Architect install - boot fails on encrypted volumes

The “What=” config is given in the override /etc/systemd/system/efi.mount.d/hd.conf
I did that to be able to use different settings, one for HD and one for the USB, by doing a simple rename of one or the other with a dot in-front :wink:
Did you reload the daemon after you added those units/files?

I do also…(click my avatar to see it mentioned)

Yes because i’ve given my ESP a label like that, so you will need to do that also, or use it’s UUID/PARTUUID :wink:
(I used a volume label to make it more robust between installs)

So will I, to see if i missed anything that needs to be added…
I didn’t notice anything i missed…

You do realize that the /etc/crypttab inside the initrd is a renamed /etc/crypttab.initramfs from your HD right?

I just added this piece, which might be the cause of the passwords not being recognized:

Hi, a couple of comments if I may:

This double-SSD LVM makes your setup basically not fully compatible with the HowTo instructions you quote (because you create a LVM first), and also not TriMoon’s (which uses no LVM). Which HowTo do you try to implement at current?

If you use sd-encrypt you need sd-lvm2 (instead of lvm2 for the LVM. See the following for cross-check:

My howto is generic anough to apply for all kinds of setup…
In fact my own setup config uses full disk encryption with an LVM inside, instead of an LVM with a luks container inside that :wink:
(See addendum with my mkinitcpio config)

His setup just doesn’t auto decrypt and doesn’t ask for password as far as i could tell…

Thanks for all the great feedback TriMoon and ion. Much appreciated. I may have bitten off more than I can chew here! :blush:

I checked and there are no newlines in the files containing my passwords for the encrypted lvols:


The only reason I went for LUKS on LVM was because I thought there was a big penalty for having FDE and I only needed particular information encrypted (home, swap, company data). Perhaps the hit is not as big as I’m thinking it would be (I have a i7-10875H based laptop) and maybe save myself the headache and go for FDE so I can completely follow TriMoon’s guide?

I’ll need to review… The contents of /etc/mkinitcpio.conf, efi.automount, efi.mount.d/hd.conf, boot.mount, boot.automount is exactly the same as TriMoon’s. What I am not entirely clear about though is what I need to put in /etc/systemd/system/efi.mount.d/hd.conf. I don’t think I can use the example file provided by TriMoon verbatim, but I’m not sure what I need to substitute based on my setup…

Output from lsblk --fs:
    └─nvme0n1p1                 LVM2_member LVM2 001                                   U2ff8Q-BLP0-FHBv-b9Pj-WZOK-Wpr3-3aG5T2                
      ├─vg02-lvol_lxd           ext4        1.0                                        4fea769e-abc4-4fcb-8208-6e7d17c1c950     46.4G     0% /mnt/var/lib/lxd
      ├─vg02-lvol_downloads     ext4        1.0                                        1efeee99-d440-47ee-8009-76f88430a60f                  
      ├─vg02-lvol_install_discs ext4        1.0                                        044d7519-8473-4b9a-9f0e-43bf913345e1     46.4G     0% /mnt/installDiscs
      ├─vg02-lvol_libvirt       ext4        1.0                                        0f7ad6ea-4cbc-4c75-90f2-6ace7aba66ea    139.1G     0% /mnt/var/lib/libvirt
      └─vg02-lvol_swap          crypto_LUKS 1                                          31906923-c04f-49e0-9dfd-74bcd6435475                  
    ├─nvme1n1p1                 vfat        FAT32                                      DBB9-D8DF                               281.1M    45% /mnt/boot
    └─nvme1n1p2                 LVM2_member LVM2 001                                   tcYhjG-vf2H-Lhxl-SvNb-dGw6-qbqZ-27q4UK                
      ├─vg01-lvol_home          ext4        1.0                                        29f47f99-d263-4076-b2a1-6b990c3a35e6      9.2G     1% /mnt/home
      ├─vg01-lvol_john          crypto_LUKS 1                                          5ba2e072-c74b-45f4-8e4e-4feae29b2e50                  
      ├─vg01-lvol_root          ext4        1.0                                        a319cae0-246f-46a3-a2d7-8c9e2fb6a49a     82.7G    10% /mnt
      └─vg01-lvol_corporate     crypto_LUKS 1                                          c6563ef6-38a5-49ab-95cf-6158bb49ffbb
Contents of crypttab.initramfs:
vg02-lvol_swap        UUID=31906923-c04f-49e0-9dfd-74bcd6435475    /etc/cryptfs-keys.d/swap
vg01-lvol_john        UUID=5ba2e072-c74b-45f4-8e4e-4feae29b2e50    /etc/cryptfs-keys.d/john
vg01-lvol_corporate   UUID=c6563ef6-38a5-49ab-95cf-6158bb49ffbb    /etc/cryptfs-keys.d/corporate
# /dev/mapper/vg01-lvol_root
UUID=a319cae0-246f-46a3-a2d7-8c9e2fb6a49a	/         	ext4      	rw,noatime	0 0

# /dev/mapper/vg01-lvol_home
UUID=29f47f99-d263-4076-b2a1-6b990c3a35e6	/home     	ext4      	rw,noatime	0 0

# /dev/mapper/cryptjohn
UUID=d410f2bb-ed79-4b46-9413-3c3fa9da82bd	/home/john	ext4      	rw,noatime	0 0

# /dev/mapper/vg02-lvol_downloads
UUID=1efeee99-d440-47ee-8009-76f88430a60f	/home/john/Downloads	ext4      	rw,noatime	0 0

# /dev/mapper/crypt_corporate
UUID=1ffd86e7-0d7c-4308-b055-ed41e5a9f979	/corporate	ext4      	rw,noatime	0 0

# /dev/mapper/vg02-lvol_lxd
UUID=4fea769e-abc4-4fcb-8208-6e7d17c1c950	/var/lib/lxd	ext4      	rw,noatime	0 0

# /dev/mapper/vg02-lvol_install_discs
UUID=044d7519-8473-4b9a-9f0e-43bf913345e1	/installDiscs	ext4      	rw,noatime	0 0

# /dev/mapper/vg02-lvol_libvirt
UUID=0f7ad6ea-4cbc-4c75-90f2-6ace7aba66ea	/var/lib/libvirt	ext4      	rw,noatime	0 0

# /dev/nvme1n1p1
UUID=DBB9-D8DF      	/boot     	vfat      	rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro	0 0

# /dev/mapper/crypt_swap
UUID=5474d6ab-a6bb-4a93-9ecb-dbed716ec0bd	none      	swap      	defaults,pri=-2	0 0

As for the UUIDs in my crypttab.initramfs, I got these from the output of lsblk --fs. I notice though that the UUIDs for these are different to those in my /etc/fstab. Should the UUIDs be the same?

Where is your ESP located?
If your ESP has a volume label that reads “ESP” you don’t need to change anything.
Otherwise you need to use your volume label instead of “ESP” in that config.
If it has no volume label then you need to change it, so it points to the partuuid of your ESP.

You can’t use the container names of your LV’s here like that because you need to use different names.
See man crypttab
Names used in there are container names created to access the contents of the encrypted partitions, so you should use names like:

  • luks_swap (will become accessible as /dev/mapper/luks_swap)
  • enc_john
  • corp_sensitive_data

etc, and use those names to mount those in your mount logic, eg. fstab

wrt: your fstab: You should not use UUID’s there, instead use the full device mapper path that are created by the above.

Eg, what your setup as posted uses is:

A disk
└─ An LVM
   └─ An LV
      └─ An encrypted container.  (Accessible as UUID or /dev/mapper/some_lv_name)
         └─ The decrypted data. (Accessible only as /dev/mapper/some_name_from_crypttab)

Thanks for sticking with me @TriMoon! I made it!!

I now have a system which boots into a graphical environment with all my encrypted and non-encrypted volumes mounted! :grin:

I made changes to the following files:

luks_swap        UUID=31906923-c04f-49e0-9dfd-74bcd6435475    /etc/cryptfs-keys.d/swap
luks_john        UUID=5ba2e072-c74b-45f4-8e4e-4feae29b2e50    /etc/cryptfs-keys.d/john
luks_corporate   UUID=c6563ef6-38a5-49ab-95cf-6158bb49ffbb    /etc/cryptfs-keys.d/corporate
/dev/mapper/luks_john	/home/john	ext4      	rw,noatime	0 0
# /dev/mapper/crypt_corporate
/dev/mapper/luks_corporate	/corporate	ext4      	rw,noatime	0 0
# /dev/mapper/crypt_swap
/dev/mapper/luks_swap	none      	swap      	defaults,pri=-2	0 0

For this next one, I wish I’d have figured out sooner that \x2d is of course the hex representation of “-”. :blush: For future readers, DBB9-D8Df is the UUID for my ESP from /dev/disk/by-uuid.

Description=ESP (HD)

# Do a fsck on the partition


The only outstanding item is that I still have to enter my password 3 times during the boot process to decrypt the 3 encrypted volumes. I’m not sure why the passwords are not being taken from /etc/cryptfs-keys.d

Did you put the passwords in those files using printf “%s” “somepassword” > yourpasswordfile?
Because if not you might have an un-intended newline which might be hard to notice :wink:
Also check the contents of the generated initrd if it actually has the correct files and contents with respect to this. Eg crypttab and password files.

Use systemd-escape for the translation in future :wink:

1 Like

No. :blush: I just “vi-ed” the file. Using hexdump, I saw that there was indeed a “0a” at the end of the line that wasn’t visible to the naked eye! Thanks for saving my bacon yet again!

I ran mkinitcpio -P again and presto, I’m no longer prompted for a password! For all those times I had to run mkinitcpio, I had to reboot, drop into a “live iso” session, run “manjaro-chroot -a” and then mkinitcpio. I presume that it’s not possible to run mkinitcpio from a booted system? I tried but the command just hangs.

Nice tip - thanks! I never knew about that functionality.

1 Like

I’m glad to hear you got it working as intended now.

If that was not possible it would mean every time you install something that runs that command automatically, it would make your system unable to start :wink:

You only need to use the chroot when you first setup your system so it operates on the correct files.

Added that tip to the howto also :face_with_hand_over_mouth:

Correction to what i said there:

Sadly, I’ve managed to break my system! I executed pacman -Syu, rebooted and I’m now back to getting stuck at
A start job is running for /dev/disk/by-uuid/<uuid> (*n* min *n* s / 1min 30s)

I’ve tried to run mkinitspio -P but I get errors on:
==> ERROR: ‘/lib/modules/5.4.80-2-MANJARO’ is not a valid kernel module directory

Output of /lib/modules

[manjaro /]# ls -l /lib/modules
total 20
drwxr-xr-x 4 root root 4096 Dec 31 11:58 5.4.85-1-MANJARO
drwxr-xr-x 4 root root 4096 Dec 27 09:02 5.9.11-3-MANJARO
drwxr-xr-x 4 root root 4096 Dec 31 11:59 5.9.16-1-MANJARO
drwxr-xr-x 2 root root 4096 Dec 31 11:58 extramodules-5.4-MANJARO
drwxr-xr-x 2 root root 4096 Dec 31 11:58 extramodules-5.9-MANJARO

I think I remember reading somewhere that I needed to do something extra if using systemd-boot to ensure no issues with updates. I’ll look into this…

That error in combination with the directory listing suggests you have a lingering older 5.4 kernel install somewhere…
But anyhow recap what you did to break your no-password boot in first place, it might be related :wink:

I couldn’t get to the root cause of what broke my setup…I decided to re-install to give myself some practice as well!

I now have an issue with the filesystem type for my ESP. I’m not sure what I’ve done differently with this install :confused:

Output of systemctl status efi.mount
efi.mount - ESP (HD)
     Loaded: loaded (/etc/systemd/system/efi.mount; static)
    Drop-In: /etc/systemd/system/efi.mount.d
     Active: failed (Result: exit-code) since Sat 2021-01-02 01:46:42 EST; 2min 32s ago
TriggeredBy: ● efi.automount
      Where: /efi
       What: /dev/disk/by-uuid/413C-67AE
       Docs: man:systemd.mount(5)

Jan 02 01:46:42 ja-clevo systemd[1]: Mounting ESP (HD)...
Jan 02 01:46:42 ja-clevo systemd[1]: efi.mount: Mount process exited, code=exited, status=32/n/a
Jan 02 01:46:42 ja-clevo mount[1138]: mount: /efi: wrong fs type, bad option, bad superblock on /dev/nvme1n1p1, missing codepage or helper program, or other error.
Jan 02 01:46:42 ja-clevo systemd[1]: efi.mount: Failed with result 'exit-code'.
Jan 02 01:46:42 ja-clevo mount[1139]: mount: /efi: wrong fs type, bad option, bad superblock on /dev/nvme1n1p1, missing codepage or helper program, or other error.
Jan 02 01:46:42 ja-clevo systemd[1]: Failed to mount ESP (HD).
Jan 02 01:46:42 ja-clevo systemd[1]: Mounting ESP (HD)...
Jan 02 01:46:42 ja-clevo systemd[1]: efi.mount: Mount process exited, code=exited, status=32/n/a
Jan 02 01:46:42 ja-clevo systemd[1]: efi.mount: Failed with result 'exit-code'.
Jan 02 01:46:42 ja-clevo systemd[1]: Failed to mount ESP (HD)
    # /dev/nvme1n1p1
UUID=413C-67AE          /boot           vfat            rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro       0 0
Output of bootctl
     Firmware: UEFI 2.70 (INSYDE Corp. 24579.12295)
  Secure Boot: disabled
   Setup Mode: setup
 Boot into FW: supported

Current Boot Loader:
      Product: systemd-boot 247.2-1-manjaro
     Features: ✓ Boot counting
               ✓ Menu timeout control
               ✓ One-shot menu timeout control
               ✓ Default entry control
               ✓ One-shot entry control
               ✓ Support for XBOOTLDR partition
               ✓ Support for passing random seed to OS
               ✓ Boot loader sets ESP partition information
WARNING: The boot loader reports different ESP UUID then detected!
          ESP: /dev/disk/by-partuuid/1f6ffee3-93ec-4fef-b9f4-61e93eae4bb6
         File: └─/EFI/systemd/systemd-bootx64.efi

Random Seed:
 Passed to OS: yes
 System Token: set

Boot Loaders Listed in EFI Variables:
        Title: Linux Boot Manager
           ID: 0x0000
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/1f6ffee3-93ec-4fef-b9f4-61e93eae4bb6
         File: └─/EFI/systemd/systemd-bootx64.efi

if that is correct then:

Suggests you are trying to load the ESP both on /efi and /boot at same time…

This shows the partuuid that the system is using as ESP…

I’m not sure how I managed to achieve that! :anguished:

I’m not sure how I would recover from this apart from reinstalling?

You’ve been doing so many things that i lost track :sweat_smile:
A fix could be to just remove the entry in the fstab, but not sure about that because i don’t know what else you did etc.
Maybe it is best indeed to just re-install the whole and start from scratch, and then never touch the boot related stuff like mount points again :wink:

A re-install is exactly what I did! All ok now.


This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.