Having to enter encryption password twice upon boot for 2 partitions

My installation has the / and /home partitions encrypted. When I boot my system, I have to enter the encryption password twice. I found that I need to add “,keyscript=decrypt_keyctl” to both lines in my /etc/crypttab file. I ran dracut --force, and did a reboot, and it still prompts me for two passwords.

I believe this tool only caches passphrases for devices that are in /etc/crypttab. The passphrase is not cached when you unlock the / device because it is unlocked during the boot process by the initramfs. Handling /etc/crypttab comes after this process is already complete, so for the purposes of decrypt_keyctl that first passphrase “doesn’t count”, so to speak.

Instead, you may want to set up a keyfile to unlock the secondary devices, for example like this: https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Avoiding_having_to_enter_the_passphrase_twice

EOS ships with a script which you can use instead of this, to rebuild all kernel images:

sudo dracut-rebuild

I looked over the article you sent me. Not sure if this is the right thing to do? It speaks about ‘GRUB and once for the initramfs’. Does this still apply if it’s asking for passwords for / and /home partitions?

If you are using full disk encryption with Grub, you will need to enter the passphrase once to unlock the encrypted partition for Grub, and then a second time to unlock it for the initramfs. Embedding a keyfile in the initramfs prevents needing to unlock the second time. Note that /etc/crypttab is not available yet when this initial unlock is taking place (that is why you can’t unlock the root partition with /etc/crypttab).

The home partition should be able to be unlocked with /etc/crypttab, and shouldn’t require the passphrase to be entered again.
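To make the two replies above concrete, here is an added Python model (not from this thread and not any distribution's tooling) that parses crypttab text and lists the passphrase prompts a layout produces, following the rules the replies describe: the root device is opened by the initramfs before /etc/crypttab is read, so a decrypt_keyctl entry for root caches nothing; a keyfile entry never prompts; and with GRUB full-disk encryption the root container is unlocked once by GRUB and again by the initramfs unless a keyfile is embedded there. The sample crypttab and its UUIDs are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample matching the thread's layout; the UUIDs are placeholders.
SAMPLE_CRYPTTAB = """\
cryptroot UUID=root-uuid-placeholder none luks,keyscript=decrypt_keyctl
crypthome UUID=home-uuid-placeholder none luks,keyscript=decrypt_keyctl
"""

@dataclass
class CrypttabEntry:
    name: str          # mapped name, e.g. "crypthome"
    device: str        # UUID=... or /dev/... of the LUKS container
    keyfile: str       # "none" or "-" means "ask for a passphrase"
    options: frozenset

def parse_crypttab(text):
    """Parse crypttab lines (name device keyfile options) into entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        keyfile = fields[2] if len(fields) > 2 else "none"
        opts = frozenset(fields[3].split(",")) if len(fields) > 3 else frozenset()
        entries.append(CrypttabEntry(fields[0], fields[1], keyfile, opts))
    return entries

def passphrase_prompts(entries, root_name, grub_unlocks_root=False, root_keyfile_in_initramfs=False):
    """List the (who, why) passphrase prompts this layout produces at boot."""
    prompts = []
    if grub_unlocks_root:
        prompts.append(("GRUB", "unlocks the root container before the kernel"))
    if not (grub_unlocks_root and root_keyfile_in_initramfs):
        prompts.append((root_name, "initramfs unlocks root before crypttab"))
    cached = False  # did decrypt_keyctl cache a passphrase *during* crypttab?
    for e in entries:
        if e.name == root_name:
            continue  # already open: nothing is prompted, nothing is cached
        if e.keyfile not in ("none", "-"):
            continue  # the keyfile supplies the key, so no prompt
        uses_keyctl = "keyscript=decrypt_keyctl" in e.options
        if uses_keyctl and cached:
            continue  # reuses the passphrase cached by an earlier entry
        prompts.append((e.name, "passphrase prompt from crypttab"))
        cached = cached or uses_keyctl
    return prompts
```

Running passphrase_prompts(parse_crypttab(SAMPLE_CRYPTTAB), "cryptroot") yields two prompts, the situation the original poster describes; replacing the crypthome keyfile column with a root-only readable keyfile path brings it down to one.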