Arch Linux

EgidioCaprino

Member

Registered: 2016-03-13

Posts: 102

Encrypted disk asks for password twice

I installed Arch on an encrypted filesystem following this. When the system boots it asks for the password for decrypting the root device twice. Why is that happening and how could I fix it?

qinohe

Member

From: Netherlands

Registered: 2012-06-20

Posts: 1,494

Re: Encrypted disk asks for password twice

You should have read a little further? https://wiki.archlinux.org/index.php/Dm … rase_twice

EgidioCaprino

Member

Registered: 2016-03-13

Posts: 102

Re: Encrypted disk asks for password twice

That's specific for GRUB. I'm using systemd-boot.

schard

Forum Moderator

From: Hannover

Registered: 2016-05-06

Posts: 1,992

Website

Re: Encrypted disk asks for password twice

Show us the output of lsblk and your entire /etc/mkinitcpio.conf.

---

macro_rules! yolo { { $($tokens:tt)* } => { unsafe { $($tokens)* } }; }

EgidioCaprino

Member

Registered: 2016-03-13

Posts: 102

Re: Encrypted disk asks for password twice

~ % lsblk
NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
nvme0n1       259:0    0 476.9G  0 disk  
├─nvme0n1p1   259:1    0   512M  0 part  
└─nvme0n1p2   259:2    0 476.4G  0 part  
  └─cryptroot 254:0    0 476.4G  0 crypt /

~ % cat /etc/mkinitcpio.conf
# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run.  Advanced users may wish to specify all system modules
# in this array.  For instance:
#     MODULES=(piix ide_disk reiserfs)
MODULES=(i915)

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image.  This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
FILES=()

# HOOKS
# This is the most important setting in this file.  The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
##   This setup specifies all modules in the MODULES setting above.
##   No raid, lvm2, or encrypted root is needed.
#    HOOKS=(base)
#
##   This setup will autodetect all modules for your system and should
##   work as a sane default
#    HOOKS=(base udev autodetect block filesystems)
#
##   This setup will generate a 'full' image which supports most systems.
##   No autodetection is done.
#    HOOKS=(base udev block filesystems)
#
##   This setup assembles a pata mdadm array with an encrypted root FS.
##   Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
#    HOOKS=(base udev block mdadm encrypt filesystems)
#
##   This setup loads an lvm2 volume group on a usb device.
#    HOOKS=(base udev block lvm2 filesystems)
#
##   NOTE: If you have /usr on a separate partition, you MUST include the
#    usr, fsck and shutdown hooks.
HOOKS=(base udev autodetect keyboard modconf block encrypt filesystems fsck)

# COMPRESSION
# Use this to compress the initramfs image. By default, gzip compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"

# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()

qinohe

Member

From: Netherlands

Registered: 2012-06-20

Posts: 1,494

Re: Encrypted disk asks for password twice

Is nvme0n1p1 you boot partition? , not mounted?
Please show your boot entry and fstab.

EgidioCaprino

Member

Registered: 2016-03-13

Posts: 102

Re: Encrypted disk asks for password twice

I'm sorry. I just realized I posted it from another Arch machine, not the one having the problem. This is the one with the problem:

~ % lsblk
NAME            MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda               8:0    0 931.5G  0 disk  
├─sda1            8:1    0   512M  0 part  /boot
└─sda2            8:2    0   931G  0 part  
  └─cryptroot   254:0    0   931G  0 crypt /
sdb               8:16   0 698.6G  0 disk  
└─sdb1            8:17   0 698.6G  0 part  
  └─external750 254:1    0 698.6G  0 crypt /mnt/external750
sr0              11:0    1  1024M  0 rom

~ % cat /etc/mkinitcpio.conf
# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run.  Advanced users may wish to specify all system modules
# in this array.  For instance:
#     MODULES=(piix ide_disk reiserfs)
MODULES=()

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image.  This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
FILES=()

# HOOKS
# This is the most important setting in this file.  The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
##   This setup specifies all modules in the MODULES setting above.
##   No raid, lvm2, or encrypted root is needed.
#    HOOKS=(base)
#
##   This setup will autodetect all modules for your system and should
##   work as a sane default
#    HOOKS=(base udev autodetect block filesystems)
#
##   This setup will generate a 'full' image which supports most systems.
##   No autodetection is done.
#    HOOKS=(base udev block filesystems)
#
##   This setup assembles a pata mdadm array with an encrypted root FS.
##   Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
#    HOOKS=(base udev block mdadm encrypt filesystems)
#
##   This setup loads an lvm2 volume group on a usb device.
#    HOOKS=(base udev block lvm2 filesystems)
#
##   NOTE: If you have /usr on a separate partition, you MUST include the
#    usr, fsck and shutdown hooks.
HOOKS=(base udev autodetect keyboard modconf block encrypt filesystems fsck)

# COMPRESSION
# Use this to compress the initramfs image. By default, gzip compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"

# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()

schard

Forum Moderator

From: Hannover

Registered: 2016-05-06

Posts: 1,992

Website

Re: Encrypted disk asks for password twice

And that explains everything. You have two separate dm-crypt containers. One for / and one for /mnt/external750.
So you're also prompted to enter the passphrase for the latter in order for systemd to mount it.
If you want that to happen automatically,  you can create an appropriate entry in /etc/crypttab for the latter.

---

macro_rules! yolo { { $($tokens:tt)* } => { unsafe { $($tokens)* } }; }

EgidioCaprino

Member

Registered: 2016-03-13

Posts: 102

Re: Encrypted disk asks for password twice

But that's another disk I'm using for backups and later on during boot it asks for that password as well. So totally it's asking for 3 passwords for decrypting 2 disks. I don't want it to be decrypted automatically. This is what I followed for encrypting sdb1. I've added an entry to /etc/crypttab as specified in that page of the wiki.

Last edited by EgidioCaprino (2020-11-26 09:48:00)

schard

Forum Moderator

From: Hannover

Registered: 2016-05-06

Posts: 1,992

Website

Re: Encrypted disk asks for password twice

Please show your /etc/crypttab.

---

macro_rules! yolo { { $($tokens:tt)* } => { unsafe { $($tokens)* } }; }

EgidioCaprino

Member

Registered: 2016-03-13

Posts: 102

Re: Encrypted disk asks for password twice

It's this one:

~ % cat /etc/crypttab
# Configuration for encrypted block devices.
# See crypttab(5) for details.

# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf).

# <name>       <device>                                     <password>              <options>
# home         UUID=b8ad5c18-f445-495d-9095-c9ec4f9d2f37    /etc/mypassword1
# data1        /dev/sda3                                    /etc/mypassword2
# data2        /dev/sda5                                    /etc/cryptfs.key
# swap         /dev/sdx4                                    /dev/urandom            swap,cipher=aes-cbc-essiv:sha256,size=256
# vol          /dev/sdb7                                    none

external750	UUID=449fd627-dabc-49d7-94a3-df49b60254f2	none	luks

EgidioCaprino

Member

Registered: 2016-03-13

Posts: 102

Re: Encrypted disk asks for password twice

@schard @qinohe do you know how I can fix that problem?

qinohe

Member

From: Netherlands

Registered: 2012-06-20

Posts: 1,494

Re: Encrypted disk asks for password twice

I don't. I was with schard on your '/mnt/external750', but your crypttab has no evidence of that also.
Sure something's not right for my passwd is only asked once and conditions look similar to yours, crypttab is the same...

EgidioCaprino

Member

Registered: 2016-03-13

Posts: 102

Re: Encrypted disk asks for password twice

Could it be to HOOKS in /etc/mkinitcpio.conf, that they are loaded in the wrong order? I put them in the same order as the wiki.

qinohe

Member

From: Netherlands

Registered: 2012-06-20

Posts: 1,494

Re: Encrypted disk asks for password twice

No, hooks and the order is correct;)
Have you done anything special that you can recall?
Maybe you can share what commands you used to setup the env., I know you pointed at the wiki, but that's not prove..;)

loqs

Member

Registered: 2014-03-06

Posts: 17,502

Re: Encrypted disk asks for password twice

What is the output of

systemctl status systemd-cryptsetup@*

EgidioCaprino

Member

Registered: 2016-03-13

Posts: 102

Re: Encrypted disk asks for password twice

@qinohe I had this problem since Arch was installed the first time.

@Ioqs this is it:

~ % systemctl status 'systemd-cryptsetup@*'
● systemd-cryptsetup@external750.service - Cryptography Setup for external750
     Loaded: loaded (/etc/crypttab; generated)
     Active: active (exited) since Fri 2020-11-20 20:22:01 CET; 1 weeks 0 days ago
       Docs: man:crypttab(5)
             man:systemd-cryptsetup-generator(8)
             man:systemd-cryptsetup@.service(8)
   Main PID: 479 (code=exited, status=0/SUCCESS)
      Tasks: 0 (limit: 17895)
     Memory: 0B
     CGroup: /system.slice/system-systemd\x2dcryptsetup.slice/systemd-cryptsetup@external750.service

Nov 20 20:21:45 lenovo systemd[1]: Starting Cryptography Setup for external750...
Nov 20 20:21:58 lenovo systemd-cryptsetup[479]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/dis>
Nov 20 20:22:01 lenovo systemd[1]: Finished Cryptography Setup for external750.

Do you see something wrong?

loqs

Member

Registered: 2014-03-06

Posts: 17,502

Re: Encrypted disk asks for password twice

The output is fine,  systemd-cryptsetup is only run for external750.  That accounts for one password prompt.
Please try adding the boot parameter break=premount,  are you prompted for a password before being dropped to the rescue shell.  Change the parameter to break=postmount are you then prompted for a password.

EgidioCaprino

Member

Registered: 2016-03-13

Posts: 102

Re: Encrypted disk asks for password twice

I don't have that parameter in my systemd-boot entry:

~ % cat /boot/loader/entries/arch.conf 
## This is just an example config file.
## Please edit the paths and kernel parameters according to your system.

title   Arch Linux
linux   /vmlinuz-linux
initrd	/amd-ucode.img
initrd  /initramfs-linux.img
#options root=PARTUUID=XXXX rootfstype=XXXX add_efi_memmap
options	cryptdevice=UUID=4337beaf-5f20-493a-9822-a59805ea8274:cryptroot root=/dev/mapper/cryptroot rw

Should I add it?

loqs

Member

Registered: 2014-03-06

Posts: 17,502

Re: Encrypted disk asks for password twice

Add it for a single boot using Kernel_parameters#systemd-boot.

EgidioCaprino

Member

Registered: 2016-03-13

Posts: 102

Re: Encrypted disk asks for password twice

I got prompted two times for the password in both cases.

This is with premount

This is with postmount

loqs

Member

Registered: 2014-03-06

Posts: 17,502

Re: Encrypted disk asks for password twice

The first password attempt is rejected in both screenshots,  the encrypt hook then prompts again for the password and that second attempt works.

EgidioCaprino

Member

Registered: 2016-03-13

Posts: 102

Re: Encrypted disk asks for password twice

Exactly, that's my problem. It asks for the password twice, even if thats's correct on the first attempt.

loqs

Member

Registered: 2014-03-06

Posts: 17,502

Re: Encrypted disk asks for password twice

If you boot from the installation media and open the encrypted volume using cryptsetup does the first password attempt get accepted?

qinohe

Member

From: Netherlands

Registered: 2012-06-20

Posts: 1,494

Re: Encrypted disk asks for password twice

I installed Arch on an encrypted filesystem following this.

No you did not, or at least there's something you're not telling us
Your picture clearly shows

No key available with this passphrase.

So you did set it up with a key but didn;t provide one??
Again, show the commands you used to setup your env. don't point to the wiki, I can read that myself...