
#1 2025-08-10 21:07:56

izdener
Member
Registered: 2025-08-10
Posts: 5

Fresh Arch LUKS install prompts twice for decryption password

Hello, today I installed Arch Linux the hard way. I set up my two NVMe SSDs with LUKS and generated separate key files. For the root disk, I added the key file path in mkinitcpio.conf and regenerated with the mkinitcpio -P linux command, but I still get the second prompt. The other disk's decryption works well; I added it to /etc/crypttab.

Any help is much appreciated.


I am new here.


#2 2025-08-10 23:02:02

kermit63
Member
Registered: 2018-07-04
Posts: 370

Re: Fresh Arch LUKS install prompts twice for decryption password

Create a keyfile for the secondary drive, store the keyfile on the root drive, then instruct /etc/crypttab to use the stored keyfile.

For particulars, see:

man crypttab

Never argue with an idiot, they will drag you down to their level and then beat you with experience.
It is better to light a candle than curse the darkness.
A journey of a thousand miles begins with a single step.


#3 2025-08-11 23:00:35

izdener
Member
Registered: 2025-08-10
Posts: 5

Re: Fresh Arch LUKS install prompts twice for decryption password

kermit63 wrote:

create a keyfile for the secondary drive, store the keyfile in the root drive, then instruct /etc/crypttab to use the stored keyfile.

for particulars, see:

man crypttab

The secondary drive works fine with crypttab. My problem concerns the main root drive. I separated /boot/efi into /efi and /boot, so my bootloader is encrypted. When I boot up, I get a prompt to enter the password for my encrypted main drive, GRUB loads, I pick Arch Linux, then I get the prompt again for the main drive. First it asks for it with the UUID, then it asks for it with the partition name nvme0n1p2, but it is the same drive.

So, I made 2 key files: the 1st for the ROOT, the 2nd for the DATA. I added the key file path to mkinitcpio.conf, regenerated with the mkinitcpio -p linux command, added the secondary key file to the crypttab file, and I still get the decryption prompt twice.



#4 2025-08-12 00:31:57

topcat01
Member
Registered: 2019-09-17
Posts: 283

Re: Fresh Arch LUKS install prompts twice for decryption password

So, you have 3 encrypted partitions, namely boot (nvme0n1p2), root, and data? If so, are you also mounting boot? The keyfiles might take care of / and /data, but how is /boot going to be decrypted? I don't think GRUB's decryption of /boot is available to the kernel later.


#5 2025-08-12 11:51:20

izdener
Member
Registered: 2025-08-10
Posts: 5

Re: Fresh Arch LUKS install prompts twice for decryption password

Well, for my 2 encrypted partitions, I made 2 keyfiles: root_keyfile.bin and steam_keyfile.bin. Then I added my root_keyfile.bin to mkinitcpio.conf and regenerated my initramfs.
Concerning my data drive, I added the keyfile to crypttab, and that works flawlessly!
My problem IS that even though I added the keyfile to be decrypted to mkinitcpio, which still ignores it, I also added it to GRUB as a cryptkey parameter. I regenerated my grub.cfg too. But still, I have to type in my password twice for the nvme0n1p2 disk, even though I should not have been prompted at all. Everything is included. Maybe I am missing something.

Here is how my disks' partitions are laid out:

lsblk -b

NAME           MAJ:MIN RM          SIZE RO TYPE  MOUNTPOINTS
zram0          252:0    0   16324231168  0 disk  [SWAP]
nvme1n1        259:0    0 2000398934016  0 disk 
└─nvme1n1p1    259:1    0 2000397795328  0 part 
  └─steam-data 253:1    0 2000395698176  0 crypt /media/steam-data
nvme0n1        259:2    0 1000204886016  0 disk 
├─nvme0n1p1    259:3    0     536870912  0 part  /efi
└─nvme0n1p2    259:4    0  999666221056  0 part 
  └─arch-linux 253:0    0  999664123904  0 crypt /var/tmp
                                                 /var/log
                                                 /var/spool
                                                 /var/lib/libvirt/images
                                                 /var/cache
                                                 /home
                                                 /opt
                                                 /srv
                                                 /

cat /etc/mkinitcpio.conf

# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run.  Advanced users may wish to specify all system modules
# in this array.  For instance:
#     MODULES=(usbhid xhci_hcd)
MODULES=(btrfs)

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image.  This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
FILES=(/decrypt/root_keyfile.bin)

# HOOKS
# This is the most important setting in this file.  The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
##   This setup specifies all modules in the MODULES setting above.
##   No RAID, lvm2, or encrypted root is needed.
#    HOOKS=(base)
#
##   This setup will autodetect all modules for your system and should
##   work as a sane default
#    HOOKS=(base udev autodetect modconf block filesystems fsck)
#
##   This setup will generate a 'full' image which supports most systems.
##   No autodetection is done.
#    HOOKS=(base udev modconf block filesystems fsck)
#
##   This setup assembles a mdadm array with an encrypted root file system.
##   Note: See 'mkinitcpio -H mdadm_udev' for more information on RAID devices.
#    HOOKS=(base udev modconf keyboard keymap consolefont block mdadm_udev encrypt filesystems fsck)
#
##   This setup loads an lvm2 volume group.
#    HOOKS=(base udev modconf block lvm2 filesystems fsck)
#
##   This will create a systemd based initramfs which loads an encrypted root filesystem.
#    HOOKS=(base systemd autodetect modconf kms keyboard sd-vconsole sd-encrypt block filesystems fsck)
#
##   NOTE: If you have /usr on a separate partition, you MUST include the
#    usr and fsck hooks.
HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt filesystems fsck grub-btrfs-overlayfs)

# COMPRESSION
# Use this to compress the initramfs image. By default, zstd compression
# is used for Linux ≥ 5.9 and gzip compression is used for Linux < 5.9.
# Use 'cat' to create an uncompressed image.
#COMPRESSION="zstd"
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"

# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()

# MODULES_DECOMPRESS
# Decompress loadable kernel modules and their firmware during initramfs
# creation. Switch (yes/no).
# Enable to allow further decreasing image size when using high compression
# (e.g. xz -9e or zstd --long --ultra -22) at the expense of increased RAM usage
# at early boot.
# Note that any compressed files will be placed in the uncompressed early CPIO
# to avoid double compression.
#MODULES_DECOMPRESS="no"

cat /etc/crypttab

# Configuration for encrypted block devices.
# See crypttab(5) for details.

# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf).

# <name>       <device>                                     <password>              <options>
# home         UUID=b8ad5c18-f445-495d-9095-c9ec4f9d2f37    /etc/mypassword1
# data1        /dev/sda3                                    /etc/mypassword2
# data2        /dev/sda5                                    /etc/cryptfs.key
# swap         /dev/sdx4                                    /dev/urandom            swap,cipher=aes-cbc-essiv:sha256,size=256
# vol          /dev/sdb7                                    none

steam-data    UUID=XXXX-XXXX-XXXX-XXXX-XXXX               /decrypt/steam_keyfile.bin

cat /etc/default/grub

# GRUB boot loader configuration

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=XXXXXX-XXXXXX-XXXXXX-XXXXX:arch-linux root=/dev/mapper/arch-linux cryptkey=rootfs:/decryt/root_keyfile.bin"
GRUB_CMDLINE_LINUX=""

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y

# Set to 'countdown' or 'hidden' to change timeout behavior,
# press ESC key to display menu.
GRUB_TIMEOUT_STYLE=menu

# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console

# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `videoinfo'
GRUB_GFXMODE=auto

# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep

# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true

# Uncomment and set to the desired menu colors.  Used by normal and wallpaper
# modes only.  Entries specified as foreground/background.
#GRUB_COLOR_NORMAL="light-blue/black"
#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"

# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/path/to/wallpaper"
#GRUB_THEME="/path/to/gfxtheme"

# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"

# Uncomment to make GRUB remember the last selection. This requires
# setting 'GRUB_DEFAULT=saved' above.
#GRUB_SAVEDEFAULT=true

# Uncomment to disable submenus in boot menu
#GRUB_DISABLE_SUBMENU=y

# Probing for other operating systems is disabled for security reasons. Read
# documentation on GRUB_DISABLE_OS_PROBER, if still want to enable this
# functionality install os-prober and uncomment to detect and include other
# operating systems.
#GRUB_DISABLE_OS_PROBER=false



#6 2025-08-12 22:29:10

topcat01
Member
Registered: 2019-09-17
Posts: 283

Re: Fresh Arch LUKS install prompts twice for decryption password

Does lsinitramfs show the key file as present in the initramfs?


#7 2025-08-13 08:21:33

izdener
Member
Registered: 2025-08-10
Posts: 5

Re: Fresh Arch LUKS install prompts twice for decryption password

topcat01 wrote:

Does lsinitramfs show the key file as present in the initramfs?

lsinitramfs
bash: lsinitramfs: command not found

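An added check (example code, not from the thread) for the configuration posted in #5 and the lsinitramfs question in #6/#7: it pulls the path out of cryptkey=rootfs:<path> on a kernel command line, confirms the same path appears in the FILES=(...) array of mkinitcpio.conf, and, on a live system, greps that path out of lsinitcpio output (mkinitcpio's own image lister; Arch does not ship Debian's lsinitramfs), because the encrypt hook falls back to a passphrase prompt whenever it cannot open the keyfile inside the initramfs. The constructed sample strings mirror the posted config, where the GRUB line reads /decryt/ but FILES= reads /decrypt/; that lsinitcpio prints entries with or without a leading ./ is an assumption handled by the regex.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the keyfile the encrypt hook
# is told to use via cryptkey=rootfs:<path> is actually shipped by FILES=(...).
# Only the rootfs: form used in the thread is handled.

# Print the path from "cryptkey=rootfs:<path>[:...]" in a kernel command line.
cryptkey_path() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n 's/^cryptkey=rootfs:\([^:]*\).*/\1/p' | head -n 1
}

# Succeed if path $1 is one of the entries of the "FILES=(...)" line $2.
in_files_array() {
    for entry in $(printf '%s\n' "$2" | sed -n 's/^FILES=(\(.*\)).*/\1/p'); do
        [ "$entry" = "$1" ] && return 0
    done
    return 1
}

# Compare a command line ($1) against a FILES= line ($2).
# Returns 0 on match, 1 on mismatch, 2 when no cryptkey=rootfs: is present.
check_cmdline() {
    key=$(cryptkey_path "$1")
    if [ -z "$key" ]; then
        echo "no cryptkey=rootfs:<path> on the kernel command line"; return 2
    fi
    if in_files_array "$key" "$2"; then
        echo "ok: $key is listed in FILES"; return 0
    fi
    echo "MISMATCH: cryptkey points at $key, but the config says $2"; return 1
}

# Live check on the installed system (run as root). Assumption: lsinitcpio
# lists entries as "decrypt/root_keyfile.bin" or "./decrypt/root_keyfile.bin".
check_live() {
    image=${1:-/boot/initramfs-linux.img}
    cmdline=$(cat /proc/cmdline)
    key=$(cryptkey_path "$cmdline")
    check_cmdline "$cmdline" "$(grep '^FILES=' /etc/mkinitcpio.conf)" || return $?
    if lsinitcpio "$image" | grep -qxE "(\./)?${key#/}"; then
        echo "ok: ${key#/} is present in $image"
    else
        echo "MISSING: ${key#/} not in $image (rerun mkinitcpio -P)"; return 1
    fi
}

# Constructed sample strings copied from the posted config (UUID masked).
SAMPLE_CMDLINE='loglevel=3 quiet cryptdevice=UUID=XXXX:arch-linux root=/dev/mapper/arch-linux cryptkey=rootfs:/decryt/root_keyfile.bin'
SAMPLE_FILES='FILES=(/decrypt/root_keyfile.bin)'
check_cmdline "$SAMPLE_CMDLINE" "$SAMPLE_FILES" || :
```

On the posted values the script reports a MISMATCH between /decryt/root_keyfile.bin and /decrypt/root_keyfile.bin; after fixing the path and regenerating, check_live confirms the keyfile is inside the image.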

#8 2025-08-13 17:55:56

topcat01
Member
Registered: 2019-09-17
Posts: 283

Re: Fresh Arch LUKS install prompts twice for decryption password


#9 2025-08-14 05:56:22

kermit63
Member
Registered: 2018-07-04
Posts: 370

Re: Fresh Arch LUKS install prompts twice for decryption password

GRUB_ENABLE_CRYPTODISK=y

Try commenting out this line from /etc/default/grub, run grub-mkconfig -o /boot/grub/grub.cfg again, and see if it makes a difference.



#10 2025-08-14 06:23:20

frostschutz
Member
Registered: 2013-11-15
Posts: 1,642

Re: Fresh Arch LUKS install prompts twice for decryption password

The cryptodisk y/n setting affects grub-install, so if you change this, you'll have to reinstall grub.

Note you won't be able to boot at all if you have encrypted boot/grub and kernel/initrd but cryptodisk=n.

Last edited by frostschutz (2025-08-14 06:23:47)


Powered by FluxBB