Hi everyone. I'm having some trouble with a new installation (while following the Installation page, system encryption page, and UKI page).
The setup I'm aiming for is: 2 partitions (ESP on /boot and root), a swapfile, systemd-boot, LUKS on the /root partition, and UKIs. Ideally, I also want to enable Secure Boot, TPM, and suspend to both RAM and disk, but as far as I understand this can be done after I have a working system.
I've been going back and forth between the installation and encryption pages as noted: I partitioned the drive, created a LUKS partition, then mounted root and ESP, installed the system, configured mkinitcpio and built the UKIs, installed the bootloader, then finally set the root password and rebooted. Upon booting, I don't see a prompt to enter the LUKS password; instead I get:
    A start job is running for /dev/mapper/cryptroot
I'm showing the contents of my /etc/cmdline.d/root.conf:
    options cryptdevice=UUID=<luks-uuid>:cryptroot root=/dev/mapper/cryptroot rw
What am I getting wrong? I know the answer is somewhere, but I feel like the wiki is not pointing me in the right direction on this one at all.
Any help would be appreciated. Thanks in advance!
Last edited by snowflake161 (2025-04-04 10:07:30)
You should have /efi outside of encryption, with a single file, UKI. That's it. /boot is inside encryption.
Last edited by qu@rk (2025-04-02 17:03:39)
You should have /efi outside of encryption, with a single file, efistub. that's it. /boot is inside encryption.
It is outside of encryption. Right now there are definitely unneeded files in there but the cleaning was optional according to the wiki, so I'm going to leave it for afterwards.
Anyway, I found my way out of this one.
I edited /etc/cmdline.d/root.conf from:
    options cryptdevice=UUID=<luks-uuid>:cryptroot root=/dev/mapper/cryptroot rw
to:
    rd.luks.name=device-UUID=root root=/dev/mapper/root
according to this section. Then I finally managed to type the password and boot into the system.
I felt like this wasn't clear while jumping back and forth between all the relevant pages. Also, I've been searching for documentation to see all of the possible options in this parameter, but all I got was articles on this forum and others (different problems than mine though). I'm still struggling a little in finding the right questions for search.
Now, can someone help me with the options needed to enable suspend to swapfile? Is this possible? All of the articles I've read use the example of a separate swap partition I think.
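An added example, not part of the original posts: a small shell check for the mismatch resolved in the post above, where cryptdevice= was replaced with rd.luks.name=. It assumes the initramfs uses mkinitcpio's systemd-based sd-encrypt hook (the thread does not show HOOKS); the function name, the HOOKS value and the UUID are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check mkinitcpio HOOKS against the
# kernel command line that will be embedded in the UKI.
# Usage: check_luks_cmdline "<HOOKS value>" "<cmdline>"; prints findings or "ok".
check_luks_cmdline() (
    set -f    # word-split the cmdline without glob expansion
    hooks=" $1 "; legacy=""; sd=""; name=""; rootmap=""; rc=0
    for tok in $2; do
        case "$tok" in
            options)            # systemd-boot loader-entry key, not a kernel parameter
                echo "stray 'options' keyword in cmdline"; rc=1 ;;
            cryptdevice=*)      # encrypt hook syntax: device:dmname[:options]
                legacy=1; rest="${tok#*:}"; name="${rest%%:*}" ;;
            rd.luks.name=*)     # sd-encrypt syntax: <UUID>=<dmname>
                sd=1; name="${tok##*=}" ;;
            rd.luks.uuid=*)     sd=1 ;;
            root=/dev/mapper/*) rootmap="${tok#root=/dev/mapper/}" ;;
        esac
    done
    case "$hooks" in
        *" sd-encrypt "*)
            if [ -n "$legacy" ] && [ -z "$sd" ]; then
                echo "sd-encrypt hook does not read cryptdevice=; use rd.luks.name="; rc=1
            fi ;;
        *" encrypt "*)
            if [ -n "$sd" ] && [ -z "$legacy" ]; then
                echo "encrypt hook does not read rd.luks.*; use cryptdevice="; rc=1
            fi ;;
        *)  echo "no encrypt or sd-encrypt hook in HOOKS"; rc=1 ;;
    esac
    if [ -n "$name" ] && [ -n "$rootmap" ] && [ "$name" != "$rootmap" ]; then
        echo "root=/dev/mapper/$rootmap does not match mapping name '$name'"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "ok"; fi
    exit "$rc"
)

# Constructed inputs: HOOKS is an assumed systemd-based set; the UUID is a placeholder.
HOOKS_SD="base systemd autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck"
UUID="00000000-0000-0000-0000-000000000000"
BEFORE="options cryptdevice=UUID=${UUID}:cryptroot root=/dev/mapper/cryptroot rw"
AFTER="rd.luks.name=${UUID}=root root=/dev/mapper/root"

echo "before:"; check_luks_cmdline "$HOOKS_SD" "$BEFORE" || echo "-> fix and rebuild the UKI"
echo "after:";  check_luks_cmdline "$HOOKS_SD" "$AFTER"
```

On a real system the two arguments would come from the HOOKS line in /etc/mkinitcpio.conf and the files under /etc/cmdline.d/.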
The general idea is to not have anything outside encryption, but the UKI binary which gets signed with uki-sbsign hook.
For suspend to swap:
https://wiki.archlinux.org/title/Dm-cry … sk_support
Last edited by qu@rk (2025-04-02 17:01:46)