Having to enter encryption password twice upon boot for 2 partitions

My installation has the / and /home partitions encrypted. When I boot my system, I have to enter the encryption password twice. I found that I need to add “,keyscript=decrypt_keyctl” to both lines in my /etc/crypttab file. I ran dracut --force, and did a reboot, and it still prompts me for two passwords.

I believe this tool only caches passphrases for devices that are in /etc/crypttab. The passphrase is not cached when you unlock the / device because it is unlocked during the boot process by the initramfs. Handling /etc/crypttab comes after this process is already complete, so for the purposes of decrypt_keyctl that first passphrase “doesn’t count” so to speak.

Instead, you may want to set up a keyfile to unlock the secondary devices, for example like this: https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Avoiding_having_to_enter_the_passphrase_twice

EOS ships with a script which you can use instead of this, to rebuild all kernel images:

sudo dracut-rebuild
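A sketch of the keyfile approach suggested in the reply, added here as an example and not taken from the thread or the linked wiki page. The mapping name `luks-home`, the keyfile path under `/etc/cryptsetup-keys.d/`, and the `<...>` placeholders are assumptions; the keyfile lives on the encrypted root, so it is only protected at rest while root is locked.

```shell
# Create a random 2048-byte keyfile that only its owner can read.
make_keyfile() {  # arg: keyfile path
    ( umask 077 && dd if=/dev/urandom of="$1" bs=512 count=4 2>/dev/null )
    chmod 0400 "$1"
}

# Print a crypttab in which mapping $2 uses keyfile $3 instead of a prompt.
# Any keyscript= option on that line is dropped; other lines pass through.
crypttab_use_keyfile() {  # args: crypttab path, mapping name, keyfile path
    awk -v name="$2" -v key="$3" '
        $1 == name {
            n = split($4, opts, ","); out = ""
            for (i = 1; i <= n; i++)
                if (opts[i] !~ /^keyscript=/)
                    out = out (out == "" ? "" : ",") opts[i]
            if (out == "") out = "luks"
            print $1, $2, key, out
            next
        }
        { print }' "$1"
}

# Demo on a constructed crypttab in a scratch directory (no root needed).
demo=$(mktemp -d)
cat > "$demo/crypttab" <<'EOF'
luks-root UUID=<root-uuid> none luks,keyscript=decrypt_keyctl
luks-home UUID=<home-uuid> none luks,keyscript=decrypt_keyctl
EOF
make_keyfile "$demo/home.key"
crypttab_use_keyfile "$demo/crypttab" luks-home /etc/cryptsetup-keys.d/home.key
rm -rf "$demo"

# On the real system (as root), the same steps would be:
#   make_keyfile /etc/cryptsetup-keys.d/home.key
#   cryptsetup luksAddKey /dev/<home-partition> /etc/cryptsetup-keys.d/home.key
#   review the rewritten crypttab, then install it as /etc/crypttab
```

Keep the existing passphrase slot on the /home volume so it can still be unlocked by hand if the keyfile is lost.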