First of all, thank you to the Manjaro team for the great work! I fled Ubuntu and I found my new home =)
tl;dr: does unlocking LUKS in GRUB always take so long?
[details=The case in as much detail as my English allows ^^]
But now what makes me post here: I have set it up with full disk encryption so everything is now encrypted except two small partitions at the beginning and the end.
Works perfectly fine, except in GRUB when unlocking the encryption it literally takes forever, which feels like it’s frozen. Is that normal? (1 minute or more)
After that is done, everything works fast and snappy like expected.[/details]
Manjaro 16.10 Fringilla
x86_64 Linux 4.8.9-1-MANJARO
WM Gnome Shell
Intel Core i7-56000 @ 3.2GHz
GPU: Intel HD Graphics 5500
The key you added probably ended up in slot 2. Cryptsetup attempts to unlock the drive by checking your password against each slot in order (starting from slot 0 and ending at slot 7). Each slot will run through its iterations before moving on to the next. Therefore, you will see some improvement by placing your most commonly used password in slot 0.
When dealing with cryptsetup, --iter-time and the listed Iterations: found in luksDump are two different things. I believe the --iter-time option defaults to 2000 when unspecified.
I recently set up a laptop with Manjaro and had the same problem you do: extremely slow unlock times with LUKS (almost 2 minutes). I was able to get the unlock time back to an acceptable amount by replacing the key stored in slot 0 with another one, with a lower --iter-time. I had to do this several times to find an acceptable value.
Keep in mind, there are potential security implications when lowering the --iter-time.
If you have an unencrypted bootloader, you might wish to read this thread.
Not only will a temporary key act as a safety net, you will need a working key so you can remove and add new keys in slot 0 and slot 2.
After you successfully replace your other passwords with the new --iter-time values, you can then delete this temporary key: cryptsetup luksRemoveKey /dev/sda1 --> Enter the key you wish to remove when prompted
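The slot-order cost described in the reply above, as an added example that is not part of the original thread: it reads the per-slot `Iterations:` values from LUKS1-style `cryptsetup luksDump` output and sums the work done before a passphrase in a given slot is accepted. The dump text is a constructed sample, the function names are hypothetical, and the model counts only the per-slot iterations (the master-key digest check is ignored).

```python
import re

# Constructed sample in the LUKS1 `cryptsetup luksDump` layout; iteration
# counts are made up and salt/digest lines are left out.
SAMPLE_DUMP = """\
LUKS header information for /dev/sda1

Version:        1
Hash spec:      sha256
MK iterations:  120000

Key Slot 0: ENABLED
    Iterations:             1900000
    Key material offset:    8
Key Slot 1: ENABLED
    Iterations:             2100000
    Key material offset:    264
Key Slot 2: ENABLED
    Iterations:             2000000
    Key material offset:    520
Key Slot 3: DISABLED
"""

SLOT_RE = re.compile(r"^Key Slot (\d+): (ENABLED|DISABLED)\s*$")
ITER_RE = re.compile(r"^\s+Iterations:\s*(\d+)\s*$")  # indented, so not "MK iterations"

def parse_slots(dump):
    """Return {slot: iterations} for every ENABLED key slot in the dump."""
    slots, current = {}, None
    for line in dump.splitlines():
        m = SLOT_RE.match(line)
        if m:
            # Remember which slot the following indented lines belong to.
            current = int(m.group(1)) if m.group(2) == "ENABLED" else None
            continue
        m = ITER_RE.match(line)
        if m and current is not None:
            slots[current] = int(m.group(1))
    return slots

def iterations_until(slots, target):
    """Iterations spent before the passphrase stored in `target` is accepted,
    assuming enabled slots are tried in ascending order as described above."""
    if target not in slots:
        raise KeyError(f"slot {target} is not enabled")
    return sum(n for slot, n in slots.items() if slot <= target)
```

With the sample values, a passphrase in slot 2 costs roughly three times the work of the same passphrase in slot 0, which is the improvement the reply attributes to moving the everyday key to slot 0.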
I already did it - now the first key is the one that I actually use to unlock the volumes (root and swap) which significantly decreased the time to unlock.
I kept the --iter-time untouched and I am ok with how long it takes now.
If I had had a bit more patience ^^ but for any future endeavor I highly appreciate that tip! Thanks
What I was trying to communicate is/was, that I was not sure which keymap (English US or German) is used in GRUB where I enter the password to unlock the LUKS volumes.
As with the setup that the Manjaro installer did, there are two stages of GRUB: the first is just the good old white on black, which must be in the MBR and unlocks the /root volume, where another GRUB is then installed (the pretty Manjaro-branded one) where one could choose kernels and recovery.
The first GRUB uses the enUS keymap, which - now that I know it - makes it obvious why my first install did not unlock, as I am on a machine with a German keyboard.