Arch Linux User Repository

i have not gotten this to work with luks2, however once in grub rescue you might try:

set debug=all

ls #find your hd and partition

cryptomount hd0,gpt2

I've noticed that using sha256 as the hash results in a failed to parse digest error, switching to sha1 results in an invalid passphrase error. Hope this helps... if you make a working setup please post here...

I'm having the same problem as @air-g4p

@eschwartz - grub-git still fails to boot from a LUKS2 disk.

Steps to reproduce the LUKS2 boot failure from a currently, properly booting --type luks1 encrypted /boot Arch system:

1. UEFI boot from any reasonably recent arch iso, and run: cryptsetup convert /dev/sdXY --type luks2 --pbkdf pbkdf2 That command will succeed, and luksDump will show PBKDF: pbkdf2 for both keyslot 0 and 1. However, carefully note, you get the exact same pbkdf2 luksDump results by ONLY running: cryptsetup convert /dev/sdXY --type luks2 so it may be that cryptsetup is ignoring the appended --pbkdf pbkdf2 option. Additionally, man cryptsetup does not mention the --pbkdf option under the convert command. That same --pbdkf string is a valid option under the luksConvertKey command, but that command can only modify the pbkdf parameters for an existing LUKS2 keyslot.

2. Run cryptsetup open /dev/sdXY <something>

3. mount everything and arch-chroot into /

4. Run mkinitcpio -P linux

5. Run grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=<some-id>

6. Run grub-mkconfig -o /boot/grub/grub.cfg

7. exit, umount and reboot.

8. Then you are greeted by the dreaded: error: disk 'lvmid/some-lengthy-UUID' not found. Entering rescue mode.

Again, if anyone discovers the correct grub-git LUKS2 encrypted /boot procedure, please carefully document it here.

@eschwartz apologies for not replying sooner - I got busy at work after compiling this and never switched to Luks2. I'll make a copy of my /boot onto my NFS share this weekend and try converting the existing partition to Luks2 using pbkdf2.

And did you use cryptsetup convert with the default pbkdf which is argon2i, or did you remember to pass --pbkdf pbkdf2 ?

The former is not yet implemented in grub and obviously cannot work. The latter is a non-default option to cryptsetup, which you may have forgotten...

I still have yet to see anyone actually confirm they tried using pbkdf2 and still got failures. I still have yet to see anyone actually confirm which one they used, in fact.

@WoefulDerelict - I built and installed grub-git without issue after your latest bump in February. However, after converting my / to LUKS2, reinstalling grub and re-running grub-mkconfig, my system refused to boot due to my LUKS2 conversion. Reverting back to LUKS1, of course, fixed everything.

Builds are currently succeeding on my test machine; however, I don't use LUKS or have the time spin up and test the LUKS2 support. If any brave users are willing to experiment please report back.

I'm currently in the process of reading through the recent commits as a some of these changes appear to fix issues the PKGBUILD has been working around. Once I've got all the unnecessary workarounds trimmed out and tested the resulting build I'll push an update.

eschwartz: Thanks for all the updates.

@drossbox,

How did it turn out?

@eschwartz thanks for letting me know. Built successfully, so I'll test Luks2 support over the weekend.

As of 17 hours ago, various build fixes have landed in upstream master.

(The Argon2 KDF feature is still being reviewed, though.)

So if anyone is interested in testing out luks2 support, now might be a good time. Especially since the code freeze for grub 2.06 is being called in less than a week.