Single LUKS password prompt before GRUB loads, preventing easy dual-boot into Windows

I recently installed both Windows and Manjaro for the purpose of a dual-boot system, with Windows being the primary operating system intended to be used. The Windows partition is unencrypted for ease of recovery, but the Manjaro partition is encrypted to (hopefully) prevent tampering with Linux system files in the event the Windows installation becomes infected with malware. Unfortunately, secure boot is not (officially/properly) supported by Manjaro, so protection would be somewhat limited, but partition encryption alone is better than nothing.

Since I’ll be using Windows at least 90% of the time, I’d like it to automatically boot into Windows unless I specify otherwise during GRUB’s boot menu. In the past, this has been easy to set up. However, LUKS asks for a password to decrypt the disk before GRUB even displays. Hitting escape doesn’t skip the prompt and instead enters GRUB Rescue. Once the password has been entered, it enters GRUB, and Manjaro can then be selected without a password.

How do I configure this to only prompt me once I’ve selected Manjaro in GRUB?

Partitions:
(sda1 is Windows recovery, sda2 is EFI, sda3 is Microsoft reserved partition, and sda4 is Windows’ C:\ partition)

NAME                     MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                        8:0    0 465.8G  0 disk  
├─sda1                     8:1    0   300M  0 part  
├─sda2                     8:2    0   100M  0 part  /boot/efi
├─sda3                     8:3    0   128M  0 part  
├─sda4                     8:4    0 318.8G  0 part  
└─sda5                     8:5    0 146.5G  0 part  
  └─luks-e4f59a9a-caed-4721-8107-3294d10906f8
                         254:0    0 146.5G  0 crypt /

grub.cfg:

#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
# Load the partition-table modules (GPT and MS-DOS).
insmod part_gpt
insmod part_msdos
# Load the saved environment block if $prefix/grubenv exists and is non-empty.
if [ -s $prefix/grubenv ]; then
  load_env
fi
# One-shot boot: when next_entry is set, use it as the default for this boot,
# clear it, persist the cleared value, and flag the boot as boot_once.
# Otherwise fall back to the persisted saved_entry.
if [ "${next_entry}" ] ; then
   set default="${next_entry}"
   set next_entry=
   save_env next_entry
   set boot_once=true
else
   set default="${saved_entry}"
fi

# Pass --id to menuentry only when this GRUB build advertises the feature.
if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

# If prev_saved_entry is set, restore it into saved_entry, persist both
# variables, and flag the boot as boot_once.
if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

# Persist the entry the user picked (${chosen}) as saved_entry, so that it
# becomes the default on later boots. Skipped when boot_once is set, i.e. when
# this boot was started from a one-shot next_entry / prev_saved_entry.
function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}

# Load the video driver modules: the single all_video module when this GRUB
# build advertises it, otherwise each individual driver module in turn.
function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

# Text-menu colours (foreground/background).
set menu_color_normal=light-gray/black
set menu_color_highlight=green/black

# Pick the menu font: the name "unicode" when GRUB advertises a default font
# path, otherwise an explicit file path under /usr/share/grub.
if [ x$feature_default_font_path = xy ] ; then
   font=unicode
else
# Fallback branch: the explicit font path is on the root filesystem, so this
# branch loads the cryptodisk/LUKS modules, calls cryptomount for the LUKS
# UUID and points root at that volume before setting the path.
insmod part_gpt
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
cryptomount -u e4f59a9acaed472181073294d10906f8
set root='cryptouuid/e4f59a9acaed472181073294d10906f8'
# Locate the filesystem by UUID; the hint names the unlocked crypto device.
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/e4f59a9acaed472181073294d10906f8'  c0e9bd60-a38f-42b2-8699-7f1df0922ab2
else
  search --no-floppy --fs-uuid --set=root c0e9bd60-a38f-42b2-8699-7f1df0922ab2
fi
    font="/usr/share/grub/unicode.pf2"
fi

# Graphical terminal setup: only when the chosen font loads, enable gfxterm
# and the en_US gettext locale.
if loadfont $font ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
  set locale_dir=$prefix/locale
  set lang=en_US
  insmod gettext
fi
terminal_input console
terminal_output gfxterm
# NOTE(review): this cryptomount sits at the top level of 00_header, so it
# runs before any menu entry is chosen. The theme fonts and theme.txt loaded
# below are read from ($root), which is set here to the filesystem inside the
# LUKS container - the themed menu therefore depends on the encrypted volume.
insmod part_gpt
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
cryptomount -u e4f59a9acaed472181073294d10906f8
set root='cryptouuid/e4f59a9acaed472181073294d10906f8'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/e4f59a9acaed472181073294d10906f8'  c0e9bd60-a38f-42b2-8699-7f1df0922ab2
else
  search --no-floppy --fs-uuid --set=root c0e9bd60-a38f-42b2-8699-7f1df0922ab2
fi
# Graphical menu module plus the fonts used by the Manjaro theme.
insmod gfxmenu
loadfont ($root)/usr/share/grub/themes/manjaro/dejavu_sans_12.pf2
loadfont ($root)/usr/share/grub/themes/manjaro/dejavu_sans_14.pf2
loadfont ($root)/usr/share/grub/themes/manjaro/dejavu_sans_16.pf2
loadfont ($root)/usr/share/grub/themes/manjaro/dejavu_sans_24.pf2
loadfont ($root)/usr/share/grub/themes/manjaro/dejavu_sans_48.pf2
loadfont ($root)/usr/share/grub/themes/manjaro/dejavu_sans_bold_16.pf2
loadfont ($root)/usr/share/grub/themes/manjaro/dejavu_sans_mono_12.pf2
loadfont ($root)/usr/share/grub/themes/manjaro/terminus-12.pf2
loadfont ($root)/usr/share/grub/themes/manjaro/terminus-14.pf2
loadfont ($root)/usr/share/grub/themes/manjaro/terminus-16.pf2
loadfont ($root)/usr/share/grub/themes/manjaro/terminus-18.pf2
loadfont ($root)/usr/share/grub/themes/manjaro/terminus-b12.pf2
loadfont ($root)/usr/share/grub/themes/manjaro/terminus-b14.pf2
loadfont ($root)/usr/share/grub/themes/manjaro/terminus-b16.pf2
loadfont ($root)/usr/share/grub/themes/manjaro/terminus-b18.pf2
insmod png
set theme=($root)/usr/share/grub/themes/manjaro/theme.txt
export theme
# Header default: a hidden menu with a 5 second timeout. The 30_os-prober
# section later in this file sets timeout_style=menu, overriding the style.
if [ x$feature_timeout_style = xy ] ; then
  set timeout_style=hidden
  set timeout=5
# Fallback hidden-timeout code in case the timeout_style feature is
# unavailable.
elif sleep --interruptible 5 ; then
  set timeout=0
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/10_linux ###
# Default Manjaro entry. It repeats the cryptodisk/LUKS module loads and the
# cryptomount call for the same LUKS UUID that 00_header already uses, then
# boots the kernel from /boot on that volume.
menuentry 'Manjaro Linux' --class manjaro --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-c0e9bd60-a38f-42b2-8699-7f1df0922ab2' {
	savedefault
	load_video
	set gfxpayload=keep
	insmod gzio
	insmod part_gpt
	insmod cryptodisk
	insmod luks
	insmod gcry_rijndael
	insmod gcry_rijndael
	insmod gcry_sha256
	insmod ext2
	cryptomount -u e4f59a9acaed472181073294d10906f8
	set root='cryptouuid/e4f59a9acaed472181073294d10906f8'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/e4f59a9acaed472181073294d10906f8'  c0e9bd60-a38f-42b2-8699-7f1df0922ab2
	else
	  search --no-floppy --fs-uuid --set=root c0e9bd60-a38f-42b2-8699-7f1df0922ab2
	fi
	# Kernel and initramfs are read from /boot on the root set above, i.e.
	# from inside the LUKS container. The command line passes cryptdevice= for
	# the same LUKS UUID, gives root= twice (by UUID and by /dev/mapper name)
	# and requests AppArmor (apparmor=1 security=apparmor).
	linux	/boot/vmlinuz-5.10-x86_64 root=UUID=c0e9bd60-a38f-42b2-8699-7f1df0922ab2 rw  quiet cryptdevice=UUID=e4f59a9a-caed-4721-8107-3294d10906f8:luks-e4f59a9a-caed-4721-8107-3294d10906f8 root=/dev/mapper/luks-e4f59a9a-caed-4721-8107-3294d10906f8 apparmor=1 security=apparmor udev.log_priority=3
	# CPU microcode image first, then the regular initramfs.
	initrd	/boot/amd-ucode.img /boot/initramfs-5.10-x86_64.img
}
# Submenu with per-kernel entries: the regular 5.10 entry and a variant that
# boots the fallback initramfs. Both unlock the same LUKS UUID and use the same
# kernel command line as the default Manjaro entry.
submenu 'Advanced options for Manjaro Linux' $menuentry_id_option 'gnulinux-advanced-c0e9bd60-a38f-42b2-8699-7f1df0922ab2' {
	menuentry 'Manjaro Linux (Kernel: 5.10.70-1-MANJARO x64)' --class manjaro --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.10.70-1-MANJARO x64-advanced-c0e9bd60-a38f-42b2-8699-7f1df0922ab2' {
	savedefault
		load_video
		set gfxpayload=keep
		insmod gzio
		insmod part_gpt
		insmod cryptodisk
		insmod luks
		insmod gcry_rijndael
		insmod gcry_rijndael
		insmod gcry_sha256
		insmod ext2
		cryptomount -u e4f59a9acaed472181073294d10906f8
		set root='cryptouuid/e4f59a9acaed472181073294d10906f8'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/e4f59a9acaed472181073294d10906f8'  c0e9bd60-a38f-42b2-8699-7f1df0922ab2
		else
		  search --no-floppy --fs-uuid --set=root c0e9bd60-a38f-42b2-8699-7f1df0922ab2
		fi
		linux	/boot/vmlinuz-5.10-x86_64 root=UUID=c0e9bd60-a38f-42b2-8699-7f1df0922ab2 rw  quiet cryptdevice=UUID=e4f59a9a-caed-4721-8107-3294d10906f8:luks-e4f59a9a-caed-4721-8107-3294d10906f8 root=/dev/mapper/luks-e4f59a9a-caed-4721-8107-3294d10906f8 apparmor=1 security=apparmor udev.log_priority=3
		initrd	/boot/amd-ucode.img /boot/initramfs-5.10-x86_64.img
	}
	# Fallback entry: unlike the entry above it does not call savedefault, and
	# its initrd line loads only the fallback initramfs (no amd-ucode.img).
	menuentry 'Manjaro Linux (Kernel: 5.10.70-1-MANJARO x64 - fallback initramfs)' --class manjaro --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.10.70-1-MANJARO x64-fallback-c0e9bd60-a38f-42b2-8699-7f1df0922ab2' {
		load_video
		set gfxpayload=keep
		insmod gzio
		insmod part_gpt
		insmod cryptodisk
		insmod luks
		insmod gcry_rijndael
		insmod gcry_rijndael
		insmod gcry_sha256
		insmod ext2
		cryptomount -u e4f59a9acaed472181073294d10906f8
		set root='cryptouuid/e4f59a9acaed472181073294d10906f8'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/e4f59a9acaed472181073294d10906f8'  c0e9bd60-a38f-42b2-8699-7f1df0922ab2
		else
		  search --no-floppy --fs-uuid --set=root c0e9bd60-a38f-42b2-8699-7f1df0922ab2
		fi
		linux	/boot/vmlinuz-5.10-x86_64 root=UUID=c0e9bd60-a38f-42b2-8699-7f1df0922ab2 rw  quiet cryptdevice=UUID=e4f59a9a-caed-4721-8107-3294d10906f8:luks-e4f59a9a-caed-4721-8107-3294d10906f8 root=/dev/mapper/luks-e4f59a9a-caed-4721-8107-3294d10906f8 apparmor=1 security=apparmor udev.log_priority=3
		initrd	/boot/initramfs-5.10-x86_64-fallback.img
	}
}

### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/30_os-prober ###
# Windows entry generated by os-prober. It loads only the GPT and FAT modules,
# points root at the EFI system partition (hd0,gpt2) and chainloads the Windows
# boot manager; no cryptodisk or LUKS module is loaded inside this entry.
menuentry 'Windows Boot Manager (on /dev/sda2)' --class windows --class os $menuentry_id_option 'osprober-efi-8C00-4D40' {
	savedefault
	insmod part_gpt
	insmod fat
	set root='hd0,gpt2'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2  8C00-4D40
	else
	  search --no-floppy --fs-uuid --set=root 8C00-4D40
	fi
	chainloader /EFI/Microsoft/Boot/bootmgfw.efi
}
# Another OS is listed, so the menu is shown rather than hidden (this replaces
# the timeout_style=hidden set in 00_header), and a zero timeout is raised to
# 10 seconds so the menu stays on screen long enough to choose an entry.
set timeout_style=menu
if [ "${timeout}" = 0 ]; then
  set timeout=10
fi
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/30_uefi-firmware ###
# Entry that runs fwsetup to enter the UEFI firmware setup screens.
# NOTE(review): nothing in this listing sets `superusers` or restricts entries
# with `--users`, so every entry, this one included, can be selected by anyone
# at the console - confirm whether that is intended.
menuentry 'UEFI Firmware Settings' $menuentry_id_option 'uefi-firmware' {
	fwsetup
}
### END /etc/grub.d/30_uefi-firmware ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
# Optional user overrides: source custom.cfg from ${config_directory} when it
# exists there; otherwise, only if config_directory is empty, from $prefix.
# `source` runs the file's commands as part of this configuration, so
# custom.cfg has the same control over the boot process as grub.cfg itself.
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg
fi
### END /etc/grub.d/41_custom ###

### BEGIN /etc/grub.d/60_memtest86+ ###
# memtest86+ entry, defined only when grub_platform is "pc" (GRUB's name for
# the legacy-BIOS platform). The entry does not call cryptomount itself; it
# only searches for the root filesystem with the crypto device as a hint, so
# it relies on the volume having been unlocked earlier in this file.
if [ "${grub_platform}" == "pc" ]; then
    menuentry "Memory Tester (memtest86+)" --class memtest86 --class gnu --class tool {
        search --fs-uuid --no-floppy --set=root --hint='cryptouuid/e4f59a9acaed472181073294d10906f8'  c0e9bd60-a38f-42b2-8699-7f1df0922ab2
        linux16 /boot/memtest86+/memtest.bin 
    }
fi
### END /etc/grub.d/60_memtest86+ ###

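By having a separate, unencrypted /boot partition. Currently, the GRUB configuration file is located on the encrypted partition, so GRUB needs to decrypt that partition before it can show you the menu. Keep in mind that with an unencrypted /boot, the kernel and initramfs are no longer protected by LUKS and can be modified by anything with write access to the disk.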

I see. Is this possible to fix without a full reinstall?

Yes, but somewhat difficult. Are you sure you want to go that route?

What exactly does it involve? I’m open to it.

  1. Back up all your valuable data
  2. Boot into live USB system
  3. Resize your partition to make room for another partition (Data loss can occur)
  4. Make a new partition and format it to ext4 or something
  5. Mount that new partition
  6. Mount your installation
  7. Copy the contents of your /boot to the new partition
  8. Chroot into your installation
  9. Edit your /etc/fstab to mount your new partition as /boot
  10. Edit /etc/default/grub and comment out the GRUB_ENABLE_CRYPTODISK line
  11. Reinstall grub and regenerate its configuration files
  12. Reboot and hope for the best

This is the way I would do it myself, but I do not recommend this approach. It requires you to be comfortable with the command line and with a potentially unbootable system.