Luks encrypted device not mapped during boot

Support
1

I encounter problems when trying fix a system, which was broken during update. The update basically crashed, most likely due to not having enough memory (i.e. swap file too small).

After the crash, the system wouldn’t boot. Then I proceeded like this:

  1. Boot live system
  2. cryptsetup luksOpen /dev/ and mount from dev/mapper/
  3. chroot
  4. remove package, where update previously failed
  5. reinstall everything successfully
  6. exit chroot, umount, reboot

I am then asked to enter the passphrase for the device. But then it stops with message

ERROR: device '/dev/mapper/<mapped device>' not found

I also checked my crypttab (which was not changed) and this looks very ok to me.

This is my system:

sh-5.2# inxi --admin --verbosity=8 --filter --no-host --width
12System:
  12Kernel 6.10.13-3-MANJARO 12arch x86_64 12bits 64 12compiler gcc 12v 14.2.1
    12clocksource tsc 12avail acpi_pm 12parameters BOOT_IMAGE=/boot/vmlinuz-x86_64
    lang=en_US keytable=de tz=UTC misobasedir=manjaro
    misolabel=MANJARO_KDE_2412 quiet systemd.show_status=1 splash driver=free
    nouveau.modeset=1 i915.modeset=1 radeon.modeset=1
  12Desktop KDE Plasma 12v ERR-101 12tk Qt 12v N/A 12dm N/A 12Distro Manjaro
    12base Arch Linux
12Machine:
  12Type Laptop 12System Acer 12product TravelMate B117-M 12v V1.24 12serial <filter>
    12Chassis 12type 10 12serial N/A
  12Mobo Acer 12model Lepus_BA 12v V1.24 12serial <filter>
    12part-nu TravelMate B117-M_108C_1.24 12uuid f8f6e022-35af-2f48-90a6-0000ff00703c
    12UEFI Insyde 12v 1.24 12date 10/25/2018
12Battery:
  12ID-1 BAT1 12charge 33.7 Wh (81.2%) 12condition 41.5/48.9 Wh (84.8%) 12volts 17.0
    12min 15.2 12model LGC AC14B8K 12type Li-ion 12serial <filter> 12status charging
12Memory:
  12System RAM 12total 4 GiB 12available 3.74 GiB 12used 2.63 GiB (70.3%) 12igpu 32 MiB
  12Array-1 12capacity 8 GiB 12slots 2 12modules 2 12EC None 12max-module-size 4 GiB
    12note est.
  12Device-1 ChannelA-DIMM0 12type DDR3 12detail synchronous 12size 2 GiB
    12speed 1600 MT/s 12volts 12min 1.5 12max 1.5 12width (bits) 12data 8 12total 8
    12manufacturer Hynix/Hyundai 12part-no N/A 12serial N/A
  12Device-2 ChannelB-DIMM0 12type DDR3 12detail synchronous 12size 2 GiB
    12speed 1600 MT/s 12volts 12min 1.5 12max 1.5 12width (bits) 12data 8 12total 8
    12manufacturer Hynix/Hyundai 12part-no N/A 12serial N/A
12PCI Slots:
  12Message No PCI Slot data found.
12CPU:
  12Info 12model Intel Pentium N3710 12socket CHV 12bits 64 12type MCP 12arch Airmont
    12level v2 12built 2015-17 12process Intel 14nm 12family 6 12model-id 0x4C (76)
    12stepping 4 12microcode 0x411
  12Topology 12cpus 1x 12dies 1 12clusters 2 12cores 4 12smt <unsupported> 12cache
    12L1 224 KiB 12desc d-4x24 KiB; i-4x32 KiB 12L2 2 MiB 12desc 2x1024 KiB
  12Speed (MHz) 12avg 2560 12min/max 480/2560 12base/boost 1600/1660 12scaling
    12driver intel_cpufreq 12governor schedutil 12volts 3.8 V 12ext-clock 83 MHz 12cores
    121 2560 122 2560 123 2560 124 2560 12bogomips 12805
  12Flags 3dnowprefetch acpi aes aperfmperf apic arat arch_perfmon bts clflush
    cmov constant_tsc cpuid cx16 cx8 de ds_cpl dtes64 dtherm dts epb ept erms
    est flexpriority fpu fxsr ht ibpb ibrs ida lahf_lm lm mca mce md_clear mmx
    monitor movbe msr mtrr nonstop_tsc nopl nx pae pat pbe pclmulqdq pdcm pebs
    pge pni popcnt pse pse36 pti rdrand rdtscp rep_good sep smep ss sse sse2
    sse4_1 sse4_2 ssse3 stibp syscall tm tm2 tpr_shadow tsc tsc_adjust
    tsc_deadline_timer tsc_known_freq tsc_reliable vme vmx vnmi vpid xtopology
    xtpr
  12Vulnerabilities
  12Type gather_data_sampling 12status Not affected
  12Type itlb_multihit 12status Not affected
  12Type l1tf 12status Not affected
  12Type mds 12mitigation Clear CPU buffers; SMT disabled
  12Type meltdown 12mitigation PTI
  12Type mmio_stale_data 12status Unknown: No mitigations
  12Type reg_file_data_sampling 12status Not affected
  12Type retbleed 12status Not affected
  12Type spec_rstack_overflow 12status Not affected
  12Type spec_store_bypass 12status Not affected
  12Type spectre_v1 12mitigation usercopy/swapgs barriers and __user pointer
    sanitization
  12Type spectre_v2 12mitigation Retpolines; IBPB: conditional; IBRS_FW; STIBP:
    disabled; RSB filling; PBRSB-eIBRS: Not affected; BHI: Not affected
  12Type srbds 12status Not affected
  12Type tsx_async_abort 12status Not affected
12Graphics:
  12Device-1 Intel Atom/Celeron/Pentium Processor x5-E8000/J3xxx/N3xxx
    Integrated Graphics 12vendor Acer Incorporated ALI 12driver i915 12v kernel
    12arch Gen-8 12process Intel 14nm 12built 2014-15 12ports 12active eDP-1 12empty DP-1,
    DP-2, HDMI-A-1, HDMI-A-2 12bus-ID 00:02.0 12chip-ID 8086:22b1 12class-ID 0300
  12Device-2 Chicony HD WebCam 12driver uvcvideo 12type USB 12rev 2.0 12speed 480 Mb/s
    12lanes 1 12mode 2.0 12bus-ID 1-4:3 12chip-ID 04f2:b577 12class-ID 0e02
  12Display 12server X.org 12v 1.21.1.18 12with Xwayland 12v 24.1.8 12driver 12X
    12loaded modesetting 12alternate fbdev,vesa 12dri crocus 12gpu i915 12display-ID :0
  12Monitor-1 eDP-1 12model ChiMei InnoLux 0x1132 12built 2013 12res 1366x768 12dpi 136
    12gamma 1.2 12chroma 12red 12x 0.573 12y 0.333 12green 12x 0.325 12y 0.584 12blue 12x 0.161
    12y 0.141 12white 12x 0.314 12y 0.329 12size 256x144mm (10.08x5.67")
    12diag 294mm (11.6") 12ratio 16:9 12modes 1366x768
  12API EGL 12v 1.5 12hw 12drv intel crocus 12platforms 12device 0 12drv crocus 12device 1
    12drv swrast 12gbm 12drv crocus 12surfaceless 12drv crocus 12inactive wayland,x11
  12API OpenGL 12v 4.6 12compat-v 4.5 12vendor mesa 12v 25.1.4-arch1.1 12note incomplete
    (EGL sourced) 12renderer Mesa Intel HD Graphics 405 (BSW), llvmpipe (LLVM
    20.1.6 128 bits)
  12API Vulkan 12Message No Vulkan data available.
  12Info 12Tools 12api clinfo, eglinfo, glxinfo, vulkaninfo
    12de kscreen-console,kscreen-doctor 12wl wayland-info 12x11 xdpyinfo, xprop, xrandr
12Audio:
  12Device-1 Intel Atom/Celeron/Pentium Processor x5-E8000/J3xxx/N3xxx Series
    High Definition Audio 12vendor Acer Incorporated ALI 12driver snd_hda_intel
    12v kernel 12bus-ID 00:1b.0 12chip-ID 8086:2284 12class-ID 0403
  12API ALSA 12v k6.10.13-3-MANJARO 12status kernel-api 12with aoss 12type oss-emulator
    12tools alsactl,alsamixer,amixer
  12Server-1 JACK 12v 1.9.22 12status off 12tools N/A
  12Server-2 PipeWire 12v 1.4.5 12status off 12with pipewire-media-session 12status off
    12tools pw-cli
  12Server-3 PulseAudio 12v 17.0-43-g3e2bb 12status off 12with 121 pulseaudio-alsa
    12type plugin 122 pulseaudio-jack 12type module 12tools pacat,pactl
12Network:
  12Device-1 Intel Wireless 7265 12driver iwlwifi 12v kernel 12pcie 12gen 1
    12speed 2.5 GT/s 12lanes 1 12bus-ID 02:00.0 12chip-ID 8086:095a 12class-ID 0280
  12IF wlp2s0 12state up 12mac <filter>
  12IP v4 <filter> 12type dynamic noprefixroute 12scope global 12broadcast <filter>
  12IP v6 <filter> 12type dynamic noprefixroute 12scope global
  12IP v6 <filter> 12type dynamic noprefixroute 12scope global
  12IP v6 <filter> 12type noprefixroute 12scope link
  12Info 12services No services found.
  12WAN IP <filter>
12Bluetooth:
  12Device-1 Intel Bluetooth wireless interface 12driver btusb 12v 0.8 12type USB
    12rev 2.0 12speed 12 Mb/s 12lanes 1 12mode 1.1 12bus-ID 1-5:4 12chip-ID 8087:0a2a
    12class-ID e001
  12Report rfkill 12ID hci0 12rfk-id 2 12state down 12bt-service N/A 12rfk-block
    12hardware no 12software no 12address see --recommends
12Logical:
  12Message No logical block device data found.
12RAID:
  12Message No RAID data found.
12Drives:
  12Local Storage 12total 261.53 GiB 12used 69.86 GiB (26.7%)
  12ID-1 /dev/sda 12maj-min 8:0 12vendor Samsung 12model SSD 840 EVO 250GB
    12family based SSDs 12size 232.89 GiB 12block-size 12physical 512 B 12logical 512 B
    12sata 3.1 12speed 6.0 Gb/s 12tech SSD 12serial <filter> 12fw-rev CB6Q 12temp 34 C
  12SMART yes 12state enabled 12health PASSED 12on 142d 8h 12cycles 2755
    12written 5.16 TiB
  12ID-2 /dev/sdb 12maj-min 8:16 12vendor SanDisk 12model Ultra Fit 12size 28.64 GiB
    12block-size 12physical 512 B 12logical 512 B 12type USB 12rev 3.0 12spd 5 Gb/s 12lanes 1
    12mode 3.2 gen-1x1 12tech N/A 12serial <filter> 12fw-rev 1.00
  12SMART Message Unknown USB bridge. Flash drive/Unsupported enclosure?
  12Message No optical or floppy data found.
12Partition:
  12ID-1 / 12raw-size 100 GiB 12size 97.87 GiB (97.87%) 12used 69.86 GiB (71.4%)
    12fs ext4 12block-size 4096 B 12dev /dev/dm-0 12maj-min 254:0 12mapped tmp 12label N/A
    12uuid N/A
12Swap:
  12Alert No swap data was found.
12Unmounted:
  12ID-1 /dev/sda1 12maj-min 8:1 12size 300 MiB 12fs fat (32 bit) 12label N/A
    12uuid EF2D-725F
  12ID-2 /dev/sda2 12maj-min 8:2 12size 100 GiB 12fs N/A 12label N/A
    12uuid 29fdfcca-132c-4086-817d-32213e24c3be
  12ID-3 /dev/sda3 12maj-min 8:3 12size 132.59 GiB 12fs N/A 12label N/A
    12uuid fe92912b-e39a-45aa-8ca5-80c32bcf2563
  12ID-4 /dev/sdb1 12maj-min 8:17 12size 3.87 GiB 12fs N/A 12label MANJARO_KDE_2412
    12uuid 2024-11-04-04-24-27-00
  12ID-5 /dev/sdb2 12maj-min 8:18 12size 4 MiB 12fs N/A 12label MISO_EFI 12uuid 8BF0-EDB3
12USB:
  12Hub-1 1-0:1 12info hi-speed hub with single TT 12ports 7 12rev 2.0
    12speed 480 Mb/s (57.2 MiB/s) 12lanes 1 12mode 2.0 12chip-ID 1d6b:0002 12class-ID 0900
  12Device-1 1-3:2 12info Realtek RTS5129 Card Reader Controller
    12type <vendor specific> 12driver rtsx_usb,rtsx_usb_ms,rtsx_usb_sdmmc
    12interfaces 1 12rev 2.0 12speed 480 Mb/s (57.2 MiB/s) 12lanes 1 12mode 2.0
    12power 500mA 12chip-ID 0bda:0129 12class-ID ff00 12serial <filter>
  12Device-2 1-4:3 12info Chicony HD WebCam 12type video 12driver uvcvideo
    12interfaces 2 12rev 2.0 12speed 480 Mb/s (57.2 MiB/s) 12lanes 1 12mode 2.0 12power 500mA
    12chip-ID 04f2:b577 12class-ID 0e02
  12Device-3 1-5:4 12info Intel Bluetooth wireless interface 12type bluetooth
    12driver btusb 12interfaces 2 12rev 2.0 12speed 12 Mb/s (1.4 MiB/s) 12lanes 1 12mode 1.1
    12power 100mA 12chip-ID 8087:0a2a 12class-ID e001
  12Hub-2 2-0:1 12info super-speed hub 12ports 6 12rev 3.0 12speed 5 Gb/s (596.0 MiB/s)
    12lanes 1 12mode 3.2 gen-1x1 12chip-ID 1d6b:0003 12class-ID 0900
  12Device-1 2-1:2 12info SanDisk Ultra Fit 12type mass storage 12driver usb-storage
    12interfaces 1 12rev 3.0 12speed 5 Gb/s (596.0 MiB/s) 12lanes 1 12mode 3.2 gen-1x1
    12power 896mA 12chip-ID 0781:5583 12class-ID 0806 12serial <filter>
12Sensors:
  12System Temperatures 12cpu 53.0 C 12mobo N/A
  12Fan Speeds (rpm) N/A
12Repos:
  12Packages 1656 12pm pacman 12pkgs 1651 12libs 430 12tools pamac 12pm flatpak 12pkgs 5
  12Active pacman repo servers in /etc/pacman.d/mirrorlist
    121 https: //www.mirrorservice.org/sites/repo.manjaro.org/repos/stable/$repo/$arch
    122 https: //mirrors.ft.uam.es/manjaro/stable/$repo/$arch
    123 https: //ftp.lysator.liu.se/pub/manjaro/stable/$repo/$arch
    124 https: //fastmirror.pp.ua/manjaro/stable/$repo/$arch
    125 https: //volico.mm.fcix.net/manjaro/stable/$repo/$arch
    126 https: //edgeuno-bog2.mm.fcix.net/manjaro/stable/$repo/$arch
    127 https: //mirror.freedif.org/Manjaro/stable/$repo/$arch
    128 https: //mirror.kamtv.ru/manjaro/stable/$repo/$arch
12Processes:
  12Message No process data available.
12Info:
  12Processes 0 12Power 12uptime 21m 12states freeze,mem,disk 12suspend deep 12avail s2idle
    12wakeups 0 12hibernate platform 12avail shutdown, reboot, suspend, test_resume
    12image 1.45 GiB 12Init systemd 12v 257 12default graphical 12tool systemctl
  12Compilers 12clang 20.1.6 12gcc 15.1.1 12Client systemd 12inxi 3.3.38

I kindly ask for same help!

2

If you installation is a default Manjaro installation - you will have two encrypted containers - system and swap

Which mapped device? the system or the swap

With a default Manjaro it is named luks-<uuid> where the uuid is the one for an open luks container.

In openswap.conf you will have a swap_device and a keyfile_device - which one is named in the error message?

Also - because Manjaro uses GRUB and grub - historically has issues with luks2 - a luks container created by the installer with grub as loader will be using luks (1) encryption.

3

Understood. My bad, sorry! This is the full message:

ERROR: device '/dev/mapper/luks-<UUID>' not found
 Skipping fsck.
mount: /new_root: filesystem was mounted, but any subsequent operation failed: Unknown error 5001.
You are being dropped into an emergency shell.
sh: can't access tty: job control turned off

This refers to the system partition.

4

The following might be useful;

From the chroot environment (as described in the linked article) you can attempt to complete the interrupted update, and perform other diagnostic and/or repair procedures as may be needed.

Please also note that kernel 6.10 reached EOL some 8 months ago, and was removed from the Manjaro repositories at that time.

It is advised to move to the 6.12 (LTS) kernel.

Regards.

1 Like
5

I am confused, this is what I get from the command line:

sh-5.2# ls /usr/lib/modules
5.10.237-1-MANJARO  5.15.185-1-MANJARO  5.4.294-1-MANJARO  6.1.141-1-MANJARO

In addition, I’ve already conducted the steps suggested here

sh-5.2# [ -f /var/lib/pacman/db.lck ] && rm -f /var/lib/pacman/db.lck
pacman -Syyu
update-grub
:: Synchronizing package databases...
 core                                  142.8 KiB   382 KiB/s 00:00 [####################################] 100%
 extra                                   8.5 MiB  10.4 MiB/s 00:01 [####################################] 100%
 multilib                              148.1 KiB   370 KiB/s 00:00 [####################################] 100%
:: Starting full system upgrade...
 there is nothing to do
Generating grub configuration file ...
Found theme: /usr/share/grub/themes/manjaro/theme.txt
Found linux image: /boot/vmlinuz-6.1-x86_64
Found initrd image: /boot/intel-ucode.img /boot/initramfs-6.1-x86_64.img
Found initrd fallback image: /boot/initramfs-6.1-x86_64-fallback.img
Found linux image: /boot/vmlinuz-5.15-x86_64
Found initrd image: /boot/intel-ucode.img /boot/initramfs-5.15-x86_64.img
Found initrd fallback image: /boot/initramfs-5.15-x86_64-fallback.img
Found linux image: /boot/vmlinuz-5.10-x86_64
Found initrd image: /boot/intel-ucode.img /boot/initramfs-5.10-x86_64.img
Found initrd fallback image: /boot/initramfs-5.10-x86_64-fallback.img
Found linux image: /boot/vmlinuz-5.4-x86_64
Found initrd image: /boot/intel-ucode.img /boot/initramfs-5.4-x86_64.img
Found initrd fallback image: /boot/initramfs-5.4-x86_64-fallback.img
Warning: os-prober will not be executed to detect other bootable partitions.
Systems on them will not be added to the GRUB boot configuration.
Check GRUB_DISABLE_OS_PROBER documentation entry.
Adding boot menu entry for UEFI Firmware Settings ...
Found memtest86+ image: /boot/memtest86+/memtest.bin
done
sh-5.2#

Rebooting ends at the same error.

6

A possibility is that kernel 6.10 is being recognised from the Manjaro Installer ISO you booted with – which indicates another likely complication – your Manjaro ISO is out of date.

Generally, the latest available ISO is recommended. I’d suggest downloading a fresh ISO and creating a new Installer USB; or even better, a Ventoy USB.

7

@soundofthunder
The kernel used on the live ISO, which is used to chroot into the defunct system is actually of no consequence, as long as it is not really ancient.

@dano
If you want us to help you to try and fix your system, please provide the following:

straight after booting the ISO - not in chroot yet and nothing mounted:

lsblk -f

Then please tell what exact steps you use to chroot.
First you’d have to open the encrypted container and then mount it,
as well as mount the separate EFI Partition to the correct place within that file system structure
and then manjaro-chroot to that location.
manjaro-chroot -a
will NOT work (unless the automatism has been improved recently)

But it seems you are in chroot correctly.

From within or from without, check the contents of
/etc/fstab
and
/etc/default/grub
and
/etc/mkinitcpio.conf

of the defunct system

I would do it like this:

cryptsetup open /dev/whatever encrypted
mount /dev/mapper/encrypted /mnt
mount /dev/name_of_EFI_partition /mnt/boot/efi
(this depends on what is in /etc/fstab but should be correct)
manjaro-chroot /mnt /bin/bash

… and then check the contents of the files mentioned above

8

This is the requested output regarding the chroot steps:

>> lsblk -f                                                                                       ✔ 
NAME   FSTYPE   FSVER    LABEL            UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
loop0  squashfs 4.0                                                                  0   100% /run/miso/sfs/livefs
loop1  squashfs 4.0                                                                  0   100% /run/miso/sfs/mhwdfs
loop2  squashfs 4.0                                                                  0   100% /run/miso/sfs/desktopfs
loop3  squashfs 4.0                                                                  0   100% /run/miso/sfs/rootfs
sda                                                                                           
├─sda1 vfat     FAT32                     EF2D-725F                                           
├─sda2 crypto_L 1                         29fdfcca-132c-4086-817d-32213e24c3be                
└─sda3 crypto_L 1                         fe92912b-e39a-45aa-8ca5-80c32bcf2563                
sdb    iso9660  Joliet E MANJARO_KDE_2504 2025-06-23-07-30-54-00                     0   100% /run/miso/bootmnt
├─sdb1 iso9660  Joliet E MANJARO_KDE_2504 2025-06-23-07-30-54-00                              
└─sdb2 vfat     FAT12    MISO_EFI         ECC9-5CDB                                           
 >> sudo cryptsetup luksOpen /dev/sda2 tmp                                                      
Enter passphrase for /dev/sda2: 
 >> sudo mount /dev/mapper/tmp /mnt                                                        
 >> sudo mount /dev/sda1 /mnt/boot/efi                                                       
 >> sudo manjaro-chroot /mnt                                                                     
sh-5.2#

From within, this is the mentioned files’ content:

sh-5.2# cat /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a device; this may
# be used with UUID= as a more robust way to name devices that works even if
# disks are added and removed. See fstab(5).
#
# <file system>             <mount point>  <type>  <options>  <dump>  <pass>
UUID=EF2D-725F                            /boot/efi      vfat    umask=0077 0 2
tmpfs                                     /tmp           tmpfs   defaults,noatime,mode=1777 0 0
/dev/mapper/sda3_crypt /run/media/schnuffel/Data/  ext4    defaults   0       2
/dev/mapper/luks-29fdfcca-132c-4086-817d-32213e24c3be / ext4 defaults,noatime 0 1
/swapfile none swap defaults 0 0
sh-5.2# 

sh-5.2# cat /etc/default/grub
# GRUB boot loader configuration

GRUB_DEFAULT=saved
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Manjaro"
GRUB_CMDLINE_LINUX_DEFAULT="quiet cryptdevice=UUID=29fdfcca-132c-4086-817d-32213e24c3be:luks-29fdfcca-132c-4086-817d-32213e24c3be root=/dev/mapper/luks-29fdfcca-132c-4086-817d-32213e24c3be apparmor=1 security=apparmor udev.log_priority=3"
GRUB_CMDLINE_LINUX=""

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to enable booting from LUKS encrypted devices
#GRUB_ENABLE_CRYPTODISK=y

# Set to 'countdown' or 'menu' to change timeout behavior,
# press ESC key to display menu.
GRUB_TIMEOUT_STYLE=hidden

# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console

# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command 'videoinfo'
GRUB_GFXMODE=auto

# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep

# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true

# Uncomment and set to the desired menu colors.  Used by normal and wallpaper
# modes only.  Entries specified as foreground/background.
GRUB_COLOR_NORMAL="light-gray/black"
GRUB_COLOR_HIGHLIGHT="green/black"

# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/usr/share/grub/background.png"
GRUB_THEME="/usr/share/grub/themes/manjaro/theme.txt"

# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"

# Uncomment to make GRUB remember the last selection. This requires
# setting 'GRUB_DEFAULT=saved' above.
GRUB_SAVEDEFAULT=true

# Uncomment to disable submenus in boot menu
#GRUB_DISABLE_SUBMENU=y

# Uncomment this option to enable os-prober execution in the grub-mkconfig command
#GRUB_DISABLE_OS_PROBER=false

# Uncomment to ensure that the root filesystem is mounted read-only so that
# systemd-fsck can run the check automatically. We use 'fsck' by default, which
# needs 'rw' as boot parameter, to avoid delay in boot-time. 'fsck' needs to be
# removed from 'mkinitcpio.conf' to make 'systemd-fsck' work.
# See also Arch-Wiki: https://wiki.archlinux.org/index.php/Fsck#Boot_time_checking
#GRUB_ROOT_FS_RO=true
GRUB_ENABLE_CRYPTODISK=y
sh-5.2# 

sh-5.2# cat /etc/mkinitcpio.conf
# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run.  Advanced users may wish to specify all system modules
# in this array.  For instance:
#     MODULES=(usbhid xhci_hcd)
MODULES=()

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image.  This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
FILES=(/crypto_keyfile.bin)

# HOOKS
# This is the most important setting in this file.  The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
##   This setup specifies all modules in the MODULES setting above.
##   No RAID, lvm2, or encrypted root is needed.
#    HOOKS=(base)
#
##   This setup will autodetect all modules for your system and should
##   work as a sane default
#    HOOKS=(base udev autodetect modconf block filesystems fsck)
#
##   This setup will generate a 'full' image which supports most systems.
##   No autodetection is done.
#    HOOKS=(base udev modconf block filesystems fsck)
#
##   This setup assembles a mdadm array with an encrypted root file system.
##   Note: See 'mkinitcpio -H mdadm_udev' for more information on RAID devices.
#    HOOKS=(base udev modconf keyboard keymap consolefont block mdadm_udev encrypt filesystems fsck)
#
##   This setup loads an lvm2 volume group.
#    HOOKS=(base udev modconf block lvm2 filesystems fsck)
#
##   This will create a systemd based initramfs which loads an encrypted root filesystem.
#    HOOKS=(base systemd autodetect modconf kms keyboard sd-vconsole sd-encrypt block filesystems fsck)
#
##   NOTE: If you have /usr on a separate partition, you MUST include the
#    usr and fsck hooks.
HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block filesystems fsck)

# COMPRESSION
# Use this to compress the initramfs image. By default, zstd compression
# is used for Linux ≥ 5.9 and gzip compression is used for Linux < 5.9.
# Use 'cat' to create an uncompressed image.
#COMPRESSION="zstd"
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"

# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()

# MODULES_DECOMPRESS
# Decompress loadable kernel modules and their firmware during initramfs
# creation. Switch (yes/no).
# Enable to allow further decreasing image size when using high compression
# (e.g. xz -9e or zstd --long --ultra -22) at the expense of increased RAM usage
# at early boot.
# Note that any compressed files will be placed in the uncompressed early CPIO
# to avoid double compression.
#MODULES_DECOMPRESS="no"
sh-5.2#

I’d say a hook for opening the encrypted system partition is missing. What do you think?

9

one thing that immediately stands out from your /etc/fstab:

Don’t do that.

Mount what you need to a permanent mount point - not to something transient like /run

Deactivate the line for now and see how that affects the boot process.

The next thing I see is probably even more important:

/etc/mkinitcpio.conf has this HOOKS line:

There is no encrypt hook, but there should be.

Add it and then regenerate the initrds and update-grub.

mkinitcpio -P
update-grub

Yes, exactly what I think. :grinning:

It cannot work without it.

There is a commented out example line in the file, a bit further up.

1 Like
10

Ok, thanks. I am not sure where this got lost.

Anyway, I’ve copied the hooks from a similar setup, containing the missing ‘encrypted’ hook.

Then I made a terrible mistake, i.e. changing a second thing before confirming the first issue being resolved…

I reinstalled grub due to a message from pacman package upgrade, stating that one may consider reinstalling grub.

In details I conducted these steps:

sh-5.2# grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB
Installing for x86_64-efi platform.
Installation finished. No error reported.
sh-5.2# grub-mkconfig -o /boot/grub/grub.cfg 
Generating grub configuration file ...
Found theme: /usr/share/grub/themes/manjaro/theme.txt
Found linux image: /boot/vmlinuz-6.1-x86_64
Found initrd image: /boot/intel-ucode.img /boot/initramfs-6.1-x86_64.img
Found initrd fallback image: /boot/initramfs-6.1-x86_64-fallback.img
Found linux image: /boot/vmlinuz-5.15-x86_64
Found initrd image: /boot/intel-ucode.img /boot/initramfs-5.15-x86_64.img
Found initrd fallback image: /boot/initramfs-5.15-x86_64-fallback.img
Found linux image: /boot/vmlinuz-5.10-x86_64
Found initrd image: /boot/intel-ucode.img /boot/initramfs-5.10-x86_64.img
Found initrd fallback image: /boot/initramfs-5.10-x86_64-fallback.img
Found linux image: /boot/vmlinuz-5.4-x86_64
Found initrd image: /boot/intel-ucode.img /boot/initramfs-5.4-x86_64.img
Found initrd fallback image: /boot/initramfs-5.4-x86_64-fallback.img
Warning: os-prober will not be executed to detect other bootable partitions.
Systems on them will not be added to the GRUB boot configuration.
Check GRUB_DISABLE_OS_PROBER documentation entry.
Adding boot menu entry for UEFI Firmware Settings ...
Found memtest86+ image: /boot/memtest86+/memtest.bin
done
sh-5.2# update-grub
Generating grub configuration file ...
Found theme: /usr/share/grub/themes/manjaro/theme.txt
Found linux image: /boot/vmlinuz-6.1-x86_64
Found initrd image: /boot/intel-ucode.img /boot/initramfs-6.1-x86_64.img
Found initrd fallback image: /boot/initramfs-6.1-x86_64-fallback.img
Found linux image: /boot/vmlinuz-5.15-x86_64
Found initrd image: /boot/intel-ucode.img /boot/initramfs-5.15-x86_64.img
Found initrd fallback image: /boot/initramfs-5.15-x86_64-fallback.img
Found linux image: /boot/vmlinuz-5.10-x86_64
Found initrd image: /boot/intel-ucode.img /boot/initramfs-5.10-x86_64.img
Found initrd fallback image: /boot/initramfs-5.10-x86_64-fallback.img
Found linux image: /boot/vmlinuz-5.4-x86_64
Found initrd image: /boot/intel-ucode.img /boot/initramfs-5.4-x86_64.img
Found initrd fallback image: /boot/initramfs-5.4-x86_64-fallback.img
Warning: os-prober will not be executed to detect other bootable partitions.
Systems on them will not be added to the GRUB boot configuration.
Check GRUB_DISABLE_OS_PROBER documentation entry.
Adding boot menu entry for UEFI Firmware Settings ...
Found memtest86+ image: /boot/memtest86+/memtest.bin
done
sh-5.2#

After reboot I stuck at this error now:

error: symbol 'grub_is_cli_need_auth' not found.
Entering rescue mode...

From grub documentation I understand that I’ve conducted the correct steps in order to fix this (grub-install, grub-mkconfig, update-grub).

I apologize for my clumsiness. How can I fix this?

@Nachlese:

I followed your guide and removed this line. It is a personal data partition for which mounting can occur much later by other means. Thanks!

11

The order, the place where in the line of parameters the “encrypt” HOOK is added, is (from my understanding) not arbitrary.
It should be at a certain place - although it is only supposed to ensure that the “cryptsetup” binary is included in the initrd.

I could only search for that error/message and find the same as you.
I do not know what it means (right now) nor how to attack/resolve it.

12

This is the takeover from the other system:

HOOKS=(base udev autodetect modconf kms block keyboard keymap consolefont encrypt filesystems fsck)
13

I’d add it before “block”.
But I have no backups I could look at from previous encrypted Arch or Manjaro installations.

The Arch wiki probably has got to say something about this. :man_shrugging:

14

I posted the grub error in the archlinux forum (grub error symbol 'grub_is_cli_need_auth' not found / Newbie Corner / Arch Linux Forums)

Any other suggestions?

15

I also noticed this in /etc/default/grub:

From seeing/reading it
it should definitely be uncommented in your situation.

Again - I have no reference from an older installation anymore to compare and know what it was and what definitely did work.
But I always did my installations with unencrypted /boot - so that was never a factor.

I also don’t know why it would have changed without your involvement or knowledge -
same goes for the HOOKS in /etc/mkinitcpio.conf

1 Like
16

Ok, thanks!

I’ve tried to uncomment this:

… to no avail.

As for the changed hooks, I might have made a mistake when maintaining pacnews. This is the only reason I could imagine for now, but this is really a guess.

17

It is the main grub configuration file.
After changing the file, regenerate the Grub configuration.
From within chroot

update-grub
or
grub-mkconfig -o /boot/grub/grub.cfg

ps:

a freshly installed encrypted system (in a VM) has got these values in this order present:

/etc/mkinitcpio.conf

HOOKS=(base udev autodetect microcode kms modconf block keyboard keymap consolefont plymouth encrypt filesystems fsck)

ignore plymouth if you dont use it

/etc/default/grub

# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y

HTH

1 Like
18

Following @Nachlese summary:

  1. /etc/default/grub

Please note that the parameter was always enabled in my setup (cf. the bottom of the posted configuration /etc/default/grub above). I also tweaked it (disabled it) and figured out that it is not possible to install grub when encrypted disks are present (grub will report the mismatch).

  1. update-grub: I’ve always conducted this step at any change of the configuration. Sorry for the imprecise report.
  2. /etc/mkinitcpio.conf: I have adopted it according to your suggestion and ran mkinitcpio -P to regenerate the images and once again update-grub.

Unfortunately, nothing helped!

I stuck at boot (after being prompted for passphrase and having successfully encrypted my system partition) with missing symbol grub_is_cli_need_auth.

19

This looks relevant:

Cannot access GRUB: grub_cli_set_auth_needed not found [SOLVED] - Newbie - EndeavourOS

… different boot loader ID …
I think the original ID was Manjaro - you now used GRUB.

Your ESP was mounted prior to entering chroot?

I’m almost ignorant when it comes to UEFI stuff.
Other people can help far better.

ps:
you will not get any more answers to your thread in the Arch Forum after they quickly found out that you are not asking about Arch but about Manjaro.

20

Thanks for the hint! I’ve figured it already out and changed it to Manjaro.

I mounted ESP with sudo mount /dev/sda1 /mnt/boot/efi after mounting my system partition with sudo mount /dev/mapper/tmp /mnt.

:flushed: