Package Details: grub-git 2.04.rc1.r19.g4e7b5bb3b-1

Git Clone URL:
Package Base: grub-git
Description: GNU GRand Unified Bootloader (2)
Upstream URL:
Licenses: GPL3
Conflicts: grub
Provides: grub
Submitter: ridikulusrat
Maintainer: WoefulDerelict
Last Packager: WoefulDerelict
Votes: 12
Popularity: 0.57
First Submitted: 2013-10-22 18:55
Last Updated: 2020-02-07 03:46

Dependencies (20)

Required by (125)

Sources (6)

Latest Comments


miffi commented on 2021-02-13 04:26

For the other space cadets out there...

cryptomount will only detect your luks2 partition UUID if there are no dashes in the identifier; otherwise you will be greeted with "no such cryptodisk found".

Thanks for making this accessible everybody.

archabuser commented on 2021-01-31 16:55

@ceri This is due to grub-install not correctly configuring your grub EFI-Image. It seems to be one of the limitations of upstream LUKS2 support. I ran into the same issue and then followed air-g4p's comment to add the right early config. I created a file /boot/grub/init.cfg with the following contents:

cryptomount -u <uuid-of-luks2-partition>
set root='lvmid/<vg-uuid>/<lv-uuid>'
set prefix=($root)/grub

insmod normal

Where <vg-uuid> and <lv-uuid> point to the LVM volume that contains your /boot directory (use vgdisplay and lvdisplay for lookup). Then I ran grub-mkimage with all the required modules and added the config with -c /boot/grub/init.cfg.
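As an added example (not from archabuser's comment or from the grub-git package): a small POSIX shell helper that turns the output of cryptsetup luksUUID into the dash-free form cryptomount -u expects (the "no such cryptodisk found" trap miffi and ceri describe) and writes an early config in the shape shown above. The root device spec, grub directory and output path are parameters you supply; the UUID and LVM ids in the demo are constructed placeholders, not values from this page.

```shell
#!/bin/sh
# Added example: generate an early GRUB config (for grub-mkimage -c) from a
# LUKS UUID. cryptomount -u only matches the bare 32-hex form, so a UUID copied
# from `cryptsetup luksUUID` (which prints dashes) is normalised and validated
# here instead of failing at boot with "no such cryptodisk found".

# luks_uuid_for_grub UUID -> prints the UUID without dashes, lower-case;
# returns 1 if the result is not exactly 32 hex digits.
luks_uuid_for_grub() {
    u=$(printf '%s' "$1" | tr -d '-' | tr 'A-F' 'a-f')
    case $u in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#u}" -eq 32 ] || return 1
    printf '%s\n' "$u"
}

# write_early_cfg UUID ROOT GRUBDIR OUTFILE
#   ROOT    GRUB device spec of the volume holding /boot once unlocked,
#           e.g. lvmid/<vg-uuid>/<lv-uuid> (LVM on LUKS) or crypto0 (plain LUKS)
#   GRUBDIR grub directory inside ROOT, e.g. grub or boot/grub
write_early_cfg() {
    uuid=$(luks_uuid_for_grub "$1") || {
        printf 'not a LUKS UUID: %s\n' "$1" >&2
        return 1
    }
    cat >"$4" <<EOF
cryptomount -u $uuid
set root='$2'
set prefix=(\$root)/$3
insmod normal
EOF
}

# Demo on constructed placeholder values when run without arguments:
#   sh early-cfg.sh                    -> prints the config to stdout
#   sh early-cfg.sh UUID ROOT DIR OUT  -> writes it for your own values
if [ "$#" -eq 4 ]; then
    write_early_cfg "$@"
elif [ "$#" -eq 0 ]; then
    write_early_cfg 0123abcd-4567-89ef-0123-456789abcdef \
        'lvmid/VG-UUID-PLACEHOLDER/LV-UUID-PLACEHOLDER' grub /dev/stdout
fi
```

The generated file is what you hand to grub-mkimage -c (or grub-install's early config); validating the UUID before building the image is cheaper than discovering a stray character at the grub rescue prompt.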

ceri commented on 2021-01-18 14:53

I'm using luks2 with pbkdf2 keys for encrypted /boot and I'm having difficulty with the grub EFI.

It complains/lies "no such cryptodisk found" with the UUID of my boot partition. If I manually unlock it, it shows the same UUID (with hyphens), and the main grub loader starts:

cryptomount (hd2,gpt2)

insmod normal


This is the command I'm using to build my EFI stub

sudo grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub_new --recheck

Any ideas?

praise_x commented on 2020-11-27 17:20

Here is my patch to use 4096-byte sectors with LUKS2

diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 473c93976..4016ed7ba 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -237,6 +237,8 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
     return (do_encrypt ? grub_crypto_ecb_encrypt (dev->cipher, data, data, len)
        : grub_crypto_ecb_decrypt (dev->cipher, data, data, len));

+  sector <<= (dev->log_sector_size - 9);
   for (i = 0; i < len; i += (1U << dev->log_sector_size))
       grub_size_t sz = ((dev->cipher->cipher->blocksize
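Review bot: the new `sector <<= (dev->log_sector_size - 9);` line assumes `dev->log_sector_size >= 9`; for any smaller value the shift count is negative, which is undefined behaviour in C, so either guard the shift or assert that invariant where `log_sector_size` is assigned. It also silently changes the unit of `sector` before the per-block IV is derived from it, and nothing in the hunk says why the IV index has to grow by sector_size/512 rather than stay in device-sector units; an IV unit mismatch does not error out, it just decrypts to garbage, so add a comment stating the reasoning and note that it was verified against a volume formatted by cryptsetup with --sector-size 4096.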
@@ -391,7 +393,7 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
-      sector++;
+      sector += 1 << (dev->log_sector_size - 9);
   return GPG_ERR_NO_ERROR;
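Review bot: `sector += 1 << (dev->log_sector_size - 9);` repeats the `log_sector_size - 9` step from the previous hunk as a bare expression, and the two must stay in sync; compute it once before the loop (for example `step = (grub_disk_addr_t) 1 << (dev->log_sector_size - 9);`) and use `step` in both places. The literal `1` is a plain `int`, so cast it to the type of `sector` before shifting instead of feeding a signed shift result into the 64-bit counter.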
diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
index d96764a02..8ec4ed9f5 100644
--- a/grub-core/disk/luks2.c
+++ b/grub-core/disk/luks2.c
@@ -498,7 +498,10 @@ luks2_decrypt_key (grub_uint8_t *out_key,
       goto err;

+  int original_log_sector_size = crypt->log_sector_size;
+  crypt->log_sector_size = 9;
   gcry_ret = grub_cryptodisk_decrypt (crypt, split_key, k->area.size, 0);
+  crypt->log_sector_size = original_log_sector_size;
   if (gcry_ret)
       ret = grub_crypto_gcry_error (gcry_ret);
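Review bot: the save-and-restore of `crypt->log_sector_size` around `grub_cryptodisk_decrypt` needs a comment explaining why the keyslot area is decrypted with 512-byte sectors while the data segment uses the larger size (keyslot material in LUKS2 is encrypted in 512-byte sectors independently of the data segment's sector size, which is what the magic `9` encodes); without it the next reader will "fix" it back. Temporarily mutating a field of the shared `crypt` object to pass a parameter is also fragile: any `goto err` inserted between the two assignments later would leave the wrong sector size in place for the data path. Decrypting the split key through a local copy of the struct, or passing the sector size explicitly to the decrypt call, avoids the hidden state.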

rushaur commented on 2020-10-07 11:19

I finally could boot from a LUKS2 encrypted root (not converted). If someone is interested, here are the steps, with help from @air-g4p's comments. By the way, thank you!

1- As usual, partition/format the disk. I had only two partitions:
sda1 ------> /boot/efi
sda2 ------> /

2- Encryption:

modprobe dm-crypt
cryptsetup -y --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --pbkdf pbkdf2 --type luks2 luksFormat /dev/sda2
__mapper__=/dev/mapper/luks-"$(cryptsetup luksUUID /dev/sda2)"

AFAIK --allow-discards --persistent are LUKS2 only:

cryptsetup --allow-discards --persistent open /dev/sda2 luks-"$(cryptsetup luksUUID /dev/sda2)"

3- Make the filesystem and mount it to /mnt:

mkfs.btrfs "${__mapper__}"
mount -o noatime,compress=zstd,ssd,space_cache=v2 "${__mapper__}" /mnt

Steps to create/mount subvolumes skipped here to keep things short

mkfs.fat -F 32 /dev/sda1
mount /dev/sda1 /mnt/boot/efi

4- Install the new system: the usual pacstrap /mnt pkg1 pkg2 pkgn...

pacman -r /mnt -U /path/to/grub-git.pkg.tar.zst

5- Tweaks: replace xxxxx with the UUID of your root. You can get it by running:

cryptsetup luksUUID /dev/YOUR_ROOT_PARTITION

Edit (/mnt)/etc/default/grub to reflect this:


If you plan to unlock with a keyfile, luksAddKey accepts --pbkdf pbkdf2 cmdline parameter

For later reuse, let's make the script provided by @air-g4p locally available, modified for my own use case. Because I created a subvolume @grub to be mounted later at /boot/grub, you will see the @grub notation:

cat <<'__END_SCRIPT__' >/usr/local/bin/grub-mkluks2-image
#!/bin/bash
# Build a GRUB EFI image that unlocks the LUKS2 root at boot: the early config
# (cryptomount + prefix) is embedded with -c, prefix points at the @grub
# subvolume that is mounted at /boot/grub.
set -e
read -rp "Enter the partition containing /, without '/dev/': " __ROOT__
cr_root_uuid="$(cryptsetup luksUUID "/dev/${__ROOT__}")"
CONFIG=$(mktemp /tmp/grub-config.XXXXX)
# cryptomount -u wants the UUID without dashes, hence ${cr_root_uuid//-/}
cat >"$CONFIG" <<EOF
cryptomount -u ${cr_root_uuid//-/}

set prefix='(crypto0)/@grub'
set root='(crypto0)'

insmod normal
EOF

grub-mkimage \
    -p '(crypto0)/@grub' \
    -O x86_64-efi \
    -c "$CONFIG" \
    -o /boot/efi/EFI/archlinux/grubx64.efi \
    luks2 btrfs part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512

rm "$CONFIG"
__END_SCRIPT__

chmod 755 /usr/local/bin/grub-mkluks2-image

It might be useless; but at least it will create the directory structure :)

grub-install --target=x86_64-efi --modules="luks2 part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512" --efi-directory=/boot/efi --bootloader-id="archlinux" --recheck

Create the "new" bootloader which will include the modules/instructions needed to unlock our luks2 container:


If all goes well, you will be hopefully greeted by grub asking for enc. passphrase :)

yangsheng6810 commented on 2020-10-02 00:15

In case someone else, like me, does not know how to modify an existing LUKS2 partition with argon2 keys to make it work, here is how I did it. You may need to remove every argon2 key to make GRUB unlocking work. (For me, the argon2 keys that use a keyfile instead of a passphrase can be kept.)

# my encrypted device is /dev/nvme0n1p3, replace with your own device
DEVICE=/dev/nvme0n1p3
# show current LUKS header, and observe which are existing key slots
sudo cryptsetup luksDump "$DEVICE"
# add a key using pbkdf2
sudo cryptsetup luksAddKey --pbkdf pbkdf2 "$DEVICE"
# remove old keys that use argon2/argon2i, replace the 0 with your key slot
sudo cryptsetup luksKillSlot "$DEVICE" 0
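As an added example (not from yangsheng6810's comment or from the package): a POSIX shell check that reads cryptsetup luksDump output and lists the keyslots this GRUB build cannot open (anything other than pbkdf2) together with a data-segment sector size other than 512, the two header properties the comments on this page keep tripping over (rushaur's and air-g4p's pbkdf2 requirement, praise_x's 4096-byte sectors). The two luksDump transcripts embedded below are constructed for the demo, not dumps of a real device.

```shell
#!/bin/sh
# Added example: decide from `cryptsetup luksDump` text whether a LUKS2 header
# is in a shape this GRUB build can unlock. Two things matter:
#   * every passphrase keyslot GRUB should open must use PBKDF2 (no argon2*)
#   * the data segment must use 512-byte sectors unless GRUB is patched for more
# The parser tracks which luksDump section it is in, because the "Digests:"
# section also prints "0: pbkdf2" and must not be mistaken for a keyslot.

# luks_grub_check < luksdump.txt
# prints one line per problem; exit status 0 if none were found, 1 otherwise
luks_grub_check() {
    awk '
        /^Data segments:/               { sect = "seg";  next }
        /^Keyslots:/                    { sect = "slot"; next }
        /^Tokens:/ || /^Digests:/       { sect = "";     next }
        sect == "slot" && /^ +[0-9]+: / { slot = $1; sub(":", "", slot); next }
        sect == "slot" && $1 == "PBKDF:" && $2 != "pbkdf2" {
            printf "keyslot %s uses %s; GRUB needs pbkdf2 (luksAddKey --pbkdf pbkdf2, then luksKillSlot)\n", slot, $2
            bad++
        }
        sect == "seg" && $1 == "sector:" && $2 != "512" {
            printf "data segment sector size %s; unpatched GRUB assumes 512\n", $2
            bad++
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed luksDump excerpt: an argon2id passphrase slot, a pbkdf2 slot,
# and a 4096-byte data sector size.
sample_needs_work() {
    cat <<'EOF'
LUKS header information
Version:        2
UUID:           11111111-2222-3333-4444-555555555555

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 4096 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
  1: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha512
        Iterations: 1000000
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha512
        Iterations: 123456
EOF
}

# Constructed luksDump excerpt in the shape the comments end up with:
# pbkdf2-only keyslots and 512-byte sectors.
sample_ok() {
    cat <<'EOF'
LUKS header information
Version:        2

Data segments:
  0: crypt
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        PBKDF:      pbkdf2
        Hash:       sha512
  1: luks2
        PBKDF:      pbkdf2
        Hash:       sha512
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha512
EOF
}

# Demo on the constructed header. On a real system run:
#   sudo cryptsetup luksDump /dev/sdXZ | luks_grub_check
if sample_needs_work | luks_grub_check; then
    echo "unexpected: constructed header passed"
else
    echo "constructed header needs the changes listed above"
fi
```

Run it against the real header before rebuilding the GRUB image: a keyslot it flags is one GRUB will skip at the passphrase prompt, and a flagged sector size means the unpatched cryptodisk code will not decrypt the volume at all.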

air-g4p commented on 2020-09-29 07:53

@drgr33n - Noted; however, if you look through the grub-devel archives you will see there are numerous argon2 threads. is but one example.

From what I can discern, the devs believe that future support for argon2 will not be all that difficult to incorporate. That being said, it appears that the window for including argon2 support in 2.06 has already closed. So, we'll just have to be patient and continue our LUKS2 grub /boot unlocking with pbkdf2 until then.

Personally, I remain thankful that we now have a documented, working LUKS2 grub /boot unlocking procedure well ahead of schedule! I boot from LUKS2 /boot on both of my laptops without issue.


drgr33n commented on 2020-09-25 22:39

luks2 works fine as long as you use pbkdf2. I have just set it up on my new laptop and it works great. Pity about the argon2 support though. Hopefully that will come soon enough.

air-g4p commented on 2020-09-03 22:48

If anyone desires to automate their LUKS2 GRUB encrypted /boot unlocking process, Patrick S. (of grub-dev) was kind enough to develop and share with me a generic grub-mkimage unlocking script, which obviously needs to be modified in accordance with the specifics of your system.

The following script includes the modifications I made to unlock my system, remaining consistent with my prior system setup comments.


# Early config embedded into the image with -c: unlock the LUKS2 container,
# then point root/prefix at the LV holding /boot/grub.
CONFIG=$(mktemp /tmp/grub-config.XXXXX)
cat >"$CONFIG" <<EOF
cryptomount -u XXX #(where XXX=the UUID of your Arch encrypted / partition, in my case:  /dev/sda7)# 

set prefix=(lvm/ArchSSD-root)/boot/grub
set root=lvm/ArchSSD-root

insmod normal
EOF

grub-mkimage \
    -p '(lvm/ArchSSD-root)/boot/grub' \
    -O x86_64-efi \
    -c "$CONFIG" \
    -o /tmp/image \
    luks2 lvm btrfs part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512

rm "$CONFIG"



Ignore the final </code> line above. That's merely a markdown codeblock artifact.

That script when executed, generates a GRUB executable image file stored at: /tmp/image.

Finally, you need to overwrite your existing grubx64.efi file. Run something similar to:

cp /tmp/image /efi/EFI/Luks2Testing/grubx64.efi

Reboot, and enjoy automated unlocking of your LUKS2 encrypted /boot, / and swap!

air-g4p commented on 2020-08-30 09:52

FINALLY! The correct procedure to unlock a LUKS2 encrypted /boot:

I have been working with the fine folks on the grub-devel mailing list. Following MANY hours of testing, I have identified a process to successfully unlock a LUKS2 encrypted /boot.

This process still requires manual intervention following reboot, but the important part is that IT WORKS!

Carefully Note: I originally encrypted my partition with: cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random --type luks1 luksFormat /dev/sdXZ

You may have run cryptsetup luksFormat with different options - and how you set up encryption will become important in the grub-install (Step 5, below). Adapt to your requirements.

Then I set up two LVs: swap (512M) and / (remaining partition space). That encrypted swap LV is assigned as dm-1 and encrypted / is assigned as dm-2. I happen to run dm-2 with BTRFS, but any sane filesystem should also work.

GRUB has always booted my LUKS1 encrypted: /boot, / and swap system without issue.

The process I used to successfully unlock my LUKS2 encrypted /boot:

  1. UEFI boot from any reasonably recent arch iso, and run: cryptsetup convert --type luks2 /dev/sdXZ. That command will succeed, and luksDump will show PBKDF: pbkdf2 for both Keyslot 0 and 1.

  2. Run cryptsetup open /dev/sdXY <something>

  3. Mount everything and arch-chroot into /

  4. Run mkinitcpio -P linux

  5. Run grub-install --target=x86_64-efi --efi-directory=/efi --modules="luks2 part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512" --bootloader-id=<some-id>. That installation command completes without error, ASSUMING you are actually running grub-git! If you are running Arch GRUB from the mainline repos, you WILL GET a luks2.mod not found error! Also note my use of gcry_sha512 given my cryptsetup luksFormat options, shown above.

  6. Run grub-mkconfig -o /boot/grub/grub.cfg

  7. Exit, umount and reboot.

  8. Immediately following power on: you are greeted by the dreaded: error: disk 'lvmid/some-lengthy-UUID' not found. Entering rescue mode. That lengthy UUID is the exact UUID of my dm-2 which is my encrypted / LV.

  9. At the grub rescue> prompt: type ls. There I see (proc) (hd0) and (hd0,gpt1)...(hd0,gpt7) where gpt7 is my last partition and where my encrypted / and /boot reside.

  10. Still at grub rescue> type: cryptomount (hd0,gpt7) which then requires my passphrase. After CORRECT passphrase entry, and hitting Enter: You should see 'Slot 0 opened' and then you are immediately returned to the grub rescue> prompt.

  11. From grub rescue> type: ls. Unlike before, you will now see something similar to: (proc) (hd0) and (hd0,gpt1)...(hd0,gpt7) where gpt7 is my last partition and where my encrypted / resides. ADDITIONALLY, you should now also see your LVs similar to: (lvm/ArchSSD-root) and (lvm/ArchSSD-swap) depending upon your local LV naming convention decisions. This is important PROGRESS as it demonstrates that GRUB has successfully decrypted your LUKS2 encrypted /boot using your LUKS2 key from Keyslot 1!!!

  12. From grub rescue> type: insmod normal

  13. From grub rescue> type: normal

That should launch your typical/welcome Arch Linux and Advanced options for Arch Linux screen as controlled by /etc/default/grub and by X.

After you select the kernel to boot, GRUB hands over control to the kernel which uses your LUKS2 key from Keyslot 0 to decrypt your encrypted swap (dm-1) and your encrypted / (dm-2).

My launcher (with multiple Arch kernels, and several multi-booting OSes) works perfectly...hope yours does also!