LUKS encrypted install, safe to update firmware?

I want to upgrade my firmware (Dell). My only worry is I have a LUKS encrypted Manjaro install and was also affected by the recent Error: cryptodisk not found. Press any key to continue... error after the major update.

My boot partition is unencrypted, running UEFI and disabled Secure Boot. Is it safe to use GNOME Firmware (gnome-firmware) to update my system firmware? I really need an answer because the last thing I want is a brick or an unbootable LUKS encrypted system.

The cryptodisk error is more or less misleading for the user. It more or less didn’t find the key to decrypt the harddrive. This post at the grub mailing list might explain it a little: [PATCH v5 5/9] cryptodisk: Improve cryptomount -u error message. Also, how grub gets installed in Manjaro/Arch plays a role: Re: [Regression] efi: Don't display a uefi-firmware entry if it's not su. So it is better to use a daily build of Gnome and update the system in a live-session. We have to see if gnome-firmware is part of the basic installation, though.

Anyhow, best is to make a backup and only update firmwares when needed.

Firmware of your hardware is not related to LUKS encryption, AFAIK…

2 Likes

I would expect gnome-firmware to update the UEFI without erasing user settings. What’s the worst that can happen if it does?

Other than that it should be a regular operation. Just don’t turn off your computer while it updates :wink: And keep a bootable Linux USB drive ready to register the bootloader to boot again.

Your LUKS2 volume is totally independent of the boot; it does not rely on any hardware like TPM (safe assumption?). Say your computer died, you can still pull out the SSD/HDD and use it as before in another PC as long as there are no driver issues.

As far as I’m aware, and I might be mistaken, the update file is an .exe which is saved on the hard drive and detected by the firmware. I don’t know where this is saved, maybe under /boot which is unencrypted, or maybe under the encrypted part of the OS.

Not sure how GNOME Firmware goes about with the installation but I assume it’s the same process as manually downloading from the vendor’s website.

Do you have any ideas?

Also, I don’t really know what TPM does, is it something that is used? Can LUKS be suspended for the update?

You’re right, they are two separate things.

However the firmware update file is an .exe which is saved on the hard drive. The firmware detects this file to run the update. I just don’t know if there are any issues that could result from an encrypted hard drive, if the firmware would be able to install the update properly or not.

I have used GNOME Firmware for the past two years, but on an unencrypted Manjaro installation. Ever since I reinstalled it to have an encrypted installation, I have not tried this and I just want to make sure there are no implications with the drive being encrypted.

Thank you for explaining the cryptodisk issue :slight_smile:

With regards to the firmware update, I’m running GNOME, and gnome-firmware is installed by default. I’ve been updating my firmware for over two years with this but on an unencrypted installation. So now I want to know what implications there are when updating with a LUKS encrypted system, if it needs to be suspended (if possible at all), TPM issues, or anything else.

World / gnome-firmware · GitLab / fwupd - ArchWiki is the same thing.

If the firmware update really only is the UEFI update then it is completely external to your current system. It does not matter how you boot, have encryption or whatever. I only listed TPM etc. because that’s tied in with current firmware settings.

Also, I don’t really know what TPM does

You don’t need to think about it here, you don’t use it.

Can LUKS be suspended for the update?

You don’t need to.

However the firmware update file is an .exe which is saved on the hard drive. The firmware detects this file to run the update.

If fwupd detects it correctly, then it takes care of the process? After you shutdown/leave the system no files on your encrypted partition will be used. The archwiki tells that the relevant files will be written to your unencrypted boot (ESP) partition.

Though what I read from your replies is that you want assurance through a detailed explanation of how the firmware update process works? In that case I’m out :\

1 Like
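A pre-flight check for the points made in the thread (the ESP must be an unencrypted vfat partition for the capsule, a LUKS volume tied to the TPM is the one case a firmware update can affect, and a backup is wise), as an added example that is not from the thread or from fwupd. It assumes LUKS2, an ESP mounted at /boot/efi or /boot, and cryptsetup, findmnt and lsblk being available; the live part only runs with `--run` as root.

```shell
#!/bin/sh
# Pre-flight checks before a UEFI capsule update on a LUKS-encrypted system.
# Added example, not from the thread or from fwupd. Assumes a LUKS2 setup,
# an ESP mounted at /boot/efi or /boot, and cryptsetup/findmnt/lsblk present.
set -eu

# fwupd stages the capsule on the ESP, so the ESP must be a plain vfat
# partition the firmware itself can read, not a mapped (encrypted) device.
# $1 is one line of `findmnt -no TARGET,SOURCE,FSTYPE <mountpoint>`.
esp_is_plain_fat() {
    set -- $1
    [ "$#" -ge 3 ] || return 1
    [ "$3" = "vfat" ] || return 1
    case "$2" in /dev/mapper/*) return 1 ;; esac
    return 0
}

# A volume sealed to the TPM (e.g. via systemd-cryptenroll) only auto-unlocks
# while the PCR measurements match the running firmware, so a firmware update
# can disable that path; a working passphrase keyslot must remain.
# Reads `cryptsetup luksDump` output on stdin; returns 0 if a TPM2 token exists.
luks_has_tpm_token() {
    grep -Eq '^[[:space:]]+[0-9]+:[[:space:]]+systemd-tpm2'
}

# Live checks run only with --run (they need root and real block devices).
if [ "${1:-}" = "--run" ]; then
    esp=$(findmnt -no TARGET,SOURCE,FSTYPE /boot/efi 2>/dev/null \
          || findmnt -no TARGET,SOURCE,FSTYPE /boot)
    esp_is_plain_fat "$esp" || { echo "ESP is not a plain vfat partition: $esp"; exit 1; }
    mkdir -p /root/luks-headers
    for dev in $(lsblk -rno PATH,FSTYPE | awk '$2 == "crypto_LUKS" { print $1 }'); do
        # Back up the header (copy it off this machine afterwards): a damaged
        # header means the data is gone, whatever the firmware does.
        cryptsetup luksHeaderBackup "$dev" --header-backup-file \
            "/root/luks-headers/$(basename "$dev")-$(date +%Y%m%d%H%M%S).img"
        if cryptsetup luksDump "$dev" | luks_has_tpm_token; then
            echo "WARNING: $dev has a TPM2 token; verify a passphrase keyslot works first"
        fi
    done
    echo "Pre-flight checks passed: stage the update with fwupdmgr update"
fi
```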

Linux does not use exe files, that is Micro$@$ only and will be detected and run by your Micro$@$ operating system, not your hardware’s firmware (aka UEFI-BIOS).

I tried the update and it all worked out. Thank you!

It seems like everything happened through the /boot, so would you know what might happen if /boot is encrypted?

No, the .exe file comes from the vendor. Linux filesystems can’t read it, but I think it can still be applied on the firmware upgrade. It did work in the end and I used LVFS through GNOME Firmware which comes installed by default. Thanks for helping out though, at first I thought firmware updates would be affected by LUKS encryption. :slight_smile:

File-format (.exe) is not related to the filesystem used. Linux can READ any file, but it can’t natively execute .exe applications because that is a file format for Micro$@$ operating systems only…
(To be able to execute .exe files you would need wine) :wink:

File-format is like the language a book is written in, a filesystem is like the pages of the book itself, so Linux can read the pages of any book but it can’t natively understand the language written inside…

2 Likes