partition and encrypt the /root partition. That even allows you to install and use Plymouth if you want.

Good to know, but it is still annoying to have to reboot when you punch your password in wrong.

As far as I know, no other boot manager is able to deal with kernels and initrds on encrypted partitions. This is why Secure Boot is so essential if security is a concern. For now I have to use sbupdate-git from AUR, which creates a single efi file comprised of initramfs, vmlinuz and cmdline. Checking its integrity with tpm2 hook adds even more security.


All I am asking for is a better system-wide encryption lock screen prompt that allows multiple tries right out of the box when you install Manjaro, just like how Ubuntu and Mint have this out of the box.

From searching the forum this seems to be something many want in one way or another.

The rather paranoid approach to this topic - it is a security measure.

Let's play - how many times do you want a brute-force attacker knocking on your LUKS passphrase before the system needs reboot?

If you are like me - one (1) time!


Not a bad point to bring up.

In that case, even an option to enable multiple tries, even if that means you can choose:
1 try
3 tries
5 tries
10 tries

That will be enough for me. And I am fine if the default setting is 1. As long as I can easily adjust it within a GUI or be able to change it with one simple command line in the terminal, that is good enough for me.

cryptsetup and crypttab support the -T/tries= option respectively, where you can choose how many tries are allowed.
However, I don't know how automatic FDE is handled by Manjaro.

What is the terminal command to change the tries to 10 tries?

Don't know whether it uses /etc/crypttab or not.
If it does, simply add tries=X to the corresponding line in the 4th column.

However, this most probably doesn't work at the GRUB prompt.

# /etc/crypttab: mappings for encrypted partitions.
#
# Each mapped device will be created in /dev/mapper, so your /etc/fstab
# should use the /dev/mapper/<name> paths for encrypted devices.
#
# See crypttab(5) for the supported syntax.
#
# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf). The same applies
#       to encrypted swap, which should be set up with mkinitcpio-openswap
#       for resume support.
#
# <name>               <device>                         <password> <options>
luks-231cd5c6-6273-4059-b1da-851fcbb1a1df UUID=231cd5c6-6273-4059-b1da-851fcbb1a1df     /crypto_keyfile.bin luks
luks-4b3ba414-24e7-45d6-bd53-60dbc06f4e7e UUID=4b3ba414-24e7-45d6-bd53-60dbc06f4e7e /etc/luks-keys/luks-4b3ba414-24e7-45d6-bd53-60dbc06f4e7e nofail

This is my crypttab file? Where do I put the tries=X line? I might as well give this a shot.

It's an option, not a line. Add it to the end of the first line, with a comma, so luks,tries=X. You must of course replace X with a number.

But I can already tell you that it won't work - both lines point to keyfiles and not to a password to be entered by the user, so don't waste your time :wink:

This is, I assume, something which must be done at GRUB level.
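An added example, not from this thread or from Manjaro: a small POSIX sh script that does the two things the answers above describe by hand, namely checking whether each crypttab entry unlocks with a keyfile (where tries= is moot) or an interactive prompt, and appending or replacing tries=N in the options column of one entry. It works on a constructed sample file, and the entry names and UUIDs in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a crypttab and set tries=N on
# one entry. Works on the file given as $1 (a constructed temp file below),
# so /etc/crypttab is never touched. As the thread says, this affects the
# initramfs prompt only, not the passphrase GRUB asks for an encrypted /boot.

# Print "<name> <prompt|keyfile> <tries value or unset>" for each entry.
crypttab_report() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        {
            pw = $3
            # crypttab(5): password "none", "-" or absent means the passphrase
            # is requested interactively; anything else names a keyfile
            src = (pw == "" || pw == "none" || pw == "-") ? "prompt" : "keyfile"
            tries = "unset"
            n = split($4, o, ",")
            for (i = 1; i <= n; i++)
                if (o[i] ~ /^tries=/) tries = substr(o[i], 7)
            print $1, src, tries
        }' "$1"
}

# Emit the file with tries=$3 added to (or replaced in) the options column of
# the entry named $2; other lines pass through unchanged.
crypttab_set_tries() {
    awk -v want="$2" -v n="$3" '
        /^[[:space:]]*#/ || NF == 0 || $1 != want { print; next }
        {
            out = ""; seen = 0
            cnt = split($4, o, ",")
            for (i = 1; i <= cnt; i++) {
                if (o[i] == "") continue
                if (o[i] ~ /^tries=/) { o[i] = "tries=" n; seen = 1 }
                out = out (out == "" ? "" : ",") o[i]
            }
            if (!seen) out = out (out == "" ? "" : ",") "tries=" n
            print $1, $2, ($3 == "" ? "none" : $3), out   # columns re-joined by spaces
        }' "$1"
}

# Constructed sample crypttab with placeholder UUIDs (not real devices).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
cryptroot UUID=00000000-0000-0000-0000-000000000001 none luks
crypthome UUID=00000000-0000-0000-0000-000000000002 /etc/luks-keys/home nofail
cryptdata UUID=00000000-0000-0000-0000-000000000003 none luks,tries=1
EOF
crypttab_report "$SAMPLE"                  # crypthome is keyfile, so tries= is moot there
crypttab_set_tries "$SAMPLE" cryptroot 10  # cryptroot line now ends in luks,tries=10
```

Run it against a copy of your own file (cp /etc/crypttab /tmp/ct; crypttab_report /tmp/ct) to see which entries would actually honour tries= before editing the real one.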

If this is not something that Manjaro can fix or do, where could I make a post for such a feature request? Is there a GRUB forum that I can make the feature request on?
