Passphrase for LUKS encrypted partitions asked twice during boot

During the boot process, I am asked a second time to enter a LUKS passphrase for a partition which I added later on in crypttab and fstab (later means after the first complete installation process).

Following are fragments from crypttab:

luks-0b2e5609-b174-45aa-875c-727ae046ea13 UUID=0b2e5609-b174-45aa-875c-727ae046ea13     /crypto_keyfile.bin luks
luks-a9001606-80a3-47d8-bc48-e2a79a3a95be UUID=a9001606-80a3-47d8-bc48-e2a79a3a95be     /crypto_keyfile.bin luks
luks-03e0680d-6510-4bda-a1c2-698e71e0448a UUID=03e0680d-6510-4bda-a1c2-698e71e0448a     /crypto_keyfile.bin luks
luks-ed616353-6a2e-4003-93fe-13b7e931c04d UUID=ed616353-6a2e-4003-93fe-13b7e931c04d     /crypto_keyfile.bin luks

and fstab:

UUID=F577-4FE2                                          /boot/efi    vfat    noatime             0 2
/dev/mapper/luks-0b2e5609-b174-45aa-875c-727ae046ea13   swap         swap    defaults            0 0
/dev/mapper/luks-a9001606-80a3-47d8-bc48-e2a79a3a95be   /            ext4    noatime             0 1
/dev/mapper/luks-03e0680d-6510-4bda-a1c2-698e71e0448a   /home        ext4    noatime             0 2
/dev/mapper/luks-ed616353-6a2e-4003-93fe-13b7e931c04d   /software    ext4    noatime             0 2
tmpfs                                                   /tmp         tmpfs   noatime,mode=1777   0 0

After I enter the passphrase before boot, it goes all the way up until mounting /software. The passphrase is asked for again. I added this partition later on, after the installation process in which I defined all encrypted partitions manually (using Calamares). I decided to change the filesystem type for /software, thus I needed to set it up again from scratch to be an encrypted partition.

Why is the passphrase asked again even if it is the same? Do I need to do something in the initramfs?

It makes no difference if the password is different or the same.

There is a keyfile in the root that is used to unlock all the partitions except the root itself.

You need to add that keyfile into a slot on the luks partition you created.

If there is a keyfile in the root that is used to unlock all other partitions, why does it stumble on one partition? I.e. why does it ask a second time for a passphrase to open and mount the partition Software?

Does each and every encrypted partition need its key “added” onto itself?

A keyfile is like a password, it will only unlock partitions you allow it to.

Yes. When the installer creates partitions, it adds the keyfile to them. When you create your own, you need to do that.

Once had this problem. The Arch Wiki may help:

[https://wiki.archlinux.org/title/dm-crypt/Device_encryption#With_a_keyfile_embedded_in_the_initramfs]

Welcome to the Endeavour forums


I did exactly this:

cryptsetup luksAddKey /dev/mapper/luks-ed616353-6a2e-4003-93fe-13b7e931c04d

and “added” (?) the same passphrase. I am still asked for the passphrase, for this very partition. What am I doing wrong? Or, what is next to check?

Alright, it worked via:

cryptsetup luksAddKey /dev/nvme0n1p9 /crypto_keyfile.bin

Thank you @dalto.

PS: I am marking this as the solution just because it contains a concrete command. The answer came, of course, from @dalto’s first reply in this thread.
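To see which crypttab entries the keyfile can actually unlock, here is an added example that is not part of the original thread. It reads a crypttab and tests each configured keyfile against the underlying LUKS device without activating anything. The function names and the `PROBE` hook are hypothetical, and it assumes udev's `/dev/disk/by-uuid` and `/dev/disk/by-partuuid` symlinks exist.

```shell
#!/bin/sh
# Added example (not from the thread): list crypttab entries whose keyfile
# does not open any key slot on the underlying LUKS device.

# Map a crypttab source field to a device path (udev by-* symlinks assumed).
resolve_source() {
    case "$1" in
        UUID=*)     printf '/dev/disk/by-uuid/%s\n' "${1#UUID=}" ;;
        PARTUUID=*) printf '/dev/disk/by-partuuid/%s\n' "${1#PARTUUID=}" ;;
        *)          printf '%s\n' "$1" ;;
    esac
}

# Default probe: succeeds only if the keyfile opens a key slot.
# --test-passphrase verifies the key without activating a mapping.
probe_keyfile() {
    cryptsetup open --type luks --test-passphrase --key-file "$2" "$1" 2>/dev/null
}

# audit_crypttab FILE [PROBE]
# Prints "<STATUS> <name> <device> <keyfile>" per entry and returns 1 if any
# configured keyfile fails. PROBE is a hypothetical hook used for testing.
audit_crypttab() {
    file=$1 probe=${2:-probe_keyfile} rc=0
    while read -r name source key _opts; do
        case "$name" in ''|'#'*) continue ;; esac      # skip blanks and comments
        dev=$(resolve_source "$source")
        case "$key" in                                  # no keyfile: boot will prompt
            ''|none|-) printf 'PROMPT %s %s -\n' "$name" "$dev"; continue ;;
        esac
        if "$probe" "$dev" "$key" </dev/null; then
            printf 'OK %s %s %s\n' "$name" "$dev" "$key"
        else
            printf 'MISSING %s %s %s\n' "$name" "$dev" "$key"
            rc=1
        fi
    done < "$file"
    return "$rc"
}

# Run as root with the file to audit, e.g.: sh audit.sh /etc/crypttab
if [ -n "${1:-}" ]; then audit_crypttab "$1"; fi
```

An entry reported as `MISSING` is one where the keyfile has not been added to a key slot on that device, which is the situation the thread resolves with `cryptsetup luksAddKey` on the partition followed by the keyfile path.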
