John Doe wrote:
>Hi all, when encrypting /boot on Buster after a fresh install of Debian
>with encrypted lvm, I need to enter three times a passphrase (two times
>for /boot, one time for /root)
>
>"...
>
>GRUB loading..
>Welcome to GRUB!
>
>Attempting to decrypt master key...
>Enter passphrase for hd0,msdos1 (...):
>Slot 0 opened
>
>..
>
> GNU GRUB version 2.04-5
>
> The highlighted entry will be executed automatically in 0s.
>
>...
>
> Booting `Debian GNU/Linux'
>
> Volume group "debian-bustervm-vg" not found
> Cannot process volume group debian-bustervm-vg
> Volume group "debian-bustervm-vg" not found
> Cannot process volume group debian-bustervm-vg
>Please unlock disk sda5_crypt:
>cryptsetup: sda5_crypt: set up successfully
>/dev/mapper/debian--buster--try02vm--vg-root: clean, 38666/507904 files,
>434177s
>Please enter passphrase for disk QEMU_HARDDISK (boot_crypt): ***"
>
>I don't understand why, after boot is encrypted, the above passphrase
>prompt asks me to enter this passphrase for the second time for the boot
>partition.
>Why is that so and how can I avoid this extra step?
>
>I'm testing here in a qemu VM.
>
>I use (1) to encrypt the boot partition.
>
>1) https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html

Grub needs the passphrase for /boot, and then Linux needs it
separately. Unfortunately there isn't a way for Grub to pass the
passphrase to Linux so it has to ask you again. People are looking at
ways to make this work better...

-- 
Steve McIntyre, Cambridge, UK. st...@einval.com
Armed with "Valor": "Centurion" represents quality of Discipline,
Honor, Integrity and Loyalty. Now you don't have to be a Caesar to
concord the digital world while feeling safe and proud.