Followed the steps to encrypt my formerly unencrypted root partition using dm-crypt (LUKS2) following the guide https://wiki.archlinux.org/title/Dm-cry … ile_system.
In order to do that I used an archiso live boot from usb.
Shrunk, encrypted, resized back
The disk seems to have been successfully encrypted. No error messages, I can decrypt it from the live boot. No apparent data loss.
I followed the steps to modify mkinitcpio and to add the appropriate kernel modules.
Had issues with the grub config so I added rEFInd and removed grub. Bootloader now works.
My problem now is unencrypting at boot: it doesn't seem to ask for passphrase to unlock the root partition and it times out.
A start job is running for /dev/disk/by-uuid/d88...d8=recrypt
it times out and then
...
[OK] Finished virtual console setup
[TIME] Timed out waiting for device /dev/disk/by-uuid/90f...5f
[DEPEND] Dependency failed for Cryptography setup for luks-d88...d8=recrypt
[DEPEND] Dependency failed for local encrypted volumes
[OK] Stopped dispatch password requests to console directory watch
[OK] Started emergency shell
...
...
Cannot open access to console, the root account is locked
(partial because had to transcribe from photo)
***
# cryptsetup open /dev/nvme0n1p2 recrypt
# mount /dev/mapper/recrypt /mnt
# mount /dev/nvme0n1p1 /mnt/boot
# lsblk -f
NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS
loop0 squashfs 4.0 0 100% /run/archiso/airootfs
nvme0n1
├─nvme0n1p1 vfat FAT32 92B6-806A 760.4M 26% /mnt/boot
└─nvme0n1p2 crypto_LUKS 2 d88f4db9-fe4f-4fd8-acd3-2ca7251e3cd8
  └─recrypt ext4 1.0 90f0e6a2-ee17-45f3-863c-bd21c2bbcc5f 14.1G 92% /mnt
from now on all the paths are from chroot
# arch-chroot /mnt zsh
# /etc/crypttab
# Configuration for encrypted block devices.
# See crypttab(5) for details.
# NOTE: Do not list your root (/) partition here, it must be set up
# beforehand by the initramfs (/etc/mkinitcpio.conf).
# <name> <device> <password> <options>
# home UUID=b8ad5c18-f445-495d-9095-c9ec4f9d2f37 /etc/mypassword1
# data1 /dev/sda3 /etc/mypassword2
# data2 /dev/sda5 /etc/cryptfs.key
# swap /dev/sdx4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
#a vol /dev/sdb7 none
#
#recrypt UUID=d88f4db9-fe4f-4fd8-acd3-2ca7251e3cd8 none timeout=180
recrypt UUID=d88f4db9-fe4f-4fd8-acd3-2ca7251e3cd8
tried both with and without 'password' and 'options' arguments
# /etc/mkinitcpio.conf
# vim:set ft=sh:
# MODULES
# The following modules are loaded before any boot hooks are
# run. Advanced users may wish to specify all system modules
# in this array. For instance:
# MODULES=(usbhid xhci_hcd)
MODULES=()
# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image. This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()
# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way. This is useful for config files.
FILES=()
# HOOKS
# This is the most important setting in this file. The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added. Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
## This setup specifies all modules in the MODULES setting above.
## No RAID, lvm2, or encrypted root is needed.
# HOOKS=(base)
#
## This setup will autodetect all modules for your system and should
## work as a sane default
# HOOKS=(base udev autodetect microcode modconf block filesystems fsck)
#
## This setup will generate a 'full' image which supports most systems.
## No autodetection is done.
# HOOKS=(base udev microcode modconf block filesystems fsck)
#
## This setup assembles a mdadm array with an encrypted root file system.
## Note: See 'mkinitcpio -H mdadm_udev' for more information on RAID devices.
# HOOKS=(base udev microcode modconf keyboard keymap consolefont block mdadm_udev encrypt filesystems fsck)
#
## This setup loads an lvm2 volume group.
# HOOKS=(base udev microcode modconf block lvm2 filesystems fsck)
#
## This will create a systemd based initramfs which loads an encrypted root filesystem.
# HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)
#
## NOTE: If you have /usr on a separate partition, you MUST include the
# usr and fsck hooks.
HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)
# COMPRESSION
# Use this to compress the initramfs image. By default, zstd compression
# is used for Linux ≥ 5.9 and gzip compression is used for Linux < 5.9.
# Use 'cat' to create an uncompressed image.
#COMPRESSION="zstd"
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"
# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()
# MODULES_DECOMPRESS
# Decompress loadable kernel modules and their firmware during initramfs
# creation. Switch (yes/no).
# Enable to allow further decreasing image size when using high compression
# (e.g. xz -9e or zstd --long --ultra -22) at the expense of increased RAM usage
# at early boot.
# Note that any compressed files will be placed in the uncompressed early CPIO
# to avoid double compression.
#MODULES_DECOMPRESS="no"
# /boot/refind_linux.conf
"Boot with standard options" "root=UUID=90f0e6a2-ee17-45f3-863c-bd21c2bbcc5f ro cryptdevice=UUID=d88f4db9-fe4f-4fd8-acd3-2ca7251e3cd8:recrypt:allow-discards quiet"
"Boot to single-user mode" "root=UUID=90f0e6a2-ee17-45f3-863c-bd21c2bbcc5f ro cryptdevice=UUID=d88f4db9-fe4f-4fd8-acd3-2ca7251e3cd8:recrypt:allow-discards quiet single"
"Boot with minimal options_noallowdiscards" "root=UUID=90f0e6a2-ee17-45f3-863c-bd21c2bbcc5f ro cryptdevice=UUID=d88f4db9-fe4f-4fd8-acd3-2ca7251e3cd8:recrypt"
"Boot to terminal_ro_now" "root=UUID=90f0e6a2-ee17-45f3-863c-bd21c2bbcc5f ro cryptdevice=UUID=d88f4db9-fe4f-4fd8-acd3-2ca7251e3cd8:recrypt:allow-discards systemd.unit=multi-user.target"
"Boop" "rd.luks.uuid=d88f4db9-fe4f-4fd8-acd3-2ca7251e3cd8=recrypt ro root=UUID=90f0e6a2-ee17-45f3-863c-bd21c2bbcc5f"
"Boop2" "rd.luks.uuid=d88f4db9-fe4f-4fd8-acd3-2ca7251e3cd8=recrypt ro root=UUID=90f0e6a2-ee17-45f3-863c-bd21c2bbcc5f rd.luks.options=password-echo=no rootflags=x-systemd.device-timeout=80"
"Boop3" "rd.luks.uuid=d88f4db9-fe4f-4fd8-acd3-2ca7251e3cd8=recrypt rd.luks.options=password-echo=no rootflags=x-systemd.device-timeout=80 ro root=UUID=90f0e6a2-ee17-45f3-863c-bd21c2bbcc5f"
tried to boot using each entry but none of these works. The last three are the ones that give me the error message that I reported at the beginning of the post.
Lemme know if I can provide more logs, brain is foggy today.
Thanks!
Last edited by nanacoin (2026-05-18 21:50:01)
since you're using systemd and sd-encrypt you need to use:
rd.luks.name=d88f4db9-fe4f-4fd8-acd3-2ca7251e3cd8=recrypt root=/dev/mapper/recrypt
you have both cryptdevice= and rd.luks.uuid= which from what I've read don't work with refind, also anything in crypttab is only accessible after the luks volume is unlocked so no need to put anything in there either, that's for if you have any other volumes other than root that need unlocking.
see sections 4.3 and 4.4: https://wiki.archlinux.org/title/Dm-cry … initcpio_3
EDIT: for discards you will also need:
rd.luks.options=discard
Last edited by jonno2002 (2026-05-18 20:01:42)
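As an added example (not written by anyone in this thread), the shell function below lints a kernel command line against the mkinitcpio HOOKS it boots with: the `encrypt` hook reads `cryptdevice=`, `sd-encrypt` reads `rd.luks.*`, `rd.luks.uuid=` takes a bare UUID, and `rd.luks.name=` takes `UUID=name`. The name `lint_cmdline` is hypothetical; the HOOKS line, UUIDs and entries are the ones posted above.

```shell
#!/bin/sh
# Added example: lint_cmdline is a hypothetical helper, not an Arch tool.
# Usage: lint_cmdline "<HOOKS contents>" "<kernel options>"
# Prints one finding per line (or "ok"); returns 1 if anything was found.
lint_cmdline() {
    hooks=" $1 "; rc=0
    case $hooks in
        *" sd-encrypt "*) hook=sd-encrypt ;;  # systemd initramfs: rd.luks.*
        *" encrypt "*)    hook=encrypt ;;     # busybox initramfs: cryptdevice=
        *)                hook=none ;;
    esac
    for opt in $2; do
        key=${opt#rd.}; msg=""                # luks.* and rd.luks.* both exist
        case $key in
            cryptdevice=*) kind=encrypt ;;
            luks.name=*=*) kind=sd-encrypt ;;
            luks.name=*)   kind=sd-encrypt; msg="${opt%%=*}= needs UUID=name" ;;
            luks.uuid=*=*) kind=sd-encrypt
                           msg="${opt%%=*}= takes a bare UUID; use rd.luks.name= for UUID=name" ;;
            luks.uuid=*)   kind=sd-encrypt ;;
            *) continue ;;                    # not an unlock parameter
        esac
        if [ "$kind" != "$hook" ]; then
            msg="${opt%%=*}= is ignored (encryption hook: $hook)"
        fi
        if [ -n "$msg" ]; then echo "$msg"; rc=1; fi
    done
    if [ "$rc" -eq 0 ]; then echo ok; fi
    return "$rc"
}

# HOOKS line and UUIDs copied from the configuration posted in this thread.
HOOKS="base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck"
LUKS=d88f4db9-fe4f-4fd8-acd3-2ca7251e3cd8
FS=90f0e6a2-ee17-45f3-863c-bd21c2bbcc5f
for entry in \
    "root=UUID=$FS ro cryptdevice=UUID=$LUKS:recrypt" \
    "rd.luks.uuid=$LUKS=recrypt ro root=UUID=$FS" \
    "rd.luks.name=$LUKS=recrypt root=/dev/mapper/recrypt"
do
    echo "== $entry"; lint_cmdline "$HOOKS" "$entry" || true
done
```

The check only compares parameter names and shapes with the hook in use; it does not verify that the UUIDs exist on disk.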
yay! I added a new refind_linux.conf entry like you suggested
"Boot4" "rd.luks.name=d88f4db9-fe4f-4fd8-acd3-2ca7251e3cd8=recrypt root=/dev/mapper/recrypt"
and now it asks for password and successfully boots!
(I also commented out the crypttab entry)
I was assuming that rd.luks.name would have been '/dev/nvme0n1p2' rather than the uuid ^^' but still I didn't think to try it out
Thank you so much! I'll change the title to mark as solved
Last edited by nanacoin (2026-05-19 04:46:04)