LUKS passphrase required twice per boot after changing passphrase

I added a new key to luks via

cryptsetup luksAddKey

and removed old keys via

cryptsetup luksKillSlot

Now, after entering the passphrase on the usual GRUB screen, I get the message

No key available with this passphrase.
Invalid keyfile. Reverting to passphrase.

A password is required to access the luks-b8e…
Enter passphrase for /dev/nvme0n1p2:

After entering the same passphrase as before again, it boots into the os.

The following image sequence shows the process.

IMG_20211028_171526
IMG_20211028_171555
IMG_20211028_171605

The way it is configured by default it is unlocked by grub via the passphrase and then unlocked in the initramfs via a keyfile.

If you:

You probably removed the access to the keyfile as well.

You should re-add the keyfile.

So the luks partition gets unlocked twice? So I need to add a luks slot entry where the “password” is that keyfile, where do I find that keyfile?

/crypto_keyfile.bin

That worked, thanks! Can you point me to some endeavouros documentation where I could have figured that out myself. Using search engines didn’t help me.

I believe this setup with /crypto_keyfile.bin is not specific to EndeavourOS or Arch. This mechanism is also being used by other distros.

A good starting point to read is the Arch wiki:
https://wiki.archlinux.org/title/dm-crypt/Device_encryption#With_a_keyfile_embedded_in_the_initramfs

It is the default mechanism used by Calamares.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.