Unencrypt boot partition and reconfigure grub

Hi,

I have a dual boot laptop, Windows and Linux. I was running Arch for a while but recently installed Manjaro i3 on that partition. I also chose encryption during the installation. The installation went smoothly.

With Arch, the boot sequence was bios post → grub → choose O/S (arch) → enter LUKS password to unlock root partition → login. I did not have to provide the LUKS password when booting Windows.

With Manjaro, the boot sequence is bios post → enter LUKS password to unlock (EFI???) partition → Manjaro’s grub displays (manjaro look and feel) → choose O/S → login.

I’d prefer to only have to enter the LUKS password when choosing Linux, i.e. the way it was configured with Arch.

Thanks for any advice you can give.

Hi and welcome to the forum :+1:

Could you provide the output of the following commands with ``` before and after (on separate lines) of the pasted texts

  • sudo lsblk --fs
  • efibootmgr -v

You cannot unencrypt boot - you can change the boot loader to systemd-boot which only uses the efi partition - and is capable of detecting the Windows bootloader.

@linux-aarhus I guess you’re tired at this moment?
He didn’t ask to un-encrypt the root… :wink:
He’s asking for help with booting into grub without using a password before its menu is displayed…
But I agree with your choice of using sd-boot of course, as I use that also :smiley:

Apologies for the late reply, and I appreciate the help.

$ sudo lsblk --fs
NAME FSTYPE FSVER LABEL UUID                                 FSAVAIL FSUSE% MOUNTPOINT
nvme0n1
│                                                                           
├─nvme0n1p1
│    vfat   FAT32 SYSTEM
│                       0033-805F                             187.4M    27% /boot/efi
├─nvme0n1p2
│                                                                           
├─nvme0n1p3
│    ntfs         Windows
│                       01D23C0E00C1B830                      222.5G    56% /run/media
├─nvme0n1p4
│    ntfs         WinRE_DRV
│                       9EA036A1A0368037                                    
└─nvme0n1p5
     crypto 1           bbddb61a-26b5-488a-8b6b-03bf14a43c42                
  └─luks-bbddb61a-26b5-488a-8b6b-03bf14a43c42
     ext4   1.0         862a3f76-8d2b-495f-a1a0-dc2c5f621de2  409.7G     3% 
$ efibootmgr -v
BootCurrent: 0002
Timeout: 2 seconds
BootOrder: 0002,0001,0018,001B,0017,0000,0019,001A,001C
Boot0000* Windows Boot Manager	HD(1,GPT,bdbb84fc-7e1c-400e-9a55-aab2481672d7,0x800,0x82000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}...0................
Boot0001* Linux	HD(1,GPT,bdbb84fc-7e1c-400e-9a55-aab2481672d7,0x800,0x82000)/File(\EFI\Linux\grubx64.efi)
Boot0002* Manjaro	HD(1,GPT,bdbb84fc-7e1c-400e-9a55-aab2481672d7,0x800,0x82000)/File(\EFI\Manjaro\grubx64.efi)
Boot0010  Setup	FvFile(721c8b66-426c-4e86-8e99-3457c46ab0b9)
Boot0011  Boot Menu	FvFile(126a762d-5758-4fca-8531-201a7f57f850)
Boot0012  Diagnostic Splash Screen	FvFile(a7d8d9a6-6ab0-4aeb-ad9d-163e59a7a380)
Boot0013  Lenovo Diagnostics	FvFile(3f7e615b-0d45-4f80-88dc-26b234958560)
Boot0014  Startup Interrupt Menu	FvFile(f46ee6f4-4785-43a3-923d-7f786c3c8479)
Boot0015  Rescue and Recovery	FvFile(665d3f60-ad3e-4cad-8e26-db46eee9f1b5)
Boot0016  MEBx Hot Key	FvFile(ac6fd56a-3d41-4efd-a1b9-870293811a28)
Boot0017* USB CD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,86701296aa5a7848b66cd49dd3ba6a55)
Boot0018* USB FDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,6ff015a28830b543a8b8641009461e49)
Boot0019* NVMe0	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,001c199932d94c4eae9aa0b6e98eb8a400)
Boot001A* ATA HDD0	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f600)
Boot001B* USB HDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,33e821aaaf33bc4789bd419f88c50803)
Boot001C* PCI LAN	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,78a84aaf2b2afc4ea79cf5cc8f3d3803)
Boot001D* IDER BOOT CDROM	PciRoot(0x0)/Pci(0x16,0x2)/Ata(0,1,0)
Boot001E* IDER BOOT Floppy	PciRoot(0x0)/Pci(0x16,0x2)/Ata(0,0,0)
Boot001F* ATA HDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f6)
Boot0020* ATAPI CD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,aea2090adfde214e8b3a5e471856a354)

Also, a minor irritant: the new sequence is reboot -> Lenovo splash screen (post-bios?) -> request for LUKS password -> grub -> Manjaro -> >>>Lenovo splash screen again<<< -> login prompt. Previously, I just got the one splash screen after reboot, then grub, then straight into whatever O/S I chose.

Thanks again…

Does the same happen when you try to boot using this entry?

Boot0001* Linux	HD(1,GPT,bdbb84fc-7e1c-400e-9a55-aab2481672d7,0x800,0x82000)/File(\EFI\Linux\grubx64.efi)

Hi,

I’m sorry for the delayed reply, and I genuinely appreciate the help. I am incredibly time poor right now due to work + new studies at night and weekends.

That entry above does not show up in Grub.

As an aside, I was editing Xresources in Manjaro and broke it. When I hit Mod-Enter in i3 I just get a busy cursor and no terminal. Disappointing - I wouldn’t think editing Xresources would break Manjaro. No need to reply, that was an aside and should be a separate thread.

However, this does mean I may reinstall Manjaro at some point, and this time I think I will ditch the encryption. It is a nice academic exercise, but most of my sensitive data is on my Windows partition and I haven’t encrypted that partition.

Here are some excerpts from my install notes from when I installed Arch, which may or may not be relevant:

Remove old Linux installations (optional)

If you have previously installed Linux(es) that you wish to remove (especially from the NVRAM boot menu (F12)), then first follow the “Backup UEFI Partition” instructions above.

efibootmgr (list boot manager entries)

efibootmgr -b 0001 -B (remove boot manager entry 0001)

Make sure not to delete the Windows Boot Manager entry!

efibootmgr (list again)

Now delete the old entries from the /boot partition:

cd /boot

Remove any Linux entries, such as grub or loader

cd EFI

Remove any Linux entries, such as grub or systemd

List the remaining files in /boot, looking for any Linux entries

ls -lR | less (ignore anything under Microsoft)

Adjust the TTY font size

cd /usr/share/kbd/consolefonts/

ls *32* (this is the largest font OOTB, and the one I prefer)

setfont *32* (setfont latarcyrheb-sun32.psfu.gz)

To make this a permanent change after the Arch installation:

vi /etc/vconsole.conf

KEYMAP=us

FONT=latarcyrheb-sun32.psfu.gz

Note: this made the LUKS password prompt readable rather than microprint on my HiDPI laptop.

Partition the hard disk

I’ve decided on two partitions:

Linux:

Used for the Arch Linux install

Single partition for everything

30GB (roughly 10GB /root, 4GB /home, 16GB (potential) swap file later (if hibernation is desired))

EXT4 (or F2FS?)

encrypted

Data:

Used for all “data”, including media and KVM virtual disks

700GB (rest of the disk)

EXT4 (or F2FS?)

encrypted

cgdisk /dev/nvme0n1

CAREFULLY choose the free space on the disk

752.6 GiB free space

New

First sector (default)

Size in sectors or {KMGTP} 30G

8300 (Linux filesystem)

Label Linux

722.6 GiB free space

New

First sector (default)

Size in sectors or {KMGTP} (default) (rest of free space)

8300 (Linux filesystem)

Label Data

reboot into Windows (make sure it still works)

reboot into Arch Linux installer

Set up encryption

cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p5

Enter passphrase: (easy to remember but hard for others to guess or brute force)

cryptsetup open --type luks /dev/nvme0n1p5 root

Do the same for the Data partition (nvme0n1p6)

Format the partitions

mkfs.ext4 /dev/mapper/root

mkfs.ext4 /dev/mapper/data

Mount the file systems

mount /dev/mapper/root /mnt

cd /mnt

mkdir boot data

mount /dev/mapper/data /mnt/data

mount /dev/nvme0n1p1 /mnt/boot <<<<<

findmnt

/dev/nvme0n1p1 is a 260MB partition that is unencrypted, and IIRC is where I installed Grub. I guess I thought the Manjaro installer would do the same?

Initramfs

vi /etc/mkinitcpio.conf

… keyboard block encrypt …

mkinitcpio -p linux

Boot loader

pacman -S grub efibootmgr os-prober

grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=grub

Get the UUID of the root partition:

ls -l /dev/disk/by-uuid (bac7cf53-c566-4b34-b33f-6a569f4064c2)

vi /etc/default/grub

See also /etc/grub.d/

grub-mkconfig -o /boot/grub/grub.cfg

Perhaps I can change the configuration after reinstalling Manjaro, although I can’t get to this for a while.

Thanks again for the help…

It might be me but I have a hard time following your planned partition layout…
Can you put it in a format like the lsblk one? E.g. an ASCII graph.

It is an entry of your UEFI-bootmenu.

You should avoid using device names like that, better use the partition’s UUID/PARTUUID/LABEL/etc that stay persistent…


These are the minimum parts that you need for any setup:

  1. An ESP, this is where your UEFI bios loads your bootloader from.
    Can not be encrypted.
  2. A partition that is readable by your bootloader to read the kernel and ramdisk from.
  3. A partition with your OS. (encrypted or not)

My preference is to combine (2) inside the ESP as a subdir of it.
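
An added example, not part of the thread: a shell check that tells the two layouts discussed here apart, i.e. whether part (2) lives inside the encrypted OS partition (the boot loader asks for the LUKS passphrase before its menu) or on an unencrypted partition such as the ESP (menu first, passphrase at the initramfs stage). The function name `boot_layout` and the sample listings are constructed for illustration; device names only mirror the ones posted above.

```shell
#!/bin/sh
# Added example. Reads `lsblk -Pn -o KNAME,PKNAME,TYPE,MOUNTPOINT` on stdin and prints:
#   encrypted-boot  /boot sits on a LUKS mapping, so the boot loader must unlock
#                   it before it can read its own menu, kernel and initramfs
#   plain-boot      /boot is unencrypted: menu first, passphrase asked by the initramfs
#   unknown         neither / nor /boot appears in the input
boot_layout() {
    awk '
    # Extract VALUE from a KEY="VALUE" pair; the leading space keeps
    # KNAME from matching inside PKNAME.
    function val(line, key) {
        if (!match(line, " " key "=\"[^\"]*\"")) return ""
        return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    {
        line = " " $0
        k = val(line, "KNAME")
        parent[k] = val(line, "PKNAME")
        dtype[k] = val(line, "TYPE")
        mp = val(line, "MOUNTPOINT")
        if (mp == "/boot") boot = k
        if (mp == "/") root = k
    }
    END {
        # With no separate /boot mount, /boot is just a directory on /.
        dev = (boot != "") ? boot : root
        if (dev == "") { print "unknown"; exit }
        # Walk up the device stack so LVM-on-LUKS is caught as well.
        for (n = 0; dev != "" && n < 16; n++) {
            if (dtype[dev] == "crypt") { print "encrypted-boot"; exit }
            dev = parent[dev]
        }
        print "plain-boot"
    }'
}

# Constructed sample: ESP at /boot/efi, everything else inside LUKS.
SAMPLE_BOOT_IN_LUKS='KNAME="nvme0n1" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="nvme0n1p1" PKNAME="nvme0n1" TYPE="part" MOUNTPOINT="/boot/efi"
KNAME="nvme0n1p5" PKNAME="nvme0n1" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="nvme0n1p5" TYPE="crypt" MOUNTPOINT="/"'

# Constructed sample: ESP mounted directly at /boot, root inside LUKS.
SAMPLE_ESP_AS_BOOT='KNAME="nvme0n1p1" PKNAME="nvme0n1" TYPE="part" MOUNTPOINT="/boot"
KNAME="nvme0n1p5" PKNAME="nvme0n1" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="nvme0n1p5" TYPE="crypt" MOUNTPOINT="/"'

printf '%s\n' "$SAMPLE_BOOT_IN_LUKS" | boot_layout
printf '%s\n' "$SAMPLE_ESP_AS_BOOT" | boot_layout
```

On a running system, feed it the real listing with `lsblk -Pn -o KNAME,PKNAME,TYPE,MOUNTPOINT | boot_layout`.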