#1 2023-03-12 12:40:13

TheBattleWolf
Member
Registered: 2023-03-12
Posts: 1

Unable to boot from encrypted raid "error: Invalid passphrase."

Hello,

I'm trying to install Arch on raid1 with full disk encryption (including /boot). While entering the passphrase during boot I get the error "error: Invalid passphrase.". When I do a live boot and mount the partitions, everything works. What could be the issue here?

My setup is the following:

NAME        MAJ:MIN RM    SIZE RO TYPE  MOUNTPOINTS
loop0         7:0    0  688.5M  1 loop
sda           8:0    0    3.6T  0 disk
└─sda1        8:1    0    3.6T  0 part
  └─md126     9:126  0    3.6T  0 raid1
    └─HDD   254:1    0    3.6T  0 crypt /home
sdb           8:16   0    3.6T  0 disk
└─sdb1        8:17   0    3.6T  0 part
  └─md126     9:126  0    3.6T  0 raid1
    └─HDD   254:1    0    3.6T  0 crypt /home
nvme1n1     259:0    0  931.5G  0 disk
├─nvme1n1p1 259:2    0      1G  0 part
│ └─md127     9:127  0 1023.9M  0 raid1 /efi
└─nvme1n1p2 259:3    0  930.5G  0 part
  └─md125     9:125  0  930.4G  0 raid1
    └─SSD   254:0    0  930.4G  0 crypt /var/log
                                        /
nvme0n1     259:1    0  931.5G  0 disk
├─nvme0n1p1 259:4    0      1G  0 part
│ └─md127     9:127  0 1023.9M  0 raid1 /efi
└─nvme0n1p2 259:5    0  930.5G  0 part
  └─md125     9:125  0  930.4G  0 raid1
    └─SSD   254:0    0  930.4G  0 crypt /var/log

I have two SSDs and two HDDs. The SSDs have two partitions; the first one on each SSD is the FAT32-formatted EFI partition with --metadata=1.0. The second partition on each SSD is an encrypted btrfs partition with e.g. the root subvolume. On the HDDs there is only an encrypted btrfs partition with one subvolume (@home). All partitions are running in a raid1 configuration, which gives me /dev/md/{ESP,HDD,SSD}. I used grub-improved-luks2-git as a bootloader to support LUKS2 and Argon2id. mdadm.conf is stock.

Two things I spotted in /boot/grub/grub.cfg, which might not be an issue, are that insmod gcry_serpent seems to be there twice and insmod gcry_sha256 exists even though I used blake2b as a hashing algorithm.

Here are the relevant configs, any help is greatly appreciated:

crypttab.initramfs

# Configuration for encrypted block devices.
# See crypttab(5) for details.

# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf).

# <name>	<device>	<password>	<options>
SSD		/dev/md/SSD
HDD		/dev/md/HDD

fstab

# /dev/mapper/SSD UUID=8f6a6611-946d-45bc-8bc4-708735d4c31e
LABEL=SSD           	/         	btrfs     	rw,relatime,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@	0 0

# /dev/md127 UUID=666C-58CE
#/dev/md127          	/efi      	vfat      	rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro	0 2
/dev/md/ESP          	/efi      	vfat      	rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro	0 2

# /dev/mapper/SSD UUID=8f6a6611-946d-45bc-8bc4-708735d4c31e
LABEL=SSD           	/var/log  	btrfs     	rw,relatime,compress=zstd:3,ssd,space_cache=v2,subvolid=258,subvol=/@var_log	0 0

# /dev/mapper/SSD UUID=8f6a6611-946d-45bc-8bc4-708735d4c31e
LABEL=SSD           	/.snapshots	btrfs     	rw,relatime,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@snapshots	0 0

# /dev/mapper/HDD UUID=b309ef1e-b2d5-4d40-8296-9cffee12c72c
LABEL=HDD           	/home     	btrfs     	rw,relatime,compress=zstd:3,space_cache=v2,subvolid=256,subvol=/@home	0 0

# /dev/mapper/SSD UUID=8f6a6611-946d-45bc-8bc4-708735d4c31e
LABEL=SSD           	/swap     	btrfs     	rw,relatime,compress=zstd:3,ssd,space_cache=v2,subvolid=259,subvol=/@swap	0 0

/swap/swapfile      	none      	swap      	defaults  	0 0

grub

# GRUB boot loader configuration

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"
GRUB_CMDLINE_LINUX="resume=/swap/swapfile"

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y

# Set to 'countdown' or 'hidden' to change timeout behavior,
# press ESC key to display menu.
GRUB_TIMEOUT_STYLE=menu

# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console

# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE=auto

# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep

# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true

# Uncomment and set to the desired menu colors.  Used by normal and wallpaper
# modes only.  Entries specified as foreground/background.
#GRUB_COLOR_NORMAL="light-blue/black"
#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"

# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/path/to/wallpaper"
#GRUB_THEME="/path/to/gfxtheme"

# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"

# Uncomment to make GRUB remember the last selection. This requires
# setting 'GRUB_DEFAULT=saved' above.
#GRUB_SAVEDEFAULT=true

# Uncomment to disable submenus in boot menu
#GRUB_DISABLE_SUBMENU=y

grub.cfg

#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
insmod part_gpt
insmod part_msdos
if [ -s $prefix/grubenv ]; then
  load_env
fi
if [ "${next_entry}" ] ; then
   set default="${next_entry}"
   set next_entry=
   save_env next_entry
   set boot_once=true
else
   set default="0"
fi

if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}

function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

if [ x$feature_default_font_path = xy ] ; then
   font=unicode
else
insmod part_gpt
insmod part_gpt
insmod diskfilter
insmod mdraid1x
insmod cryptodisk
insmod luks2
insmod gcry_serpent
insmod gcry_serpent
insmod gcry_sha256
insmod btrfs
cryptomount -u 6eab933d-a391-4bc7-872e-d782c1688e91
set root='cryptouuid/6eab933da3914bc7872ed782c1688e91'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/6eab933da3914bc7872ed782c1688e91'  8f6a6611-946d-45bc-8bc4-708735d4c31e
else
  search --no-floppy --fs-uuid --set=root 8f6a6611-946d-45bc-8bc4-708735d4c31e
fi
    font="/@/usr/share/grub/unicode.pf2"
fi

if loadfont $font ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
fi
terminal_input console
terminal_output gfxterm
if [ x$feature_timeout_style = xy ] ; then
  set timeout_style=menu
  set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
  set timeout=5
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/10_linux ###
menuentry 'Arch Linux' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-8f6a6611-946d-45bc-8bc4-708735d4c31e' {
	load_video
	set gfxpayload=keep
	insmod gzio
	insmod part_gpt
	insmod part_gpt
	insmod diskfilter
	insmod mdraid1x
	insmod cryptodisk
	insmod luks2
	insmod gcry_serpent
	insmod gcry_serpent
	insmod gcry_sha256
	insmod btrfs
	cryptomount -u 6eab933d-a391-4bc7-872e-d782c1688e91
	set root='cryptouuid/6eab933da3914bc7872ed782c1688e91'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/6eab933da3914bc7872ed782c1688e91'  8f6a6611-946d-45bc-8bc4-708735d4c31e
	else
	  search --no-floppy --fs-uuid --set=root 8f6a6611-946d-45bc-8bc4-708735d4c31e
	fi
	echo	'Loading Linux linux ...'
	linux	/@/boot/vmlinuz-linux root=UUID=8f6a6611-946d-45bc-8bc4-708735d4c31e rw rootflags=subvol=@ resume=/swap/swapfile loglevel=3 quiet
	echo	'Loading initial ramdisk ...'
	initrd	/@/boot/amd-ucode.img /@/boot/initramfs-linux.img
}
submenu 'Advanced options for Arch Linux' $menuentry_id_option 'gnulinux-advanced-8f6a6611-946d-45bc-8bc4-708735d4c31e' {
	menuentry 'Arch Linux, with Linux linux' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-advanced-8f6a6611-946d-45bc-8bc4-708735d4c31e' {
		load_video
		set gfxpayload=keep
		insmod gzio
		insmod part_gpt
		insmod part_gpt
		insmod diskfilter
		insmod mdraid1x
		insmod cryptodisk
		insmod luks2
		insmod gcry_serpent
		insmod gcry_serpent
		insmod gcry_sha256
		insmod btrfs
		cryptomount -u 6eab933d-a391-4bc7-872e-d782c1688e91
		set root='cryptouuid/6eab933da3914bc7872ed782c1688e91'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/6eab933da3914bc7872ed782c1688e91'  8f6a6611-946d-45bc-8bc4-708735d4c31e
		else
		  search --no-floppy --fs-uuid --set=root 8f6a6611-946d-45bc-8bc4-708735d4c31e
		fi
		echo	'Loading Linux linux ...'
		linux	/@/boot/vmlinuz-linux root=UUID=8f6a6611-946d-45bc-8bc4-708735d4c31e rw rootflags=subvol=@ resume=/swap/swapfile loglevel=3 quiet
		echo	'Loading initial ramdisk ...'
		initrd	/@/boot/amd-ucode.img /@/boot/initramfs-linux.img
	}
	menuentry 'Arch Linux, with Linux linux (fallback initramfs)' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-fallback-8f6a6611-946d-45bc-8bc4-708735d4c31e' {
		load_video
		set gfxpayload=keep
		insmod gzio
		insmod part_gpt
		insmod part_gpt
		insmod diskfilter
		insmod mdraid1x
		insmod cryptodisk
		insmod luks2
		insmod gcry_serpent
		insmod gcry_serpent
		insmod gcry_sha256
		insmod btrfs
		cryptomount -u 6eab933d-a391-4bc7-872e-d782c1688e91
		set root='cryptouuid/6eab933da3914bc7872ed782c1688e91'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/6eab933da3914bc7872ed782c1688e91'  8f6a6611-946d-45bc-8bc4-708735d4c31e
		else
		  search --no-floppy --fs-uuid --set=root 8f6a6611-946d-45bc-8bc4-708735d4c31e
		fi
		echo	'Loading Linux linux ...'
		linux	/@/boot/vmlinuz-linux root=UUID=8f6a6611-946d-45bc-8bc4-708735d4c31e rw rootflags=subvol=@ resume=/swap/swapfile loglevel=3 quiet
		echo	'Loading initial ramdisk ...'
		initrd	/@/boot/initramfs-linux-fallback.img
	}
}

### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/30_uefi-firmware ###
if [ "$grub_platform" = "efi" ]; then
	fwsetup --is-supported
	if [ "$?" = 0 ]; then
		menuentry 'UEFI Firmware Settings' $menuentry_id_option 'uefi-firmware' {
			fwsetup
		}
	fi
fi
### END /etc/grub.d/30_uefi-firmware ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg
fi
### END /etc/grub.d/41_custom ###

mkinitcpio.conf

# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run.  Advanced users may wish to specify all system modules
# in this array.  For instance:
#     MODULES=(usbhid xhci_hcd)
MODULES=()

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image.  This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
FILES=()

# HOOKS
# This is the most important setting in this file.  The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
##   This setup specifies all modules in the MODULES setting above.
##   No RAID, lvm2, or encrypted root is needed.
#    HOOKS=(base)
#
##   This setup will autodetect all modules for your system and should
##   work as a sane default
#    HOOKS=(base udev autodetect modconf block filesystems fsck)
#
##   This setup will generate a 'full' image which supports most systems.
##   No autodetection is done.
#    HOOKS=(base udev modconf block filesystems fsck)
#
##   This setup assembles a mdadm array with an encrypted root file system.
##   Note: See 'mkinitcpio -H mdadm_udev' for more information on RAID devices.
#    HOOKS=(base udev modconf keyboard keymap consolefont block mdadm_udev encrypt filesystems fsck)
#
##   This setup loads an lvm2 volume group.
#    HOOKS=(base udev modconf block lvm2 filesystems fsck)
#
##   NOTE: If you have /usr on a separate partition, you MUST include the
#    usr and fsck hooks.
HOOKS=(base systemd autodetect modconf kms keyboard sd-vconsole block mdadm_udev sd-encrypt filesystems resume fsck)

# COMPRESSION
# Use this to compress the initramfs image. By default, zstd compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="zstd"
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"

# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()

# MODULES_DECOMPRESS
# Decompress kernel modules during initramfs creation.
# Enable to speedup boot process, disable to save RAM
# during early userspace. Switch (yes/no).
#MODULES_DECOMPRESS="yes"
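
Added example, not part of the original post: a small Python check for the two grub.cfg oddities the post points out (repeated insmod lines, and a gcry hash module that does not match the hash chosen for the LUKS2 volume), plus whether each cryptomount UUID agrees with the cryptouuid root set right after it. The function name audit_cryptomounts is hypothetical, the hash name is supplied by the caller (for instance as read from cryptsetup luksDump), and the sample input is shortened from the grub.cfg above.

```python
import re
from collections import Counter

# Sample input: one menuentry preamble, shortened from the grub.cfg in the post.
SAMPLE_CFG = """\
menuentry 'Arch Linux' {
    insmod part_gpt
    insmod part_gpt
    insmod diskfilter
    insmod mdraid1x
    insmod cryptodisk
    insmod luks2
    insmod gcry_serpent
    insmod gcry_serpent
    insmod gcry_sha256
    insmod btrfs
    cryptomount -u 6eab933d-a391-4bc7-872e-d782c1688e91
    set root='cryptouuid/6eab933da3914bc7872ed782c1688e91'
}
"""

def audit_cryptomounts(cfg_text, luks_hash):
    """Return one finding per 'cryptomount -u' line in a grub.cfg."""
    findings, run = [], []
    lines = cfg_text.splitlines()
    for i, raw in enumerate(lines):
        words = raw.split()
        if len(words) == 2 and words[0] == "insmod":
            run.append(words[1])  # extend the contiguous insmod run
            continue
        if len(words) == 3 and words[:2] == ["cryptomount", "-u"]:
            uuid = words[2].lower()
            # The next line should set root to the same UUID with dashes removed.
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            m = re.search(r"cryptouuid/([0-9a-fA-F]+)", nxt)
            gcry = sorted({x for x in run if x.startswith("gcry_")})
            findings.append({
                "uuid": uuid,
                "duplicates": sorted(k for k, n in Counter(run).items() if n > 1),
                "gcry_modules": gcry,
                # Substring match is this example's heuristic, not a GRUB naming rule.
                "hash_module_loaded": any(luks_hash.lower() in x for x in gcry),
                "root_matches": bool(m) and m.group(1).lower() == uuid.replace("-", ""),
            })
        run = []  # any other line (including this cryptomount) ends the run
    return findings

if __name__ == "__main__":
    print(audit_cryptomounts(SAMPLE_CFG, "blake2b"))
```

On the sample it reports gcry_serpent and part_gpt as duplicated and no loaded gcry module whose name contains blake2b, while the cryptomount UUID and the cryptouuid root agree.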
