I broke my LUKS boot setup, help!

unix stackexchange com/q/657663/29 you can get the bounty if you want. it’s not allowing links in my posts, so, you’ll have to enter it, and view it for other links

I broke my luks installation, I can get into it, but I have to decrypt and mount manually through the rescue shell after grub boots (and then systemd needs the password again). Below is just a copy of what’s in the SE Post.

SE Content

So I’ve read the arch wiki and I’m still a bit overwhelmed. In the wiki it feels like a lot of these are optional.

Here’s what I did. I used Manjaro to install into a single partition, which I may be regretting, and I enabled full disk encryption. What I observe when booting, to either windows or Linux, is I’m prompted for a password, and then I see the actual grub menu.

I’m not then certain which options will work. I think that LVM is enabled, but not 100% and I’m sure I selected ext4. I looked at modifying the grub.conf generation scripts, but I’m not sure where, nor am I sure if that’s the right place.

What’s the right answer for adding discard, no_read_workqueue, and no_write_workqueue on Manjaro?


here’s what my most current configuration is, but I keep getting dropped into a rescue shell. I’m trying to used the systemd cryptsetup to do all the things, which seems to suggest that I use luks.* parameters.

note: the name root is coming from my manual mounting in the rescue shell.

NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS                                MOUNTPOINT                                 UUID
loop0         7:0    0 450.2M  1 loop  /var/lib/snapd/snap/wickrme/543            /var/lib/snapd/snap/wickrme/543            
loop1         7:1    0  55.4M  1 loop  /var/lib/snapd/snap/core18/2074            /var/lib/snapd/snap/core18/2074            
loop2         7:2    0  65.1M  1 loop  /var/lib/snapd/snap/gtk-common-themes/1515 /var/lib/snapd/snap/gtk-common-themes/1515 
loop3         7:3    0  32.3M  1 loop  /var/lib/snapd/snap/snapd/12398            /var/lib/snapd/snap/snapd/12398            
zram0       253:0    0   1.5G  0 disk  [SWAP]                                     [SWAP]                                     
nvme0n1     259:0    0 953.9G  0 disk                                                                                        
├─nvme0n1p1 259:1    0   100M  0 part  /boot/efi                                  /boot/efi                                  6CEB-F417
├─nvme0n1p2 259:2    0    16M  0 part                                                                                        
├─nvme0n1p3 259:3    0 780.6G  0 part                                                                                        
├─nvme0n1p4 259:4    0   508M  0 part                                                                                        CA343C30343C223D
├─nvme0n1p5 259:5    0 146.5G  0 part                                                                                        74c51543-eb14-4f61-afeb-b5de6c10a32a
│ └─root    254:0    0 146.5G  0 crypt /                                          /                                          e0a93c98-88a8-4fc9-9948-acdb423d05fd
└─nvme0n1p6 259:6    0  18.6G  0 part  [SWAP]                                     [SWAP]                                     72db96da-87e4-4b17-a622-6a4d56b314c6
4 ❯ cryptsetup luksDump /dev/nvme0n1p5                                                                                                                                                                         # ~
LUKS header information for /dev/nvme0n1p5

Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Hash spec:     	sha256
Payload offset:	4096
MK bits:       	512
UUID:          	74c51543-eb14-4f61-afeb-b5de6c10a32a
❯ cat /etc/default/grub | grep -v -e '^[[:space:]]*$' -e '^#'                                                                                                                                                  # ~
GRUB_CMDLINE_LINUX_DEFAULT="quiet luks.uuid=74c51543-eb14-4f61-afeb-b5de6c10a32a luks.options=discard,no_read_workqueue,no_write_workqueue root=/dev/mapper/luks-e0a93c98-88a8-4fc9-9948-acdb423d05fd splash apparmor=1 security=apparmor udev.log_priority=3"
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

from what I understand systemd-cryptsetup-generator shouldn’t need more options, I do have an /etc/crypttab but everything is commented out.

I’m fairly confident that GRUB_CMDLINE_LINUX_DEFAULT is my only problem, I’m not certain what it should be though. google isn’t finding me a lot of (read no) examples of how to do this with the output of blkid or lsblk.

END SE Content

I restored /etc/cyrpttab because I was smart enough to make a backup

# /etc/crypttab: mappings for encrypted partitions.
# Each mapped device will be created in /dev/mapper, so your /etc/fstab
# should use the /dev/mapper/<name> paths for encrypted devices.
# See crypttab(5) for the supported syntax.
# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf). The same applies
#       to encrypted swap, which should be set up with mkinitcpio-openswap
#       for resume support.
# <name>               <device>                         <password> <options>
#luks-74c51543-eb14-4f61-afeb-b5de6c10a32a UUID=74c51543-eb14-4f61-afeb-b5de6c10a32a     /crypto_keyfile.bin luks,allow-discards,no_read_workqueue,no_write_workqueue

got it, in my /etc/default/grub I had to do this

GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=74c51543-eb14-4f61-afeb-b5de6c10a32a:root:allow-discards,no-read-workqueue,no-write-workqueue quiet udev.log_priority=3"
1 Like

Glad you sorted it out, just a piece of advice: when tinkering with boot process, always pay attention to what kind of initrd images you have. If there’s systemd hook in HOOKS section of /etc/mkinitcpio, then you need luks.uuid-like kernel options. If that’s udev, then cryptdevice is your friend.
If you ever begin using dracut, you will again need luks.uuid-like options.

1 Like

any chance you can actually tell me what that would look like? is not having systemd in the initrd why my attempts at using the luks.* option didn’t work? if you use systemd, do you remove the udev option? trying to understand the full benefit of systemd, there, and why it isn’t the default. Also not sure why there are the rd.luks.* options, if I understood the documentation right, those aren’t the best way?

A short answer to your first question is yes. If you want a udev-based initrd, you should use a sequence of hooks like (base udev keyboard consolefont autodetect plymouth modconf block tpm2 plymouth-encrypt lvm2 resume filesystems). In case of systemd-based initrd, it should look like (base systemd keyboard sd-vconsole autodetect sd-plymouth modconf block sd-tpm2 sd-encrypt lvm2 filesystems).
rd.luks.* options do effect only on initrd time, before real root is mounted, while luks.* options influence on real root as well – if I remember it correctly.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.