Auto mount of LUKS partition

I have a data partition that is LUKS encrypted. I mount this partition via /etc/fstab and /etc/cryptab. This all worked very well until I installed some updates last week.

Now I get asked for the password of this partition every time I boot my system. It looks like initramfs (or maybe some other service) tries to decrypt this partition and fails because the path to the keyfile is unknown or not available.

I tried to remove this partition from fstab and crypttab. It still asks for the password.
Is there some hook that automatically tries to decrypt all partitions? Can I disable this behaviour somehow?

Are you running dracut or grub? Check with

pacman -Q | grep dracut

Please post the following information:

sudo blkid
cat /etc/fstab | grep -v '#'
sudo cat /etc/crypttab | grep -v '#'

if you run dracut:

cat /etc/kernel/cmdline

if you run grub:

grep ^GRUB_CMDLINE_LINUX_DEFAULT /etc/default/grub
grep ^GRUB_CMDLINE_LINUX /etc/default/grub

In your /etc/crypttab file, you may have a line like

luks-[somenumber]    UUID=[somenumber]    /crypto_keyfile.bin    luks

for each LUKS encrypted partition you have mounted. /crypto_keyfile.bin is the default Endeavour’s Calamares installer uses, but you may have placed it somewhere else. Try to make sure that file still exists. If it’s been moved, you might want to consider re-keying your luks partition.

1 Like

Thanks guys really appreciate the help.
I run grub as my bootloader but I also have dracut on my system.

The device is “d96bdc8f-334e-451f-89de-94dbd398b306” (sdb1).

Here is my output:

NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                                             8:0    0 465.8G  0 disk  
├─sda1                                          8:1    0 448.6G  0 part  
│ └─luks-27597fec-f5e6-4857-9026-58fdaee39c91 254:0    0 448.6G  0 crypt /var/log
│                                                                        /var/cache
│                                                                        /home
│                                                                        /
└─sda2                                          8:2    0  17.1G  0 part  
  └─luks-729926df-4255-4506-b49f-5b91c6b7804b 254:1    0  17.1G  0 crypt [SWAP]
sdb                                             8:16   0 931.5G  0 disk  
└─sdb1                                          8:17   0 736.2G  0 part  
  └─luks-d96bdc8f-334e-451f-89de-94dbd398b306 254:2    0 736.2G  0 crypt /media/data
sr0                                            11:0    1  1024M  0 rom

sudo blkid

/dev/mapper/luks-729926df-4255-4506-b49f-5b91c6b7804b: LABEL="swap" UUID="a7ee08d3-6518-43c8-a9a3-5cc0ca1fe460" TYPE="swap"
/dev/sdb1: UUID="d96bdc8f-334e-451f-89de-94dbd398b306" TYPE="crypto_LUKS" PARTUUID="06c81ab2-01"
/dev/mapper/luks-d96bdc8f-334e-451f-89de-94dbd398b306: LABEL="data" UUID="1f9bace0-a860-4a62-9635-7c8f416a15fe" BLOCK_SIZE="4096" TYPE="ext4"
/dev/mapper/luks-27597fec-f5e6-4857-9026-58fdaee39c91: LABEL="endeavouros" UUID="aaa21234-fd6a-41d2-b63b-e9cb33841655" UUID_SUB="0db3c1cd-fd04-4d86-8292-4b2bdc8ee4da" BLOCK_SIZE="4096" TYPE="btrfs"
/dev/sda2: UUID="729926df-4255-4506-b49f-5b91c6b7804b" TYPE="crypto_LUKS" PARTUUID="4f98680a-02"
/dev/sda1: UUID="27597fec-f5e6-4857-9026-58fdaee39c91" TYPE="crypto_LUKS" PARTUUID="4f98680a-01"

cat /etc/fstab | grep -v ‘#’

/dev/mapper/luks-27597fec-f5e6-4857-9026-58fdaee39c91   /             btrfs   subvol=/@,noatime,compress=zstd        0 0 
/dev/mapper/luks-27597fec-f5e6-4857-9026-58fdaee39c91   /home         btrfs   subvol=/@home,noatime,compress=zstd    0 0 
/dev/mapper/luks-27597fec-f5e6-4857-9026-58fdaee39c91   /var/cache    btrfs   subvol=/@cache,noatime,compress=zstd   0 0 
/dev/mapper/luks-27597fec-f5e6-4857-9026-58fdaee39c91   /var/log      btrfs   subvol=/@log,noatime,compress=zstd     0 0 
/dev/mapper/luks-729926df-4255-4506-b49f-5b91c6b7804b   swap          swap    defaults                               0 0 
tmpfs                                                   /tmp          tmpfs   noatime,mode=1777                      0 0 
/dev/mapper/luks-d96bdc8f-334e-451f-89de-94dbd398b306 /media/data ext4 defaults 0 0

sudo cat /etc/crypttab | grep -v ‘#’

luks-27597fec-f5e6-4857-9026-58fdaee39c91 UUID=27597fec-f5e6-4857-9026-58fdaee39c91     /crypto_keyfile.bin luks
luks-729926df-4255-4506-b49f-5b91c6b7804b UUID=729926df-4255-4506-b49f-5b91c6b7804b     /crypto_keyfile.bin luks
luks-d96bdc8f-334e-451f-89de-94dbd398b306 UUID=d96bdc8f-334e-451f-89de-94dbd398b306     /root/lukskey-data luks

grep ^GRUB_CMDLINE_LINUX_DEFAULT /etc/default/grub
grep ^GRUB_CMDLINE_LINUX /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="GRUB_CMDLINE_LINUX_DEFAULT='nowatchdog nvme_load=YES rd.luks.uuid=27597fec-f5e6-4857-9026-58fdaee39c91 rd.luks.uuid=729926df-4255-4506-b49f-5b91c6b7804b resume=/dev/mapper/luks-729926df-4255-4506-b49f-5b91c6b7804b loglevel=3' nvidia_drm.modeset=1"
GRUB_CMDLINE_LINUX_DEFAULT="GRUB_CMDLINE_LINUX_DEFAULT='nowatchdog nvme_load=YES rd.luks.uuid=27597fec-f5e6-4857-9026-58fdaee39c91 rd.luks.uuid=729926df-4255-4506-b49f-5b91c6b7804b resume=/dev/mapper/luks-729926df-4255-4506-b49f-5b91c6b7804b loglevel=3' nvidia_drm.modeset=1"

Seems to be set up correctly. (?)

Maybe check if your keyfile actually exists:

sudo [ -e '/root/lukskey-data'  ] && echo "File exists" || echo "File does not exist"

And maybe rebuild your initramfs before rebooting:
You said you’re using dracut, so run

sudo dracut-rebuild

else, if you’re using mkinitcpio

sudo mkinitcpio -P

Yes the file exists.

This is my boot screen:

I tried to rebuild the initramfs with sudo dracut-rebuild. If I do that I get asked for the password for all my luks partitions:

So I think the problem lies in the initramfs.

Sorry, I just noticed your root luks device is supposedly unlocked by keyfile in your /etc/crypttab.

Assuming you unlock your root device by password you should change the corresponding line by adding none:

luks-27597fec-f5e6-4857-9026-58fdaee39c91 UUID=27597fec-f5e6-4857-9026-58fdaee39c91 none luks

On your main issue: I just checked and you don’t seem to be the only one with luks related issues after the update to dracut 102-1.
Maybe a downgrade to version 101-1 could solve your issues until the quirks get ironed out:

sudo downgrade dracut

Edit: Another quick (temporary) fix could be adding to your grub cmdline and then regenerate with grub-mkconfig ...

1 Like

I tried to downgrade to 101-1. This solves the problem of my data partition. Now it gets mounted without asking me for a password.

However now I get asked for the password for my other 2 partitions (main and swap).
Do I have to do something special so that initramfs can use /crypto_keyfile.bin? I run sudo dracut-rebuild after the downgrade.

Other than /crypto_keyfile.bin, does your ‘swap’ partition have the same password(s) as ‘main’? If you add the same password you use to unlock ‘main’ this should be cached (by systemd-cryptsetup) and also unlock ‘swap’.

Edit: Sorry, I assumed you were either using the sd-encrypt mkinitcpio hook or the systemd dracut module. This stuff has gotten so much more complicated now that grub, systemd-boot, dracut, mkinitcpio could be in the mix.

Can you share cat /etc/dracut.conf.d/*

Yeah it’s a bit complicated. Thanks for your help btw. I feel like I already learned a lot.
However I am still figuring out which service does what exactly.

Well I installed endeavourOS with the default installer about 3 months ago. I used the “erase disk” option of the installer to automatically create my “main” and “swap” partitions (with btrfs).
Later I added my “data” partition. So those are all the partitions that I posted earlier.
To unlock all of this I only needed my “master” password in the beginning of the boot.

sudo cat /etc/dracut.conf.d/*

# Configuration file automatically written by the Calamares system installer
# (This file is written once at install time and should be safe to edit.)
# Enables support for LUKS full disk encryption with single sign on from GRUB.

# force installing /etc/crypttab even if hostonly="no", install the keyfile
install_items+=" /etc/crypttab /crypto_keyfile.bin "
# enable automatic resume from swap
add_device+=" /dev/disk/by-uuid/729926df-4255-4506-b49f-5b91c6b7804b "
omit_dracutmodules+=" network cifs nfs nbd brltty "
add_dracutmodules+=" resume "

You aren’t adding /root/lukskey-data to your initramfs.

Is it possible your /crypto_keyfile.bin has become invalid?

Where else are you seeing issues? If there is an issue, I would like to make sure it gets reported upstream.

I checked there too. :wink: So I think we’re good on that side.

102-1 seems to have gotten a new systemd-cryptsetup module and some ‘fixes’ regarding systemd-cryptsetup, crypt and others. Doesn’t seem to work for everybody though.
I have three laptops and one desktop set up the same; or so I thought. One of my laptops wouldn’t boot anymore and always “Failed to start Cryptography Setup …”. I resolved the issue by changing the name of the device in /etc/crypttab and /etc/fstab from ‘cryptdata’ (or similar?) to ‘luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx’ (luks-uuid…-format). Had been working for years.

It looks like my “crypto_keyfile.bin” was changed during the upgrade/initramfs-building (why? how?.. never touched it). I restored it from a previous snapshot. Then I downgraded dracut to 101.

So now my boot is working again. :smiley: :tada:

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.