Encryption problem with systemd-boot

Hello, I used this guide [Tutorial] Convert to systemd-boot and used the kernel-install method to switch from grub to systemd-boot. All is well, except when I boot into EndeavourOS my system boots normally and doesn’t ask for an encryption password (I have a LUKS encrypted system). When I had grub installed on my system, it prompted me to enter my encryption password. Can somebody help me fix this so that I have to enter my encryption password on boot?

1 Like

Can you share a little more information?

Did you use the manual option or the kernel-install option?

What does the options line of your entry files look like? They are in your ESP partition at loader/entries/*

I used the kernel-install option.
Here is my /efi/loader/entries:

  • 45f8d94621bd4bbeb2b1e20b1d2a6092-5.12.10-arch1-1.conf
  • 45f8d94621bd4bbeb2b1e20b1d2a6092-5.12.10-arch1-1-fallback.conf

I have replicated this issue and am investigating it now. It is quite strange.

2 Likes

@tn131
Welcome to the forum. Impressive, your first post has a big impact. I hope you enjoy your time here.

Pudge

1 Like

OK, I found the issue.

There is a keyfile inside the initramfs that is unlocking your luks partition.

Before, the initramfs was at an encrypted location so it wasn’t an issue.

Now that initramfs is in the ESP, that key shouldn’t be there anymore. It also isn’t needed anymore.

To remove it, carefully follow the following steps:

  • Edit /etc/mkinitcpio.conf and remove /crypto_keyfile.bin from the files section.
  • Rebuild your initramfs with sudo mkinitcpio -P
  • Reboot and make sure everything is still working. You should get asked for your password.
  • Assuming it is, you can optionally remove the key and keyfile
  • Use cryptsetup to delete the key from the luks partition
    sudo cryptsetup luksRemoveKey /dev/sdxy /crypto_keyfile.bin 
    
    Replace /dev/sdxy with the partition you have luks installed on.
  • Delete the keyfile from the disk - sudo rm /crypto_keyfile.bin

While I have done this a couple of times without issue, keep in mind that whenever you mess around with your luks partition you run the risk of locking yourself out so it is wise to have a backup.

6 Likes
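An added check for the problem described in the post above (this is example code, not part of the thread): it audits a mkinitcpio.conf for the embedded keyfile and, where Arch's lsinitcpio is installed, an initramfs image already on the ESP. The two configs it tests are constructed samples, and the image path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the forum thread: audit a mkinitcpio.conf for the
# embedded LUKS keyfile, and optionally an initramfs image on the ESP.

# Return 0 if the FILES=(...) array in CONF still lists /crypto_keyfile.bin.
# Comments are stripped and lines joined first so a multi-line array is handled.
conf_embeds_keyfile() {
    sed 's/#.*//' "$1" | tr '\n' ' ' | grep -Eq 'FILES=\([^)]*/crypto_keyfile\.bin'
}

# Return 0 if an initramfs image (e.g. one under /efi/<machine-id>/) contains
# the keyfile. Uses lsinitcpio from mkinitcpio; returns 2 when it is missing.
initramfs_embeds_keyfile() {
    command -v lsinitcpio >/dev/null 2>&1 || return 2
    lsinitcpio "$1" | grep -Eq '(^|/)crypto_keyfile\.bin$'
}

# Print a verdict for one config; non-zero exit means the keyfile is still embedded.
audit_conf() {
    if conf_embeds_keyfile "$1"; then
        echo "$1: FILES still embeds /crypto_keyfile.bin; remove it and run 'sudo mkinitcpio -P'"
        return 1
    fi
    echo "$1: no keyfile embedded"
}

# Constructed sample configs: one as left by an encrypted-/boot install, one fixed.
tmpdir=$(mktemp -d)
cat >"$tmpdir/before.conf" <<'EOF'
MODULES=()
BINARIES=()
FILES=(/crypto_keyfile.bin)
HOOKS=(base udev autodetect keyboard keymap modconf block encrypt filesystems fsck)
EOF
cat >"$tmpdir/after.conf" <<'EOF'
MODULES=()
BINARIES=()
FILES=()
# FILES=(/crypto_keyfile.bin)   <- commented out, must not count
HOOKS=(base udev autodetect keyboard keymap modconf block encrypt filesystems fsck)
EOF

audit_conf "$tmpdir/before.conf" || true
audit_conf "$tmpdir/after.conf"
```

On a real system, point `audit_conf` at /etc/mkinitcpio.conf and `initramfs_embeds_keyfile` at the initramfs-linux.img under your ESP; a hit on either means the key is readable by anyone who can mount the unencrypted ESP.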

Thanks for the help! I have one more question. When I boot my device and enter in my password correctly, it says failed to open key file. It then proceeds to tell me to enter my password again, then after I enter my password again my system boots normally. Video Link: https://streamable.com/cggope Is this normal or if not, how can I fix this? (I have an encrypted swap file)

You can probably use a keyfile to unlock your swap. Is it a dedicated swap partition in a separate luks partition?

If you show me what lsblk looks like I will try to replicate your setup and write some instructions.

I am about to go to sleep so you probably won’t hear back from me until tomorrow.

Also, are you using the swap partition for hibernation?

1 Like

My setup is a dedicated swap partition in a separate luks partition.
I am also using the swap partition for hibernation.
Here is my lsblk: https://pastebin.com/uWgeiHPJ

If you are using it for hibernation, I don’t think there is a secure way to avoid putting the password in twice since it has to be unlocked by the initramfs to support resume.

Alternatively, you could probably use a swapfile inside the existing encrypted partition but I haven’t tested that personally.

Here are the instructions on how to do that if you would prefer:
https://wiki.archlinux.org/title/Power_management/Suspend_and_hibernate#Hibernation_into_swap_file

2 Likes

Thanks for identifying this issue. I have updated the tutorial with the information about LUKS for others to see.

2 Likes
