How to decrypt both my LUKS drives on boot?

I’ve got two LUKS encrypted partitions (efi partition not encrypted).

One is the main endeavouros partition, it was encrypted during setup with the default settings.

The other one is new (It’s luks2, I could re-encrypt it, nothing is on it yet)

I read somewhere that systemd-boot would automatically detect it and then decrypt both drives if they have the same password, or prompt me for decrypting all drives if they don’t have the same password.

However, as it turns out, it doesn’t even prompt me for the second drive at all, just asks for the password for the system partition and leaves the other one encrypted, so I have to manually decrypt and mount it.

How do I get the system to decrypt both drives on boot? Preferably with just typing the password once?

I also have a second issue, my drive’s device path sometimes changes, from nvme0 to nvme1 seemingly at random between reboots, and the 2nd drive when decrypted is made available at /dev/mapper/nvmeXpX_crypt which will pose a problem for fstab I’m pretty sure for automounting after it’s been decrypted. How do I get it to use UUID instead of the device path in /dev/mapper/ like the system drive does?

I’ve been trying to look up how to do all this, but it’s been an exercise in frustration, please help.

Currently trying to guess my way through this…

Learned about crypttab existing, so added an entry to it for my 2nd drive, which solves my second issue (which I edited out) of the mapper device naming, since crypttab lets you manually name them. I also used the opportunity to change the name on my root partition.

But after that I can’t boot, so I tried to edit the loader.conf in the efi files, i changed the mapper name for the system drive.

Now I boot, it prompts for a password, I type it in, it says

Finished Cryptography Setup for luks-uuid1
Finished Cryptography Setup for luks-uuid2
Reached target Local Encrypted Volumes.
Reached target System Initialization.
Reached target Basic System.

Then it just stops there and doesn’t do anything anymore.

I used SysRq to reboot the system from that, and partway through it, it says start job running for luks2-drive1 with no time limit.

So that’s where I know it must be hanging. But why?

my crypttab:

luks-system UUID=d87e115d-83a5-4f29-a76c-540ba5cc7e65     /crypto_keyfile.bin luks
luks2-storage UUID=9d17d24-5d55-4050-b5b2-b4d6061a8600     /crypto_keyfile.bin luks

The only thing I could guess is that it might have something to do with the /crypto_keyfile.bin? Maybe I need to update it? (But where even is it?! How would I do that?!) I created the partition with

cryptsetup luksFormat /dev/name

so it’s on whatever the default is for that :thinking: I have no idea why it is hanging after it seemed to have been successfully encrypted (but it can’t have been, considering I removed it from fstab, so it can’t have been hung trying to mount it, can it?)

I basically didn’t get any further. Eventually I tried not mounting my 2nd drive at all, removing it from crypttab, fstab and the entry in loader.conf for systemd-boot.

I was then trying only to boot the partition named luks-system.

It didn’t work.

I had it set up in crypttab, fstab, and /efi/loader/entries/*.conf

as luks-root.

It didn’t work.

I reset them all to luks-

And then I could boot again.

This indicates to me that there’s some fourth file or step I need to make for this to work that nobody seems to have shared anywhere, man this is frustrating as all hell.

I also found out that just adding

rw rd.luks.uuid=9d17d24-5d55-4050-b5b2-b4d6061a8600 root=/dev/mapper/luks2-storage

is where my point of failure begins. E.g. if I do that, then I get stuck on the start job for luks2-storage indefinitely.

If I boot without it but with settings in crypttab I get some other error about missing dependency.

I’m done, I’m gonna sleep, hopefully someone will have an answer for me when I wake up.

:expressionless:

I finally sorted it out…

Here’s a quick guide for anyone trying to do the same thing.

  1. Make a new luks partition

    cryptsetup luksFormat /dev/device
    #Password needs to be the same as for your root drive if you want to decrypt both with the same password.
    
  2. Decrypt it and find the UUIDs (you can also do this through gui utils like gparted)

    cryptsetup luksOpen /dev/device && lsblk -f
    

    Example output:

    NAME                                         FSTYPE FSVER LABEL UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
    nvme0n1
    ├─nvme0n1p1
    ├─nvme0n1p2
    └─nvme0n1p3                                  crypto 2           9d17d24-5d55-4050-b5b2-b4d6061a8600
      └─luks-9d17d24-5d55-4050-b5b2-b4d6061a8600 ext4   1.16        867d3bbd-441e-4d2f-8af4-2b26f6a499b0    2,4T    27% /mnt/storage
    nvme1n1...
    
  3. Format it to an fs of your choice (ext4 example; you can also do this through gui utils like gparted)

    mkfs.ext4 /dev/mapper/luks-9d17d24-5d55-4050-b5b2-b4d6061a8600
    
  4. Create crypttab entry (using above example uuids)

    echo "luks-9d17d24-5d55-4050-b5b2-b4d6061a8600	UUID=9d17d24-5d55-4050-b5b2-b4d6061a8600      /crypto_keyfile.bin luks" >> /etc/crypttab
    

    Note: this is a direct copy-paste of the root partition’s entry with the uuid changed.

  5. Edit loader.conf

    nano /efi/loader/entries/$(cat /etc/machine-id)-$(uname -r).conf
    

    example conf:

    title      EndeavourOS
    version   6.6.11-1-lts
    machine-id 1ac977c4d5da5993bb9568f04ff0b231
    sort-key   endeavouros-6.6.11-1-lts
    options    nvme_load=YES nowatchdog rw rd.luks.uuid=a6833213-fb16-46e3-b2e4-245d419fe24f root=/dev/mapper/luks-a6833213-fb16-46e3-b2e4-245d419fe24f rd.luks.uuid=9d17d24-5d55-4050-b5b2-b4d6061a8600 nvidia-drm.modeset=1 systemd.machine_id=1ac977c4d5da5993bb9568f04ff0b231
    linux      /1ac977c4d5da5993bb9568f04ff0b231/6.6.11-1-lts/linux
    initrd     /1ac977c4d5da5993bb9568f04ff0b231/6.6.11-1-lts/initrd
    

    Note: a6833213-fb16-46e3-b2e4-245d419fe24f is the uuid of the root partition in this case.
    Note2: The only thing we’re really doing is adding this option parameter:

    rd.luks.uuid=9d17d24-5d55-4050-b5b2-b4d6061a8600
    
  6. Reboot to test
    If it fails, try booting from your fallback option instead; if that fails too, you need to use a live USB to get into the system and fix whatever you may have done wrong.

    #After successful reboot
    lsblk -f
    

    If it was successful, using our examples above you would see the following:

    └─nvme0n1p3                                  crypto 2           9d17d24-5d55-4050-b5b2-b4d6061a8600
      └─luks-9d17d24-5d55-4050-b5b2-b4d6061a8600 ext4   1.16        867d3bbd-441e-4d2f-8af4-2b26f6a499b0
    

    If it was unsuccessful, you would only see this:

    └─nvme0n1p3                                  crypto 2           9d17d24-5d55-4050-b5b2-b4d6061a8600
    
  7. Make an fstab entry for /dev/mapper/luks-9d17d24-5d55-4050-b5b2-b4d6061a8600
    You do this like you would create any normal fstab entry, except instead of /dev/sdx1 you would put /dev/mapper/luks-9d17d24-5d55-4050-b5b2-b4d6061a8600

That’s it, you’re done.

Common points of failure:

  • The name of the device given in crypttab and fstab MUST be in the luks-<uuid> format like in the examples, otherwise for some reason it will fail (My guess is if you want to change the name of the mapped device, you must also define the name in the loader.conf; but I don’t know how to do that, so luks-uuid is what I’m going with)

  • If not using the same filesystem as your root drive, you must add the kernel module for your filesystem to the initrd, e.g.

    in /etc/dracut.conf.d/custom.conf:

    add_drivers+=" f2fs "
    

    for f2fs partitions; then you need to remake your initrd.


These files get overwritten whenever the kernel updates. You should make this change in /etc/kernel/cmdline instead.

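
An added example, written for this thread and not code from the original posts or from EndeavourOS: POSIX shell helpers that cover the guide’s crypttab and kernel-option steps together with the follow-up about keeping the option in /etc/kernel/cmdline. They build the crypttab line in the shape the guide copies from the root entry, add `rd.luks.uuid=` to a command line without duplicating it, and cross-check a command line against crypttab contents for the `luks-<uuid>` naming the guide lists under common points of failure, plus a sanity check that each UUID is well formed (a mistyped UUID is exactly the kind of error that leaves a start job waiting with no time limit for a device that never appears). The function names, the UUIDs and the crypttab/command-line text are all constructed for the example; the code works on strings only, so it runs offline and touches nothing on the system.

```shell
#!/bin/sh
# Added example, not from the thread or from EndeavourOS. All sample data below
# is constructed; feed the real /etc/crypttab and /etc/kernel/cmdline contents
# to the same functions to check an actual setup.

# A canonical UUID is 8-4-4-4-12 hex characters. A typo here is the kind of
# mistake that leaves a "start job" waiting forever for a device that never shows up.
luks_uuid_valid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# crypttab line in the shape the guide copies from the root entry:
#   luks-<uuid>  UUID=<uuid>  <keyfile>  luks
crypttab_entry() {
    luks_uuid_valid "$1" || return 1
    printf 'luks-%s\tUUID=%s\t%s\tluks\n' "$1" "$1" "${2:-/crypto_keyfile.bin}"
}

# Append rd.luks.uuid=<uuid> to a kernel command line only if it is not already
# present, so the helper can be re-run against /etc/kernel/cmdline safely.
cmdline_add_luks_uuid() {
    luks_uuid_valid "$2" || return 1
    case " $1 " in
        *" rd.luks.uuid=$2 "*) printf '%s\n' "$1" ;;
        *) printf '%s rd.luks.uuid=%s\n' "$1" "$2" ;;
    esac
}

# Cross-check a command line against crypttab contents: every rd.luks.uuid= needs
# a crypttab entry whose mapper name is exactly luks-<uuid>, and root=/dev/mapper/
# must point at one of those mappers. Prints one line per problem; returns 0 only
# when everything lines up.
check_consistency() {
    cmdline=$1; crypttab=$2; rc=0; rootdev=''
    for word in $cmdline; do
        case $word in
            root=/dev/mapper/*) rootdev=${word#root=/dev/mapper/} ;;
            rd.luks.uuid=*)
                uuid=${word#rd.luks.uuid=}
                if ! luks_uuid_valid "$uuid"; then
                    echo "malformed UUID on command line: $uuid"; rc=1; continue
                fi
                # mapper name of the crypttab line whose second field is UUID=<uuid>
                name=$(printf '%s\n' "$crypttab" | grep -v '^[[:space:]]*#' \
                    | awk -v u="UUID=$uuid" '$2 == u { print $1; exit }')
                if [ -z "$name" ]; then
                    echo "no crypttab entry for UUID=$uuid"; rc=1
                elif [ "$name" != "luks-$uuid" ]; then
                    echo "crypttab names $uuid '$name', expected luks-$uuid"; rc=1
                fi
                ;;
        esac
    done
    if [ -n "$rootdev" ]; then
        case " $cmdline " in
            *" rd.luks.uuid=${rootdev#luks-} "*) ;;
            *) echo "root=/dev/mapper/$rootdev has no matching rd.luks.uuid="; rc=1 ;;
        esac
    fi
    return $rc
}

# Constructed sample data (not UUIDs from any real system).
ROOT_UUID=11111111-2222-3333-4444-555555555555
DATA_UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
SAMPLE_CMDLINE="nvme_load=YES nowatchdog rw rd.luks.uuid=$ROOT_UUID root=/dev/mapper/luks-$ROOT_UUID"
SAMPLE_CRYPTTAB=$(crypttab_entry "$ROOT_UUID"; crypttab_entry "$DATA_UUID")

# Add the second drive to the command line and verify the result against crypttab.
NEW_CMDLINE=$(cmdline_add_luks_uuid "$SAMPLE_CMDLINE" "$DATA_UUID")
echo "command line: $NEW_CMDLINE"
echo "crypttab:"; printf '%s\n' "$SAMPLE_CRYPTTAB"
check_consistency "$NEW_CMDLINE" "$SAMPLE_CRYPTTAB" && echo "consistent"
```

To use it on a real machine, run `check_consistency "$(cat /etc/kernel/cmdline)" "$(cat /etc/crypttab)"` before regenerating the initrd, and write the output of `cmdline_add_luks_uuid` back to /etc/kernel/cmdline only once the check passes; a mismatched mapper name or a malformed UUID is reported here instead of as a hung boot.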
