Since Debian 13 (Trixie), when using the default FDE, which uses GRUB to decrypt the LUKS partition, I have a single attempt.
When the password is mistyped there is a long pause (over 10 seconds) and then the error appears.
I already tried increasing the max tries, which seems to be set to 1 when a keyfile is used.
The config/script seems to be in /usr/share/initramfs-tools/scripts/local-top/cryptroot.
I copied that to /etc/initramfs-tools/scripts/local-top/cryptroot and replaced the value CRYPTTAB_OPTION_tries=1 with 10 using find/replace (ansible stuff).
I think this has no effect, though, and doing so (might be a different issue) breaks boot entirely 💀
More info:
- By default, when legacy boot (BIOS) is available, Debian will install GRUB to the MBR. This is where it happens.
- When forcing or prioritizing legacy boot and using GPT, Debian somehow boots from a 300 MB EFI partition; the same happens though, one attempt.
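The post above edits CRYPTTAB_OPTION_tries inside a copied cryptroot script. The supported place for that value is the options field of /etc/crypttab (crypttab(5) documents tries=<num>), after which the initramfs is regenerated. The script below is an added example, not code from the original post: a POSIX sh function that sets or replaces one option for one crypttab mapping without disturbing the other entries, run against a constructed crypttab in a temp directory. Mapping names, UUIDs and key-file paths in the sample are made up. One caveat a practitioner should keep in mind: crypttab only governs the cryptsetup prompt inside the initramfs; GRUB's own cryptomount prompt, which is the stage the thread is about, does not read crypttab at all.

```shell
#!/bin/sh
# Added example (not from the original post): set an option in /etc/crypttab
# for a single mapping, idempotently, and apply it by rebuilding the initramfs.
#
# /etc/crypttab fields: <target name> <source device> <key file> <options>
# `tries=<num>` in the options field is documented in crypttab(5).

# set_crypttab_option FILE NAME OPTION
#   Adds OPTION (e.g. tries=10) to the options field of mapping NAME in FILE,
#   replacing an existing option with the same key (tries=1 -> tries=10).
#   Comment lines, blank lines and other mappings are passed through unchanged.
set_crypttab_option() {
    file=$1 name=$2 opt=$3
    optkey=${opt%%=*}              # "tries" for "tries=10", "discard" for "discard"
    awk -v name="$name" -v opt="$opt" -v optkey="$optkey" '
        /^[ \t]*#/ || NF == 0 { print; next }          # comments and blank lines
        $1 == name {
            n = split($4, parts, ",")                  # existing options, may be empty
            out = ""; found = 0
            for (i = 1; i <= n; i++) {
                p = parts[i]
                if (p == optkey || index(p, optkey "=") == 1) { p = opt; found = 1 }
                out = out (out == "" ? "" : ",") p
            }
            if (!found) out = out (out == "" ? "" : ",") opt
            if ($3 == "") $3 = "none"                  # crypttab allows omitting the key field
            $4 = out
            print $1, $2, $3, $4
            next
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Demonstration on a constructed crypttab (names, UUID and key path are made up).
demo_dir=$(mktemp -d)
cat > "$demo_dir/crypttab" <<'EOF'
# <target name> <source device> <key file> <options>
sda3_crypt UUID=1111-2222 none luks,discard
backup_crypt /dev/sdb1 /root/backup.key luks,tries=1
EOF

set_crypttab_option "$demo_dir/crypttab" sda3_crypt tries=10
set_crypttab_option "$demo_dir/crypttab" backup_crypt tries=10
cat "$demo_dir/crypttab"
rm -rf "$demo_dir"

# On a real system, after editing /etc/crypttab, rebuild the initramfs so the
# new options are picked up by scripts/local-top/cryptroot:
#   update-initramfs -u -k all
# This changes only the initramfs (cryptsetup) prompt, not GRUB's cryptomount.
```

Running the demo prints the two mappings with `tries=10` appended or substituted while the comment line is untouched; running it a second time on the same file changes nothing, which is what makes it safe to drive from Ansible.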
There is no attempt limit in GRUB by default: just use cryptomount (hd0,msdos1) and type in the password; repeat until you get it right.
I think he's referring to the 10-second pause between attempts. It's security theatre because you can replace the bootloader with one that doesn't pause.
Is it? I always thought the password is hashed via bcrypt (or similar) with very high difficulty, so it takes some time to check.
Disk encryption is LUKS, not bcrypt, and LUKS timeouts are configurable.
So, it is purely a software timeout and not a hardware one due to the key derivation algorithm? That's partly understandable, and partly a security hole if it can be disabled so easily.
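The last three replies argue about whether the wait is a deliberate delay or the cost of key derivation. That can be checked rather than guessed: the PBKDF parameters for each keyslot are stored in the LUKS header and shown by `cryptsetup luksDump`, and they are what every unlock attempt (in GRUB or in the initramfs) has to pay before a passphrase can be accepted or rejected. The script below is an added example, not from any of the posters: a sh function that pulls the PBKDF type and cost out of luksDump output, run here against a constructed, abridged dump (the device path in the comments is an assumption, the salts and UUID are omitted).

```shell
#!/bin/sh
# Added example (not from the original thread): summarize the key-derivation
# cost of each LUKS2 keyslot from `cryptsetup luksDump` output.

# Constructed, abridged luksDump output for the demo; not taken from a real
# device. Slot 0 uses argon2id, slot 1 was converted to pbkdf2.
sample_luks_dump() {
    cat <<'EOF'
LUKS header information
Version:       	2
Epoch:         	5
UUID:          	(omitted)
Label:         	(no label)

Data segments:
  0: crypt
	offset: 16777216 [bytes]
	length: (whole device)
	cipher: aes-xts-plain64
	sector: 512 [bytes]

Keyslots:
  0: luks2
	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	Cipher key: 512 bits
	PBKDF:      argon2id
	Time cost:  4
	Memory:     1048576
	Threads:    4
	Salt:       (omitted)
	AF stripes: 4000
	AF hash:    sha256
	Digest ID:  0
  1: luks2
	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	Cipher key: 512 bits
	PBKDF:      pbkdf2
	Hash:       sha256
	Iterations: 1000000
	Salt:       (omitted)
	AF stripes: 4000
	AF hash:    sha256
	Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
	Hash:       sha256
	Iterations: 123456
	Salt:       (omitted)
	Digest:     (omitted)
EOF
}

# luks_pbkdf_summary [FILE]
#   Reads luksDump output from FILE (or stdin) and prints one line per keyslot
#   with its PBKDF and cost parameters. Only the "Keyslots:" section is read;
#   the "Digests:" section also lists pbkdf2 iterations and must be skipped.
luks_pbkdf_summary() {
    awk '
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/  { in_slots = 0 }                      # any other top-level section
        in_slots && /^[ \t]+[0-9]+: / {                    # "  0: luks2"
            slot = $1; sub(":", "", slot); order[++n] = slot; next
        }
        in_slots && slot != "" {
            if ($1 == "PBKDF:")                   pbkdf[slot] = $2
            if ($1 == "Time" && $2 == "cost:")    tcost[slot] = $3
            if ($1 == "Memory:")                  mem[slot]   = $2   # KiB
            if ($1 == "Threads:")                 thr[slot]   = $2
            if ($1 == "Iterations:")              iter[slot]  = $2   # pbkdf2 slots only
        }
        END {
            for (i = 1; i <= n; i++) {
                s = order[i]
                if (pbkdf[s] == "pbkdf2")
                    printf "slot %s: pbkdf2 iterations=%s\n", s, iter[s]
                else
                    printf "slot %s: %s time_cost=%s memory_kib=%s threads=%s\n",
                           s, pbkdf[s], tcost[s], mem[s], thr[s]
            }
        }
    ' "${1:--}"
}

# Demo on the constructed dump.
sample_luks_dump | luks_pbkdf_summary

# On a real system (device path is an assumption):
#   cryptsetup luksDump /dev/sda3 | luks_pbkdf_summary
# To make every attempt cheaper for the slot you type at the GRUB prompt,
# re-derive that slot with cheaper parameters (it asks for the passphrase):
#   cryptsetup luksConvertKey --pbkdf pbkdf2 --iter-time 1000 /dev/sda3
# Cheaper derivation also makes offline guessing cheaper, so compensate with
# a stronger passphrase rather than treating the delay as the protection.
```

Against the sample the demo prints `slot 0: argon2id time_cost=4 memory_kib=1048576 threads=4` and `slot 1: pbkdf2 iterations=1000000`. A slot with argon2id at 1 GiB of memory and several passes is the kind of setting that turns into a multi-second wait in a bootloader, which is the point to check before concluding the pause is an artificial timeout.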