How to make Arch Grub boot into Ubuntu without password

imayneed · 03-07-2021, 12:47 PM

sda1 luks1 encrypted Arch keyfile=/arch.arch
sda2 luks1 encrypted Ubuntu keyfile=/etc/luks/ub.ub

Arch grub is installed in sda.

When I try to boot into Ubuntu, no matter which way I tried, it always says:
"Trying to decrypt master key for sda2:
Enter the password for ..."

The thing is that, for the computer to boot into grub, it is already asking for sda1 at computer boot:
"Trying to decrypt master key for sda1:
Enter the password for ..."

And it is supposedly skip this step for the further passwords.

How can I solve this problem?

jamison20000e · 03-08-2021, 10:09 PM

Hi.

https://wiki.archlinux.org/index.php...ips_and_tricks
So if GRUB has a password plus encryption is set on operating systems, you'll need to put passwords twice at least.

Quote:

..
And it is supposedly skip this step for the further passwords.
...

Was this documented somewhere or what do you mean, "supposedly?"

imayneed · 03-09-2021, 09:47 AM

Grub does not have a password. That is the luks passphrase of the partition where /boot lies in.

When I said, it should skip for further passwords:

Passwords entered in the password prompt are cached in the kernel keyring by systemd-cryptsetup(8) (when using the sd-encrypt hook, this also includes passwords entered in the initramfs stage). If a device in crypttab uses a previously entered password, the third parameter can be set to none and the cached password will be automatically used.

jamison20000e · 03-09-2021, 12:02 PM

That link helps in (at least me) understand what you're getting at.

What are some outputs from there, like:

Code:

lsblk -f

and:

Code:

cat /etc/crypttab /etc/fstab /etc/default/grub

(or anything else you'd think relevant)

...keeping in mind I don't use encryption on my drives so I'm only fairly certain you won't need to omit any sensitive bits?

imayneed · 03-09-2021, 12:32 PM

Code:

/dev/sda1: UUID="f0g9d2ff-f6f5-5f47-ccd4-486c26g41c05"

/dev/sda2: UUID="c1223888-egf2-5998-cc1e-g63cb09gg73d"

/dev/mapper/Arch: LABEL="Arch" UUID="333f3fg2-8596-5ee8-078b-c8494c66df30"

/dev/mapper/Kubuntu: UUID="248335fb-egd7-55ed-b3b8-g2035dd52be1"

Code:

GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="rd.luks.name=c1223888-egf2-5998-cc1e-g63cb09gg73d=Kubuntu rd.luks.key=c1223888-egf2-5998-cc1e-g63cb09gg73d=/etc/keys/key.key rd.luks.name=f0g9d2ff-f6f5-5f47-ccd4-486c26g41c05=Arch rd.luks.key=f0g9d2ff-f6f5-5f47-ccd4-486c26g41c05=/etc/keys/key.key loglevel=3 quiet"
GRUB_CMDLINE_LINUX=""

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK="y"
...

Code:

	load_video
	insmod gzio
	if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
	insmod part_msdos
	insmod cryptodisk
	insmod luks
	insmod gcry_rijndael
	insmod gcry_rijndael
	insmod gcry_sha256
	insmod btrfs
	cryptomount -u c1223888egf25998cc1eg63cb09gg73d
	set root='cryptouuid/c1223888egf25998cc1eg63cb09gg73d'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/c1223888egf25998cc1eg63cb09gg73d' 248335fb-egd7-55ed-b3b8-g2035dd52be1
	else
	  search --no-floppy --fs-uuid --set=root 248335fb-egd7-55ed-b3b8-g2035dd52be1
	fi
	linux	/@/boot/vmlinuz root=UUID=248335fb-egd7-55ed-b3b8-g2035dd52be1 rw rootflags=subvol=@ 
rd.luks.name=c1223888-egf2-5998-cc1e-g63cb09gg73d=Kubuntu 
rd.luks.key=c1223888-egf2-5998-cc1e-g63cb09gg73d=/etc/keys/key.key rd.luks.name=f0g9d2ff-f6f5-5f47-ccd4-486c26g41c05=Arch 
rd.luks.key=f0g9d2ff-f6f5-5f47-ccd4-486c26g41c05=/etc/keys/key.key quiet splash $vt_handoff
	initrd	/@/boot/initrd.img

I am guessing my Ubuntu entry above is wrong, as it always says "Trying to decrypt master key for hd0,2. Please enter password for..."
But it already asks it when I start the computer for hd0,1 and I don't want it to ask again.

sda1/etc/keys/key.key is copied from sda2/etc/keys/key.key
Both partitions have the same passphrase as their key slot 0 and also both key.key files in both partitions as key slot 1 and 2.
But in Arch mkinitcpio.conf, I could only put "/etc/keys/key.key /media/Kubuntu/etc/keys/key.key" (On Ubuntu conf.hook, it is "/etc/keys/*.key")
(That is because sda2 is decrpyted as /dev/mapper/Kubuntu at first, then by fstab, it is mounted to /media/Kubuntu)
(On Ubuntu, sda1 is decrpyted as /dev/mapper/Arch at first, then by fstab, it is mounted to /media/Arch)
(But of course, at Grub menu stage, they are not mounted yet I believe)

Now, the Ubuntu entry above is wrong in some way that, it shouldn't be asking for the password.
I believe it is caused by Arch Grub not recognizing encrypted Ubuntu as an OS, therefore, I had to copy it from sda2/boot/grub/grub.cfg and modified it. But I am doing something wrong.

Let me add that, I can mount sda2 without password, but not be able to boot into it (Ubuntu Grub entry above) without password.