Hello everyone,
My English is not so good, so here is a translation from deepl.
I want to reinstall Manjaro on my notebook with a fully encrypted system. I have followed this guide [root tip] [How To] Do a manual Manjaro installation, but encrypted the drives.
My partitions are:
sda1 - /boot/efi
sda2 - /boot - (LUKS 1) decrypted with password + keyfile
sda3 - swap - (LUKS 2) decrypted with keyfile (openswap.conf)
sda4 - /root - (LUKS 2) decrypted with keyfile (mkinitcipo.conf)
sdb1 - /home - (LUKS 2) decrypted with keyfile
After the installation is complete, the password for /boot is requested after the start. OK.
But then the password for /root (UUID=b338e30f-5c32-4e0c-a8a7-1ca87c6c6ae9) is requested. No matter what you enter here, /root will be mounted.
For testing purposes, I had Calamares create a system with the same partitions and settings. Here /root is also entered in /etc/cryptab. But here, too, the password request comes from /root.
Here are the following files:
lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 30G 0 disk
├─sda1 8:1 0 512M 0 part /boot/efi
├─sda2 8:2 0 1G 0 part
│ └─cryptboot 254:2 0 1022M 0 crypt /boot
├─sda3 8:3 0 6G 0 part
│ └─cryptswap 254:1 0 6G 0 crypt [SWAP]
└─sda4 8:4 0 22,5G 0 part
└─cryptroot 254:0 0 22,5G 0 crypt /
sdb 8:16 0 10G 0 disk
└─sdb1 8:17 0 10G 0 part
└─crypthome 254:3 0 10G 0 crypt /home
sr0 11:0 1 1024M 0 rom
/etc/default/grub
# GRUB boot loader configuration
GRUB_DEFAULT=saved
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Manjaro"
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=b338e30f-5c32-4e0c-a8a7-1ca87c6c6ae9:cryptroot root=/dev/mapper/cryptroot resume=UUID=26427ea3-f7d1-4c3d-80b2-46d14fdbcb5b udev.log_priority=3"
GRUB_CMDLINE_LINUX=""
# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"
# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y
# Set to 'countdown' or 'menu' to change timeout behavior,
# press ESC key to display menu.
GRUB_TIMEOUT_STYLE=hidden
# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console
# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command 'videoinfo'
GRUB_GFXMODE=auto
# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep
# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true
# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true
# Uncomment and set to the desired menu colors. Used by normal and wallpaper
# modes only. Entries specified as foreground/background.
GRUB_COLOR_NORMAL="light-gray/black"
GRUB_COLOR_HIGHLIGHT="green/black"
# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/usr/share/grub/background.png"
GRUB_THEME="/usr/share/grub/themes/manjaro/theme.txt"
# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"
# Uncomment to make GRUB remember the last selection. This requires
# setting 'GRUB_DEFAULT=saved' above.
GRUB_SAVEDEFAULT=true
# Uncomment to disable submenus in boot menu
#GRUB_DISABLE_SUBMENU=y
# Uncomment this option to enable os-prober execution in the grub-mkconfig command
#GRUB_DISABLE_OS_PROBER=false
# Uncomment to ensure that the root filesystem is mounted read-only so that
# systemd-fsck can run the check automatically. We use 'fsck' by default, which
# needs 'rw' as boot parameter, to avoid delay in boot-time. 'fsck' needs to be
# removed from 'mkinitcpio.conf' to make 'systemd-fsck' work.
# See also Arch-Wiki: https://wiki.archlinux.org/index.php/Fsck#Boot_time_checking
#GRUB_ROOT_FS_RO=true
/etc/mkinitcipo.conf
# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run. Advanced users may wish to specify all system modules
# in this array. For instance:
# MODULES=(usbhid xhci_hcd)
MODULES=()
# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image. This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()
# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way. This is useful for config files.
FILES=(/crypto_keyfile.bin)
# HOOKS
# This is the most important setting in this file. The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added. Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
## This setup specifies all modules in the MODULES setting above.
## No RAID, lvm2, or encrypted root is needed.
# HOOKS=(base)
#
## This setup will autodetect all modules for your system and should
## work as a sane default
# HOOKS=(base udev autodetect modconf block filesystems fsck)
#
## This setup will generate a 'full' image which supports most systems.
## No autodetection is done.
# HOOKS=(base udev modconf block filesystems fsck)
#
## This setup assembles a mdadm array with an encrypted root file system.
## Note: See 'mkinitcpio -H mdadm_udev' for more information on RAID devices.
# HOOKS=(base udev modconf keyboard keymap consolefont block mdadm_udev encrypt filesystems fsck)
#
## This setup loads an lvm2 volume group.
# HOOKS=(base udev modconf block lvm2 filesystems fsck)
#
## NOTE: If you have /usr on a separate partition, you MUST include the
# usr and fsck hooks.
HOOKS=(base udev autodetect modconf kms keymap keyboard consolefont block encrypt openswap resume filesystems fsck)
# COMPRESSION
# Use this to compress the initramfs image. By default, gzip compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"
#COMPRESSION="zstd"
# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()
# MODULES_DECOMPRESS
# Decompress kernel modules during initramfs creation.
# Enable to speedup boot process, disable to save RAM
# during early userspace. Switch (yes/no).
#MODULES_DECOMPRESS="yes"
/etc/openswap.conf
## cryptsetup open $swap_device $crypt_swap_name
## get uuid using e.g. lsblk -f
swap_device=/dev/disk/by-uuid/778f8644-74d6-4d27-9147-8c204b72bef0
crypt_swap_name=cryptswap
## one can optionally provide a keyfile device and path on this device
## to the keyfile
keyfile_device=/dev/mapper/cryptroot
keyfile_filename=crypto_keyfile.bin
## additional arguments are given to mount for keyfile_device
## has to start with --options (if so desired)
#keyfile_device_mount_options="--options=subvol=__active/__"
## additional arguments are given to cryptsetup
## --allow-discards options is desired in case swap is on SSD partition
cryptsetup_options="--type luks"
/etc/crypttab
# Configuration for encrypted block devices.
# See crypttab(5) for details.
# NOTE: Do not list your root (/) partition here, it must be set up
# beforehand by the initramfs (/etc/mkinitcpio.conf).
# <name> <device> <password> <options>
cryptboot UUID=ed8a1b36-9f1e-431b-9f8e-fc89a4197eb2 /crypto_keyfile.bin luks
crypthome UUID=38c8aaed-14a9-437e-b9fa-e611828ead49 /crypto_keyfile.bin luks
/etc/fstab
# /dev/mapper/cryptroot
UUID=8bf1cc62-b3fb-430a-ba7a-47421b97c508 / ext4 rw,relatime 0 0
# /dev/mapper/cryptboot
UUID=27d217bf-7fad-48c9-acc6-da433198b35f /boot ext4 rw,relatime 0 0
# /dev/sda1
UUID=98D2-88DD /boot/efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 0
# /dev/mapper/crypthome
UUID=51195a22-15cc-42e7-9a71-7237a9fa81e8 /home ext4 rw,relatime 0 0
# /dev/mapper/cryptswap
UUID=26427ea3-f7d1-4c3d-80b2-46d14fdbcb5b swap swap defaults 0 0
Does anyone have a tip on how I can prevent the password request from /root?