I installed Arch on an encrypted filesystem following this. When the system boots it asks for the password for decrypting the root device twice. Why is that happening and how could I fix it?
Offline
You should have read a little further? https://wiki.archlinux.org/index.php/Dm … rase_twice
Offline
That's specific for GRUB. I'm using systemd-boot.
Offline
Show us the output of lsblk and your entire /etc/mkinitcpio.conf.
Inofficial first vice president of the Rust Evangelism Strike Force
Offline
~ % lsblk
NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
nvme0n1       259:0    0 476.9G  0 disk
├─nvme0n1p1   259:1    0   512M  0 part
└─nvme0n1p2   259:2    0 476.4G  0 part
  └─cryptroot 254:0    0 476.4G  0 crypt /
~ % cat /etc/mkinitcpio.conf
# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run. Advanced users may wish to specify all system modules
# in this array. For instance:
# MODULES=(piix ide_disk reiserfs)
MODULES=(i915)
# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image. This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()
# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way. This is useful for config files.
FILES=()
# HOOKS
# This is the most important setting in this file. The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added. Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
## This setup specifies all modules in the MODULES setting above.
## No raid, lvm2, or encrypted root is needed.
# HOOKS=(base)
#
## This setup will autodetect all modules for your system and should
## work as a sane default
# HOOKS=(base udev autodetect block filesystems)
#
## This setup will generate a 'full' image which supports most systems.
## No autodetection is done.
# HOOKS=(base udev block filesystems)
#
## This setup assembles a pata mdadm array with an encrypted root FS.
## Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
# HOOKS=(base udev block mdadm encrypt filesystems)
#
## This setup loads an lvm2 volume group on a usb device.
# HOOKS=(base udev block lvm2 filesystems)
#
## NOTE: If you have /usr on a separate partition, you MUST include the
# usr, fsck and shutdown hooks.
HOOKS=(base udev autodetect keyboard modconf block encrypt filesystems fsck)
# COMPRESSION
# Use this to compress the initramfs image. By default, gzip compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"
# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()
Offline
Is nvme0n1p1 your boot partition, not mounted?
Please show your boot entry and fstab.
Offline
I'm sorry. I just realized I posted it from another Arch machine, not the one having the problem. This is the one with the problem:
~ % lsblk
NAME            MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda               8:0    0 931.5G  0 disk
├─sda1            8:1    0   512M  0 part  /boot
└─sda2            8:2    0   931G  0 part
  └─cryptroot   254:0    0   931G  0 crypt /
sdb               8:16   0 698.6G  0 disk
└─sdb1            8:17   0 698.6G  0 part
  └─external750 254:1    0 698.6G  0 crypt /mnt/external750
sr0              11:0    1  1024M  0 rom
~ % cat /etc/mkinitcpio.conf
# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run. Advanced users may wish to specify all system modules
# in this array. For instance:
# MODULES=(piix ide_disk reiserfs)
MODULES=()
# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image. This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()
# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way. This is useful for config files.
FILES=()
# HOOKS
# This is the most important setting in this file. The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added. Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
## This setup specifies all modules in the MODULES setting above.
## No raid, lvm2, or encrypted root is needed.
# HOOKS=(base)
#
## This setup will autodetect all modules for your system and should
## work as a sane default
# HOOKS=(base udev autodetect block filesystems)
#
## This setup will generate a 'full' image which supports most systems.
## No autodetection is done.
# HOOKS=(base udev block filesystems)
#
## This setup assembles a pata mdadm array with an encrypted root FS.
## Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
# HOOKS=(base udev block mdadm encrypt filesystems)
#
## This setup loads an lvm2 volume group on a usb device.
# HOOKS=(base udev block lvm2 filesystems)
#
## NOTE: If you have /usr on a separate partition, you MUST include the
# usr, fsck and shutdown hooks.
HOOKS=(base udev autodetect keyboard modconf block encrypt filesystems fsck)
# COMPRESSION
# Use this to compress the initramfs image. By default, gzip compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"
# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()
Offline
And that explains everything. You have two separate dm-crypt containers. One for / and one for /mnt/external750.
So you're also prompted to enter the passphrase for the latter in order for systemd to mount it.
If you want that to happen automatically, you can create an appropriate entry in /etc/crypttab for the latter.
Inofficial first vice president of the Rust Evangelism Strike Force
Offline
But that's another disk I'm using for backups, and later on during boot it asks for that password as well. So in total it's asking for 3 passwords for decrypting 2 disks. I don't want it to be decrypted automatically. This is what I followed for encrypting sdb1. I've added an entry to /etc/crypttab as specified in that page of the wiki.
Last edited by EgidioCaprino (2020-11-26 09:48:00)
Offline
Please show your /etc/crypttab.
Inofficial first vice president of the Rust Evangelism Strike Force
Offline
It's this one:
~ % cat /etc/crypttab
# Configuration for encrypted block devices.
# See crypttab(5) for details.
# NOTE: Do not list your root (/) partition here, it must be set up
# beforehand by the initramfs (/etc/mkinitcpio.conf).
# <name> <device> <password> <options>
# home UUID=b8ad5c18-f445-495d-9095-c9ec4f9d2f37 /etc/mypassword1
# data1 /dev/sda3 /etc/mypassword2
# data2 /dev/sda5 /etc/cryptfs.key
# swap /dev/sdx4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
# vol /dev/sdb7 none
external750 UUID=449fd627-dabc-49d7-94a3-df49b60254f2 none luks
Offline
@schard @qinohe do you know how I can fix that problem?
Offline
I don't. I was with schard on your '/mnt/external750', but your crypttab has no evidence of that either.
Sure something's not right, for my passwd is only asked once and conditions look similar to yours, crypttab is the same...
Offline
Could it be due to the HOOKS in /etc/mkinitcpio.conf, that they are loaded in the wrong order? I put them in the same order as the wiki.
Offline
No, the hooks and their order are correct ;)
Have you done anything special that you can recall?
Maybe you can share what commands you used to set up the env. I know you pointed at the wiki, but that's not proof.. ;)
Offline
What is the output of
systemctl status systemd-cryptsetup@*
Offline
@qinohe I had this problem since Arch was installed the first time.
@Ioqs this is it:
~ % systemctl status 'systemd-cryptsetup@*'
● systemd-cryptsetup@external750.service - Cryptography Setup for external750
     Loaded: loaded (/etc/crypttab; generated)
     Active: active (exited) since Fri 2020-11-20 20:22:01 CET; 1 weeks 0 days ago
       Docs: man:crypttab(5)
             man:systemd-cryptsetup-generator(8)
             man:systemd-cryptsetup@.service(8)
   Main PID: 479 (code=exited, status=0/SUCCESS)
      Tasks: 0 (limit: 17895)
     Memory: 0B
     CGroup: /system.slice/system-systemd\x2dcryptsetup.slice/systemd-cryptsetup@external750.service

Nov 20 20:21:45 lenovo systemd[1]: Starting Cryptography Setup for external750...
Nov 20 20:21:58 lenovo systemd-cryptsetup[479]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/dis>
Nov 20 20:22:01 lenovo systemd[1]: Finished Cryptography Setup for external750.
Do you see something wrong?
Offline
The output is fine, systemd-cryptsetup is only run for external750. That accounts for one password prompt.
Please try adding the boot parameter break=premount. Are you prompted for a password before being dropped to the rescue shell? Change the parameter to break=postmount. Are you then prompted for a password?
Offline
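Added example, not part of the original posts: a small shell function that lists which boot stage is expected to ask for a passphrase, given a kernel command line and the contents of /etc/crypttab. The function name expected_prompts is hypothetical, the two sample inputs are constructed from the files shown in this thread, and it assumes the encrypt hook is used with no key file in the initramfs.

```shell
#!/bin/sh
# Sample inputs, constructed from the boot entry and crypttab posted in this thread.
CMDLINE='cryptdevice=UUID=4337beaf-5f20-493a-9822-a59805ea8274:cryptroot root=/dev/mapper/cryptroot rw'
CRYPTTAB='# <name> <device> <password> <options>
external750 UUID=449fd627-dabc-49d7-94a3-df49b60254f2 none luks'

# Print one line per expected interactive passphrase prompt.
#   $1 = kernel command line, $2 = crypttab contents
expected_prompts() {
    # Stage 1: the encrypt hook unlocks cryptdevice=<device>:<name>[:options]
    # inside the initramfs (assumption: no key file is embedded there).
    for arg in $1; do
        case "$arg" in
            cryptdevice=*)
                spec=${arg#cryptdevice=}
                name=${spec#*:}      # drop the device part
                name=${name%%:*}     # drop trailing options, if any
                echo "initramfs(encrypt) $name" ;;
        esac
    done
    # Stage 2: systemd-cryptsetup handles crypttab rows. A row prompts when
    # its password field is 'none', '-' or missing and 'noauto' is not set.
    printf '%s\n' "$2" | while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac
        case "${key:-none}" in none|-) ;; *) continue ;; esac
        case ",$opts," in *,noauto,*) continue ;; esac
        echo "systemd-cryptsetup $name"
    done
}

expected_prompts "$CMDLINE" "$CRYPTTAB"
```

For the configuration posted in this thread it prints two lines, one per container.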
I don't have that parameter in my systemd-boot entry:
~ % cat /boot/loader/entries/arch.conf
## This is just an example config file.
## Please edit the paths and kernel parameters according to your system.
title Arch Linux
linux /vmlinuz-linux
initrd /amd-ucode.img
initrd /initramfs-linux.img
#options root=PARTUUID=XXXX rootfstype=XXXX add_efi_memmap
options cryptdevice=UUID=4337beaf-5f20-493a-9822-a59805ea8274:cryptroot root=/dev/mapper/cryptroot rw
Should I add it?
Offline
Add it for a single boot using Kernel_parameters#systemd-boot.
Offline
The first password attempt is rejected in both screenshots, the encrypt hook then prompts again for the password and that second attempt works.
Offline
Exactly, that's my problem. It asks for the password twice, even if that's correct on the first attempt.
Offline
If you boot from the installation media and open the encrypted volume using cryptsetup, does the first password attempt get accepted?
Offline
I installed Arch on an encrypted filesystem following this.
No you did not, or at least there's something you're not telling us.
Your picture clearly shows
No key available with this passphrase.
So you did set it up with a key but didn't provide one??
Again, show the commands you used to set up your env. Don't point to the wiki, I can read that myself...
Offline