[SOLVED] New to Manjaro <3 but full disk encryption somewhat bugs me

Hello!

First of all, thank you to the Manjaro team for the great work! I fled Ubuntu and I found my new home =)

tl;dr: does unlocking LUKS in GRUB always take so long?

The case in as much detail as my English allows ^^

But now what makes me post here: I have set it up with full disk encryption so everything is now encrypted except two small partitions at the beginning and the end.
Works perfectly fine, except in GRUB when unlocking the encryption it literally takes forever, which feels like it's frozen. Is that normal? (1 minute or more)
After that is done, everything works fast and snappy like expected.

System:
Manjaro 16.10 Fringilla
x86_64 Linux 4.8.9-1-MANJARO
DE Gnome
WM Gnome Shell
Intel Core i7-56000 @ 3.2GHz
GPU: Intel HD Graphics 5500
Ram: 12GB

How many keyslots are you using? If more than one, which one are you using to unlock the device?

Are your --iter-times set to reasonable values?

According to cryptsetup luksDump /dev/sda1 I have three slots used, though I am honestly not aware what is in slot 2 O.o as I only added one key to fix the DE/EN keyboard layout issue.

Honestly how can I determine that? I get the feeling that I actually end up using the 3rd … I feel like we are getting there O.o

I did not manually set anything there, just followed the graphical setup wizard from the live DVD, and they ended up being 1408527; somehow that does not feel reasonable, does it?

This happened on my system as well. It appears Manjaro, for some reason, always generates another key in slot 1 (see here). When I removed this extra key, my system could no longer boot.

I have no idea why Manjaro does this; it is a massive security issue when using an unencrypted bootloader.

(I haven’t verified this myself, but this issue may have been fixed in the newer version of Calamares.)


The key you added probably ended up in slot 2. Cryptsetup attempts to unlock the drive by checking your password against each slot in order (starting from slot 0 and ending at slot 7). Each slot will run through its iterations before moving onto the next. Therefore, you will see some improvement by placing your most commonly used password in slot 0.


When dealing with cryptsetup, --iter-time and the listed Iterations: found in luksDump are two different things. I believe the --iter-time option defaults to 2000 when unspecified.


I recently set up a laptop with Manjaro and had the same problem you do: extremely slow unlock times with LUKS (almost 2 minutes). I was able to get the unlock time back to an acceptable amount by replacing the key stored in slot 0 with another one, with a lower --iter-time. I had to do this several times to find an acceptable value.

Keep in mind, there are potential security implications when lowering the --iter-time.

If you have an unencrypted bootloader, you might wish to read this thread.

1 Like
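
The slot-order cost described in the post above, as an added example that is not part of the original thread: it reads LUKS1-style `cryptsetup luksDump` text and prints, for each enabled slot, its iteration count and the cumulative iterations spent by the time that slot has been tried. The function names and the sample dump are constructed for illustration; only the value 1408527 comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the LUKS1 luksDump layout:
#   Key Slot N: ENABLED|DISABLED
#       Iterations:   <count>
# Output per enabled slot: "<slot> <iterations> <cumulative iterations>"
luks_slot_cost() {
    awk '
        /^Key Slot [0-7]: / {
            slot = $3; sub(":", "", slot)      # "0:" -> "0"
            enabled = ($4 == "ENABLED")
            next
        }
        # The first Iterations: line after an enabled slot header is that
        # slot. "MK iterations:" does not match because its first field is "MK".
        enabled && $1 == "Iterations:" {
            total += $2
            printf "%s %d %d\n", slot, $2, total
            enabled = 0
        }
    '
}

# Constructed sample dump. Slot 0 uses the iteration count quoted in the
# thread; the other counts are made up.
sample_dump() {
    cat <<'EOF'
LUKS header information for /dev/sda1

Version:        1
Hash spec:      sha256
MK iterations:  176000

Key Slot 0: ENABLED
    Iterations:             1408527
    Key material offset:    8
Key Slot 1: ENABLED
    Iterations:             1400000
    Key material offset:    512
Key Slot 2: ENABLED
    Iterations:             1390000
    Key material offset:    1016
Key Slot 3: DISABLED
Key Slot 4: DISABLED
EOF
}

sample_dump | luks_slot_cost
# On a real system (as root): cryptsetup luksDump /dev/sda1 | luks_slot_cost
```

A passphrase stored in slot 2 of this sample is only checked after roughly three times the key-derivation work of one stored in slot 0, which is why moving the everyday passphrase to slot 0 shortens the wait without lowering any slot's iteration count.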

Thanks a thousand times for your great explanation! =D

Ok, but will I be able to recover the LUKS partition with a live USB stick and chroot if I mess that up, right?

The keymap at the first GRUB (the pretty old style one) is EN right?

Check this thread:
How to chroot into an encrypted root partition

Be very careful. You might lock yourself out of your system if you mess this up.

First, I’d recommend adding a temporary key with:
cryptsetup luksAddKey --key-slot 7 --iter-time <ITER AMOUNT> /dev/sda1

Not only will a temporary key act as a safety net, you will need a working key so you can remove and add new keys in slot 0 and slot 2.

After you successfully replace your other passwords with the new --iter-time values, you can then delete this temporary key:
cryptsetup luksRemoveKey /dev/sda1 --> Enter the key you wish to remove when prompted


I don’t quite know what you are asking here.

2 Likes

Thanks even more again!

I already did it - now the first key is the one that I actually use to unlock the volumes (root and swap), which significantly decreased the time to unlock.
I kept the --iter-time untouched and I am ok with how long it takes now.

If I had had a bit more patience ^^ but for any future endeavor I highly appreciate that tip! Thanks

What I was trying to communicate is/was that I was not sure which keymap (English US or German) is used in GRUB where I enter the password to unlock the LUKS volumes.
As with the setup that the Manjaro installer did, there are two stages of GRUB: the first is just the good old white on black, which must be in the MBR and unlocks the /root volume, where there is then another GRUB installed (the pretty Manjaro branded one) where one could choose kernels and recovery.

The first GRUB uses the enUS keymap, which - now that I know it - makes it obvious why my first install did not unlock, as I am on a machine with a German keyboard.

1 Like

Glad it all worked out.

I may be wrong, but I recall reading that for some reason the keymap to unlock the bootloader is locked to a US English layout.

1 Like

It might be, and updating grub “only” updates the 2nd stage one (the branded one).
Once again, lots of thanks for your help!

1 Like
