I have Artix installed with full disk encryption and the grub-improved-luks2-git bootloader from AUR. I need to add a keyfile so that I only have to enter the password once instead of twice. Here is a list of what I did:
sudo -i
mkdir /root/secrets
dd bs=512 count=4 if=/dev/urandom of=/root/secrets.x230.bin
chmod 000 /root/secrets.x230.bin
# "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" I replaced it with the value for /dev/sda2 from the command "ls -l /dev/disk/by-uuid"
cryptsetup luksAddKey /dev/disk/by-uuid/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx /root/secrets.x230.bin
# I tried using this command instead of the one above "cryptsetup luksAddKey /dev/sda2 /root/secrets.x230.bin"
# Edit /etc/mkinitcpio.conf
FILES=(/root/secrets.x230.bin)
HOOKS=(base udev autodetect modconf kms encrypt keyboard keymap consolefont block lvm2 filesystems fsck)
mkinitcpio -P
reboot
After that I expect to enter the password only once, but I am greeted with a second prompt to enter the disk password. I don't know if it makes sense, but I regenerated the grub file and reinstalled the bootloader by doing:
grub-mkconfig -o /boot/grub/grub.cfg
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub /dev/sda --recheck
But the problem remains. I also tried to unlock the disk with the key (/root/secrets.x230.bin) from the LiveCD and it works.
Tell me, what did I miss?
Oh god, I forgot to specify the key in the grub file...
It would be much more helpful if you posted what you did exactly to fix that instead of being... cryptic (pun intended).
Edited /etc/default/grub and added the path to the key in the GRUB_CMDLINE_LINUX_DEFAULT line, so it looks like this:
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=d3412596-7138-4392-b6d9-2d0d3c433900:luks:allow-discards root=UUID=3eabad26-a765-414c-bd79-fc3bf66f58ac cryptkey=rootfs:/root/secrets/128.bin"
After that, regenerate the config:
grub-mkconfig -o /boot/grub/grub.cfg
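A consistency check for the fix described above, as an added example that is not part of the original thread: it compares the FILES entry in mkinitcpio.conf with the cryptkey= path on the kernel command line, falling back to /crypto_keyfile.bin (the encrypt hook's default keyfile path) when cryptkey= is absent. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: does the keyfile the encrypt hook will look for
# actually get packed into the initramfs by mkinitcpio?

# Print the paths listed in FILES=(...) of a mkinitcpio.conf, one per line.
files_entries() {
    sed -n 's/^[[:space:]]*FILES=(\(.*\)).*/\1/p' "$1" |
        tr -d "\"'" | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Print the initramfs path taken from cryptkey=rootfs:<path> in /etc/default/grub.
# Without cryptkey= the encrypt hook looks for /crypto_keyfile.bin.
cryptkey_path() {
    key=$(sed -n 's/^GRUB_CMDLINE_LINUX\(_DEFAULT\)\{0,1\}=.*cryptkey=rootfs:\([^ "]*\).*/\2/p' "$1" | head -n 1)
    printf '%s\n' "${key:-/crypto_keyfile.bin}"
}

# Report whether both files name the same keyfile. Returns 0 only if they do.
check_keyfile_config() {
    want=$(cryptkey_path "$2")
    if files_entries "$1" | grep -Fxq -- "$want"; then
        echo "ok: $want is listed in FILES"
    else
        echo "mismatch: hook expects $want, FILES has: $(files_entries "$1" | tr '\n' ' ')"
        return 1
    fi
}

# Constructed sample files: the same FILES line checked against a kernel
# command line without and with cryptkey= (UUIDs replaced by placeholders).
demo() {
    d=$(mktemp -d)
    printf 'FILES=(/root/secrets.x230.bin)\n' > "$d/mkinitcpio.conf"
    printf 'GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=<uuid>:luks root=UUID=<uuid>"\n' > "$d/grub.before"
    printf 'GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=<uuid>:luks root=UUID=<uuid> cryptkey=rootfs:/root/secrets.x230.bin"\n' > "$d/grub.after"
    check_keyfile_config "$d/mkinitcpio.conf" "$d/grub.before" || true
    check_keyfile_config "$d/mkinitcpio.conf" "$d/grub.after"
    rm -rf "$d"
}
demo
```

On a real system, call `check_keyfile_config /etc/mkinitcpio.conf /etc/default/grub` before running mkinitcpio and grub-mkconfig. Because the generated initramfs then contains the key, its image files should be readable by root only.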
Hmm... That didn't solve it for me. It still asks for the password twice.
Hello,
I am not sure what exactly you are doing.
If you have an encrypted root and want to decrypt a second partition or volume, then on Artix it looks like the decryption key is not searched from what is in /etc/crypttab. On my side, I had to add the following lines at the end of /etc/conf.d/dmcrypt:
target='[name_of_the_volume]'
source=UUID='[volume_UUID]'
key='[path_to_the_encryption_key]'
If you have an encrypted boot and want to auto-decrypt your root partition or volume after deciphering your boot partition, then it is another procedure which I do not know yet.
Bichon,
what I want is the latter. I already have one partition that does get decrypted automatically after boot, but I haven't been successful setting stuff up so that I don't have to enter root part password twice.