#1 2025-04-27 17:02:35

cerino
Member
Registered: 2025-04-03
Posts: 20

[SOLVED] Unlock and mount luks partition after multi-user.target

I have multiple luks partitions that need to be unlocked at boot.
The main partition is protected with a tpm+pin entry.
The secondary partitions are unlocked by using a keyfile that is stored on the main partition.
When I configure /etc/crypttab and fstab to unlock and mount the secondary luks partitions, this causes a significant delay during boot, since the cryptsetup jobs for the unlock process start after the main partition has already been mounted.
By default, all crypttab unlock services have cryptsetup.target

But since I don't need the secondary partitions to be available right away, I want those unlock and mount services to run independently of the cryptsetup.target and only start unlocking after multi-user.target has been reached.
I tried to add After=multi-user.target in the relevant overwrite files, but no matter what I try, the partitions listed in crypttab still remain a dependency of cryptsetup.target during boot.

How do I correctly tell systemd to unlock and mount the secondary partitions at a later stage that does not delay the boot process?


SOLUTION:

Add the option "nofail" to both crypttab and fstab to prevent blocking the continuation of the boot process.
Since the mount job for the secondary drive will time out after the default 90 seconds if the password isn't entered in time (or rather a dependency appears to time out), this can be addressed by also setting x-systemd.device-timeout.

Full fstab options required:

nofail,x-systemd.device-timeout=0

Last edited by cerino (2025-05-01 09:05:31)

#2 2025-04-28 00:41:14

dimich
Member
From: Kharkiv, Ukraine
Registered: 2009-11-03
Posts: 352

Re: [SOLVED] Unlock and mount luks partition after multi-user.target

cerino wrote:

I tried to add After=multi-user.target in the relevant overwrite files

See the last paragraph of "Example 2. Overriding vendor settings" in the systemd.unit man page:

Dependencies (After=, etc.) cannot be reset to an empty list, so dependencies can only be added in drop-ins. If you want to remove dependencies, you have to override the entire unit.

#3 2025-04-28 17:38:57

cerino
Member
Registered: 2025-04-03
Posts: 20

Re: [SOLVED] Unlock and mount luks partition after multi-user.target

Do I understand this correctly that I have to create a copy of the existing service and move it to /etc/systemd/system to add my changes?
If I am assuming correctly about how this works, I should also remove the relevant lines from my /etc/crypttab and /etc/fstab since systemd would use those entries to auto generate cryptsetup and mount units?

Or would it be recommended to use the second referenced method and keep the auto generation?
To replace dependencies, one needs to overwrite the entire unit anyway.

Last edited by cerino (2025-04-28 18:32:16)

#4 2025-04-29 02:56:23

dimich
Member
From: Kharkiv, Ukraine
Registered: 2009-11-03
Posts: 352

Re: [SOLVED] Unlock and mount luks partition after multi-user.target

cerino wrote:

Do I understand this correctly that I have to create a copy of the existing service and move it to /etc/systemd/system to add my changes?

Yes. You can copy/edit it either manually or with

# systemctl edit --full <unit-file>

cerino wrote:

If I am assuming correctly about how this works, I should also remove the relevant lines from my /etc/crypttab and /etc/fstab since systemd would use those entries to auto generate cryptsetup and mount units?

Probably you can explicitly mask particular systemd-cryptsetup@* services in advance. Or play with 'noauto' parameter in crypttab. Sorry, I've never configured /etc/crypttab and systemd-cryptsetup-generator.

#5 2025-04-29 21:16:50

cerino
Member
Registered: 2025-04-03
Posts: 20

Re: [SOLVED] Unlock and mount luks partition after multi-user.target

Thank you, that works so far for editing the service file.

My remaining problem is that I can't seem to get systemd to continue to the graphical session without waiting for this cryptsetup service to finish.
I would like to reach the login tty before the service is finished unlocking the secondary partition.
Do I actually have to use a timer to start after boot to solve this?

This is my current service file:


# Automatically generated by systemd-cryptsetup-generator

[Unit]
Description=Cryptography Setup for %I
Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)
SourcePath=/etc/crypttab

DefaultDependencies=no
IgnoreOnIsolate=true
Conflicts=umount.target
RequiresMountsFor=/keys/disks/secondary.key

[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=infinity
KeyringMode=shared
OOMScoreAdjust=500
ImportCredential=cryptsetup.*
ExecStart=/usr/bin/systemd-cryptsetup attach 'secondary' '/dev/disk/by-uuid/4762b5a2c-a423-456f-4261-f98c9367a63' '/keys/disks/secondary.key' ''
ExecStop=/usr/bin/systemd-cryptsetup detach 'secondary'

[Install]
WantedBy=multi-user.target

Compared to the default service file generated by systemd, I removed several Before conditions like Before=cryptsetup.target.

How do I get this to not delay any other services?

Last edited by cerino (2025-04-29 21:49:42)

#6 2025-04-30 10:09:45

cerino
Member
Registered: 2025-04-03
Posts: 20

Re: [SOLVED] Unlock and mount luks partition after multi-user.target

According to systemd-analyze the cryptsetup service does not show as a dependency, but when I have it enabled (even with a sleep timer to rule out processing load) there is a 5 second gap before the user session starts and the tty becomes visible. When I disable the cryptsetup service, the tty login shows immediately.

#7 2025-04-30 10:18:29

cerino
Member
Registered: 2025-04-03
Posts: 20

Re: [SOLVED] Unlock and mount luks partition after multi-user.target

This delay is suspiciously exactly 5 seconds long before user-1001.slice is started next. This would make sense if the service that starts user-1001.slice is of type=idle, which would wait for other services for exactly 5 seconds.
But systemd-logind.service is not of type idle, so what else could cause this delay?

#8 2025-04-30 10:31:58

cerino
Member
Registered: 2025-04-03
Posts: 20

Re: [SOLVED] Unlock and mount luks partition after multi-user.target

OK, I found the issue: it's the getty service, which is of type idle and waits 5 seconds before starting when there is any other active service. Changing the type to simple solves the issue immediately; it never was a problem with the cryptsetup service.

#9 2025-04-30 11:10:15

cerino
Member
Registered: 2025-04-03
Posts: 20

Re: [SOLVED] Unlock and mount luks partition after multi-user.target

To recap what steps are required to get encrypted disks to be unlocked during boot without causing a delay:

1. Remove the cryptsetup.target from the service files

# systemctl edit --full systemd-cryptsetup@secondarydisks.service

Comment out the line

Before=cryptsetup.target

Otherwise subsequent services will wait for the cryptsetup as part of this target to be finished.


2. Change getty type

# systemctl edit getty@

Add the following:

[Service]
Type=simple

If anyone knows a better way to change the target for the cryptsetup service e.g. by using an option in crypttab, that would make things even easier and would be greatly appreciated.

Last edited by cerino (2025-04-30 14:33:06)

#10 2025-04-30 16:34:04

cerino
Member
Registered: 2025-04-03
Posts: 20

Re: [SOLVED] Unlock and mount luks partition after multi-user.target

While this all works, I just found out there is a way more simple solution that I overlooked.
Adding "nofail" to both crypttab and fstab will result in the same fast boot process as all these manual steps...
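
The options from the SOLUTION in post #1 and from this post, turned into a check, as an added example that is not part of the original thread: it reports keyfile-unlocked crypttab entries and their mounts that still lack "nofail" or x-systemd.device-timeout. It assumes secondary volumes are the crypttab entries with an absolute key file path and that fstab mounts them as /dev/mapper/NAME; the "archive" volume, mount points and UUID placeholders in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes secondary volumes are the
# crypttab entries with an absolute key file path, mounted via /dev/mapper/NAME.

# Names of keyfile-unlocked crypttab entries that lack "nofail".
crypttab_missing_nofail() {   # $1 = crypttab
    awk '
        $1 ~ /^#/ || NF == 0 { next }
        $3 ~ /^\// {
            n = split($4, opt, ","); ok = 0
            for (i = 1; i <= n; i++) if (opt[i] == "nofail") ok = 1
            if (!ok) print $1
        }' "$1"
}

# "NAME: option" for each mount of such a volume that misses a required option.
fstab_missing_opts() {   # $1 = crypttab, $2 = fstab
    awk '
        $1 ~ /^#/ || NF == 0 { next }
        FILENAME == ARGV[1] { if ($3 ~ /^\//) keyed["/dev/mapper/" $1] = 1; next }
        ($1 in keyed) {
            n = split($4, opt, ","); nofail = 0; timeout = 0
            for (i = 1; i <= n; i++) {
                if (opt[i] == "nofail") nofail = 1
                if (opt[i] ~ /^x-systemd\.device-timeout=/) timeout = 1
            }
            name = $1; sub("^/dev/mapper/", "", name)
            if (!nofail)  print name ": nofail"
            if (!timeout) print name ": x-systemd.device-timeout"
        }' "$1" "$2"
}

# Constructed sample files written into directory $1.
write_sample() {
    cat > "$1/crypttab" <<'EOF'
root       UUID=<root-uuid>       none                       tpm2-device=auto
secondary  UUID=<secondary-uuid>  /keys/disks/secondary.key  nofail
archive    UUID=<archive-uuid>    /keys/disks/archive.key    luks
EOF
    cat > "$1/fstab" <<'EOF'
/dev/mapper/root       /         ext4  defaults  0 1
/dev/mapper/secondary  /data     ext4  nofail    0 2
/dev/mapper/archive    /archive  ext4  defaults  0 2
EOF
}

if [ "$#" -eq 2 ]; then
    crypttab_missing_nofail "$1"; fstab_missing_opts "$1" "$2"
fi
```

Run it as `sh script.sh /etc/crypttab /etc/fstab`; no output means every keyfile-unlocked volume carries the options from the solution.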
