Does not prompt me for a passphrase for my encrypted drive during startup


#1

Went through the archlabs-installer and used the auto partitioning scheme. I also selected the encrypt drive option. Machine boots and I can log on as user and I can use the machine but I would expect that even before that there will be a prompt asking me for the passphrase to enable the encrypted drive. Did I go wrong somewhere? Where can I check if the setup is correct?


#2
lsblk -f

will show me your system block devices

ls -al /crypto_keyfile.bin

will show me if a keyfile was created

grep 'crypto_keyfile' /etc/mkinitcpio.conf

will show me if a keyfile was added to the initramfs.

It might also be relevant which bootloader you chose (I assume grub usually)


#3

I chose grub as the bootloader. The results of each listed command show everything is fine but the passphrase ask is still missing for boot up.


#4

How do you know what ‘fine’ is if you’re asking for help with the issue?

If you have a keyfile and aren’t being prompted for a passphrase then obviously something is wrong with the install process or in your choices. If I don’t know what I’m looking at (some info) then I can’t offer any more help.


#5

Sorry, did not mean to be vague. Here are the results.

NAME          FSTYPE      LABEL UUID                                 FSAVAIL FSUSE% MOUNTPOINT
sda                                                                                 
├─sda1        vfat              0142-357C                             396.6M    22% /boot
└─sda2        crypto_LUKS       b955d245-3b9b-4ba6-a4fb-c34e0cb38a66                
  └─cryptroot ext4              fe03e9a0-90a2-418a-b43a-b3e6c859c4ad  132.3G    14% /
---------- 1 root root 4096 Mar  1 03:55 /crypto_keyfile.bin
FILES=(/crypto_keyfile.bin)

#6

Try to remove the keyfile from the FILES=() in /etc/mkinitcpio.conf then rebuild it with

# change linux to linux-lts or linux-zen, etc. if needed
mkinitcpio -p linux

You shouldn’t need to touch the keyfile for now, reboot and see if it prompts for a passphrase. If all goes well you can remove the keyfile, I think that should be all that’s needed.

Can you also perhaps post the output of cat /etc/default/grub, there should be a couple lines

...
GRUB_ENABLE_CRYPTODISK=y
...
GRUB_CMDLINE_LINUX="...."
...

that’s all I’m interested in, if the reboot is fine and all then you can just disregard this.
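
Added example (not part of the thread and not ArchLabs installer code): a small audit for the situation diagnosed above, where a keyfile listed in FILES=() is packed into an initramfs that sits on an unencrypted /boot, so the volume unlocks without a prompt. The function names, the "name contains key" heuristic and the sample data are assumptions made for this example; it expects FILES=() on one line and LUKS without LVM, as in the thread.

```sh
#!/bin/sh
# Added example: flag a LUKS keyfile embedded in an initramfs stored on a
# non-encrypted /boot. All sample data below is constructed.

# Print each entry of the FILES=() array in a mkinitcpio.conf, one per line.
# Commented-out lines are ignored; a single-line array is assumed.
initramfs_files() {
    sed -n 's/^[[:space:]]*FILES=(\([^)]*\)).*$/\1/p' "$1" | tail -n 1 |
        tr -d "\"'" | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Print entries that look like keyfiles (heuristic: name contains "key").
embedded_keyfiles() {
    initramfs_files "$1" | grep -i 'key' || true
}

# Given saved `lsblk -rno TYPE,MOUNTPOINT` output, print the device type that
# backs /boot, falling back to / when /boot is not a separate mount.
boot_backing_type() {
    awk '$2=="/boot"{b=$1} $2=="/"{r=$1} END{ if (b=="") b=r; print b }' "$1"
}

# "exposed": a keyfile is packed into an initramfs on a non-crypt device.
# "ok": no keyfile embedded, or /boot itself lives inside the LUKS volume.
audit() {
    keys=$(embedded_keyfiles "$1")
    btype=$(boot_backing_type "$2")
    if [ -n "$keys" ] && [ "$btype" != "crypt" ]; then
        echo "exposed"
    else
        echo "ok"
    fi
}

# Constructed sample mirroring the thread: /boot on a plain partition,
# root inside the LUKS mapping, config before and after the fix.
demo() {
    d=$(mktemp -d)
    printf 'MODULES=()\nFILES=(/crypto_keyfile.bin)\n' > "$d/before.conf"
    printf 'MODULES=()\nFILES=()\n' > "$d/after.conf"
    printf 'disk \npart /boot\npart \ncrypt /\n' > "$d/lsblk.txt"
    echo "before fix: $(audit "$d/before.conf" "$d/lsblk.txt")"
    echo "after fix:  $(audit "$d/after.conf" "$d/lsblk.txt")"
    rm -rf "$d"
}
demo
```

On a real system, save the output of lsblk -rno TYPE,MOUNTPOINT to a file and pass it as the second argument alongside /etc/mkinitcpio.conf.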


#7

Just dropped in, I recently installed the latest version several times, the prompt for LUKS / cryptroot only occurs when you choose systemd-boot instead of grub AFAIK.


#8

Thanks natemaia. That solved the issue.
I removed the keyfile from FILES=() in /etc/mkinitcpio.conf and then rebuilt it with

# change linux to linux-lts or linux-zen, etc. if needed
mkinitcpio -p linux

rebooted and the system prompts for the passphrase as expected. Much obliged.


#9

Thanks gazeka74 for the additional information. I thought it should work for grub because that was what I did on other distros I tried. Seems to be a step missing in the installer automatic process I think.


#10

Hmm interesting, it should (obviously) not do that :stuck_out_tongue:

They’re all just supposed to prompt once, I know what’s happening but not fully why. In the installer if the system is BIOS, the bootloader is grub, and the user set up LUKS (but not lvm), then a keyfile is gonna get created.

Perhaps something changed recently but with all my testing (given I only have a few machines) I was prompted twice for password, leading me to think a keyfile was the answer…

I’ll do some fiddling around and see what I can figure out, but I think it’s safe to say at this point it was an error on my part and that keyfile creation will likely be dropped from the installer.


#11

Awesome stuff, feel free to remove the keyfile.