Manjaro xfce asks for my luks password twice during bootup

hello,

manjaro xfce asks for my luks password twice during bootup (first, grub asks for it, then the initrd asks for the password (for the swap (same as the other)) the second time)

I suggest that it isn’t supposed to happen. how do I fix this?

thank you for your replies in advance.

Hi @imre84,

While I’m not :100: on this, I think it’s because both are encrypted separately, so have to be decrypted separately.

Not using, or really caring for encrypted discs, the only way I can think of to change this is to move the SWAP space to a non-encrypted partition.

Is this a fresh installation or did it work previously but just now this started to happen?

How did you install?
(automatic mode or did you create your partitions yourself?)

Please post output of
lsblk -f
for a start

@Mirdarthos
the default/automatic installation, when you check “encrypt the system”, creates a Luks1 encrypted container, which Grub can open/decrypt - inside this container is the root partition and the swap - so they are both decrypted at the same time - with just one password, using Grub.

If one does something else, one needs to take care of the decryption process yourself …

I had this issue as well, but found the solution is to use openswap and a keyfile to handle it. I provide my passphrase to grub and everything else gets handled automatically.


Yes, a swap file will decrypt that way, but it sounds like an encrypted SWAP partition, which is what my explanation is about.

This can also be a way of getting rid of the dual-authentication, but keeping SWAP encrypted.

Installing encrypted with a swap partition gets me in the same situation as @imre84 - have to supply the password for the swap partition separately.
It is made even more difficult because of plymouth - without hitting ESC you won’t even see the prompt for the password, the system just sits there …

I just assumed it would work the same way as with a swap file - and it can.
But some configuration needs to be done for that -
but this is not present or is incomplete as the installer does it.

Esp. this here:

dm-crypt/Swap encryption - ArchWiki

(goes to section 2.2.3.1.2 - busybox based initramfs)

Either some package is missing (AUR - mkinitcpio-openswap)
or some hook in /etc/mkinitcpio/hooks/

With a systemd based initramfs (sd-encrypt hook in /etc/mkinitcpio.conf)
it should work as not just one device can be unlocked this way.

But that is as far as I got with analyzing this.

Using a swap file should be a work around.

I have encrypted / and swap partitions. I get prompted once for my password before the grub menu.

/etc/mkinitcpio.conf HOOKS:

```
HOOKS=(base udev autodetect microcode kms modconf block keyboard keymap consolefont plymouth encrypt openswap resume filesystems)
```

/etc/default/grub GRUB_CMDLINE_LINUX_DEFAULT:

```
GRUB_CMDLINE_LINUX_DEFAULT='quiet splash rd.driver.pre=amdgpu cryptdevice=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx root=/dev/mapper/luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx rootflags=subvol=@ resume=/dev/mapper/luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx udev.log_priority=3'
```

/etc/crypttab:

```
# <name>               <device>                         <password> <options>
luks-xxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx     /crypto_keyfile.bin luks
luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx     /crypto_keyfile.bin luks
```

This allows my system to work as I would expect it, but it was NOT the default from the Manjaro installer. I had to find the solution and implement it. There is a bit more to it, such as the filling the keyfile with random data, etc.


Mod edit:- Your attempt at formatting is appreciated. Please note that the three backticks ``` both before and after the pasted content should be on their own lines to avoid unexpected misalignment of content.
Corrected for you in this instance. No charge.
See How to Post Command Output as Preformatted Text :eyes:

the partitions were created automatically for me.

```
NAME                                          FSTYPE      FSVER LABEL    UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
sda
|-sda1                                        vfat        FAT32          EE16-CDAA                             298,6M     0% /boot/efi
|-sda2                                        crypto_LUKS 1              a6456476-edde-4d61-af4a-1accda4d33ba
| `-luks-a6456476-edde-4d61-af4a-1accda4d33ba btrfs                      16cb97b0-71ba-4729-b64f-cc052751b408  135,2G    93% /var/cache
|                                                                                                                            /var/log
|                                                                                                                            /home
|                                                                                                                            /
`-sda3                                        crypto_LUKS 1              87a3c2a8-5168-451e-bcef-4d2a8c5955f4
  `-luks-87a3c2a8-5168-451e-bcef-4d2a8c5955f4 swap        1     swap     03d4d42b-dd49-4de9-bd71-aadeb217b628                [SWAP]
nvme0n1
|-nvme0n1p1                                   vfat        FAT32          88E0-AD11
|-nvme0n1p2
|-nvme0n1p3                                   ntfs              Windows  DC669389669362D6
|-nvme0n1p4                                   ntfs                       B2D000EAD000B71F
`-nvme0n1p5                                   ntfs              RECOVERY A82E062D2E05F4DA
```

To understand and see for myself, I installed a test system in a VM with the same setup - just with ext4 instead of btrfs.
And I got the same result as you did - had to open the encrypted swap separately.
After a bit of exploration I deleted the VM - I should have kept it, as I now realize.

What I took away from this is:

It could be remedied by changing the HOOKS array in /etc/mkinitcpio.conf
replacing the “encrypt” keyword with “sd-encrypt”

dm-crypt/System configuration - ArchWiki

Section 1.2.4 - the above link goes to there directly

But I did not test it - it’s speculation as of now.
I’d have to reinstall a test system again and try. No time for that right now.

No - it’s not as easy as that - just tried. :man_shrugging:

The way the installer does it results in a system where you have to supply the password twice.
Not ideal. Not nice. Perhaps no one has actually tested this and noticed this undesirable result? :man_shrugging:
… we are the guinea pigs? :wink:

If you install again, but use a swap file instead of a swap partition, it should work.
But a swap file is not without other potential problems when you use btrfs.

I should have logged in to this forum on my smartphone before wrecking my main system.

sd-encrypt: it made things worse, needed to fix my system from a live cd (this was my first time dealing with both btrfs and manjaro from a live cd, so it was slightly scary for a split second)

@Kielcelaria

this helped a lot, thanks. I actually disabled resuming (is this the same as hibernation? I hate hibernation. maybe justifiably so.)
I removed resume=… from GRUB_CMDLINE_LINUX_DEFAULT
and I removed openswap and resume from HOOKS=()
needed to run mkinitcpio -P and update-grub
on the live CD mkinitcpio gave too many warnings for my liking but booted fine(ish), so I reran both of these from the system
but anyhow I now can confirm, only grub asks for my luks password.
thank you for your help

while we’re at it, please take a look at this one as well: manjaro xfce asks for your luks password twice · Issue #38 · manjaro/issue-hub · GitHub. Is there a better place to report this bug?

```
#GRUB_CMDLINE_LINUX_DEFAULT='quiet cryptdevice=UUID=...:luks-... root=/dev/mapper/luks-... apparmor=1 security=apparmor resume=/dev/mapper/luks-... udev.log_priority=3'
GRUB_CMDLINE_LINUX_DEFAULT='quiet cryptdevice=UUID=...:luks-... root=/dev/mapper/luks-... apparmor=1 security=apparmor udev.log_priority=3'
#HOOKS=(base udev autodetect microcode kms modconf block keyboard keymap consolefont plymouth encrypt openswap resume filesystems)
HOOKS=(base udev autodetect microcode kms modconf block keyboard keymap consolefont plymouth encrypt filesystems)
```

eventually I’ll re-enable splash


Yes, resume = hibernation.
I use it without issue along with sleep, aka suspend. Your mileage may vary with either action.
Glad to hear you got it sorted.


You seem to be attributing your success to information given by @Kielcelaria – I have therefore marked their post as the solution to this topic.

If this presumption is mistaken, please feel free to mark another post as the solution.

Note that it is customary for the OP to indicate which post helped them the most to reach a resolution, which in turn helps others with a similar issue to quickly evaluate whether or not a topic will help them.

Regards.

Like @imre84 said:
Removing “openswap” from /etc/mkinitcpio.conf HOOKS array allowed this to work - just confirmed it on my test install.
This is totally unintuitive, counterintuitive even - because there is an encrypted swap partition which needs to be opened, however:
with “openswap” it doesn’t work, without it it does. :man_shrugging:
His last post should be the solution to this thread.

I am confused. I posted my mkinitcpio and grub lines which work 100%, allowing me to enter my passphrase 1 time and decrypt both / and swap. Not sure how my configuration is working yet when you tried it failed on your end. Something must be different. Did you use a keyfile?

Looking again at the post through fresh eyes, I’m forced to agree. :wink:

I do not know why it works for you.
Your configuration (what you posted) is - short of

in /etc/default/grub

exactly what the installer does.

keyfile /crypto_keyfile.bin - mentioned in /etc/crypttab with the two encrypted partitions as well

The HOOKS in /etc/mkinitcpio.conf does contain “openswap” as the installer does it - and this doesn’t work.
After removing it, it does work for me.
as @imre84 said it does for him as well
Counter-intuitive, yes.
But that is what it is - for me and for him.

In short again:

  • what the installer does, doesn’t work.
  • after removing “openswap” - and only this one keyword - it works

maybe I’m going to run some experiments on a VM during the weekend to see if I can have better results

EDIT:

I’ve used this iso:
d1b66b5a8638174ae8c745a1310df6e9991c217cfc76aa5f8dd933aa356acce0 manjaro-xfce-25.0.10-251013-linux612.iso
to install manjaro to a VM
I’ve chosen swap, no hibernation, yet I needed to remove hibernation (as above)
but removing hibernation wasn’t enough, with openswap present it still asks for my password twice
removing the openswap fixed the issue once again
(I’m not sure if hibernating would work without openswap given the fact that hibernation essentially saves your memory to your swap, so I haven’t tried)

EDIT2:

I modified the above VM to do hibernation but no openswap (it asks for the password once), when I hibernated it, for some reason it was aware of the fact that it is supposed to resume from hibernation (surprising, so the fact is stored outside of the swap (as well)?) but wasn’t able to do so. so I guess I was right there’s no point in hibernation if you don’t have openswap

EDIT3:

hibernation works, as long as you can put up with luks password being asked twice (and splash being disabled) and mouse cursor being corrupted after restoring from a hibernation

I absolutely do not want to sound like I am arguing, but I use hibernation, openswap and only enter my password once. I have two partitions, / and swap both encrypted. Not sure what is different on my configuration than yours, except I am Manjaro Plasma. Happy to dig in and provide any information or file settings as needed to help sort this out.
I would love to see an easy and fully functional solution that can be incorporated, or at least have a how to file created.


I’ve tried to follow your setup, I’ve used this iso to install:

8067253b7174aa3b0706ab4849dabf27288c5787cea7838ca037fec5a01fa1c5 manjaro-kde-25.0.10-251013-linux612.iso

```
#this is the default, same as yours:
HOOKS=(base udev autodetect microcode kms modconf block keyboard keymap consolefont plymouth encrypt openswap resume filesystems)
#this needed to be changed
#GRUB_CMDLINE_LINUX_DEFAULT='quiet cryptdevice=UUID=b342fdc8-5324-4104-92c1-2e6defc10857:luks-b342fdc8-5324-4104-92c1-2e6defc10857 root=/dev/mapper/luks-b342fdc8-5324-4104-92c1-2e6defc10857 resume=/dev/mapper/luks-3aba0831-dfd6-44f0-9388-5c49868dbe8e splash udev.log_priority=3'
GRUB_CMDLINE_LINUX_DEFAULT='quiet cryptdevice=UUID=b342fdc8-5324-4104-92c1-2e6defc10857:luks-b342fdc8-5324-4104-92c1-2e6defc10857 root=/dev/mapper/luks-b342fdc8-5324-4104-92c1-2e6defc10857 rootflags=subvol=@ resume=/dev/mapper/luks-3aba0831-dfd6-44f0-9388-5c49868dbe8e udev.log_priority=3'
```

it still asks for my password twice. if you’d like to take a look, I can upload the vbox image to google drive maybe you can spot the mistake I made

suggestion, to prove
or rather: confirm again
the point we both made

edit /etc/mkinitcpio.conf and remove the keyword “openswap”.
```
sudo mkinitcpio -P
sudo update-grub
```

reboot and see the effect, whether there is any …

For me, it does make that difference - I just confirmed again.
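
As an added example (not code from any poster or from the Manjaro project), this read-only check reports the two settings the thread keeps toggling: whether the openswap hook is in HOOKS, and whether resume= on the kernel command line is matched by the resume hook. The function names, finding labels and sample files are constructed for illustration, with UUIDs replaced by ROOT and SWAP placeholders.

```bash
#!/usr/bin/env bash
# Added example: read-only check of the HOOKS / resume= settings discussed here.
# Assumes one active HOOKS=(...) line and one active
# GRUB_CMDLINE_LINUX_DEFAULT='...' line per file, as in the posts above.

# Words of the last uncommented HOOKS=(...) line in a mkinitcpio.conf.
hooks_of() {
  sed -n 's/^[[:space:]]*HOOKS=(\(.*\))[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Value of the last uncommented GRUB_CMDLINE_LINUX_DEFAULT line.
cmdline_of() {
  sed -n "s/^[[:space:]]*GRUB_CMDLINE_LINUX_DEFAULT=[\"']\(.*\)[\"'][[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# has_word WORD LIST...: succeed if WORD equals one of the LIST arguments.
has_word() {
  local want="$1" w; shift
  for w in "$@"; do [ "$w" = "$want" ] && return 0; done
  return 1
}

# classify MKINITCPIO_CONF GRUB_DEFAULT: print one finding label per line.
classify() {
  local hooks cmdline
  hooks=$(hooks_of "$1"); cmdline=$(cmdline_of "$2")
  set -- $hooks                       # split the hook list into words
  has_word encrypt "$@" || has_word sd-encrypt "$@" || echo "no-encrypt-hook"
  has_word openswap "$@" && echo "openswap-hook-present"
  case " $cmdline " in
    *" resume="*) has_word resume "$@" || echo "resume-param-without-hook" ;;
    *)            has_word resume "$@" && echo "resume-hook-without-param" ;;
  esac
  return 0
}

# Constructed sample files modelled on the posts (UUIDs replaced by ROOT/SWAP).
make_samples() {
  local pre='base udev autodetect microcode kms modconf block keyboard keymap consolefont plymouth encrypt'
  local cmd='quiet cryptdevice=UUID=ROOT:luks-ROOT root=/dev/mapper/luks-ROOT'
  printf 'HOOKS=(%s openswap resume filesystems)\n' "$pre" > "$1/installer.conf"
  printf '#HOOKS=(%s openswap resume filesystems)\nHOOKS=(%s filesystems)\n' "$pre" "$pre" > "$1/edited.conf"
  printf "GRUB_CMDLINE_LINUX_DEFAULT='%s resume=/dev/mapper/luks-SWAP udev.log_priority=3'\n" "$cmd" > "$1/installer.grub"
  printf "GRUB_CMDLINE_LINUX_DEFAULT='%s udev.log_priority=3'\n" "$cmd" > "$1/edited.grub"
}

dir=$(mktemp -d) && make_samples "$dir"
for pair in installer:installer edited:edited edited:installer; do
  echo "[$pair] $(classify "$dir/${pair%%:*}.conf" "$dir/${pair##*:}.grub" | tr '\n' ' ')"
done
```

On an installed system the same function can be pointed at the real files with `classify /etc/mkinitcpio.conf /etc/default/grub`, before and after editing, to confirm that the active (uncommented) lines are the ones intended.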