Plymouth password on new installation

I’ve just done a fresh install of Manjaro KDE. I want to use full disk encryption and since this notebook is for an inexperienced user, I want to have a nice looking gui for the password. Unfortunately, all I get is a text prompt. Apparently plymouth will run after I enter the correct password.

Opensuse Tumbleweed behaves like Manjaro. With Fedora Workstation and Linux Mint I get a graphical password dialog. I’ve done a test installation of all these systems in VirtualBox and always get the same behavior. But especially for this user I’d prefer Manjaro.

According to the Plymouth entry in the ArchWiki everything is set up correctly. The notebook has UEFI, no secure boot. This is my first encounter with Plymouth, I don’t need it on my own system. I don’t mind reinstalling Manjaro again, but how should I do it?

Thanks for your help.

To get a graphical password prompt with Plymouth on Manjaro KDE, ensure Plymouth is installed and configured correctly. Use plymouth-set-default-theme -R your-theme to set and apply your theme, then update the initramfs with sudo mkinitcpio -P. Finally, enable Plymouth at boot by adding plymouth to the HOOKS section in /etc/mkinitcpio.conf and regenerating the initramfs.

I’m a bit confused, doesn’t mkinitcpio regenerate the initramfs? If I understand it correctly, plymouth-set-default-theme also regenerate the initramfs?

$ plymouth-set-default-theme
manjaro

I’ve changed the theme for testing. Now I have a different theme, but I still have to enter the password at a text prompt.

$ plymoth-set-default-theme -R glow
==> Building image from preset: /etc/mkinitcpio.d/linux69.preset: 'default'
==> Using default configuration file: '/etc/mkinitcpio.conf'
  -> -k /boot/vmlinuz-6.9-x86_64 -g /boot/initramfs-6.9-x86_64.img
==> Starting build: '6.9.5-1-MANJARO'
  -> Running build hook: [base]
  -> Running build hook: [udev]
  -> Running build hook: [autodetect]
  -> Running build hook: [kms]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
  -> Running build hook: [keyboard]
  -> Running build hook: [keymap]
  -> Running build hook: [consolefont]
==> WARNING: consolefont: no font found in configuration
  -> Running build hook: [plymouth]
  -> Running build hook: [encrypt]
==> WARNING: Possibly missing firmware for module: 'qat_420xx'
  -> Running build hook: [openswap]
  -> Running build hook: [resume]
  -> Running build hook: [filesystems]
==> Generating module dependencies
==> Creating zstd-compressed initcpio image: '/boot/initramfs-6.9-x86_64.img'
  -> Early uncompressed CPIO image generation successful
==> Initcpio image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux69.preset: 'fallback'
==> Using default configuration file: '/etc/mkinitcpio.conf'
  -> -k /boot/vmlinuz-6.9-x86_64 -g /boot/initramfs-6.9-x86_64-fallback.img -S autodetect
==> Starting build: '6.9.5-1-MANJARO'
  -> Running build hook: [base]
  -> Running build hook: [udev]
  -> Running build hook: [kms]
==> WARNING: Possibly missing firmware for module: 'ast'
  -> Running build hook: [modconf]
  -> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: 'aic94xx'
==> WARNING: Possibly missing firmware for module: 'bfa'
==> WARNING: Possibly missing firmware for module: 'qed'
==> WARNING: Possibly missing firmware for module: 'qla1280'
==> WARNING: Possibly missing firmware for module: 'qla2xxx'
==> WARNING: Possibly missing firmware for module: 'wd719x'
==> WARNING: Possibly missing firmware for module: 'xhci_pci'
  -> Running build hook: [keyboard]
  -> Running build hook: [keymap]
  -> Running build hook: [consolefont]
==> WARNING: consolefont: no font found in configuration
  -> Running build hook: [plymouth]
  -> Running build hook: [encrypt]
==> WARNING: Possibly missing firmware for module: 'qat_420xx'
  -> Running build hook: [openswap]
  -> Running build hook: [resume]
  -> Running build hook: [filesystems]
==> Generating module dependencies
==> Creating zstd-compressed initcpio image: '/boot/initramfs-6.9-x86_64-fallback.img'
  -> Early uncompressed CPIO image generation successful
==> Initcpio image generation successful

This is the mkinitcpio.conf right after installation of the system.

$ grep "^[^#]" /etc/mkinitcpio.conf
MODULES=(crc32c)
BINARIES=()
FILES=(/crypto_keyfile.bin)
HOOKS=(base udev autodetect kms modconf block keyboard keymap consolefont plymouth encrypt openswap resume filesystems)

Is he really in need for a Boot Encryption?

I mean for a Laptop it can makes sense, when he is using it outside of his home.

But when a problem occurred, you run into additional steps to fix a problem.
Im not sure if a user, as “you called” inexperienced user want this feature.

I personally recommend a Bios Password instead and use Veracrypt for additional data protection.

The most people who actually using Bootencryption are not aware that the files are unencrypted while the Laptop is running… so the only protection you get is while the Laptop is shutdown and physically stolen.

Are you really implying that full disk encryption is only for advanced users? The encryption itself has never caused me any problems. It’s there, just use it.

First of all, this is a technical question for me. I’ve just learned about Plymouth and I like how it hides all the technical stuff, but you can still access it. So I would like a solution, or at least an explanation if there is no solution.

[…] so the only protection you get is while the Laptop is shutdown and physically stolen.

Well, that’s a pretty good reason. In this case, the person is processing GDPR-relevant data. But it’s all voluntary, so there’s no money for it (in Germany we call that “Ehrenamt”).

I’m the guy who fixes his friends’ computers. Of course, everyone uses Windows, and I don’t usually evangelize for Linux. But I get more and more fully functional computers that are not supported by Windows 11. Now I’m looking for a good solution for them.

Can’t be done.

Let me explain:
with full disk encryption, you rely solely on Grub to get to and open your device, to prompt you for your password, to get to the initrd - which is the earliest time you can deploy plymouth, because plymouth can be included in the initrd via the HOOKS in /etc/mkinitcpio.conf.
Before the password (from Grub) you can’t get to anything.
… which is presumably precisely the point of the exercise …

Best you could do is set a nice or even a matching Grub background - but before Grub has opened/decrypted your device, there is no way to use anything on it - plymouth included.

If you want to put in the work and convert the fully encrypted system to one where /boot is unencrypted
(it’s easily done)
then you could have a plymouth password prompt.