Dropbear to remote unlock encrypted root

Hello

I would like to be able to unlock my desktop with the keyboard and remotely with dropbear.
Both /root and /home are encrypted with luks.
So far I installed dropbear, mkinitcpio-dropbear, mkinitcpio-busybox, mkinitcpio-netconf, mkinitcpio-nfs-utils, mkinitcipio-openswap and mkinitcpio-utils. Acording to the tutorials I found I tried to configure dropbear to start rigth at satartup and made it listen to port 222. As far as I can tell dropbear only starts after I typed the first password (which obviously is to late). And now I’m stuck.

Can someone help me out? (I do deliver the necessary informations, but I’m unsure what is necessary.)
Are there somewhere up to date instructions, that actually work?

Kind regards
klinge

And you will be stuck at that point - although it could be interesting what tutorials you used.

Why will you be stuck?
Because your dropbear will need the system to run it - which will only start and run after it is booted - which will never happen without you somehow unlocking the encrypted root at least.

IMO

… it would be a different matter if the system is already up and running
but just the desktop is “locked” somehow

At least a separate unencrypted boot partition with unencrypted kernel/initrd will be needed. Maybe it is easier to just leave the whole root unencrypted.

This one works.
dm-crypt/Specialties - ArchWiki

You just need to decide if you want a systemd based initramfs or a Busybox based initramfs. Of course you can’t use a system that also encrypts the initramfs images. It either needs to be on a unencrypted boot partition or the image needs to be on your ESP.

If you need Wifi it is way more complex, so first do it only over Ethernet.

If you enabled and started any dropbear service you did it wrong. Stop and start over. Also be prepared to manual open and chroot in your install from a live system, it might be necessary if you messed something up.

Hy xybbu

Thanks, that was one of the pages I used (but I started off with an other one). /boot is unencrypted and I believe the initramfs images are on /boot. Anyway I’m not sure if I got it correctly:

1. Install:
   mkinitcpio-netconf
   mkinitcpio-dropbear
   mkinitcpio-utils

2. Key:
   copy the public ssh key to /etc/dropbear/root_key

3. Initramfs hooks:
   Add netconf dropbear encryptssh hooks before filesystems to /etc/mkinitcpio.conf

4. Boot loader:
   Here I’n not sure the boot loader is /etc/default/grub correct?
   If I assign the ip with the router then I can just add ip=dhcp correct?
   And the correct line is GRUB_CMDLINE_LINUX_DEFAULT= correct?

What about the port dropbear is listening to, which one is it and can I change it somewhere?
Is that it?

This is good but not the only requirement. On a default Manjaro install, the Root partition will be opened by grub. It is important that the unlock happens later. The notable difference is that you will have multiple tries to put the correct password in. With grub you need to hard reset your system if you try the wrong password.

Make sure to replace encrypt with encryptssh. If you don’t have the encrypt hook, it can’t work.

If you use grub, the correct config file would be /etc/default/grub

Yes.

The user name is root and the port is 22. It can’t be changed with a config file.

However, if it works, you can create your own mkinitcpio-dropbear package with a customized dropbear command. (Or edit the dropbear_hook file and change it, keep in mind that it will be reverted if the package gets updated.)

If you use a busybox initramfs, and an old LUKS1 container. The problem with
mkinitcpio-utils is, that the package is extremely old. For example see:
Lacking support for LUKS2 devices with dm-integrity · Issue #19 · grazzolini/mkinitcpio-utils · GitHub
Nowadays a systemd based initramfs is more modern. However, if you don’t use it at the moment, you need also change your LUKS setup.

Thanks for your help. I did not find the time to fiddle with the machine, but two things are still unclear to me:

I have a new manual installation of manjaro. The only customisation is a separate partition for /home. I have 3 tries to get the password correct. And as far as I can tell I type the password after grub (there is a manjaro logo visible and the grub menu i already passed). So I guess that is fine.

I think I have LUKS 1 (I thought manjaro is up to date?) If I understood your link correctly that is good, is it?

whatever that might mean …

that is strange - for a default encrypted installation

Finally I got round fiddelying around with the configuration. Unfortunately it still does not work.
First the machine is not reachable with: ssh -i ~/.ssh/id_dropB root@MY IP -p 22. It does work after I unlocked the machine in question.
And the second funny thing is that I have to type the password twice to unlock the machine with the keyboard. I guess that is the case because I have a second hdd that is unlocked with a keyfile (it did work before I canged mkinitcpio.conf).
How can I find the mistake?

The identity file might not be accessible.
To me it looks like it is in your $HOME directory - while you are trying to connect as root
(which is … not ideal …)
Is such identity file even needed?

Personally, I never allow root logins via ssh - only specific users. They can elevate privileges later, after connection … just as you normally do when logged in locally.

… I also never run it on the standard port 22, except for local testing …

I managed to solve the first problem, I forgot to update grub, silly me.

Is it possible that the second problem that the hdd is not unlocked appears because it is the only hdd that is LUKS 2 encrypted?

I, for one, am still not clear how you set up your system, so that you can expect to run a ssh or dropbear instance before the initrd, which presumably contains these, will be even started, because Grub might be needed to first unlock the disk to get to the initrd and all the rest.
Or I have missed it …

We haven’t seen inxi -zv8 for example - which could make things more clear.

sudo inxi -zv8                                                                                                 ✔ 
[sudo] Passwort für ck: 
System:
  Kernel: 6.11.11-1-MANJARO arch: x86_64 bits: 64 compiler: gcc v: 14.2.1
    clocksource: hpet avail: acpi_pm parameters: BOOT_IMAGE=/vmlinuz-6.11-x86_64
    root=UUID=9c19faf4-cd28-4abd-b6e3-514001021619 rw quiet ip=dhcp
    cryptdevice=UUID=49d2b631-103d-43c7-a8de-067a8181d745:luks-49d2b631-103d-43c7-a8de-067a8181d745
    root=/dev/mapper/luks-49d2b631-103d-43c7-a8de-067a8181d745 splash
    apparmor=1 security=apparmor udev.log_priority=3
  Desktop: GNOME v: 47.2 tk: GTK v: 3.24.43 wm: gnome-shell
    tools: gsd-screensaver-proxy dm: GDM v: 47.0 Distro: Manjaro
    base: Arch Linux
Machine:
  Type: Desktop System: ASUS product: N/A v: N/A serial: N/A
  Mobo: ASUSTeK model: PRIME B550M-K v: Rev X.0x serial: <filter>
    part-nu: SKU uuid: f2d76f8f-1d5d-1ef6-6f56-7c10c99d2cdc
    UEFI: American Megatrends v: 2803 date: 04/28/2022
Battery:
  Message: No system battery data found. Is one present?
Memory:
  System RAM: total: 16 GiB available: 14.93 GiB used: 5.22 GiB (35.0%)
  Array-1: capacity: 128 GiB slots: 4 modules: 2 EC: None
    max-module-size: 32 GiB note: est.
  Device-1: DIMM_A1 type: no module installed
  Device-2: DIMM_A2 type: DDR4 detail: synchronous unbuffered (unregistered)
    size: 8 GiB speed: 2133 MT/s volts: curr: 1.2 min: 1.2 max: 1.2
    width (bits): data: 64 total: 64 manufacturer: Corsair
    part-no: CMK16GX4M2B3200C16 serial: N/A
  Device-3: DIMM_B1 type: no module installed
  Device-4: DIMM_B2 type: DDR4 detail: synchronous unbuffered (unregistered)
    size: 8 GiB speed: 2133 MT/s volts: curr: 1.2 min: 1.2 max: 1.2
    width (bits): data: 64 total: 64 manufacturer: Corsair
    part-no: CMK16GX4M2B3200C16 serial: N/A
PCI Slots:
  Slot: 0 type: PCIe status: available length: long volts: 3.3 bus-ID: 00:1f.7
  Slot: 1 type: PCIe status: available length: short volts: 3.3
    bus-ID: 00:1f.7
  Slot: 2 type: PCIe status: available length: short volts: 3.3
    bus-ID: 00:1f.7
CPU:
  Info: model: AMD Ryzen 7 5700G with Radeon Graphics socket: AM4 bits: 64
    type: MT MCP arch: Zen 3 gen: 3 level: v3 note: check built: 2021-22
    process: TSMC n7 (7nm) family: 0x19 (25) model-id: 0x50 (80) stepping: 0
    microcode: 0xA500011
  Topology: cpus: 1x dies: 1 clusters: 1 cores: 8 threads: 16 tpc: 2
    smt: enabled cache: L1: 512 KiB desc: d-8x32 KiB; i-8x32 KiB L2: 4 MiB
    desc: 8x512 KiB L3: 16 MiB desc: 1x16 MiB
  Speed (MHz): avg: 2390 min/max: 400/4673 boost: enabled
    base/boost: 3800/4650 scaling: driver: amd-pstate-epp governor: powersave
    volts: 1.4 V ext-clock: 100 MHz cores: 1: 2390 2: 2390 3: 2390 4: 2390
    5: 2390 6: 2390 7: 2390 8: 2390 9: 2390 10: 2390 11: 2390 12: 2390
    13: 2390 14: 2390 15: 2390 16: 2390 bogomips: 121423
  Flags: 3dnowprefetch abm adx aes aperfmperf apic arat avic avx avx2 bmi1
    bmi2 bpext cat_l3 cdp_l3 clflush clflushopt clwb clzero cmov cmp_legacy
    constant_tsc cpb cppc cpuid cqm cqm_llc cqm_mbm_local cqm_mbm_total
    cqm_occup_llc cr8_legacy cx16 cx8 de debug_swap decodeassists erms
    extapic extd_apicid f16c flushbyasid fma fpu fsgsbase fsrm fxsr fxsr_opt
    ht hw_pstate ibpb ibrs ibs invpcid irperf lahf_lm lbrv lm mba mca mce
    misalignsse mmx mmxext monitor movbe msr mtrr mwaitx nonstop_tsc nopl npt
    nrip_save nx ospke osvw overflow_recov pae pat pausefilter pclmulqdq
    pdpe1gb perfctr_core perfctr_llc perfctr_nb pfthreshold pge pku pni
    popcnt pse pse36 rapl rdpid rdpru rdrand rdseed rdt_a rdtscp rep_good sep
    sha_ni skinit smap smca smep ssbd sse sse2 sse4_1 sse4_2 sse4a ssse3
    stibp succor svm_lock syscall tce topoext tsc tsc_scale umip user_shstk
    v_spec_ctrl v_vmsave_vmload vaes vgif vmcb_clean vme vmmcall vpclmulqdq
    wbnoinvd wdt x2apic xgetbv1 xsave xsavec xsaveerptr xsaveopt xsaves
    xtopology
  Vulnerabilities:
  Type: gather_data_sampling status: Not affected
  Type: itlb_multihit status: Not affected
  Type: l1tf status: Not affected
  Type: mds status: Not affected
  Type: meltdown status: Not affected
  Type: mmio_stale_data status: Not affected
  Type: reg_file_data_sampling status: Not affected
  Type: retbleed status: Not affected
  Type: spec_rstack_overflow mitigation: Safe RET
  Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via
    prctl
  Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer
    sanitization
  Type: spectre_v2 mitigation: Retpolines; IBPB: conditional; IBRS_FW;
    STIBP: always-on; RSB filling; PBRSB-eIBRS: Not affected; BHI: Not
    affected
  Type: srbds status: Not affected
  Type: tsx_async_abort status: Not affected
Graphics:
  Device-1: Advanced Micro Devices [AMD/ATI] Cezanne [Radeon Vega Series /
    Radeon Mobile Series] vendor: ASUSTeK driver: amdgpu v: kernel arch: GCN-5
    code: Vega process: GF 14nm built: 2017-20 pcie: gen: 3 speed: 8 GT/s
    lanes: 16 link-max: gen: 4 speed: 16 GT/s ports: active: DVI-D-1
    empty: DP-1,HDMI-A-1 bus-ID: 0b:00.0 chip-ID: 1002:1638 class-ID: 0300
    temp: 31.0 C
  Device-2: Microdia PC-LM1E driver: snd-usb-audio,uvcvideo type: USB
    rev: 2.0 speed: 480 Mb/s lanes: 1 mode: 2.0 bus-ID: 1-1:2 chip-ID: 0c45:636d
    class-ID: 0102 serial: <filter>
  Display: unspecified server: X.org v: 1.21.1.14 with: Xwayland v: 24.1.4
    compositor: gnome-shell driver: X: loaded: amdgpu
    unloaded: modesetting,radeon alternate: fbdev,vesa dri: radeonsi
    gpu: amdgpu display-ID: :0 screens: 1
  Screen-1: 0 s-res: 1680x1050 s-size: <missing: xdpyinfo>
  Monitor-1: DVI-D-1 mapped: DVI-D-0 model: EIZO NANAO EV2216W
    serial: <filter> built: 2018 res: 1680x1050 hz: 60 dpi: 90 gamma: 1.2
    chroma: red: x: 0.643 y: 0.333 green: x: 0.329 y: 0.635 blue: x: 0.157
    y: 0.039 white: x: 0.314 y: 0.329 size: 474x297mm (18.66x11.69")
    diag: 566mm (22.3") ratio: 16:10 modes: 1680x1050, 1280x1024, 1440x900,
    1280x960, 1280x800, 1280x720, 1024x768, 800x600, 640x480
  API: EGL v: 1.5 hw: drv: amd radeonsi platforms: device: 0 drv: radeonsi
    device: 1 drv: swrast gbm: drv: radeonsi surfaceless: drv: radeonsi x11:
    drv: radeonsi inactive: wayland
  API: OpenGL v: 4.6 compat-v: 4.5 vendor: amd mesa v: 24.2.8-arch1.1
    glx-v: 1.4 direct-render: yes renderer: AMD Radeon Graphics (radeonsi
    renoir LLVM 18.1.8 DRM 3.59 6.11.11-1-MANJARO) device-ID: 1002:1638
    memory: 500 MiB unified: no
Audio:
  Device-1: Advanced Micro Devices [AMD/ATI] Renoir Radeon High Definition
    Audio vendor: ASUSTeK driver: snd_hda_intel v: kernel pcie: gen: 3
    speed: 8 GT/s lanes: 16 link-max: gen: 4 speed: 16 GT/s bus-ID: 0b:00.1
    chip-ID: 1002:1637 class-ID: 0403
  Device-2: Advanced Micro Devices [AMD] Family 17h/19h/1ah HD Audio
    vendor: ASUSTeK PRIME B450M-A driver: snd_hda_intel v: kernel pcie: gen: 3
    speed: 8 GT/s lanes: 16 link-max: gen: 4 speed: 16 GT/s bus-ID: 0b:00.6
    chip-ID: 1022:15e3 class-ID: 0403
  Device-3: Microdia PC-LM1E driver: snd-usb-audio,uvcvideo type: USB
    rev: 2.0 speed: 480 Mb/s lanes: 1 mode: 2.0 bus-ID: 1-1:2 chip-ID: 0c45:636d
    class-ID: 0102 serial: <filter>
  API: ALSA v: k6.11.11-1-MANJARO status: kernel-api with: aoss
    type: oss-emulator tools: alsactl,alsamixer,amixer
  Server-1: JACK v: 1.9.22 status: off tools: N/A
  Server-2: PipeWire v: 1.2.7 status: n/a (root, process) with:
    1: pipewire-pulse status: active 2: wireplumber status: active
    3: pipewire-alsa type: plugin tools: pactl,pw-cat,pw-cli,wpctl
Network:
  Device-1: Realtek RTL8111/8168/8211/8411 PCI Express Gigabit Ethernet
    vendor: ASUSTeK RTL8111H driver: r8169 v: kernel pcie: gen: 1
    speed: 2.5 GT/s lanes: 1 port: f000 bus-ID: 09:00.0 chip-ID: 10ec:8168
    class-ID: 0200
  IF: enp9s0 state: up speed: 1000 Mbps duplex: full mac: <filter>
  IP v4: <filter> scope: global broadcast: <filter>
  IP v6: <filter> type: dynamic mngtmpaddr proto kernel_ra scope: global
  IP v6: <filter> type: dynamic mngtmpaddr proto kernel_ra scope: global
  IP v6: <filter> virtual: proto kernel_ll scope: link
  Info: services: NetworkManager, systemd-timesyncd, wpa_supplicant
  WAN IP: <filter>
Bluetooth:
  Message: No bluetooth data found.
Logical:
  Message: No logical block device data found.
  Device-1: Archive maj-min: 254:3 type: LUKS dm: dm-3 size: 9.1 TiB
  Components:
  p-1: sda1 maj-min: 8:1 size: 9.1 TiB
  Device-2: Storage maj-min: 254:2 type: LUKS dm: dm-2 size: 3.64 TiB
  Components:
  p-1: sdb1 maj-min: 8:17 size: 3.64 TiB
  Device-3: luks-49d2b631-103d-43c7-a8de-067a8181d745 maj-min: 254:0
    type: LUKS dm: dm-0 size: 50 GiB
  Components:
  p-1: nvme0n1p7 maj-min: 259:7 size: 50 GiB
  Device-4: luks-21881492-5966-4042-8222-486cf5bda919 maj-min: 254:1
    type: LUKS dm: dm-1 size: 3.35 TiB
  Components:
  p-1: nvme0n1p8 maj-min: 259:8 size: 3.35 TiB
RAID:
  Message: No RAID data found.
Drives:
  Local Storage: total: 16.37 TiB used: 9.64 TiB (58.9%)
  SMART Message: Required tool smartctl not installed. Check --recommends
  ID-1: /dev/nvme0n1 maj-min: 259:0 vendor: Samsung model: SSD 990 PRO 4TB
    size: 3.64 TiB block-size: physical: 512 B logical: 512 B speed: 63.2 Gb/s
    lanes: 4 tech: SSD serial: <filter> fw-rev: 4B2QJXD7 temp: 38.9 C
    scheme: GPT
  ID-2: /dev/sda maj-min: 8:0 vendor: Seagate model: ST10000DM0004-1ZC101
    size: 9.1 TiB block-size: physical: 4096 B logical: 512 B speed: 6.0 Gb/s
    tech: HDD rpm: 7200 serial: <filter> fw-rev: DN01 scheme: GPT
  ID-3: /dev/sdb maj-min: 8:16 vendor: Seagate model: ST4000DM000-1F2168
    size: 3.64 TiB block-size: physical: 4096 B logical: 512 B speed: 6.0 Gb/s
    tech: HDD rpm: 5900 serial: <filter> fw-rev: CC52 scheme: GPT
  Optical-1: /dev/sr0 vendor: ASUS model: BC-12D2HT rev: 3.11
    dev-links: cdrom
  Features: speed: 48 multisession: yes audio: yes dvd: yes
    rw: cd-r,cd-rw,dvd-r,dvd-ram state: running
Partition:
  ID-1: / raw-size: 50 GiB size: 48.91 GiB (97.83%) used: 35.68 GiB (72.9%)
    fs: ext4 block-size: 4096 B dev: /dev/dm-0 maj-min: 254:0
    mapped: luks-49d2b631-103d-43c7-a8de-067a8181d745 label: N/A
    uuid: 9c19faf4-cd28-4abd-b6e3-514001021619
  ID-2: /boot raw-size: 1.37 GiB size: 1.31 GiB (95.85%)
    used: 273.9 MiB (20.4%) fs: ext4 block-size: 4096 B dev: /dev/nvme0n1p6
    maj-min: 259:6 label: N/A uuid: 6a814aff-70ea-4703-8621-8c4e8dd9f35e
  ID-3: /boot/efi raw-size: 400 MiB size: 96 MiB (24.00%)
    used: 37.8 MiB (39.4%) fs: vfat block-size: 512 B dev: /dev/nvme0n1p1
    maj-min: 259:1 label: N/A uuid: D295-A6DD
  ID-4: /home raw-size: 3.35 TiB size: 3.3 TiB (98.40%)
    used: 589.86 GiB (17.5%) fs: ext4 block-size: 4096 B dev: /dev/dm-1
    maj-min: 254:1 mapped: luks-21881492-5966-4042-8222-486cf5bda919
    label: N/A uuid: 4c4bf1c7-978b-40ff-85a3-06d8ba1723cb
  ID-5: /home/<filter>/Archiv raw-size: 9.1 TiB size: 9.02 TiB (99.20%)
    used: 7.42 TiB (82.3%) fs: ext4 block-size: 4096 B dev: /dev/dm-3
    maj-min: 254:3 mapped: Archive label: N/A uuid: N/A
  ID-6: /home/<filter>/Musik raw-size: 3.64 TiB size: 3.58 TiB (98.40%)
    used: 1.6 TiB (44.7%) fs: ext4 block-size: 4096 B dev: /dev/dm-2
    maj-min: 254:2 mapped: Storage label: N/A uuid: N/A
Swap:
  Kernel: swappiness: 60 (default) cache-pressure: 100 (default) zswap: no
  ID-1: swap-1 type: file size: 12 GiB used: 0 KiB (0.0%) priority: -2
    file: /swapfile
Unmounted:
  ID-1: /dev/nvme0n1p2 maj-min: 259:2 size: 16 MiB fs: N/A label: N/A
    uuid: N/A
  ID-2: /dev/nvme0n1p3 maj-min: 259:3 size: 242.81 GiB fs: ntfs label: N/A
    uuid: 1022AD2A22AD15AE
  ID-3: /dev/nvme0n1p4 maj-min: 259:4 size: 627 MiB fs: ntfs label: N/A
    uuid: D2722A8B722A73FF
  ID-4: /dev/nvme0n1p5 maj-min: 259:5 size: 619 MiB fs: ntfs label: N/A
    uuid: 282C496B2C49355A
USB:
  Hub-1: 1-0:1 info: hi-speed hub with single TT ports: 10 rev: 2.0
    speed: 480 Mb/s (57.2 MiB/s) lanes: 1 mode: 2.0 chip-ID: 1d6b:0002
    class-ID: 0900
  Device-1: 1-1:2 info: Microdia PC-LM1E type: video,audio
    driver: snd-usb-audio,uvcvideo interfaces: 4 rev: 2.0
    speed: 480 Mb/s (57.2 MiB/s) lanes: 1 mode: 2.0 power: 500mA
    chip-ID: 0c45:636d class-ID: 0102 serial: <filter>
  Device-2: 1-2:3 info: Logitech M500s Optical Mouse type: mouse,HID
    driver: hid-generic,usbhid interfaces: 2 rev: 2.0 speed: 12 Mb/s (1.4 MiB/s)
    lanes: 1 mode: 1.1 power: 300mA chip-ID: 046d:c093 class-ID: 0300
    serial: <filter>
  Device-3: 1-9:4 info: Alcor Micro Flash Card Reader/Writer
    type: mass storage driver: usb-storage interfaces: 1 rev: 2.0
    speed: 480 Mb/s (57.2 MiB/s) lanes: 1 mode: 2.0 power: 250mA
    chip-ID: 058f:6362 class-ID: 0806 serial: <filter>
  Hub-2: 2-0:1 info: super-speed hub ports: 4 rev: 3.1
    speed: 10 Gb/s (1.16 GiB/s) lanes: 1 mode: 3.2 gen-2x1 chip-ID: 1d6b:0003
    class-ID: 0900
  Hub-3: 3-0:1 info: hi-speed hub with single TT ports: 4 rev: 2.0
    speed: 480 Mb/s (57.2 MiB/s) lanes: 1 mode: 2.0 chip-ID: 1d6b:0002
    class-ID: 0900
  Device-1: 3-1:2 info: Microsoft Ergonomic Keyboard type: keyboard,HID
    driver: hid-generic,usbhid interfaces: 2 rev: 2.0
    speed: 1.5 Mb/s (183 KiB/s) lanes: 1 mode: 1.0 power: 100mA
    chip-ID: 045e:082c class-ID: 0300 serial: <filter>
  Hub-4: 4-0:1 info: super-speed hub ports: 2 rev: 3.1
    speed: 10 Gb/s (1.16 GiB/s) lanes: 1 mode: 3.2 gen-2x1 chip-ID: 1d6b:0003
    class-ID: 0900
  Hub-5: 5-0:1 info: hi-speed hub with single TT ports: 4 rev: 2.0
    speed: 480 Mb/s (57.2 MiB/s) lanes: 1 mode: 2.0 chip-ID: 1d6b:0002
    class-ID: 0900
  Hub-6: 6-0:1 info: super-speed hub ports: 2 rev: 3.1
    speed: 10 Gb/s (1.16 GiB/s) lanes: 1 mode: 3.2 gen-2x1 chip-ID: 1d6b:0003
    class-ID: 0900
Sensors:
  System Temperatures: cpu: 35.8 C mobo: N/A gpu: amdgpu temp: 32.0 C
  Fan Speeds (rpm): N/A
Repos:
  Packages: pm: pacman pkgs: 1625 libs: 496 tools: gnome-software,octopi,pamac
    pm: flatpak pkgs: 0
  Active pacman repo servers in: /etc/pacman.d/mirrorlist
    1: https://mirrors.xtom.de/manjaro/stable/$repo/$arch
    2: https://mirror.hostiko.network/manjaro/stable/$repo/$arch
    3: https://coresite.mm.fcix.net/manjaro/stable/$repo/$arch
    4: https://mirror.math.princeton.edu/pub/manjaro/stable/$repo/$arch
    5: https://mnvoip.mm.fcix.net/manjaro/stable/$repo/$arch
    6: https://mirror.ufam.edu.br/manjaro/stable/$repo/$arch
    7: https://manjaro.c3sl.ufpr.br/stable/$repo/$arch
    8: https://mirrors.ucr.ac.cr/manjaro/stable/$repo/$arch
Processes:
  CPU top: 5 of 417
  1: cpu: 8.7% command: fprintd pid: 12345 mem: 10.2 MiB (0.0%)
  2: cpu: 4.3% command: chrome pid: 11782 mem: 268.5 MiB (1.7%)
  3: cpu: 3.2% command: java pid: 9566 mem: 641.1 MiB (4.1%)
  4: cpu: 2.9% command: chrome pid: 10109 mem: 695.7 MiB (4.5%)
  5: cpu: 2.5% command: chrome pid: 10156 mem: 270.6 MiB (1.7%)
  Memory top: 5 of 417
  1: mem: 695.7 MiB (4.5%) command: chrome pid: 10109 cpu: 2.9%
  2: mem: 641.1 MiB (4.1%) command: java pid: 9566 cpu: 3.2%
  3: mem: 583.5 MiB (3.8%) command: thunderbird pid: 8057 cpu: 2.2%
  4: mem: 330.9 MiB (2.1%) command: gnome-shell pid: 1849 cpu: 1.0%
  5: mem: 318.6 MiB (2.0%) command: nautilus pid: 9280 cpu: 0.5%
Info:
  Processes: 417 Power: uptime: 2h 37m states: freeze,mem,disk suspend: deep
    avail: s2idle wakeups: 0 hibernate: platform avail: shutdown, reboot,
    suspend, test_resume image: 5.95 GiB services: gsd-power,
    power-profiles-daemon, upowerd Init: systemd v: 256 default: graphical
    tool: systemctl
  Compilers: clang: 18.1.8 gcc: 14.2.1 Shell: Sudo (sudo) v: 1.9.16p2
    default: Bash v: 5.2.37 running-in: gnome-terminal inxi: 3.3.36```

I see an unencrypted /boot partition
and an encrypted / and /home as well - and two unencrypted subdirectories mounted to the encrypted /home

So everything you need to connect and proceed needs to be present in the initrd already.

The file where this is set up is:
/etc/mkinitcpio.conf

the MODULES, BINARIES and FILES sections

Finally I figured it out.
Migrating from Ubuntu to Manjaro I added the new LUKS keyfile only to crypttab but forgot to add it to LUKS itself. Interestingly it did still worked as long as I just typed in the password once normaly, it opend all the volumes. Probably changing the initramfs hook from encrypt to encryptssh it stopped working (the password only opend root).

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.