enter FDE password after grub menuentry
My system is a dual boot of Windows 10 (sdb) and Manjaro (sda) installed on separate hard drives. The Windows system drive is encrypted with BitLocker and Manjaro is encrypted via LVM over LUKS, as shown below (lsblk).
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 931.5G 0 disk
├─sda1 8:1 0 619M 0 part /boot/efi
├─sda2 8:2 0 232.8G 0 part
│ └─cryptroot 254:0 0 232.8G 0 crypt
│ ├─vg0-swap 254:1 0 32G 0 lvm [SWAP]
│ ├─vg0-system 254:2 0 20G 0 lvm /
│ └─vg0-data 254:3 0 180.8G 0 lvm /home
└─sda5 8:5 0 698.1G 0 part
sdb 8:16 0 232.9G 0 disk
├─sdb1 8:17 0 499M 0 part
├─sdb2 8:18 0 100M 0 part
├─sdb3 8:19 0 16M 0 part
└─sdb4 8:20 0 232.3G 0 part
I set up grub2 as the default bootloader (installed on Manjaro) and it is able to ask me via a menu whether I want to boot Windows or Manjaro. However, the problem is that it asks for the (LUKS FDE) password before giving me that menu. As a result, because Windows is already encrypted with BitLocker, I have to enter the Windows BitLocker password after the LUKS password, which is quite inconvenient. (If I want to boot to Manjaro, surprisingly, I don't need to enter the LUKS password twice.)
Because Windows and Manjaro are installed on different physical hard drives and the boot partition is not encrypted (as shown above), it shouldn't be necessary for grub to ask me for the LUKS password when I want to boot to Windows. It should first show the menu and ask me for the LUKS password only if I choose to boot to Manjaro. But I am not sure how to configure this, and I can't find many resources about it.
Here is my grub config file (at /etc/default/grub):
GRUB_DEFAULT=saved
GRUB_TIMEOUT=10
GRUB_TIMEOUT_STYLE=hidden
GRUB_DISTRIBUTOR="Manjaro"
GRUB_CMDLINE_LINUX_DEFAULT="quiet udev.log_priority=3"
GRUB_CMDLINE_LINUX="cryptdevice=UUID=<uuid_is_hidden>:cryptroot"
# If you want to enable the save default function, uncomment the following
# line, and set GRUB_DEFAULT to saved.
GRUB_SAVEDEFAULT=true
# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"
# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y
# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console
# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command 'videoinfo'
GRUB_GFXMODE=auto
# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep
# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true
# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true
# Uncomment and set to the desired menu colors. Used by normal and wallpaper
# modes only. Entries specified as foreground/background.
GRUB_COLOR_NORMAL="light-gray/black"
GRUB_COLOR_HIGHLIGHT="green/black"
# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/usr/share/grub/background.png"
GRUB_THEME="/usr/share/grub/themes/manjaro/theme.txt"
# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"
OK, after a lot of research, I figured out a solution, but it might not be the best solution (see caveats below).
Notice the line below in lsblk:
├─sda1 8:1 0 619M 0 part /boot/efi
The /boot partition is actually encrypted, except for the EFI partition /boot/efi. I remember this being the recommended (and probably the default) setting when I installed Manjaro. Because grub reads the menu entries from /boot/grub/grub.cfg, it must first decrypt the LUKS volume (/boot/grub is encrypted). Therefore, if we want grub to display the menu entries before entering the password, we must make sure /boot/grub/grub.cfg is not encrypted.
One way to do this is to mount sda1 as /boot instead of /boot/efi. To do this, we first need to edit /etc/fstab to change the mount destination. Then, we need to copy all files from /boot to sda1. You may want to reinstall grub and regenerate the initramfs in the process. The following commands are useful for this.
sudo mkinitcpio -P
sudo grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=manjaro --recheck
sudo grub-mkconfig -o /boot/grub/grub.cfg
In the end, you need to comment out the line GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub to disable decryption from grub. When everything is done, run the following command to update grub and write the change.
sudo update-grub
initramfs so it does not need a password to unlock the LUKS volume; for details see here. Since /boot is not encrypted in the new setup, we must not include this keyfile in the initramfs. To do this, modify the config file for mkinitcpio (the default one should be /etc/mkinitcpio.conf) to remove the keyfile (under FILES=(...)), and regenerate the initramfs.
The default and recommended setting (/boot/efi instead of /boot) provides better security, as the only unencrypted part is the EFI binary (grubx64.efi). In my setup, however, the initramfs and the Linux kernel image (vmlinuz.img) are also unencrypted. An attacker can inject malicious code into these files that gets executed after you have entered the password. For the reason mentioned above, I don't think my solution is the best, and I am not sure whether there are other solutions to this problem that don't compromise too much security.
Useful links:
https://wiki.manjaro.org/index.php/GRUB/Restore_the_GRUB_Bootloader
https://wiki.archlinux.org/index.php/GRUB
https://wiki.archlinux.org/index.php/Mkinitcpio#Image_creation_and_activation
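As an added illustration (not part of the answer above, and not a Manjaro tool), here is a small POSIX shell audit for the caveat the answer describes: once GRUB_ENABLE_CRYPTODISK=y is commented out, GRUB no longer unlocks the LUKS volume, so /boot and the initramfs sit in the clear, and a LUKS keyfile still listed under FILES=(...) in /etc/mkinitcpio.conf would be readable by anyone holding the disk. The config contents, the "before"/"after" file names and the keyfile path /crypto_keyfile.bin are constructed samples; only the two config paths and the GRUB_ENABLE_CRYPTODISK setting come from the answer.

```shell
#!/bin/sh
# Added example (not from the answer): audit a /etc/default/grub and an
# /etc/mkinitcpio.conf pair. When GRUB does not decrypt /boot, the initramfs
# is unencrypted, so any LUKS keyfile embedded via FILES=(...) leaks.

# Print the entries of the FILES=(...) array of a mkinitcpio.conf, one per line.
mkinitcpio_files() {
    sed -n 's/^[[:space:]]*FILES=(\(.*\))[[:space:]]*$/\1/p' "$1" \
        | tr -d '"' | tr ' ' '\n' | sed '/^$/d'
}

# Exit 0 when GRUB_ENABLE_CRYPTODISK=y is active (GRUB unlocks LUKS itself,
# so /boot is expected to live inside the encrypted volume); a commented-out
# line does not count.
grub_cryptodisk_enabled() {
    grep -q '^[[:space:]]*GRUB_ENABLE_CRYPTODISK=y' "$1"
}

# Report OK (exit 0) or RISK (exit 1) for the pair of config files.
# $1 = /etc/default/grub, $2 = /etc/mkinitcpio.conf
audit_boot_config() {
    # Heuristic: any FILES entry whose name mentions "key" is treated as a keyfile.
    keyfiles=$(mkinitcpio_files "$2" | grep -i 'key' || true)
    if grub_cryptodisk_enabled "$1"; then
        echo "OK: GRUB unlocks LUKS itself, so /boot and the initramfs stay encrypted"
        return 0
    fi
    if [ -n "$keyfiles" ]; then
        echo "RISK: GRUB does not decrypt /boot, yet the initramfs embeds a LUKS keyfile:"
        echo "$keyfiles" | sed 's/^/  /'
        return 1
    fi
    echo "OK: unencrypted /boot, and no keyfile is embedded in the initramfs"
    return 0
}

# Write constructed "before" (original layout) and "after" (migrated) sample
# configs into directory $1. /crypto_keyfile.bin is an assumed keyfile name.
write_sample_configs() {
    cat > "$1/grub.before" <<'EOF'
GRUB_CMDLINE_LINUX="cryptdevice=UUID=<uuid_is_hidden>:cryptroot"
# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y
EOF
    # The answer's final step: comment the line out.
    sed 's/^GRUB_ENABLE_CRYPTODISK=y/#&/' "$1/grub.before" > "$1/grub.after"
    cat > "$1/mkinitcpio.before" <<'EOF'
MODULES=()
FILES=(/crypto_keyfile.bin)
HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 filesystems fsck)
EOF
    # The caveat's fix: drop the keyfile from FILES=(...).
    sed 's|^FILES=(.*)|FILES=()|' "$1/mkinitcpio.before" > "$1/mkinitcpio.after"
}

# Stand-alone demo: original layout, half-migrated layout, fully fixed layout.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
audit_boot_config "$demo_dir/grub.before" "$demo_dir/mkinitcpio.before"
audit_boot_config "$demo_dir/grub.after"  "$demo_dir/mkinitcpio.before"
audit_boot_config "$demo_dir/grub.after"  "$demo_dir/mkinitcpio.after"
rm -r "$demo_dir"
```

Run it on a real system as `audit_boot_config /etc/default/grub /etc/mkinitcpio.conf` after sourcing the functions; the middle demo case is the state a system is left in if GRUB_ENABLE_CRYPTODISK is commented out before the keyfile is removed and `mkinitcpio -P` is re-run.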