Installed both the KDE and XFCE editions. Both setup with encryption at installation time
Both had an issue
After unlocking the initial screen with my encryption passphrase I get slot 0 opened and manjaro shows that it is starting. However it just sits there with a screen indicating Manjaro with 3 dots blinking in sequence.
After lots of reboots I accidentally discovered that pressing Esc brings a console that wants me to enter a passphrase
Enter passphrase for /dev/disk/by-uuid/f740f83a-0846-4b7b-a06d-3d42bb141750:
No key available with this passphrase.
Enter passphrase for /dev/disk/by-uuid/f740f83a-0846-4b7b-a06d-3d42bb141750:
No key available with this passphrase.
Enter passphrase for /dev/disk/by-uuid/f740f83a-0846-4b7b-a06d-3d42bb141750:
After this it then gives an error but continues to boot normally.
That device is the swap partition.
Resolved eventually by changing unlock_method="password" which is the default to ## unlock_method="password" in /etc/openswap.conf.
The default creates a catch-22 situation where the boot process expects you to enter a password in a prompt hidden by the bootsplash and at the same time it cannot verify the pass phrase since the root partition is not properly unlocked.
For reference here’s my config
/etc/openswap.conf
## cryptsetup open $swap_device $crypt_swap_name
## get uuid using e.g. lsblk -f
swap_device=/dev/disk/by-uuid/f740f83a-0846-4b7b-a06d-3d42bb141750
crypt_swap_name=luks-f740f83a-0846-4b7b-a06d-3d42bb141750
## unlock_method can be either password, keyfile or keyfile_raw
## keyfile will use the keyfile_device and keyfile_filename to unlock the swap
## keyfile_raw will use the keyfile_device and keyfile_block_number to unlock the swap
## password will prompt for the password to unlock the swap
## if unlock_method is not set, then method is keyfile if keyfile_device and keyfile_filename are set
## otherwise it is password
## unlock_method="password"
####### WARNING: There is a risk of data loss when using unlock_method="keyfile"
## You should double-check keyfile_device_mount_options,
## and note that this method is potentially dangerous regardless.
## https://docs.kernel.org/power/swsusp.html
## https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption#busybox-based_initramfs
## keyfile_device is the device that contains the keyfile
## set it to the device that contains the keyfile
## e.g. /dev/mapper/root-device
####### THIS OPTION IS MANDATORY IF unlock_method IS keyfile OR keyfile_raw
keyfile_device=/dev/mapper/luks-310ed4f0-a4f1-4b48-b117-c9166f679cdc
## keyfile_filename is the path to the keyfile on the keyfile_device
## e.g. /etc/swap.key
####### THIS OPTION IS MANDATORY IF unlock_method IS keyfile
keyfile_filename=crypto_keyfile.bin
## keyfile_block_number is the block number of the keyfile on the keyfile_device
## e.g. 12345
## on the ext4 filesystem, you can get the block number using
## debugfs $keyfile_device
## extents $keyfile_filename
## the relevant block number will appear under the Physical column in the output
####### THIS OPTION IS MANDATORY IF unlock_method IS keyfile_raw
#keyfile_block_number=
## key_size is the size of the key in bytes
## e.g., 4096
## This is the size of the keyfile and should match the actual size of the keyfile.
## You can get the size of the keyfile using: wc -c <keyfile_filename>
## The openswap script will fail if the keyfile is fragmented,
## so keyfile_length should not exceed the filesystem block size.
## For ext4 filesystems, keyfile_length should not exceed 4096 bytes,
## and it SHOULD be greater than ~200 bytes to avoid inode inlining.
####### THIS OPTION IS MANDATORY IF unlock_method IS keyfile_raw
#keyfile_length=4096
## additional arguments are given to mount for keyfile_device
## has to start with --options
## it is important to use the correct options for your filesystem
## to prevent any writes to the keyfile device and thus
## minimize the risk of data loss
#keyfile_device_mount_options="--options=subvol=__active/__"
keyfile_device_mount_options=--options=subvol=@
## additional arguments are given to cryptsetup
## --allow-discards options is desired in case swap is on SSD partition
cryptsetup_options="--type luks"
but the good thing with disabling is that one will be now aware there’s a 2nd prompt for passphrase even though it will not accept the correct passphrase but at least will continue with boot up after failing.