You are not logged in.

#1 2023-08-20 12:18:42

wvk
Member
Registered: 2023-08-20
Posts: 7

[SOLVED] Cannot decrypt root volume at boot after upgrade

Hello everyone, first post for me here, please pardon me if I formulate the issue in an incorrect or partial way.
Also wanted to take the chance to say thank you to everyone involved for the great documentation and troubleshooting that allowed me to fix many issues over time without ever having the need to personally start a new topic.

The issue: My Arch setup has an encrypted root volume and everything worked totally fine on this front until now. This morning I ran a system update as usual (sudo pacman -Syu) and after I shut down my computer. A while after I came back to the computer and at boot I was prompted as usual to enter the password to decrypt the root volume. I tried to enter the password multiple times by rebooting, but I am unable to decrypt the volume. The output is always the same:

IO error while decrypting keyslot.
Keyslot open failed.
Device /dev/nvme0n1p2 is not a valid LUKS device.

The volume is the correct one.

What I tried:
I have btrfs snapshots in my grub configuration. I tried to boot from previous snapshots, but I still get the same error.
I accessed the system from a live USB. From here I am able to decrypt the volume and access all files normally.

(From the live USB) I checked mkinitcpio.conf and it looks like it used to be, in particular:

MODULES=(btrfs)
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt filesystems fsck)

fstab is also unaltered

# Static information about the filesystems.
# See fstab(5) for details.

# <file system> <dir> <type> <options> <dump> <pass>
# /dev/mapper/cryptroot
UUID=da6376ba-6764-480f-bbcd-f70276a9a218	/         	btrfs     	rw,noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=256,subvol=/@	0 0

# /dev/nvme0n1p1
UUID=B0F8-8FB2      	/boot     	vfat      	rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro	0 2

# /dev/mapper/cryptroot
UUID=da6376ba-6764-480f-bbcd-f70276a9a218	/home     	btrfs     	rw,noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=257,subvol=/@home	0 0

# /dev/mapper/cryptroot
UUID=da6376ba-6764-480f-bbcd-f70276a9a218	/swap     	btrfs     	rw,noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=258,subvol=/@swap	0 0

/swap/swapfile      	none      	swap      	defaults  	0 0

same for grub, in particular

GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=22514181-31e5-4b5c-ab00-fff36152a1be:cryptroot root=/dev/mapper/cryptroot"

and blkid, in particular UUID of /dev/nvme0n1p2 matches the of cryptdevice in the grub configuration file:

/dev/nvme0n1p1: UUID="B0F8-8FB2" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="EFI system partition" PARTUUID="275336a7-61c7-4a77-8202-1357fbd8fd35"
/dev/nvme0n1p2: UUID="22514181-31e5-4b5c-ab00-fff36152a1be" TYPE="crypto_LUKS" PARTLABEL="Linux filesystem" PARTUUID="68cc264c-2423-408d-8d44-c3cf5367ddd7"
/dev/sdb1: UUID="EABC-0074" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="e817cf79-01"
/dev/mmcblk0p1: UUID="9C33-6BBD" BLOCK_SIZE="512" TYPE="exfat"
/dev/loop0: BLOCK_SIZE="1048576" TYPE="squashfs"
/dev/mapper/cryptroot: UUID="da6376ba-6764-480f-bbcd-f70276a9a218" UUID_SUB="725bc22a-dccf-47f6-b73a-f8291dd15898" BLOCK_SIZE="4096" TYPE="btrfs"
/dev/sda2: SEC_TYPE="msdos" LABEL_FATBOOT="ARCHISO_EFI" LABEL="ARCHISO_EFI" UUID="A611-4F3D" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="a6db746a-02"
/dev/sda1: BLOCK_SIZE="2048" UUID="2023-04-01-06-07-22-00" LABEL="ARCH_202304" TYPE="iso9660" PARTUUID="a6db746a-01"

This is the output of grep -i upgraded /var/log/pacman.log with the timestamp of today. Last update was on August 16th and everything worked fine the last few days.

[2023-08-20T11:18:23+0200] [ALPM] upgraded glibc (2.38-2 -> 2.38-3)
[2023-08-20T11:18:25+0200] [ALPM] upgraded util-linux-libs (2.39.1-1 -> 2.39.2-1)
[2023-08-20T11:18:25+0200] [ALPM] upgraded device-mapper (2.03.22-1 -> 2.03.22-2)
[2023-08-20T11:18:25+0200] [ALPM] upgraded hwdata (0.372-1 -> 0.373-1)
[2023-08-20T11:18:25+0200] [ALPM] upgraded kbd (2.6.1-1 -> 2.6.2-1)
[2023-08-20T11:18:25+0200] [ALPM] upgraded util-linux (2.39.1-1 -> 2.39.2-1)
[2023-08-20T11:18:25+0200] [ALPM] upgraded mesa (1:23.1.5-1 -> 1:23.1.6-1)
[2023-08-20T11:18:25+0200] [ALPM] upgraded electron24 (24.6.5-2 -> 24.8.0-1)
[2023-08-20T11:18:26+0200] [ALPM] upgraded electron25 (25.3.2-2 -> 25.6.0-1)
[2023-08-20T11:18:26+0200] [ALPM] upgraded firefox (116.0.2-1 -> 116.0.3-1)
[2023-08-20T11:18:26+0200] [ALPM] upgraded intel-media-driver (23.3.0-1 -> 23.3.1-1)
[2023-08-20T11:18:26+0200] [ALPM] upgraded xdg-utils (1.1.3+25+g8ae0263-1 -> 1.1.3+45+g301a1a4-1)
[2023-08-20T11:18:26+0200] [ALPM] upgraded karchive (5.108.0-1 -> 5.109.0-1)
[2023-08-20T11:18:26+0200] [ALPM] upgraded libgit2 (1:1.7.0-3 -> 1:1.7.1-1)
[2023-08-20T11:18:27+0200] [ALPM] upgraded linux (6.4.10.arch1-1 -> 6.4.11.arch2-1)
[2023-08-20T11:18:30+0200] [ALPM] upgraded linux-headers (6.4.10.arch1-1 -> 6.4.11.arch2-1)
[2023-08-20T11:18:30+0200] [ALPM] upgraded lvm2 (2.03.22-1 -> 2.03.22-2)
[2023-08-20T11:18:30+0200] [ALPM] upgraded nvidia (535.98-2 -> 535.98-4)
[2023-08-20T11:18:30+0200] [ALPM] upgraded openvpn (2.6.5-1 -> 2.6.6-1)
[2023-08-20T11:18:31+0200] [ALPM] upgraded oxygen-icons (1:5.108.0-1 -> 1:5.109.0-1)
[2023-08-20T11:18:31+0200] [ALPM] upgraded python-tqdm (4.65.0-3 -> 4.66.1-1)
[2023-08-20T11:18:32+0200] [ALPM] upgraded thunderbird (115.1.0-1 -> 115.1.1-1)
[2023-08-20T11:18:32+0200] [ALPM] upgraded vala (0.56.11-1 -> 0.56.12-1)
[2023-08-20T11:18:32+0200] [ALPM] upgraded xorg-xwayland (23.1.2-1 -> 23.2.0-1)

I see some packages that have been upgraded that I could assume to be related to the issue (device-mapper?, lvm2?), but here is where my knowledge ends. Any idea of what could be causing the issue, and how to solve it?

Many thanks in advance!

Last edited by wvk (2023-08-21 20:06:20)

Offline

#2 2023-08-20 14:43:43

wvk
Member
Registered: 2023-08-20
Posts: 7

Re: [SOLVED] Cannot decrypt root volume at boot after upgrade

Edit/follow up:
I booted again in the live USB environment and I rolled back linux (6.4.11.arch2-1 back to 6.4.10.arch1-1) and linux-headers (6.4.11.arch2-1 back to 6.4.10.arch1-1) (I thought the issue happens right at boot so it might be related to the new kernel). Bingo, I am now able to decrypt the root volume and access my system again!

Since I am really new here:
Q1: Should I report this somewhere or is this totally irrelevant?
Q2: Am I understanding snapshots incorrectly? Do snapshot contain a 'snapshot' of a full system, or is the kernel excluded from this? Or are modules loaded even before booting the system, so that when I was trying to boot from a snapshot modules related to the decryption of the boot volume were already loaded with the latest kernel and made it impossible to boot at all?

Any clarification would be greatly appreciated, and apologies if I used terminology incorrectly or asked very dumb questions!

Offline

#3 2023-08-20 15:44:12

loqs
Member
Registered: 2014-03-06
Posts: 18,053

Re: [SOLVED] Cannot decrypt root volume at boot after upgrade

Offline

#4 2023-08-20 16:00:46

wvk
Member
Registered: 2023-08-20
Posts: 7

Re: [SOLVED] Cannot decrypt root volume at boot after upgrade

Seems like it:

lspci | grep Realtek
03:00.0 Unassigned class [ff00]: Realtek Semiconductor Co., Ltd. RTS525A PCI Express Card Reader (rev 01)

Laptop is a Dell XPS 9560.

Offline

Board footer

Powered by FluxBB