Second LUKS password prompt

Fabian · 17 June 2026 18:02

Since some recent update, I’m getting two prompts for my hard drive password. The first is the usual one, on the screen with the manufacturer’s logo, as expected. Then I see the GRUB menu, then it gets partway through starting the system and asks me again:
Please enter passphrase for disk WD_BLACK … (luks-5f…)::
There’s a photo of this prompt in my other thread: Temperature sensor/fan control not fully working
This used to not happen, one password entry was enough.

Here are some relevant files:

[fabian@nova ~]$ cat /etc/mkinitcpio.conf | grep -v -e ^# -e ^$
MODULES=()
BINARIES=()
FILES=(/crypto_keyfile.bin)
HOOKS=(base systemd keyboard autodetect modconf block sd-vconsole sd-encrypt filesystems fsck)
[fabian@nova ~]$ cat /etc/default/grub | grep -v -e ^# -e ^$
GRUB_DEFAULT=saved
GRUB_TIMEOUT=1
GRUB_DISTRIBUTOR="Manjaro"
GRUB_CMDLINE_LINUX_DEFAULT="rd.luks.name=5f8bee24-4ef7-4133-a91d-725356237ac9=luks-5f8bee24-4ef7-4133-a91d-725356237ac9 luks.key=/crypto_keyfile.bin root=/dev/mapper/luks-5f8bee24-4ef7-4133-a91d-725356237ac9 splash snd-hda-intel.model=clevo-p950"
GRUB_CMDLINE_LINUX=""
GRUB_PRELOAD_MODULES="part_gpt part_msdos"
GRUB_TIMEOUT_STYLE=menu
GRUB_TERMINAL_INPUT=console
GRUB_GFXMODE=auto
GRUB_GFXPAYLOAD_LINUX=keep
GRUB_DISABLE_RECOVERY=true
GRUB_COLOR_NORMAL="light-gray/black"
GRUB_COLOR_HIGHLIGHT="green/black"
GRUB_THEME="/usr/share/grub/themes/manjaro/theme.txt"
GRUB_SAVEDEFAULT=true
GRUB_DISABLE_OS_PROBER=false
GRUB_ENABLE_CRYPTODISK=y

Their current state is the result of a post from last year. It used to work fine with this setup.
There is a file /etc/mkinitcpio.conf.pacnew, but that would empty the FILES parameter and replace the HOOKS entry sd-encrypt with microcode and kms, which seems like a bad idea to just copy, especially since I don’t understand what it means. It also has a different order of hooks, maybe some of that would be useful, but it used to work without that additional prompt with the order that I currently have.
I have also started Linux 6.6, there I have the same issue.
How do I get rid of this second prompt?

Yochanan · 17 June 2026 18:22

The old Busybox init hooks were replaced with the Systemd init hooks. See mkinitcpio - ArchWiki

If you haven’t manually added / removed / modified mkinitcpio.conf yourself, then the defaults for an encrypted root filesystem should be fine along with the optional plymouth hook that is added during a Manjaro install.

##   This will create a systemd based initramfs which loads an encrypted root filesystem.
#    HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)

Aragorn · 17 June 2026 18:31

No, sd-encrypt only replaces encrypt, and should only be used if you use the systemd hook instead of the base and udev hooks. Furthermore, if you use encryption, then you should also switch to the new rd.luks syntax in /etc/default/grub.

Given that this is all pretty incisive — especially for people unfamiliar with the innards of the mkinitcpio procedure to generate the initramfs — it is advised to stay with the old…

HOOKS=( base udev ... encrypt ...

… syntax. The Wiki page posted above by @Yochanan should tell you which hooks you need, and in what order.