NeuroAgent

Why does the second Fedora ask for the LUKS2 key from the first system?

Learn why the second Fedora system asks for the LUKS key from the first system during boot and how to fix it. Complete guide to solving GRUB and encryption issues.

Question

Why does the second Fedora system request the LUKS2 key from the first Fedora system during boot?

I have the first Fedora system installed with encrypted partitions:
├─sda1 256M 0 part /boot/efi
├─sda2 1G 0 part /boot
├─sda3 37G 0 part
│ └─ 37G 0 crypt /
├─sda4
│ └─50G 0 crypt /home

Only the root partition (/) and home directory (/home) are encrypted. During boot, the first system requests the key once, and there are no problems.

If I manually install a second Fedora system on the same disk (with or without encryption), it still requests the key from the first system. It doesn’t matter that after this I enter the wrong key from the first system 2-3 times - the system still boots without any problems.

The second system’s layout:
├─sda9 8:9 0 244M 0 part /boot/efi
├─sda10 8:10 0 954M 0 part /boot
├─sda11 8:11 0 32.6G 0 part /
└─sda12 8:12 0 37.3G 0 part /home

What could be the reason for this behavior?

NeuroAgent

The main reason the second Fedora system requests the LUKS2 key from the first system is related to how GRUB handles encrypted partition detection during boot. Even if the second system doesn’t have explicit encryption, GRUB tries to detect and unlock all found LUKS containers on the disk.

Why GRUB requests the key from the first system

GRUB (Grand Unified Boot Loader) automatically scans all available partitions for LUKS encrypted containers during boot. When you already have a first system with LUKS partitions on your disk, GRUB detects these containers and attempts to unlock them, regardless of which system you’re trying to boot.

In your case, even though the second system doesn’t use encryption, GRUB still detects the LUKS containers from the first system (sda3 and sda4) and requests a password to unlock them. This behavior occurs due to the following factors:

  1. Automatic detection: GRUB has built-in cryptodisk support and automatically scans disks for LUKS partitions
  2. Shared boot environment: Both systems use the same disk, so GRUB sees all partitions
  3. Lack of proper configuration: GRUB isn’t configured to ignore irrelevant encrypted partitions

Technical explanation of the problem

How GRUB works with LUKS

According to the Fedora documentation, GRUB 2 supports working with encrypted disks through the cryptodisk module. The process works as follows:

  1. GRUB loads and scans all available devices
  2. If a LUKS container is detected, GRUB requests a password to unlock it
  3. After successful unlocking, GRUB can load the kernel and initramfs

The problem with multiple systems

As explained in the Arch Linux community, GRUB doesn’t pass the password or unlock status to systemd. This means each LUKS container requires separate unlocking.

In your scenario:

  • The first system has encrypted root partition (sda3) and home directory (sda4)
  • The second system has no encryption, but GRUB still detects the existing LUKS containers
  • GRUB attempts to unlock all found containers, requesting the password from the first system

Solutions to the problem

1. Disabling automatic LUKS detection

You can configure GRUB so it doesn’t try to automatically detect and unlock LUKS containers. To do this, edit the /etc/default/grub file:

bash
sudo nano /etc/default/grub

Find the line GRUB_ENABLE_CRYPTODISK=y and replace it with:

GRUB_ENABLE_CRYPTODISK=n

Then update the GRUB configuration:

bash
sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg

2. Using a separate boot partition

As recommended on Unix Stack Exchange, use a separate boot partition for each system:

  • First system: /boot on sda2
  • Second system: /boot on sda10

This will prevent GRUB detection conflicts.

3. Configuring GRUB_PRELOAD_MODULES

Add to /etc/default/grub:

GRUB_PRELOAD_MODULES="luks cryptodisk"

And specify which partitions should be checked:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda3:rootfs cryptdevice=/dev/sda4:homefs"

4. Completely disabling os-prober

If the second system doesn’t need to be in the first system’s GRUB menu, disable automatic detection:

GRUB_DISABLE_OS_PROBER=true

Preventing future issues

1. Planning the installation

Before installing the second system:

  1. Create a separate boot partition for each system
  2. Use different names for GRUB configurations
  3. Consider using LVM for better management

2. Regular GRUB updates

After making changes to the system, always update the GRUB configuration:

bash
sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg

3. Backing up the configuration

Keep copies of important configuration files:

bash
sudo cp /etc/default/grub /etc/default/grub.backup
sudo cp /boot/efi/EFI/fedora/grub.cfg /boot/efi/EFI/fedora/grub.cfg.backup

Verifying current GRUB configuration

To understand the current GRUB configuration, run:

bash
sudo cat /etc/default/grub
sudo cat /boot/efi/EFI/fedora/grub.cfg | grep -i crypt

Look for the following parameters:

  • GRUB_ENABLE_CRYPTODISK
  • GRUB_PRELOAD_MODULES
  • GRUB_CMDLINE_LINUX
  • cryptdevice settings

If you see references to sda3 or sda4 in the second system’s GRUB configuration, this explains why the password from the first system is being requested.

Conclusion

The problem occurs because GRUB automatically detects all LUKS containers on the disk, regardless of which system is being booted. The main solutions are:

  1. Disable automatic LUKS detection in GRUB via GRUB_ENABLE_CRYPTODISK=n
  2. Use separate boot partitions for each system
  3. Configure GRUB to check only necessary partitions
  4. Disable os-prober if the second system isn’t needed in the boot menu

For your case, we recommend starting with disabling GRUB_ENABLE_CRYPTODISK, since the second system doesn’t use encryption. This will prevent unnecessary password prompts when booting the second system.

Sources

  1. LUKS2 encrypted boot on Fedora - how to set up correctly? - Fedora Discussion
  2. Working with the GRUB 2 Boot Loader :: Fedora Docs
  3. How to get a dual boot (2 Linux OSs) system working when both are LUKS-encrypted - Unix & Linux Stack Exchange
  4. System asking for 3 passwords on boot - Arch Linux Forums
  5. Using a single passphrase to unlock multiple encrypted disks at boot - Unix & Linux Stack Exchange
  6. Let Passphrase Be Asked Only Once During Boot - Gentoo Configuration Guide
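
The check described under "Verifying current GRUB configuration", written as a small script. This is an added example, not part of the original answer. The function names and the sample files are constructed for illustration, and the search also covers rd.luks.uuid, dracut's kernel parameter for LUKS devices, which the answer does not mention.

```shell
#!/bin/sh
# Added example: report crypt-related GRUB settings and LUKS references.
# rd.luks.uuid is dracut's parameter; the page itself only names cryptdevice.

# Print the value of KEY from a shell-style defaults file ("unset" if absent).
grub_setting() {   # usage: grub_setting KEY FILE
    val=$(sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 | tr -d "\"'")
    printf '%s\n' "${val:-unset}"
}

# Print each distinct cryptdevice=/rd.luks.uuid= reference found in FILE.
crypt_refs() {     # usage: crypt_refs FILE
    { grep -oE '(cryptdevice|rd\.luks\.uuid)=[^ "]+' "$1" || true; } | sort -u
}

# Summarise both files so stale references to another install stand out.
audit_grub() {     # usage: audit_grub DEFAULTS_FILE GRUB_CFG
    for key in GRUB_ENABLE_CRYPTODISK GRUB_PRELOAD_MODULES GRUB_DISABLE_OS_PROBER; do
        printf '%s=%s\n' "$key" "$(grub_setting "$key" "$1")"
    done
    refs=$(crypt_refs "$2")
    if [ -n "$refs" ]; then
        printf 'crypt references in %s:\n%s\n' "$2" "$refs"
    else
        printf 'no crypt references in %s\n' "$2"
    fi
}

# Constructed sample input (stand-ins for /etc/default/grub and grub.cfg).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/grub" <<'EOF'
GRUB_ENABLE_CRYPTODISK=y
GRUB_PRELOAD_MODULES="luks cryptodisk"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda3:rootfs cryptdevice=/dev/sda4:homefs"
EOF
cat > "$demo_dir/grub.cfg" <<'EOF'
linux /vmlinuz root=/dev/sda11 ro cryptdevice=/dev/sda3:rootfs cryptdevice=/dev/sda4:homefs
EOF
audit_grub "$demo_dir/grub" "$demo_dir/grub.cfg"
```

On a real system, pass the second install's /etc/default/grub and its generated grub.cfg as the two arguments, running as root if the files are not world-readable.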