Dm-crypt configuration with cryptkey

My partition table is as follows:

nvme0n1                   259:0    0 931.5G  0 disk  
├─nvme0n1p1               259:1    0     1M  0 part  
├─nvme0n1p2               259:2    0   640M  0 part  /boot/efi
├─nvme0n1p3               259:3    0     1G  0 part  
│ └─CryptBoot             254:4    0  1022M  0 crypt /boot
└─nvme0n1p4               259:4    0 929.9G  0 part  
  └─CryptLVM              254:0    0 929.9G  0 crypt 
    ├─CryptContainer-SWAP 254:1    0    16G  0 lvm   [SWAP]
    ├─CryptContainer-ROOT 254:2    0   160G  0 lvm   /
    └─CryptContainer-HOME 254:3    0 753.9G  0 lvm   /home

I am trying to avoid having to enter LUKS passphrase twice. I have embedded the luks key for /dev/nvme0n1p4 inside initramfs ( /etc/initcpio/keys/) and added a custom mkinitcpio hook named decryption-keys as shown below:

# This is /etc/initcpio/install/decryption-keys
function build {
  for file in /etc/initcpio/keys/*; do
    add_file "$file" "/$(basename $file)" 0400

Since I am using sd-encrypt I need to add rd.luks.key to /etc/default/grub, accordinfg to Archwiki : dm-crypt configuration. I tried rd.luks.key=rootfs:/CryptLVM.key but that did not work and I still needed to enter the passphrase for CryptLVM manually on boot. What am I doing wrong?

I don’t have any experience of using dmcrypt this way, however your post and the links you provided don’t seem to match up. Perhaps I’ve missed something. :man_shrugging:

So you’ve added the path to the keyfile like in the first link?

Add the keyfile to the initramfs image:



Where does this custom hook come from? I don’t see it mentioned in the links you posted. They say you need the encrypt or sd-encrypt hook.

Again from the first link:

Or, using the sd-encrypt hook:

GRUB_CMDLINE_LINUX="… rd.luks.key=device-UUID=/root/cryptlvm.keyfile"

decryption-keys is a custom hook in order to add files to the root of the initramfs without keeping the files in our root filesystem. This is borrowed from the Github Gist following the tutorial.

Perhaps rootfs:/ part in rd.luks.key=rootfs:/CryptLVM.key is unnecessary here. I will try and report.

You need the device UUID for sd-encrypt, and “rootfs” for encrypt, according to the wiki, no idea when it comes to the custom hook.

According to Archwiki : dm-crypt

So these two are equivalent. I tried the rd.luks.key=/CryptLVM.key and it works. @dmt Thanks for the help :slight_smile:

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.