Due to the fact that I installed Win10 on the same PC and use dual boot, I decided to encrypt ROOT for archlinux. Just in case some software tries to access anything.
I moved everything (unencrypted archlinux) to the new encrypted partition using rsync and after a few steps all works fine. I can boot the new system.
The only disadvantage which I want to solve is: every time I need to enter passwords to encrypt root and then the system starts and I need to log in again to my account (those are two different passwords).
My HOOKS look like this:
HOOKS=(base systemd autodetect microcode modconf kms keyboard keymap sd-vconsole block sd-encrypt filesystems fsck)
I use systemd-boot and not grub, so my entry in /boot/loader/entries/archluks.conf looks like this:
title ArchLinux Encrypted
linux /vmlinuz-linux
initrd /initramfs-linux.img
options root="LABEL=ENCRYPTEDARCHLINUX" rw
options rd.luks.name=7fcf196c-cd1f-4f85-9769-ed38bc982ee4=root root=/dev/mapper/root rw
Can anybody tell me which steps I need to execute in order to encrypt the volume without a password?
I found some help using search, but this was related to GRUB, which I do not use.
Where should I put my key which will encrypt the volume? Where should I put the link to this key file?
I have unencrypted /boot and then all the rest is encrypted.
I found something here https://wiki.archlinux.org/title/Dm-cry … figuration, but need some additional explanation.
Do I need to add 'rd.luks.key' to the boot entry archluks.conf?
It says '/etc/cryptsetup-keys.d/name.key', but my /etc directory is in the encrypted directory, so how can it be accessed? I think this might work if I have other volumes encrypted, but not root (/).
Thanks in advance for all hints.
Last edited by rafdre (2025-12-24 07:34:28)
you can automatically unlock with tpm
https://wiki.archlinux.org/title/Dm-cry … ecure_Boot
https://wiki.archlinux.org/title/Dm-cry … ng_the_TPM
or you can have a display manager / getty auto log you in after boot
https://wiki.archlinux.org/title/Getty# … al_console
not sure what display manager you're using, if you are using one
Last edited by system72 (2025-12-19 13:08:57)
thanks for links and hint.
I am using 'gdm.service - GNOME Display Manager'.
I do not want to log in without password since my kids use the same PC.
I will review the links and try
after some tries all works fine.
My entry in /boot/loader/entries/archluks.conf looks like this:
title ArchLinux Encrypted
linux /vmlinuz-linux
initrd /initramfs-linux.img
options root=/dev/mapper/root rw rd.luks.name=7fcf196c-cd1f-4f85-9769-ed38bc982ee4=root rd.luks.options=tpm2-device=auto
What I solved first was enabling Secure Boot (which I have not used before) and then:
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/<MYDEV>
I removed '/etc/crypttab' and '/etc/crypttab.initramfs' as they are not needed in my setup.
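An added example, not part of the thread: after an enrollment like the one in the last post, the LUKS2 header can be checked for which PCRs the TPM2 token is bound to and whether a passphrase keyslot remains as a fallback. It assumes the JSON comes from `cryptsetup luksDump --dump-json-metadata /dev/<MYDEV>` and that the token uses the `systemd-tpm2` field names shown; the sample metadata and the function name `audit_luks2` are constructed for illustration.

```python
import json

# Constructed sample: shape of the LUKS2 JSON metadata after a TPM2 enrollment
# bound to PCR 7 (assumed field names; blob and hash replaced by placeholders).
SAMPLE = json.loads("""
{
  "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
  "tokens": {
    "0": {"type": "systemd-tpm2", "keyslots": ["1"],
          "tpm2-pcrs": [7], "tpm2-pcr-bank": "sha256", "tpm2-pin": false,
          "tpm2-blob": "PLACEHOLDER", "tpm2-policy-hash": "PLACEHOLDER"}
  }
}
""")


def audit_luks2(meta):
    """Summarise how a LUKS2 volume can be unlocked and note weak spots."""
    tokens = meta.get("tokens", {})
    tpm = [t for t in tokens.values() if t.get("type") == "systemd-tpm2"]
    # Keyslots referenced by a token are opened by that token's mechanism;
    # the remaining ones are plain passphrase or key-file slots.
    bound = {slot for t in tokens.values() for slot in t.get("keyslots", [])}
    manual = sorted(set(meta.get("keyslots", {})) - bound, key=int)
    findings = []
    if not tpm:
        findings.append("no systemd-tpm2 token: tpm2-device=auto cannot unlock")
    for t in tpm:
        pcrs = sorted(t.get("tpm2-pcrs", []))
        if not pcrs:
            findings.append("TPM2 token bound to no PCR: unseals in any boot state")
        elif pcrs == [7]:
            findings.append("bound to PCR 7 only: relies on Secure Boot state")
        if not t.get("tpm2-pin", False):
            findings.append("no TPM2 PIN: volume unlocks at boot without input")
    if not manual:
        findings.append("no passphrase keyslot left: no fallback if PCRs change")
    return {"tpm2_pcrs": [sorted(t.get("tpm2-pcrs", [])) for t in tpm],
            "manual_keyslots": manual, "findings": findings}


if __name__ == "__main__":
    for line in audit_luks2(SAMPLE)["findings"]:
        print("NOTE:", line)
```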