[SOLVED] Cryptsetup intermittant decryption issues at boot time

Xeauron · 2026-01-02 15:18:15

Hi All,

I'm not 100% sure what the issue is at the moment as I've not had time to read up / debug.
But this morning when turning my main computer on which I've not done for a couple of weeks now, cryptsetup repeatedly failed to unlock my drives at boot time.

I have it setup so that when I unlock the computer at boot, it uses locally stored key files to unlock all the secondary drives.

Journal entry:

Jan 02 08:27:45 main systemd-cryptsetup[1302]: Failed to activate with key file '/etc/cryptsetup-keys.d/[keyfile_name].key'. (Key data incorrect?)

So I rolled back the package cryptsetup:

cryptsetup-2.8.3-1 -> cryptsetup-2.8.1-1

Everything unlocks now no problem.

At first I thought the HDD was on its way out as the last time I had issues with my OS, files couldn't be read from the drive causing KDE to behave wierd. My SSD was on its way out.

I'm still investigating whether this is the case as my Keepass and Kwallet are also acting weird.

In Keepass I have to keep re-selecting the key file for some reason before I enter my password each time I unlock.
And Kwallet has a password remembered, that doesn't work when you click OK to unlock an external drive, yet when I type the password in manually (same one that's stored in Kwallet) it works.

SO further investigation needed as soon as I get chance.
Just thought I'd post this here in case anyone else had the same issue.

Thanks.

EDIT: edited post as it's not a PSA.

Last edited by Xeauron (2026-01-20 12:29:09)

Lone_Wolf · 2026-01-03 11:37:33

Please post a full journal of a boot where you encountered this issue.
https://wiki.archlinux.org/title/System … ing_output has details about limiting the output to specific dates/boots .

Moderator Note

While this has some characteristisc of a PSA there are indications of an underlying problem.
Moving to System Administration.

Xeauron · 2026-01-09 21:27:16

Hi, apologies for the time taken to get back and thanks for the response.
I've not had time due to work.

It started happening again earlier this week when I turned it on briefly. Drives wouldn't unlock, then when I got into KDE dolphin hung, flatpaks refused to launch and it generally misbehaved.

I re-upgraded cryptsetup to the latest version as that clearly isn't the problem.

It's also worth mentioning I've got dropbear running during early boot so I can ssh in with my phone and remote unlock the PC.
Pasting the password in via my phone also failed on the 8th Jan I think it was - had to type the password in manually.

I've just started it up again and everything unlocked no problem, and everything's working fine - you'd never know there's a problem - very weird and annoying.

Examples from systemd-cryptsetup from a few previous boots.
I sorted out the permissions on the key files.

The drive in question is a 1TB Western Digital Blue.
FIle System: BTRFS
Encryption: Luks2

All other drives which are a mix of Seagate, Crucial and one Samsung M.2.
All on Ext4 with Luks2

$> journalctl -t systemd-cryptsetup

-- Boot 876488ba9b6542a6b263388c50554886 --
Jan 02 09:21:22 archlinux systemd-cryptsetup[582]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/05a74bd3-38be-4784-9f0a-88027fa324a4.
Jan 02 09:21:26 main systemd-cryptsetup[1272]: Key file /etc/cryptsetup-keys.d/980.key is world-readable. This is not a good idea!
Jan 02 09:21:26 main systemd-cryptsetup[1272]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/f91171ee-7ae1-4663-b32a-47b989770e08.
Jan 02 09:21:26 main systemd-cryptsetup[1272]: /etc/cryptsetup-keys.d/980.key has 0644 mode that is too permissive, please adjust the ownership and access mode.
Jan 02 09:21:26 main systemd-cryptsetup[1297]: Key file /etc/cryptsetup-keys.d/b2.key is world-readable. This is not a good idea!
Jan 02 09:21:26 main systemd-cryptsetup[1298]: Key file /etc/cryptsetup-keys.d/c480.key is world-readable. This is not a good idea!
Jan 02 09:21:26 main systemd-cryptsetup[1297]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/726c2e06-38cd-400d-b47c-dce81a8680b3.
Jan 02 09:21:26 main systemd-cryptsetup[1298]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/133678fc-22fe-4d7c-b8d2-3cde6dbe93b0.
Jan 02 09:21:26 main systemd-cryptsetup[1297]: /etc/cryptsetup-keys.d/b2.key has 0644 mode that is too permissive, please adjust the ownership and access mode.
Jan 02 09:21:26 main systemd-cryptsetup[1298]: /etc/cryptsetup-keys.d/c480.key has 0644 mode that is too permissive, please adjust the ownership and access mode.
Jan 02 09:21:26 main systemd-cryptsetup[1307]: Key file /etc/cryptsetup-keys.d/b1.key is world-readable. This is not a good idea!
Jan 02 09:21:26 main systemd-cryptsetup[1307]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/ba4cb25a-a760-41b5-8f3a-301a69f34dd9.
Jan 02 09:21:26 main systemd-cryptsetup[1307]: /etc/cryptsetup-keys.d/b1.key has 0644 mode that is too permissive, please adjust the ownership and access mode.
-- Boot 7b17ee62a2eb4d64918f9f5dea881128 --
Jan 02 09:25:21 archlinux systemd-cryptsetup[578]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/05a74bd3-38be-4784-9f0a-88027fa324a4.
Jan 02 09:25:25 main systemd-cryptsetup[1294]: Key file /etc/cryptsetup-keys.d/980.key is world-readable. This is not a good idea!
Jan 02 09:25:25 main systemd-cryptsetup[1294]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/f91171ee-7ae1-4663-b32a-47b989770e08.
Jan 02 09:25:25 main systemd-cryptsetup[1294]: /etc/cryptsetup-keys.d/980.key has 0644 mode that is too permissive, please adjust the ownership and access mode.
Jan 02 09:25:25 main systemd-cryptsetup[1310]: Key file /etc/cryptsetup-keys.d/b1.key is world-readable. This is not a good idea!
Jan 02 09:25:25 main systemd-cryptsetup[1310]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/ba4cb25a-a760-41b5-8f3a-301a69f34dd9.
Jan 02 09:25:25 main systemd-cryptsetup[1310]: /etc/cryptsetup-keys.d/b1.key has 0644 mode that is too permissive, please adjust the ownership and access mode.
Jan 02 09:25:25 main systemd-cryptsetup[1323]: Key file /etc/cryptsetup-keys.d/c480.key is world-readable. This is not a good idea!
Jan 02 09:25:25 main systemd-cryptsetup[1323]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/133678fc-22fe-4d7c-b8d2-3cde6dbe93b0.
Jan 02 09:25:25 main systemd-cryptsetup[1323]: /etc/cryptsetup-keys.d/c480.key has 0644 mode that is too permissive, please adjust the ownership and access mode.
Jan 02 09:25:25 main systemd-cryptsetup[1330]: Key file /etc/cryptsetup-keys.d/b2.key is world-readable. This is not a good idea!
Jan 02 09:25:25 main systemd-cryptsetup[1330]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/726c2e06-38cd-400d-b47c-dce81a8680b3.
Jan 02 09:25:25 main systemd-cryptsetup[1330]: /etc/cryptsetup-keys.d/b2.key has 0644 mode that is too permissive, please adjust the ownership and access mode.
-- Boot b8b4cb8978fa41289180103e21b2c836 --
Jan 08 20:43:29 archlinux systemd-cryptsetup[585]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/05a74bd3-38be-4784-9f0a-88027fa324a4.
Jan 08 20:43:34 main systemd-cryptsetup[1287]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/f91171ee-7ae1-4663-b32a-47b989770e08.
Jan 08 20:43:34 main systemd-cryptsetup[1314]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/ba4cb25a-a760-41b5-8f3a-301a69f34dd9.
Jan 08 20:43:34 main systemd-cryptsetup[1317]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/726c2e06-38cd-400d-b47c-dce81a8680b3.
Jan 08 20:43:34 main systemd-cryptsetup[1318]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/133678fc-22fe-4d7c-b8d2-3cde6dbe93b0.
-- Boot ae82f68c885c4cc2baed0b1e1e8441c5 --
Jan 08 20:53:18 archlinux systemd-cryptsetup[588]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/05a74bd3-38be-4784-9f0a-88027fa324a4.
Jan 08 20:53:23 main systemd-cryptsetup[1293]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/f91171ee-7ae1-4663-b32a-47b989770e08.
Jan 08 20:53:23 main systemd-cryptsetup[1306]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/133678fc-22fe-4d7c-b8d2-3cde6dbe93b0.
Jan 08 20:53:23 main systemd-cryptsetup[1314]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/726c2e06-38cd-400d-b47c-dce81a8680b3.
Jan 08 20:53:23 main systemd-cryptsetup[1339]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/ba4cb25a-a760-41b5-8f3a-301a69f34dd9.
-- Boot a3986b1f53f44bdd87947d1b7abe7793 --
Jan 08 22:55:39 archlinux systemd-cryptsetup[590]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/05a74bd3-38be-4784-9f0a-88027fa324a4.
Jan 08 22:55:44 main systemd-cryptsetup[1298]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/ba4cb25a-a760-41b5-8f3a-301a69f34dd9.
Jan 08 22:55:44 main systemd-cryptsetup[1294]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/f91171ee-7ae1-4663-b32a-47b989770e08.
Jan 08 22:55:44 main systemd-cryptsetup[1299]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/133678fc-22fe-4d7c-b8d2-3cde6dbe93b0.
Jan 08 22:55:44 main systemd-cryptsetup[1304]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/726c2e06-38cd-400d-b47c-dce81a8680b3.
Jan 08 22:55:54 main systemd-cryptsetup[1298]: Failed to activate with key file '/etc/cryptsetup-keys.d/b1.key'. (Key data incorrect?)
Jan 08 22:55:54 main systemd-cryptsetup[1298]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/ba4cb25a-a760-41b5-8f3a-301a69f34dd9.
Jan 08 22:55:54 main systemd-cryptsetup[1294]: Failed to activate with key file '/etc/cryptsetup-keys.d/980.key'. (Key data incorrect?)
Jan 08 22:55:54 main systemd-cryptsetup[1294]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/f91171ee-7ae1-4663-b32a-47b989770e08.
Jan 08 22:55:59 main systemd-cryptsetup[1298]: Failed to activate with specified passphrase. (Passphrase incorrect?)
Jan 08 22:55:59 main systemd-cryptsetup[1294]: Failed to activate with specified passphrase. (Passphrase incorrect?)
Jan 08 22:56:46 main systemd-cryptsetup[1298]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/ba4cb25a-a760-41b5-8f3a-301a69f34dd9.
Jan 08 22:56:47 main systemd-cryptsetup[1294]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/f91171ee-7ae1-4663-b32a-47b989770e08.
Jan 08 22:56:51 main systemd-cryptsetup[1298]: Failed to activate with specified passphrase. (Passphrase incorrect?)
Jan 08 22:56:51 main systemd-cryptsetup[1298]: Too many attempts to activate; giving up.
Jan 08 22:56:52 main systemd-cryptsetup[1294]: Failed to activate with specified passphrase. (Passphrase incorrect?)
Jan 08 22:56:52 main systemd-cryptsetup[1294]: Too many attempts to activate; giving up.
-- Boot 52e63b3fe1c94ddd984a45aab17ba3e0 --
Jan 08 23:09:50 archlinux systemd-cryptsetup[584]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/05a74bd3-38be-4784-9f0a-88027fa324a4.
Jan 08 23:09:55 main systemd-cryptsetup[1285]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/f91171ee-7ae1-4663-b32a-47b989770e08.
Jan 08 23:09:55 main systemd-cryptsetup[1308]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/726c2e06-38cd-400d-b47c-dce81a8680b3.
Jan 08 23:09:55 main systemd-cryptsetup[1309]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/133678fc-22fe-4d7c-b8d2-3cde6dbe93b0.
Jan 08 23:09:55 main systemd-cryptsetup[1307]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/ba4cb25a-a760-41b5-8f3a-301a69f34dd9.
Jan 08 23:10:03 main systemd-cryptsetup[1285]: Failed to activate with key file '/etc/cryptsetup-keys.d/980.key'. (Key data incorrect?)
Jan 08 23:10:03 main systemd-cryptsetup[1285]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/f91171ee-7ae1-4663-b32a-47b989770e08.
Jan 08 23:10:05 main systemd-cryptsetup[1308]: Failed to activate with key file '/etc/cryptsetup-keys.d/b2.key'. (Key data incorrect?)
Jan 08 23:10:05 main systemd-cryptsetup[1308]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/726c2e06-38cd-400d-b47c-dce81a8680b3.
Jan 08 23:10:18 main systemd-cryptsetup[1308]: Failed to activate with specified passphrase. (Passphrase incorrect?)
Jan 08 23:10:20 main systemd-cryptsetup[1285]: Failed to activate with specified passphrase. (Passphrase incorrect?)
Jan 08 23:10:20 main systemd-cryptsetup[1308]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/726c2e06-38cd-400d-b47c-dce81a8680b3.
Jan 08 23:10:21 main systemd-cryptsetup[1285]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/f91171ee-7ae1-4663-b32a-47b989770e08.
Jan 08 23:10:26 main systemd-cryptsetup[1308]: Failed to activate with specified passphrase. (Passphrase incorrect?)
Jan 08 23:10:26 main systemd-cryptsetup[1308]: Too many attempts to activate; giving up.
Jan 08 23:10:29 main systemd-cryptsetup[1285]: Failed to activate with specified passphrase. (Passphrase incorrect?)
Jan 08 23:10:29 main systemd-cryptsetup[1285]: Too many attempts to activate; giving up.
-- Boot 74c9103cf551435f853eef9c6fb1d272 --
Jan 09 20:23:28 archlinux systemd-cryptsetup[586]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/05a74bd3-38be-4784-9f0a-88027fa324a4.
Jan 09 20:23:32 main systemd-cryptsetup[1282]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/f91171ee-7ae1-4663-b32a-47b989770e08.
Jan 09 20:23:32 main systemd-cryptsetup[1299]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/133678fc-22fe-4d7c-b8d2-3cde6dbe93b0.
Jan 09 20:23:32 main systemd-cryptsetup[1309]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/ba4cb25a-a760-41b5-8f3a-301a69f34dd9.
Jan 09 20:23:32 main systemd-cryptsetup[1313]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/726c2e06-38cd-400d-b47c-dce81a8680b3.

I take monthly backups, and I've kept the last 2 so I'm thinking I might DD the earlier image to a spare 1TB SSD and see how I get on, unless anyone here has any idea why cryptsetup keeps crapping the bed.

I can't test the WD SSD drive properly as it requires Windows 10/11 or Mac OS and I don't have either, though I might see about a VM, but it's getting the time to sit down and build a Win10 VM ect.

The drive cloned with ddrescue fine - 100% read, zero failures (I use ddrescue purely because I prefer the progress readout stats it provides).

Thanks for any advice anyway, really appreciate it.

EDIT

Just rebooted and it's failed again.

Won't even open my Keepass database with the correct password (carefully checked). Think it might be failing to read the 2FA key file from the drive maybe.
This has all the hallmarks of a dying SSD - only when it boots with out issue, everything seems to work with no problems - all programs work and files read fine.

EDIT 2: 10/01/2026

Just restored from my December 2nd 2025 backup on a different (samsung 870 EVO) SSD and everything worked fine first boot, then on reboot not after about 10 minutes of me checking things, the problem returned.
So I'm pretty sure it's not the SSD now.

$> uname -a     
Linux main 6.17.9-arch1-1 #1 SMP PREEMPT_DYNAMIC Mon, 24 Nov 2025 15:21:09 +0000 x86_64 GNU/Linux

The only thing indicating there's a problem is cryptsetup.
This is depressing.

I'm going to revert back to an even earlier version of cryptsetup, see if that helps.

cryptsetup 2.8.0-1 (From aug)

EDIT 3: 11/01/2026

Stood up a Win11 VM and ran the Sandisk test app on the WD drive (aaparently it uses Sandisk NAND) and everythig came back green including no issues in the S.M.A.R.T stats.

If one of the drives fails to unlock, I hit Ctrl+Alt+Del and log in again. Repeat this process until everythig unlocks which usually works on the 2nd login attempt and the PC appears to work perfectly - used it for hours without issue.

Culprets now are:
1. BTRFS (has the file system corrupted?)
2. RAM (possible initramfs is being loaded into bad RAM)
This probably isn't it, but worth checking.
3. Cryptsetup (No issues on my laptop with virtually the same setup, hence this is last on the list)

I'm going to run memtest86 on the RAM now, then I'll read up on BTRFS and see if there's an integrity checker ect.
I'm just not convinced it's cryptsetup at this point

Not so long ago BTRFS was taking about 6 - 8 seconds to create shapshots, now it's instant again which makes me think it might be the BTRFS file system.

EDIT 4: 20/01/2026

Bought a new case so I could get at the components more easily (and it was about time after about 14 years).
Memtest was crashing, so I reset BIOS defaults, then tested each stick which passed, then 2 sticks which passed, then all 4 for 2 passes, all good.

The OS is now booting consistently which is great, just not sure what the problem actually was.
Possibly a loose SATA connection, maybe a loose RAM connection or possibly a BIOS setting, I've put those back now and everything still seems fine.

Fingers crossed the problem is resolved now - everything seems to be working - all good.

Last edited by Xeauron (2026-01-20 12:35:42)

Arch Linux

#1 2026-01-02 15:18:15