Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

2 votes
0 answers
43 views
dm-crypt IOPS amplification
I have a ZFS pool comprising a mirror comprising two partitions encrypted with dm-crypt.
$ zpool list -v data2
NAME                        SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
data2                       3.6T  1.00T   2.6T        -         -     0%    27%  1.00x    ONLINE  -
  mirror-0                  3.6T  1.00T   2.6T        -         -     0%  27.5%      -    ONLINE
    luks-aaaaaaaaaaaaaaaa   3.6T      -      -        -         -      -      -      -    ONLINE
    luks-bbbbbbbbbbbbbbbb   3.6T      -      -        -         -      -      -      -    ONLINE
I've been using iostat to monitor performance while scrubbing and noticed something funny about the IOPS figures:
$ iostat -dxy -N --human sda sdb dm-2 dm-3 10
[...]
Device            r/s     rkB/s   rrqm/s  %rrqm r_await rareq-sz     w/s     wkB/s   wrqm/s  %wrqm w_await wareq-sz     d/s     dkB/s   drqm/s  %drqm d_await dareq-sz     f/s f_await  aqu-sz  %util
dm-2          1862.50    232.5M     0.00   0.0%   11.22   127.8k   11.00    159.2k     0.00   0.0%    1.23    14.5k    0.00      0.0k     0.00   0.0%    0.00     0.0k    0.00    0.00   20.92  99.7%
dm-3          1859.80    232.2M     0.00   0.0%   11.21   127.8k   11.20    159.2k     0.00   0.0%    1.39    14.2k    0.00      0.0k     0.00   0.0%    0.00     0.0k    0.00    0.00   20.86  99.3%
sda            468.10    232.5M  1394.10  74.9%   10.73   508.6k   11.00    159.2k     0.00   0.0%    1.08    14.5k    0.00      0.0k     0.00   0.0%    0.00     0.0k    0.40    8.75    5.04  81.5%
sdb            467.00    232.2M  1392.50  74.9%   10.70   509.1k   11.20    159.2k     0.00   0.0%    1.27    14.2k    0.00      0.0k     0.00   0.0%    0.00     0.0k    0.40   12.25    5.02  81.8%
The rkB/s (data read per second) match between each device mapper device and its underlying disk. This is as expected. But the r/s (reads per second) column looks rather strange... If I understand correctly, I'm getting ~450 IOPS out of each disk. But ~1800 IOPS are recorded for each device mapper device! I'd have thought that reading a single disk block from the device mapper device would correspond to reading a single block from the underlying device...

Here's a graph of the IOPS over time. Orange/Blue lines are the disks, Yellow/Green lines are the dm-crypt devices.

[Graph: Read IOPS]

Another interesting thing is that the operations rate on one disk is dropping during the scrub, but not the other. Maybe that's fine, I don't know whether the layout of data on a device in a mirror vdev is literally mirrored or whether each device can have data laid out differently. But the other weird thing is that the IOPS of both device mapper devices are identical, rather than one being some multiple of one disk, and the other the same multiple of the other...

My only idea is that this is something to do with differing physical sector sizes of the disks (4096), logical sizes (512) and the ZFS pool's ashift parameter (which I set to 12 to match the physical sector size of the disks). But 1800 is ~4× 470, not 8×, so I don't see the direct relation between the two figures...
Sam Morris (1355 rep)
Apr 17, 2025, 09:32 AM • Last activity: Apr 17, 2025, 11:03 AM
1 votes
0 answers
113 views
LUKS: Use TPM to make password hash function resistant to parallellized cracking
In order to do that, I think it's possible to make the password hash dependent on the TPM: that way, an attacker would need to invoke the TPM for every password hash, limiting the speed of password cracking to the speed of the TPM (alternatively, an attacker could attack the TPM itself and try to dump those keys, but let's assume this is not feasible; if it is possible, the password itself is still a protection). This setup seems theoretically possible, but I'm wondering if it is already implemented in **LUKS/GRUB/...** today or if I would need to program it myself. If it is already implemented, please explain how to set up such a system, preferably on **Arch Linux**.
redfast00 (417 rep)
May 2, 2023, 02:27 PM • Last activity: Mar 19, 2025, 03:15 PM
35 votes
5 answers
22372 views
How can I set a label on a dm-crypt+LUKS container?
I just received a new USB flash drive, and set up 2 encrypted partitions on it. I used dm-crypt (LUKS mode) through cryptsetup. With an additional non-encrypted partition, the drive has the following structure:

- /dev/sdb1, encrypted, hiding an ext4 filesystem labelled "Partition 1".
- /dev/sdb2, encrypted, hiding another ext4 filesystem, labelled "Partition 2".
- /dev/sdb3, clear, visible ext4 filesystem labelled "Partition 3".

Because the labels are attached to the ext4 filesystems, the first two remain completely invisible as long as the partitions haven't been decrypted. This means that, in the meantime, the LUKS containers have no labels. This is particularly annoying when using GNOME (automount), in which case the partitions appear as "*x GB Encrypted*" and "*y GB Encrypted*" until I decide to unlock them.

This isn't really a blocking problem, but it's quite annoying, since I really like my labels and would love to see them appear even when my partitions are still encrypted. Therefore, is there a way to attach labels to dm-crypt+LUKS containers, just like we attach labels to ext4 filesystems? Does the dm-crypt+LUKS header have some room for that, and if so, how can I set a label?

*Note that I don't want to expose my ext4 labels before decryption, that would be silly. I'd like to add other labels to the containers, which could appear while the ext4 labels are hidden.*
John WH Smith (16408 rep)
Sep 17, 2015, 02:24 PM • Last activity: Mar 17, 2025, 11:18 AM
0 votes
1 answers
47 views
Does dm-crypt waste device space?
That is, when a device-mapping is created manually with the `dm-crypt` target, is the resulting device smaller than the backing device? What is the missing space used for? Will the answer change depending on which crypto mode/algorithm is used?
melonfsck - she her (150 rep)
Nov 14, 2024, 05:50 PM • Last activity: Nov 14, 2024, 07:30 PM
0 votes
1 answers
89 views
Passing an unlocked LUKS partition context from GRUB to Linux?
### Question

In GRUB one can use the [cryptomount](https://www.gnu.org/software/grub/manual/grub/grub.html#cryptomount) command to mount a LUKS partition. Is there a way to pass this decrypted partition to Linux such that it appears as a device mapper (/dev/mapper/xxx) entry without having to run [cryptsetup luksOpen](https://man7.org/linux/man-pages/man8/cryptsetup-open.8.html)? If it's not possible with GRUB, are there other bootloaders that support this?

### Notes

Some distributions support [cryptdevice/cryptkey](https://wiki.archlinux.org/title/Dm-crypt/System_configuration#Using_encrypt_hook) parameters, however this [doesn't appear to be a standard Linux kernel parameter](https://www.kernel.org/doc/html/latest/search.html?q=cryptdevice) (and isn't supported by the distribution I use). There is also the [dm-mod.create](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-init.html) kernel parameter, but it appears that it only supports a cleartext passphrase (viewable from /proc/cmdline) or a Linux keyring entry. Both of these methods would need to decrypt the partition again in order for Linux to mount it though, right? Or else why would they need the key?
Daniel (701 rep)
Nov 6, 2024, 03:51 AM • Last activity: Nov 6, 2024, 05:43 AM
3 votes
1 answers
1562 views
When do TPM slots fail to unlock partitions and how to correctly update them?
I recently installed Ubuntu on an old SSD, as I wanted to test out some software on a different OS. After installing Ubuntu (using debootstrap, arch-chroot and apt), my EFI's NVRAM boot order got messed up, and the TPM2 will not now automatically unlock my Arch root and swap partitions. I am prompted to enter a recovery key or password.

So, I know I need to update the PCR registers in the TPM. But I have a couple of questions:

- How should I replace the entries in the old TPM2 PCR slots, instead of adding new ones?
- Can someone explain why the TPM chip now fails to unlock my partitions, and what I should try and avoid doing again in future?

My primary OS is Arch Linux, set up following a couple of articles:

- [LUKS on a partition with TPM2 and Secure Boot](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LUKS_on_a_partition_with_TPM2_and_Secure_Boot)
- [Installing Archlinux with LUKS, SecureBoot, TPM](https://jpetazzo.github.io/2024/02/23/archlinux-luks-tpm-secureboot-install/)

systemd-boot is used as bootloader. Two dm-crypt partitions are unlocked with the TPM at boot:

- root
- swap (allows for suspend and resume).

After installing Ubuntu, both the root and swap volumes would not unlock with the TPM.

----

# How to invalidate the TPM PCR Registers #

One thing I realised that I'd done incorrectly was to install Ubuntu (into /media/ubuntu) before mounting /efi onto /media/ubuntu/boot/efi. So, after first installing Ubuntu with debootstrap, I then ran:

- mount --bind /efi /media/ubuntu/boot/efi
- arch-chroot /media/ubuntu
- apt install grub-efi-amd64 (This removes grub-pc)
- grub-install

So, I now have one /efi partition, an encrypted /boot partition for Arch Linux, and the Ubuntu partition has a /boot folder. (There's a Windows bootloader too, so yeah, it's a mess...) grub's os-probe doesn't detect my Arch Linux install, so I had to get back in by pressing F11 at early boot and selecting Linux Boot Manager.

At this point, systemd asks me to enter the unlock password or recovery key for my root partition. (I have both currently, so getting in isn't an issue, unless and until I reboot remotely.)

# My setup #

_I've put down quite a lengthy list of diagnostic commands, which should be pretty helpful for anyone diagnosing something similar in future (me included, no doubt!)_

**Update:** The TPM was enrolled to unlock the encrypted partition on PCR 7, like so:
# Install the TPM tools
pacman -S tpm2-tools

# Check the name of the kernel module for our TPM
systemd-cryptenroll --tpm2-device=list

# Generate a recovery key (not mandatory but strongly recommended)
systemd-cryptenroll --recovery-key /dev/gpt-auto-root-luks

# Generate a key in the TPM2 and add it to a key slot in the LUKS device
systemd-cryptenroll --tpm2-device=auto /dev/gpt-auto-root-luks --tpm2-pcrs=7

# This is the command to use later, to remove the (insecure) initial password
#systemd-cryptenroll /dev/gpt-auto-root-luks --wipe-slot=password
My partition tables are quite busy:
$ lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sdb           8:16   0 238.5G  0 disk  
├─sdb1        8:17   0   128G  0 part  /media/ubuntu
├─sdb2        8:18   0   110G  0 part  
└─sdb3        8:19   0   527M  0 part  
nvme0n1     259:0    0 931.5G  0 disk  
├─nvme0n1p1 259:1    0   100M  0 part  
├─nvme0n1p2 259:2    0    16M  0 part  
├─nvme0n1p3 259:3    0 165.4G  0 part  
├─nvme0n1p4 259:4    0   507M  0 part  
├─nvme0n1p5 259:5    0     1G  0 part  
├─nvme0n1p6 259:6    0    32G  0 part  
│ └─swap    254:1    0    32G  0 crypt [SWAP]
├─nvme0n1p7 259:7    0   227G  0 part  
│ └─root    254:0    0   227G  0 crypt /
└─nvme0n1p8 259:8    0 505.5G  0 part  
  └─data    254:3    0 505.5G  0 crypt /var/lib/docker
                                       /media/data

$ sudo fdisk -l /dev/nvme0n1 /dev/sdb
Disk /dev/nvme0n1: 931.51 GiB, 1000204886016 bytes, 1953525168 sectors
Disk model: Samsung SSD 980 PRO 1TB                 
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt

Device             Start        End    Sectors   Size Type
/dev/nvme0n1p1      2048     206847     204800   100M EFI System (/efi)
/dev/nvme0n1p2    206848     239615      32768    16M Microsoft reserved
/dev/nvme0n1p3    239616  347119443  346879828 165.4G Microsoft basic data (Win 10)
/dev/nvme0n1p4 347119616  348157951    1038336   507M Windows recovery environment
/dev/nvme0n1p5 348157952  350255103    2097152     1G Linux extended boot (/boot)
/dev/nvme0n1p6 350255104  417363967   67108864    32G Linux swap
/dev/nvme0n1p7 417363968  893417471  476053504   227G Linux root (x86-64) (/)
/dev/nvme0n1p8 893417472 1953523711 1060106240 505.5G Linux filesystem (/media/data)

Disk /dev/sdb: 238.47 GiB, 256060514304 bytes, 500118192 sectors
Disk model: M4-CT256M4SSD2  
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos

Device     Boot     Start       End   Sectors  Size Id Type
/dev/sdb1            2048 268437503 268435456  128G 83 Linux (/media/ubuntu)
/dev/sdb2  *    268437504 499035680 230598177  110G  7 HPFS/NTFS/exFAT
/dev/sdb3       499036160 500115455   1079296  527M 27 Hidden NTFS WinRE
Secure Boot is installed, but not enabled:
$ sbctl status
Installed:	✓ sbctl is installed
Owner GUID:	1fd4cb4a-55ff-42f6-8dbb-285bfedf56de
Setup Mode:	✓ Disabled
Secure Boot:	✗ Disabled
Vendor Keys:	microsoft
My boot logs showing kernel command line and TPM related entries (showing it's loaded early):
$ sudo journalctl -k --grep='Command line|tpm|TPM'
Aug 30 06:10:03 archlinux kernel: Command line: initcall_blacklist=acpi_cpufreq_init amd_pstate=passive nvidia_drm.modeset=1 nvidia_drm.fbdev=1 ip=:::::eth0:dhcp
Aug 30 06:10:03 archlinux kernel: efi: ACPI=0xbd440000 ACPI 2.0=0xbd440014 TPMFinalLog=0xbd40a000 SMBIOS=0xbde22000 SMBIOS 3.0=0xbde21000 MEMATTR=0xb7f14018 ESRT=0xb7f14898 RNG=0xbcd38f18 INITRD=0xb6d12f18 TPMEvent>
Aug 30 06:10:03 archlinux kernel: ACPI: TPM2 0x00000000BCD50000 00004C (v04 ALASKA A M I    00000001 AMI  00000000)
Aug 30 06:10:03 archlinux kernel: ACPI: Reserving TPM2 table memory at [mem 0xbcd50000-0xbcd5004b]
Aug 30 06:10:03 archlinux kernel: tpm_crb MSFT0101:00: Disabling hwrng
Aug 30 06:10:03 archlinux systemd: systemd 256.5-1-arch running in system mode (+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +K>
Aug 30 06:10:03 archlinux systemd: Starting TPM PCR Barrier (initrd)...
Aug 30 06:13:19 ryzenbeast systemd: systemd 256.5-1-arch running in system mode (+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +>
Aug 30 06:13:19 ryzenbeast systemd: Expecting device /dev/tpm0...
Aug 30 06:13:19 ryzenbeast systemd: Listening on TPM PCR Measurements.
Aug 30 06:13:19 ryzenbeast systemd: Listening on Make TPM PCR Policy.
Aug 30 06:13:19 ryzenbeast systemd: Starting TPM PCR Machine ID Measurement...
Aug 30 06:13:19 ryzenbeast systemd: Starting Early TPM SRK Setup...
Kernel Modules and Hooks:
# mkinitcpio.conf
MODULES=(nvidia nvidia_modeset nvidia_uvm nvidia_drm)
HOOKS=(base systemd autodetect microcode modconf keyboard keymap consolefont sd-vconsole block sd-tinyssh encryptssh sd-encrypt filesystems resume fsck)
LUKS header key slots:
$ sudo systemd-cryptenroll /dev/disk/by-partlabel/archlinux
SLOT TYPE    
   0 password
   1 recovery
   2 tpm2
$ sudo systemd-cryptenroll /dev/disk/by-partlabel/swap
SLOT TYPE    
   0 password
   1 tpm2
Signed files:
$ sbctl verify
Verifying file database and EFI images in /efi...
✓ /boot/EFI/Linux/arch-linux-fallback.efi is signed
✓ /boot/EFI/Linux/arch-linux.efi is signed
✗ /efi/EFI/Boot/bootx64.efi is not signed (this became signed after running bootctl install)
✓ /efi/EFI/systemd/systemd-bootx64.efi is signed
✓ /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed is signed
✗ /efi/EFI/GRUB/grubx64.efi is not signed
✗ /efi/EFI/Manjaro/grubx64.efi is not signed
✗ /efi/EFI/Microsoft/Boot/Resources/bootres.dll is not signed
✗ /efi/EFI/Microsoft/Boot/Resources/en-US/bootres.dll.mui is not signed
✗ /efi/EFI/Microsoft/Boot/bg-BG/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/bg-BG/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/bootmgfw.efi is not signed
✗ /efi/EFI/Microsoft/Boot/bootmgr.efi is not signed
✗ /efi/EFI/Microsoft/Boot/cs-CZ/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/cs-CZ/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/cs-CZ/memtest.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/da-DK/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/da-DK/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/da-DK/memtest.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/de-DE/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/de-DE/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/de-DE/memtest.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/el-GR/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/el-GR/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/el-GR/memtest.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/en-GB/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/en-GB/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/en-US/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/en-US/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/en-US/memtest.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/es-ES/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/es-ES/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/es-ES/memtest.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/es-MX/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/es-MX/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/et-EE/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/et-EE/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/fi-FI/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/fi-FI/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/fi-FI/memtest.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/fr-CA/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/fr-CA/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/fr-FR/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/fr-FR/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/fr-FR/memtest.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/hr-HR/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/hr-HR/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/hu-HU/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/hu-HU/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/hu-HU/memtest.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/it-IT/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/it-IT/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/it-IT/memtest.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/ja-JP/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/ja-JP/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/ja-JP/memtest.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/kd_02_10df.dll is not signed
✗ /efi/EFI/Microsoft/Boot/kd_02_10ec.dll is not signed
✗ /efi/EFI/Microsoft/Boot/kd_02_1137.dll is not signed
✗ /efi/EFI/Microsoft/Boot/kd_02_14e4.dll is not signed
✗ /efi/EFI/Microsoft/Boot/kd_02_15b3.dll is not signed
✗ /efi/EFI/Microsoft/Boot/kd_02_1969.dll is not signed
✗ /efi/EFI/Microsoft/Boot/kd_02_19a2.dll is not signed
✗ /efi/EFI/Microsoft/Boot/kd_02_1af4.dll is not signed
✗ /efi/EFI/Microsoft/Boot/kd_02_8086.dll is not signed
✗ /efi/EFI/Microsoft/Boot/kd_07_1415.dll is not signed
✗ /efi/EFI/Microsoft/Boot/kd_0C_8086.dll is not signed
✗ /efi/EFI/Microsoft/Boot/kdnet_uart16550.dll is not signed
✗ /efi/EFI/Microsoft/Boot/kdstub.dll is not signed
✗ /efi/EFI/Microsoft/Boot/ko-KR/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/ko-KR/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/ko-KR/memtest.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/lt-LT/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/lt-LT/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/lv-LV/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/lv-LV/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/memtest.efi is not signed
✗ /efi/EFI/Microsoft/Boot/nb-NO/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/nb-NO/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/nb-NO/memtest.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/nl-NL/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/nl-NL/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/nl-NL/memtest.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/pl-PL/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/pl-PL/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/pl-PL/memtest.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/pt-BR/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/pt-BR/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/pt-BR/memtest.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/pt-PT/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/pt-PT/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/pt-PT/memtest.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/qps-ploc/memtest.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/ro-RO/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/ro-RO/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/ru-RU/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/ru-RU/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/ru-RU/memtest.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/sk-SK/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/sk-SK/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/sl-SI/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/sl-SI/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/sr-Latn-RS/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/sr-Latn-RS/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/sv-SE/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/sv-SE/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/sv-SE/memtest.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/tr-TR/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/tr-TR/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/tr-TR/memtest.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/uk-UA/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/uk-UA/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/zh-CN/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/zh-CN/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/zh-CN/memtest.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/zh-TW/bootmgfw.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/zh-TW/bootmgr.efi.mui is not signed
✗ /efi/EFI/Microsoft/Boot/zh-TW/memtest.efi.mui is not signed
✗ /efi/EFI/ubuntu/grubx64.efi is not signed
Systemd measurements:
$ sudo /usr/lib/systemd/systemd-measure status
# PCR kernel-boot
11:sha1=
11:sha256=
# PCR kernel-config (NOT SET!)
12:sha1=0000000000000000000000000000000000000000
12:sha256=0000000000000000000000000000000000000000000000000000000000000000
# PCR sysexts (NOT SET!)
13:sha1=0000000000000000000000000000000000000000
13:sha256=0000000000000000000000000000000000000000000000000000000000000000
$ sudo /usr/lib/systemd/systemd-measure calculate --current --bank=sha1 --bank=sha256
# PCR Phase 
11:sha1=
11:sha256=
# PCR Phase 
11:sha1=
11:sha256=
# PCR Phase 
11:sha1=
11:sha256=
# PCR Phase 
11:sha1=
11:sha256=
Test opening the root partition with TPM:
$ sudo cryptsetup open --test-passphrase /dev/nvme0n1p7
Failed to unseal secret using TPM2: Operation not permitted
Enter passphrase for /dev/nvme0n1p7:
Current PCR slots:
$ systemd-analyze pcrs
NR NAME                SHA256                                                          
 0 platform-code       
 1 platform-config     
 2 external-code       
 3 external-config     
 4 boot-loader-code    
 5 boot-loader-config  
 6 host-platform       
 7 secure-boot-policy  
 8 -                   0000000000000000000000000000000000000000000000000000000000000000
 9 kernel-initrd       
10 ima                 0000000000000000000000000000000000000000000000000000000000000000
11 kernel-boot         
12 kernel-config       0000000000000000000000000000000000000000000000000000000000000000
13 sysexts             0000000000000000000000000000000000000000000000000000000000000000
14 shim-policy         0000000000000000000000000000000000000000000000000000000000000000
15 system-identity     
16 debug               0000000000000000000000000000000000000000000000000000000000000000
17 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
18 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
19 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
20 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
21 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
22 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
23 application-support 0000000000000000000000000000000000000000000000000000000000000000
# Adding a new TPM entry #

I know I can add a new TPM entry and delete the old one with the following command:
# Enroll TPM (again).
$ sudo systemd-cryptenroll --tpm2-device=auto /dev/nvme0n1p7
🔐 Please enter current passphrase for disk /dev/nvme0n1p7:
New TPM2 token enrolled as key slot 3.

# List LUKS unlock slots on my root partition.
$ sudo systemd-cryptenroll /dev/nvme0n1p7 
SLOT TYPE    
   0 password
   1 recovery
   2 tpm2
   3 tpm2

# Wipe the old tpm2 entry
$ sudo systemd-cryptenroll /dev/nvme0n1p7 --wipe-slot=2
Wiped slot 2.

# Test I can open it
$ sudo cryptsetup open --test-passphrase /dev/nvme0n1p7
$
# Update: System Journal Entries #

I checked journalctl -u systemd-cryptsetup@root to see if I can hunt down some more info before and after the first failed boot. On a successful boot:
Aug 27 09:46:02 archlinux systemd: Starting Cryptography Setup for root...
Aug 27 09:46:02 archlinux systemd-cryptsetup: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/gpt-auto-root-luks.
Aug 27 09:46:02 archlinux systemd-cryptsetup: Automatically discovered security TPM2 token unlocks volume.
Aug 27 09:46:04 archlinux systemd-cryptsetup: Successfully extended PCR index 15 with 'cryptsetup:root:' and volume key (banks sha1, sha256).
Aug 27 09:46:04 archlinux systemd: Finished Cryptography Setup for root.
On the next, failed boot:
Aug 28 08:09:52 archlinux systemd: Starting Cryptography Setup for root...
Aug 28 08:09:52 archlinux systemd-cryptsetup: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/gpt-auto-root-luks.
Aug 28 08:09:52 archlinux systemd-cryptsetup: Automatically discovered security TPM2 token unlocks volume.
Aug 28 08:09:53 archlinux systemd-cryptsetup: Failed to unseal secret using TPM2: Operation not permitted
Aug 28 08:09:53 archlinux systemd-cryptsetup: No valid TPM2 token data found.
Aug 28 08:09:53 archlinux systemd-cryptsetup: No TPM2 metadata matching the current system state found in LUKS2 header, falling back to traditional unlocking.
Aug 28 08:10:21 archlinux systemd-cryptsetup: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/gpt-auto-root-luks.
Aug 28 08:10:24 archlinux systemd-cryptsetup: Failed to activate with specified passphrase. (Passphrase incorrect?)
Aug 28 08:10:30 archlinux systemd-cryptsetup: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/gpt-auto-root-luks.
Aug 28 08:10:33 archlinux systemd-cryptsetup: Successfully extended PCR index 15 with 'cryptsetup:root:' and volume key (banks sha1, sha256).
Aug 28 08:10:33 archlinux systemd: Finished Cryptography Setup for root.
Seeing mention of PCR15 here, explained in man systemd-cryptenroll as:

> systemd-cryptsetup(8) optionally measures the volume key of activated LUKS volumes into this PCR. systemd-pcrmachine.service(8) measures the machine-id(5) into this PCR. systemd-pcrfs@.service(8) measures mount points, file system UUIDs, labels, partition UUIDs of the root and /var/ filesystems into this PCR.

It would appear that these measurements would have changed by (re-)formatting a partition and would be enough to corrupt this PCR register...

# Overhanging Questions #

Now I've looked into fixing this and effectively have done, I have questions!

- What caused the TPM slot value to become incorrect?
- If I update Ubuntu's kernel or initrd, will it happen again?
- How to prevent this from happening again?
- I see systemd introduced a [pcrlock tool](https://www.freedesktop.org/software/systemd/man/latest/systemd-pcrlock.html) in [November 2023](https://github.com/systemd/systemd/pull/28891), but (I think) it is still experimental and I don't fully understand it, nor do I know if it would help. Would it?
- **Update:** How should I update PCR 15 after formatting a partition?
Alex Leach (8140 rep)
Aug 30, 2024, 08:51 AM • Last activity: Sep 3, 2024, 09:25 AM
1 votes
1 answers
116 views
How to create a dm-crypt block device in /dev/mapper without wiping it?
I can create a dm-crypt filesystem with:
root@smarcimx8mq4g:~# cat /data/caam/randomkey | keyctl padd logon logkey: @s
731358804

root@smarcimx8mq4g:~# dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/mmcblk1p3) crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 /dev/mmcblk1p3 0 1 sector_size:512"
(I'm using the imx8's CAAM's implementation of tk(cbc(aes)).) Unfortunately this wipes (or loses the ability to decode) the data in /dev/mmcblk1p3. I can use /dev/mapper/encrypted, but only once I've run mkfs.ext4 and mounted it. I've also tried:
root@smarcimx8mq4g:~# dmsetup -v load encrypted --table "0 $(blockdev --getsz /dev/mmcblk1p3) crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 /dev/mmcblk1p3 0 1 sector_size:512"
device-mapper: reload ioctl on encrypted  failed: No such device or address
Command failed.
(I expect that nothing other than "create" will create the /dev/mapper/encrypted node.) How do I use dm-crypt to get access to the original data?
fadedbee (1113 rep)
Apr 3, 2024, 04:01 PM • Last activity: Apr 5, 2024, 12:06 PM
1 votes
1 answers
980 views
Massive disk corruption on Ubuntu 15.10 with dm-crypt + LUKS full disk encryption?
I suspect there's a bug in Ubuntu's default whole disk encryption setup.

**Here's what happens, repeatably:**

1. I make a fresh install, Ubuntu 15.10 with whole disk encryption, overwriting the whole disk
2. It boots and seems to work just fine
3. A few reboots later, programs start crashing. "Ubuntu has experienced an internal error", Firefox will crash immediately on startup, etc.
4. Finally, after an additional reboot or two, it will boot to busybox. Running fsck finds and fixes tons of errors.
5. Go to step 2

Not cool.

**Conclusions so far:**

- **I'm quite sure it's not disk failure.** I reproduced this from scratch with two different drives. In both cases, the SMART data looks healthy, and running self tests through gnome-disks comes up clean.

Beyond that... I have no idea.

**Details:**

- System76 Galago Ultrapro
- 64-bit desktop Ubuntu 15.10
- Kernel 4.2.0-18-generic
- Default Ubuntu whole-disk encryption setup: ext2 boot partition, dm-crypt+LUKS+ext4 main partition.
- I ran into this first with a 256GB Samsung 840 EVO, then reproduced it on a 512GB Samsung 830. I got the same problems in both cases: works fine for a while, but becomes unusable after a few reboots.

Installing Ubuntu without disk encryption works. Has this happened to anyone else? I've checked the syslog and couldn't find anything incriminating. **Does anyone know how I could figure out what's going on here?**
dcposch (13 rep)
Dec 8, 2015, 02:05 AM • Last activity: Mar 7, 2024, 11:16 AM
4 votes
2 answers
2920 views
Disable read/write workqueue for Ubuntu Full-Disk-Encryption
I am currently trying to set up multiple devices with Ubuntu (20.04.5 LTS) and the drive must be encrypted, so I used LUKS during the installation. (I checked "Use LVM with the new Ubuntu installation" + "Encrypt the new Ubuntu installation for Security" in the process) However, the encrypted drive is much slower (as expected), but I read this article about the possibility to speed up dm-crypt I/O operations, using two flags and (last paragraph). FYI: I am using a NVMe SSD. The patch has been merged into the Linux Kernel 5.9 and onwards, I have 5.14, so it should be available for me. How can I enable this by default? I have already changed the /etc/crypttab file by adding the flags:

-etc UUID=123abcdef-etc none luks,discard,no-write-workqueue,no-read-workqueue

That hasn't changed the speed at all. I tried to set the default flags:

--perf-no_read_workqueue --perf-no_write_workqueue --persistent refresh root

then I will get an error:

--perf-no_read_workqueue: unknown option

Furthermore the flags are not shown when I use luksDump /dev/sdaX | grep Flags -> (This shows "none") or table -> (This shows ) FYI: I used this Wikipage for infos: https://wiki.archlinux.org/title/Dm-crypt/Specialties
Pascal Diu (41 rep)
Nov 8, 2022, 12:38 PM • Last activity: May 6, 2023, 09:04 PM
1 votes
1 answers
2134 views
Error running LUKS reencryption without formatting
I am unable to run luks reencryption. I have data on /dev/sdc1 and would like to encrypt it without the need to format. I am trying to utilize the luks2 online encryption feature.

mathew@plug:/mnt $ sudo cryptsetup reencrypt --new --reduce-device-size 16M /dev/sdc1
Usage: cryptsetup [-?vyrq] [-?|--help] [--usage] [--version] [-v|--verbose] [--debug] [--debug-json] [-c|--cipher=STRING] [-h|--hash=STRING] [-y|--verify-passphrase] [-d|--key-file=STRING] [--master-key-file=STRING] [--dump-master-key] [-s|--key-size=BITS] [-l|--keyfile-size=bytes] [--keyfile-offset=bytes] [--new-keyfile-size=bytes] [--new-keyfile-offset=bytes] [-S|--key-slot=INT] [-b|--size=SECTORS] [-o|--offset=SECTORS] [-p|--skip=SECTORS] [-r|--readonly] [-q|--batch-mode] [-t|--timeout=secs] [--progress-frequency=secs] [-T|--tries=INT] [--align-payload=SECTORS] [--header-backup-file=STRING] [--use-random] [--use-urandom] [--shared] [--uuid=STRING] [--allow-discards] [--header=STRING] [--test-passphrase] [--tcrypt-hidden] [--tcrypt-system] [--tcrypt-backup] [--veracrypt] [--veracrypt-pim=INT] [--veracrypt-query-pim] [-M|--type=STRING] [--force-password] [--perf-same_cpu_crypt] [--perf-submit_from_crypt_cpus] [--deferred] [-i|--iter-time=msecs] [--pbkdf=STRING] [--pbkdf-memory=kilobytes] [--pbkdf-parallel=threads] [--pbkdf-force-iterations=LONG] [--priority=STRING] [--disable-locks] [--disable-keyring] [-I|--integrity=STRING] [--integrity-no-journal] [--integrity-no-wipe] [--token-only] [--token-id=INT] [--key-description=STRING] [--sector-size=INT] [--persistent] [--label=STRING] [--subsystem=STRING] [--unbound] [--json-file=STRING] [--luks2-metadata-size=bytes] [--luks2-keyslots-size=bytes] [--refresh] [--keyslot-key-size=BITS] [--keyslot-cipher=STRING] [OPTION...]
--new: unknown option

As specified in this document - https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Cryptsetup_usage I also tried, but still get error:

mathew@plug:/mnt $ sudo cryptsetup reencrypt --encrypt --reduce-device-size 16M /dev/sdc1
Usage: cryptsetup [-?vyrq] [-?|--help] [--usage] [--version] [-v|--verbose] [--debug] [--debug-json] [-c|--cipher=STRING] [-h|--hash=STRING] [-y|--verify-passphrase] [-d|--key-file=STRING] [--master-key-file=STRING] [--dump-master-key] [-s|--key-size=BITS] [-l|--keyfile-size=bytes] [--keyfile-offset=bytes] [--new-keyfile-size=bytes] [--new-keyfile-offset=bytes] [-S|--key-slot=INT] [-b|--size=SECTORS] [-o|--offset=SECTORS] [-p|--skip=SECTORS] [-r|--readonly] [-q|--batch-mode] [-t|--timeout=secs] [--progress-frequency=secs] [-T|--tries=INT] [--align-payload=SECTORS] [--header-backup-file=STRING] [--use-random] [--use-urandom] [--shared] [--uuid=STRING] [--allow-discards] [--header=STRING] [--test-passphrase] [--tcrypt-hidden] [--tcrypt-system] [--tcrypt-backup] [--veracrypt] [--veracrypt-pim=INT] [--veracrypt-query-pim] [-M|--type=STRING] [--force-password] [--perf-same_cpu_crypt] [--perf-submit_from_crypt_cpus] [--deferred] [-i|--iter-time=msecs] [--pbkdf=STRING] [--pbkdf-memory=kilobytes] [--pbkdf-parallel=threads] [--pbkdf-force-iterations=LONG] [--priority=STRING] [--disable-locks] [--disable-keyring] [-I|--integrity=STRING] [--integrity-no-journal] [--integrity-no-wipe] [--token-only] [--token-id=INT] [--key-description=STRING] [--sector-size=INT] [--persistent] [--label=STRING] [--subsystem=STRING] [--unbound] [--json-file=STRING] [--luks2-metadata-size=bytes] [--luks2-keyslots-size=bytes] [--refresh] [--keyslot-key-size=BITS] [--keyslot-cipher=STRING] [OPTION...]
--encrypt: unknown option

I referred to the manpage here - https://man.cx/cryptsetup(8) and as per them my above command should have worked! My version is 2.1.0 and I don't see any upgrade when trying -get install or -get upgrade. I am confused and stuck :(
Mathew Paret (93 rep)
May 18, 2020, 02:32 PM • Last activity: May 3, 2023, 11:35 AM
4 votes
2 answers
342 views
How to refresh decoy data on a plausible deniability dm-crypt scheme?
I just read this discussion between Linus Torvalds and (among others) Milan Broz, one of dm-crypt's maintainers. I am intrigued by the following part of the discussion:

> Linus Torvalds: I thought the people who used hidden ("deniable") things didn't actually ever *use* the outer filesystem at all, exactly so that they can just put the real encrypted thing in there and nor worry about it.
>
> Milan Broz: Well, they actually should "use" outer from time to time so the data looks "recent" and for the whole "hidden OS" they should be even able to boot to outer decoy OS on request, just to show that something working is there.

In theory, I agree with Milan's statement: using the decoy data is a good thing to do to increase credibility. But how do you achieve that in practice? E.g., how can you write to the outer volume without risking overwriting the inner volume? I have been using hidden LUKS volumes for years now, combining detachable headers and data offset. Usually I start by creating a small LUKS-encrypted outer volume (let's say 20 GB), I format it with EXT4, I fill it with decoy data, then I increase this outer volume's size (to for example 500 GB), and I create the inner volume with an offset of 25GB for example. And after that I do what Linus said: I religiously avoid touching the outer volume's decoy data, out of fear of damaging the inner volume's data. Is there a way to refresh the outer volume's data, without risking damaging the inner volume's data? E.g., is there a tool to write specifically on the first 20 Gigs of the outer volume, making sure not to mess with the following 480 gigs? I am using both HDDs and SSDs, so the question applies to both.
ChennyStar (1969 rep)
Mar 21, 2023, 01:42 PM • Last activity: Mar 24, 2023, 10:18 PM
1 votes
1 answers
712 views
cryptsetup cannot initialize crypto backend from initramfs
I'm on an embedded Linux device and trying to open an encrypted squashfs for my rootfs. The image is created on the host (build agent) and from there I'm able to open and work with the content, so I know the image is correct. From the embedded Linux's initramfs when I try to open the image I get the error:
root# cryptsetup open ./rootfs.sqfs.img rootfs

# cryptsetup 2.5.0 processing "/usr/sbin/cryptsetup --debug open ./rootfs.sqfs.img rootfs"
# Verifying parameters for command open.
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device ./rootfs.sqfs.img.
# Trying to open and read device ./rootfs.sqfs.img with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device ./rootfs.sqfs.img.
Cannot initialize crypto backend.
Device ./rootfs.sqfs.img is not a valid LUKS device.
# Releasing crypt device ./rootfs.sqfs.img context.
# Releasing device-mapper backend.
# Unlocking memory.
Some searching online makes it sound like this error is caused by a missing kernel module, but I have all modules that have been listed. I have the following CRYPTO modules enabled:
CONFIG_CRYPTO_SHA1_ARM=y
CONFIG_CRYPTO_SHA256_ARM=y
CONFIG_CRYPTO_SHA512_ARM=y
CONFIG_CRYPTO_AES_ARM=y
CONFIG_CRYPTO_ALGAPI=y
CONFIG_CRYPTO_ALGAPI2=y
CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_AEAD2=y
CONFIG_CRYPTO_BLKCIPHER=y
CONFIG_CRYPTO_BLKCIPHER2=y
CONFIG_CRYPTO_HASH=y
CONFIG_CRYPTO_HASH2=y
CONFIG_CRYPTO_RNG=y
CONFIG_CRYPTO_RNG2=y
CONFIG_CRYPTO_RNG_DEFAULT=y
CONFIG_CRYPTO_AKCIPHER2=y
CONFIG_CRYPTO_AKCIPHER=y
CONFIG_CRYPTO_KPP2=y
CONFIG_CRYPTO_KPP=y
CONFIG_CRYPTO_ACOMP2=y
CONFIG_CRYPTO_RSA=y
CONFIG_CRYPTO_ECDH=y
CONFIG_CRYPTO_MANAGER=y
CONFIG_CRYPTO_MANAGER2=y
CONFIG_CRYPTO_USER=y
CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_NULL2=y
CONFIG_CRYPTO_WORKQUEUE=y
CONFIG_CRYPTO_CRYPTD=y
CONFIG_CRYPTO_AUTHENC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_SEQIV=y
CONFIG_CRYPTO_ECHAINIV=y
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CTR=y
CONFIG_CRYPTO_CTS=y
CONFIG_CRYPTO_ECB=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_KEYWRAP=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_CRC32C=y
CONFIG_CRYPTO_GHASH=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_RMD128=y
CONFIG_CRYPTO_RMD160=y
CONFIG_CRYPTO_RMD256=y
CONFIG_CRYPTO_RMD320=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_ARC4=y
CONFIG_CRYPTO_DES=y
CONFIG_CRYPTO_DEFLATE=y
CONFIG_CRYPTO_LZO=y
CONFIG_CRYPTO_ZSTD=y
CONFIG_CRYPTO_ANSI_CPRNG=y
CONFIG_CRYPTO_DRBG_MENU=y
CONFIG_CRYPTO_DRBG_CTR=y
CONFIG_CRYPTO_DRBG=y
CONFIG_CRYPTO_JITTERENTROPY=y
CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_CRYPTO_USER_API_SKCIPHER=y
CONFIG_CRYPTO_USER_API_RNG=y
CONFIG_CRYPTO_USER_API_AEAD=y
CONFIG_CRYPTO_HASH_INFO=y
CONFIG_CRYPTO_HW=y
CONFIG_CRYPTO_DEV_ATMEL_AES=y
CONFIG_CRYPTO_DEV_ATMEL_TDES=y
I also have device mapper support (dm_crypt) in my kernel. All options are built into the kernel, so the issue is not from a module not being loaded. On the embedded Linux system cryptsetup version 2.5.0 is installed. The host has version 2.2.2 installed. The embedded Linux is running kernel 4.19.231. What else am I missing for having cryptsetup able to map this to /dev/mapper/rootfs?

EDIT: I thought I was using the kernel backend, but I'm not sure how to check on the embedded Linux system. Running on the host it appears to use OpenSSL (see below); my initramfs does not include OpenSSL, so if it's trying to use OpenSSL rather than the kernel, that may be my problem.
# cryptsetup 2.2.2 processing "cryptsetup --debug open rootfs.sqfs.img rootfs"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device rootfs.sqfs.img.
# Trying to open and read device rootfs.sqfs.img with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device rootfs.sqfs.img.
# Crypto backend (OpenSSL 1.1.1f  31 Mar 2020) initialized in cryptsetup library version 2.2.2.
# Detected kernel Linux 5.15.0-58-generic x86_64.
# Loading LUKS2 header (repair disabled).
# Acquiring read lock for device rootfs.sqfs.img.
# Verifying lock handle for rootfs.sqfs.img.
# Device rootfs.sqfs.img READ lock taken.
# Trying to read primary LUKS2 header at offset 0x0.
# Opening locked device rootfs.sqfs.img
# Veryfing locked device handle (regular file)
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:a69c54af714a6d46ac5a514399ebe367012a233d742d2f2913a7b5979ae70441 (on-disk)
# Checksum:a69c54af714a6d46ac5a514399ebe367012a233d742d2f2913a7b5979ae70441 (in-memory)
# Trying to read secondary LUKS2 header at offset 0x4000.
# Reusing open ro fd on device rootfs.sqfs.img
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:d1a6fae45d92dd47f5a99e11e6d157bc6ba0140fc2bd62ebc1fb9dad0414f0ff (on-disk)
# Checksum:d1a6fae45d92dd47f5a99e11e6d157bc6ba0140fc2bd62ebc1fb9dad0414f0ff (in-memory)
# Device size 68157440, offset 16777216.
# Device rootfs.sqfs.img READ lock released.
# PBKDF argon2i, time_ms 2000 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
# Activating volume rootfs using token -1.
# Interactive passphrase entry requested.
Enter passphrase for rootfs.sqfs.img: 
# Activating volume rootfs [keyslot -1] using passphrase.
# dm version   [ opencount flush ]    (*1)
# dm versions   [ opencount flush ]    (*1)
# Detected dm-ioctl version 4.45.0.
# Detected dm-crypt version 1.23.0.
# Device-mapper backend running with UDEV support enabled.
# dm status rootfs  [ opencount noflush ]    (*1)
# Keyslot 0 priority 1 != 2 (required), skipped.
# Trying to open LUKS2 keyslot 0.
# Reading keyslot area [0x8000].
# Acquiring read lock for device rootfs.sqfs.img.
# Verifying lock handle for rootfs.sqfs.img.
# Device rootfs.sqfs.img READ lock taken.
# Reusing open ro fd on device rootfs.sqfs.img
# Device rootfs.sqfs.img READ lock released.
# Verifying key from keyslot 0, digest 0.
# Loading key (64 bytes, type logon) in thread keyring.
# dm versions   [ opencount flush ]    (*1)
# dm status rootfs  [ opencount noflush ]    (*1)
# Allocating a free loop device.
# Trying to open and read device /dev/loop27 with direct-io.
# Calculated device size is 100352 sectors (RW), offset 32768.
# DM-UUID is CRYPT-LUKS2-606147e882c040c3ae6c7a346a4f5b43-rootfs
# Udev cookie 0xd4da08f (semid 32788) created
# Udev cookie 0xd4da08f (semid 32788) incremented to 1
# Udev cookie 0xd4da08f (semid 32788) incremented to 2
# Udev cookie 0xd4da08f (semid 32788) assigned to CREATE task(0) with flags DISABLE_LIBRARY_FALLBACK         (0x20)
# dm create rootfs CRYPT-LUKS2-606147e882c040c3ae6c7a346a4f5b43-rootfs [ opencount flush ]    (*1)
# dm reload rootfs  [ opencount flush securedata ]    (*1)
# dm resume rootfs  [ opencount flush securedata ]    (*1)
# rootfs: Stacking NODE_ADD (253,2) 0:6 0660 [trust_udev]
# rootfs: Stacking NODE_READ_AHEAD 256 (flags=1)
# Udev cookie 0xd4da08f (semid 32788) decremented to 1
# Udev cookie 0xd4da08f (semid 32788) waiting for zero
# Udev cookie 0xd4da08f (semid 32788) destroyed
# rootfs: Skipping NODE_ADD (253,2) 0:6 0660 [trust_udev]
# rootfs: Processing NODE_READ_AHEAD 256 (flags=1)
# rootfs (253:2): read ahead is 256
# rootfs: retaining kernel read ahead of 256 (requested 256)
Key slot 0 unlocked.
# Releasing crypt device rootfs.sqfs.img context.
# Releasing device-mapper backend.
# Closing read only fd for rootfs.sqfs.img.
# Closed loop /dev/loop27 (rootfs.sqfs.img).
# Unlocking memory.
Command successful.
**[SOLVED]** My issue was caused by the fact I was using a musl-libc and lvm2 required glibc. After switching to glibc cryptsetup was able to load the proper backend.
dangeroushobo (707 rep)
Feb 16, 2023, 02:07 PM • Last activity: Feb 16, 2023, 08:33 PM
4 votes
1 answers
930 views
custom prompt for system encryption password entry on startup
I have full disk encryption on my Arch Linux laptop. When I power on the machine it prompts me for my disk password. My system is encrypted by following the LVM on LUKS archwiki page. The prompt says something like "a password is required for the cryptlvm volume". I would like to change this to feature some information about the system like the owner and an address to return it to if lost. So far I have just tried to look at the Arch wiki and search to see if anyone else had asked anything similar, but I cannot seem to find anything.
Oxyn (81 rep)
Jan 29, 2023, 06:55 PM • Last activity: Feb 12, 2023, 02:36 PM
2 votes
1 answers
1227 views
How can I change the name of an unencrypted LUKS partition mounted as the root filesystem?
When I installed Linux, the block-device-path of my root LUKS device was /dev/md125 and the unencrypted partition was /dev/mapper/md125_crypt. I have since renamed the MD device to /dev/md0, and now I'd like to rename the LUKS partition to /dev/mapper/md0_crypt. Here's what I've done so far:

1. Replaced all references (in the various *tabs) of md125_crypt
2. Updated my initramfs
3. Updated grub2

However, when I reboot, my system doesn't make it to the point of asking for my decryption password; it says something about being "unable to find the root partition". I've also tried adding a symlink (/dev/mapper/md125_crypt -> ./md0_crypt) but it doesn't seem to persist after a reboot. **How can I rename my unencrypted LUKS partition such that I can successfully boot after doing so?**
ATLief (328 rep)
Feb 5, 2020, 10:19 PM • Last activity: Feb 4, 2023, 03:41 PM
0 votes
1 answers
216 views
How to implement "cryptsetup isLuks" function using cryptsetup library APIs
In shell script:

$ cryptsetup isLuks /dev/sda1

The above command returns:

- 0 -> for a luks partition (encrypted partition)
- 1 -> for non-luks partitions (non encrypted partition).

I have implemented disk encryption using library APIs in a CPP program. How can I check whether a partition is a luks partition or not using cryptsetup APIs?
Arulananth Subramaniam (35 rep)
Jan 19, 2023, 04:04 PM • Last activity: Jan 19, 2023, 05:35 PM
6 votes
1 answers
6505 views
LUKS passphrase doesn't work
One day, when I turned on the computer, my passphrase for home partition /dev/sda7 didn't work (I am 147% absolutely sure that I was typing the right pass)! After three tries, I rebooted the computer via force shutdown and tried to enter the same pass. That didn't work. Then instead of the default boot "Boot arch" I chose "Boot arch with Linux linux". And it helped me. I was working all day and afterwards turned off the computer. But at the next boot, this trick didn't help me. Even choosing "Boot arch with Linux linux (initramfs fallback)" (I have only 3 boot choices). Then I decided to boot from an Ubuntu LiveUSB. sudo cryptsetup luksOpen /dev/sda7 home says: No key available with this passphrase. I have tried to execute sudo cryptsetup --verbose repair /dev/sda7, which said No known problems detected for LUKS header. I have compiled and executed the official cryptsetup tool https://gitlab.com/cryptsetup/cryptsetup/tree/master/misc/keyslot_checker for checking keyslots. It said the same information about keyslots that luksDump says.

$ sudo cryptsetup
LUKS header information for /dev/sda7

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      fc 18 49 fe 3a 4e d4 11 b9 6f 0c c7 1d 54 0a 8d 44 01 86 36
MK salt:        5e 59 c8 fc f2 a9 10 b9 bf 7c 68 4b e4 a5 8e 00
                5a f9 c7 66 f9 5b 02 ff e7 59 e4 fd 43 f2 dc b5
MK iterations:  249500
UUID:           cc2f71c3-f0d9-4642-bf59-87bff4f60b54

Key Slot 0: ENABLED
        Iterations:             1996099
        Salt:                   3e 60 e7 14 02 95 89 c0 c2 bf 8d 61 bb 99 13 aa
                                9d 9a c4 7d d4 41 78 ee 76 b0 48 b4 ed b0 ff a8
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

All of that looks like everything is ok. Like the header and the whole partition were not damaged. I have no idea why the passphrase doesn't fit.

All I can say is that I am fully upgrading my system (via sudo pacman -Syyu) every day. And probably one day an upgrade somehow caused these consequences.
Constantor (213 rep)
Aug 3, 2017, 10:20 PM • Last activity: Dec 29, 2022, 02:46 AM
4 votes
2 answers
14304 views
Serious backup options for linux disk (dmcrypt, luks, ext4, ext3, btrfs) normal and encrypted system
**Disk/Partition Backup**

What are the backup options and good practice to make a solid and easy to use full system backup? With the following requirements:

- Live backup
- Image backup
- Encrypted backup
- Incremental backups
- Mount/access the backup disk/files easily
- Full system backup, restorable in one shot
- Can be scheduled automatically (with cron or else)
- Encrypted or classic backup source (luks, dm-crypt, ext3/ext4/btrfs).
intika (15066 rep)
Feb 26, 2020, 11:07 AM • Last activity: Dec 13, 2022, 03:38 PM
0 votes
1 answers
213 views
pmount cannot mount removable encrypted usb disk
I am creating a mapper file /dev/mapper/luks-672dcc74-d002-47dc-b61b-525baf91dc7c on boot in /etc/crypttab like this:

luks-672dcc74-d002-47dc-b61b-525baf91dc7c UUID=672dcc74-d002-47dc-b61b-525baf91dc7c /home/user1/keyfile_sandisk120gb luks,keyscript=/bin/cat

Output of lsblk is this:

sdd                                             8:48   1 114,6G  0 disk
└─luks-672dcc74-d002-47dc-b61b-525baf91dc7c   253:2    0 114,6G  0 crypt

Then when I run my backup script I use pmount like this:

pmount /dev/mapper/luks-672dcc74-d002-47dc-b61b-525baf91dc7c

But I get:

Error: device /dev/dm-2 is not removable

This normally mounts the ext4 partition to /media/disk_by-partlabel_sandisk120gb. When the disk (removable USB flash drive) was not encrypted everything worked fine. But now pmount does not understand that the encrypted disk is on a pen drive. Maybe I need to add an option to crypttab? I want to use pmount and not mount because pmount does not require root. I am on debian bullseye.
zomega (1012 rep)
Nov 28, 2022, 11:21 AM • Last activity: Nov 28, 2022, 01:19 PM
1 votes
0 answers
119 views
Luks2 does not accept unlock password after fixing efi boot
I have 2 USB drives of different brands and capacities encrypted with LUKS2 using Kali's disk tool. After correcting a problem with the boot and correcting the path I was able to access the disks, but afterwards they simply do not accept the password. I performed a test with another disk and it works normally. Would some change in the sectors be the cause?!
WD-1TB-LUKS2: /dev/sdd (/dev/sdd1)

LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           afa33689-994f-4bfb-b68a-95166bedab82
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  11
        Memory:     1048576
        Threads:    4
        Salt:       96 09 fc 6e aa 98 0c 72 26 2f ba ec cb e0 c7 e8 
                    ac a5 eb 85 b7 6b a9 e0 b6 3c e0 04 a8 76 f7 3c 
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 319298
        Salt:       4e a7 01 b3 da 77 af 03 a6 e1 2f ea a4 aa 89 92 
                    bd c2 bc bc 92 32 63 6c eb fc 80 58 02 42 94 4b 
        Digest:     f7 4c 33 2b 1b 23 de 36 36 2d d5 e8 57 8d 6e 09 
                    fa 0b 50 88 ed e3 9a d6 76 5f 90 42 e4 48 ea 10
Second Disk
HDD-LUKS2-500GB
LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           20f8e19c-a37d-4049-91d4-571e14a02efa
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  7
        Memory:     1048576
        Threads:    4
        Salt:       9f 98 26 e8 5f 2d d2 78 f8 ac 87 d1 a9 40 05 56 
                    d7 4b b3 35 e0 2f 84 bf 7e 48 5b 69 14 ff 1a db 
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 320861
        Salt:       13 4c f8 91 c9 25 cb b9 ef b4 2b 25 36 a8 d7 d8 
                    90 c1 36 0e 2c cf 51 04 b1 3c e1 54 04 1c 42 35 
        Digest:     d8 a0 c5 d8 7b 09 a9 a3 d4 07 af 09 da 41 2e e3 
                    6e c5 d2 e0 33 95 fc 12 d0 21 98 58 5c 5a 12 0b
Only working disk with Luks2:
HDD-32GB0-WD

LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           5948fcd5-e99d-4c53-991b-459b60cce38f
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 4096 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  10
        Memory:     1048576
        Threads:    4
        Salt:       ed ad 79 93 45 58 0f 41 93 75 1f 1b a5 85 48 43 
                    3b db 27 73 95 ed de 6c 79 46 48 12 c7 60 96 48 
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 302706
        Salt:       62 80 da cb 32 b6 1d 71 3c 36 e3 7c 91 35 2c 4b 
                    a1 34 25 27 33 a1 dc 24 bf b4 f7 47 08 d2 20 3c 
        Digest:     e0 e1 03 bb 4a 04 5e 93 32 5d 91 c2 b3 db 01 f1 
                    ee 48 f5 76 70 c9 63 33 65 40 19 fb d3 71 68 55
Disk info...
Crypttab output
$ cat /etc/crypttab
#

$ sudo blkid -t TYPE=crypto_LUKS -o device
/dev/sdd1
/dev/sdc1

lsblk output

sdc                   8:32   0 465,8G  0 disk 
└─sdc1                8:33   0 465,8G  0 part 
sdd                   8:48   0 931,5G  0 disk 
└─sdd1                8:49   0 931,5G  0 part

More info and test :

$sudo fdisk -l                              
Disk /dev/sdc: 465,76 GiB, 500107862016 bytes, 976773168 sectors
Disk model: Touro Mobile 3.0
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: dos
Disk identifier: 0x5dc1c757

Device     Boot Start       End   Sectors   Size Id Type
/dev/sdc1        2048 976773119 976771072 465,8G e8 unknown


Disk /dev/sdd: 931,51 GiB, 1000204885504 bytes, 1953525167 sectors
Disk model: Expansion       
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: dos
Disk identifier: 0x1c5a16fb

Device     Boot Start        End    Sectors   Size Id Type
/dev/sdd1        2048 1953523711 1953521664 931,5G e8 unknown
                                

$ sudo blockdev --getsize64 /dev/sdc1
500106788864

$ sudo blockdev --getsize64 /dev/sdd1
1000203091968

sudo parted /dev/sdc unit s print free
Model: HGST Touro Mobile 3.0 (scsi)
Disk /dev/sdc: 976773168s
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags: 

Number  Start       End         Size        Type     File system  Flags
        2s          2047s       2046s                Free Space
 1      2048s       976773119s  976771072s  primary
        976773120s  976773167s  48s                  Free Space

        
        
$ sudo parted /dev/sdd unit s print free
Model: Seagate Expansion (scsi)
Disk /dev/sdd: 1953525167s
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags: 

Number  Start        End          Size         Type     File system  Flags
        2s           2047s        2046s                 Free Space
 1      2048s        1953523711s  1953521664s  primary
        1953523712s  1953525166s  1455s                 Free Space
        
        
        
sudo cryptsetup --debug --verbose luksOpen /dev/sdc1 Device  
[sudo] password for rocket: 
# cryptsetup 2.5.0 processing "cryptsetup --debug --verbose luksOpen /dev/sdc1 Device"
# Verifying parameters for command open.
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/sdc1.
# Trying to open and read device /dev/sdc1 with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device /dev/sdc1.
# Crypto backend (OpenSSL 3.0.7 1 Nov 2022 [default][legacy]) initialized in cryptsetup library version 2.5.0.
# Detected kernel Linux 5.16.0-kali3-amd64 x86_64.
# Loading LUKS2 header (repair disabled).
# Acquiring read lock for device /dev/sdc1.
# Opening lock resource file /run/cryptsetup/L_8:33
# Verifying lock handle for /dev/sdc1.
# Device /dev/sdc1 READ lock taken.
# Trying to read primary LUKS2 header at offset 0x0.
# Opening locked device /dev/sdc1
# Verifying locked device handle (bdev)
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:684ff912851560ae94bd6d4af4ec447040f62dae3f7596e2aed9f7a05fe74e82 (on-disk)
# Checksum:684ff912851560ae94bd6d4af4ec447040f62dae3f7596e2aed9f7a05fe74e82 (in-memory)
# Trying to read secondary LUKS2 header at offset 0x4000.
# Reusing open ro fd on device /dev/sdc1
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:00a1dd76822bd4f47afda8191840b95a1d2f8448419f4f7d89ade082bbd08e31 (on-disk)
# Checksum:00a1dd76822bd4f47afda8191840b95a1d2f8448419f4f7d89ade082bbd08e31 (in-memory)
# Device size 500106788864, offset 16777216.
# Device /dev/sdc1 READ lock released.
# PBKDF argon2id, time_ms 2000 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
# Activating volume Device using token (any type) -1.
# dm version   [ opencount flush ]    (*1)
# dm versions   [ opencount flush ]    (*1)
# Detected dm-ioctl version 4.45.0.
# Device-mapper backend running with UDEV support enabled.
# dm status Device  [ opencount noflush ]    (*1)
No usable token is available.
# Interactive passphrase entry requested
It returns "incorrect password". I have used this information and more; I read https://unix.stackexchange.com/a/248553 , https://superuser.com/questions/1740773/unsure-if-i-encrypted-external-hdd-correctly-with-luks , https://bbs.archlinux.org/viewtopic.php?id=280531 and others...
Thiago Ferreira (11 rep)
Nov 22, 2022, 09:22 PM
1 votes
0 answers
1119 views
How to mount / recover my encrypted logical volumes?
**I have put some EDIT at the END of the first reply.** Unfortunately I ran into some problems with my old LVM installation where Debian 10 was running. I have installed Debian 11 alongside Debian 10. While doing so it looks like my Debian 10 LVM became corrupted (I was not able to boot from it anymore) and I don't know how to mount it now.

Debian 10 was installed using the installer. It was installed encrypted and inside an LVM that was stretched across two drives. While booting initramfs I had to enter my password to decrypt the LVM.

**My goal is to save some data from the NVMe drive (where Debian 10 and the LVM were stored) to the newly attached SATA drive where my new Debian 11 installation is running.**

**My main question is: how do I mount a logical volume (etc & home) from the NVMe?**

I have read several suggestions but this gets me more and more confused, and I do not want to make any more mistakes on the data drives before things get worse. A really simple solution seems to be https://superuser.com/questions/116617/how-to-mount-an-lvm-volume but I don't know if I can make use of it here now and whether it could damage the underlying volumes / volume groups somehow. Another hint, from https://unix.stackexchange.com/questions/154630/can-you-recover-lvm-metadata-without-access-to-etc-lvm , was to use `sudo strings /dev/nvme0n1p6 | less` but the output was not helpful. It only showed that the LVM was LUKS encrypted:
LABELONE
LVM2 001s1TKbLcSK8egOQIexp0yoIYg8jHSpbwC
 LVM2 x[5A%r0N*>
sha256
Jz?73404056-2fb5-4d7f-b1eb-8cff2273a211
{"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha512"},"area":{"type":"raw","offset":"32768","size":"258048","encryption":"aes-xts-plain64","key_size":64},"kdf":{"type":"argon2i","time":9,"memory":1048576,"cpus":4,"salt":
OUTPUT Truncated
If you need any further information please let me know in the comments. Thank you for helping me.
pvscan 
  WARNING: Couldn't find device with uuid ovqLHE-HeCP-MabL-UYaZ-zKGk-dSeM-G0HP0I.
  WARNING: Couldn't find device with uuid RxI6g8-Fp87-j7O4-N055-arL3-0l1E-CIIvo2.
  WARNING: VG lvm-crypt is missing PV ovqLHE-HeCP-MabL-UYaZ-zKGk-dSeM-G0HP0I (last written to /dev/mapper/nvme0n1p8_crypt).
  WARNING: VG lvm-crypt is missing PV RxI6g8-Fp87-j7O4-N055-arL3-0l1E-CIIvo2 (last written to /dev/mapper/nvme0n1p6_crypt).
  PV [unknown]                VG lvm-crypt       lvm2 [86,50 GiB / 0    free]
  PV [unknown]                VG lvm-crypt       lvm2 [400,60 GiB / 0    free]
  PV /dev/mapper/sda1-crypt   VG lvm-crypt       lvm2 [931,49 GiB / <397,07 GiB free]
  PV /dev/nvme0n1p6                              lvm2 [400,62 GiB]
  PV /dev/nvme0n1p9                              lvm2 [<86,52 GiB]
  Total: 5 [1,86 TiB] / in use: 3 [<1,39 TiB] / in no VG: 2 [<487,14 GiB]
pvdisplay 
  WARNING: Couldn't find device with uuid ovqLHE-HeCP-MabL-UYaZ-zKGk-dSeM-G0HP0I.
  WARNING: Couldn't find device with uuid RxI6g8-Fp87-j7O4-N055-arL3-0l1E-CIIvo2.
  WARNING: VG lvm-crypt is missing PV ovqLHE-HeCP-MabL-UYaZ-zKGk-dSeM-G0HP0I (last written to /dev/mapper/nvme0n1p8_crypt).
  WARNING: VG lvm-crypt is missing PV RxI6g8-Fp87-j7O4-N055-arL3-0l1E-CIIvo2 (last written to /dev/mapper/nvme0n1p6_crypt).
  --- Physical volume ---
  PV Name               [unknown]
  VG Name               lvm-crypt
  PV Size               86,50 GiB / not usable 2,00 MiB
  Allocatable           yes (but full)
  PE Size               4,00 MiB
  Total PE              22144
  Free PE               0
  Allocated PE          22144
  PV UUID               ovqLHE-HeCP-MabL-UYaZ-zKGk-dSeM-G0HP0I
   
  --- Physical volume ---
  PV Name               [unknown]
  VG Name               lvm-crypt
  PV Size               <400,61 GiB / not usable 4,00 MiB
  Allocatable           yes (but full)
  PE Size               4,00 MiB
  Total PE              102554
  Free PE               0
  Allocated PE          102554
  PV UUID               RxI6g8-Fp87-j7O4-N055-arL3-0l1E-CIIvo2
   
  --- Physical volume ---
  PV Name               /dev/mapper/sda1-crypt
  VG Name               lvm-crypt
  PV Size               <931,50 GiB / not usable 4,00 MiB
  Allocatable           yes 
  PE Size               4,00 MiB
  Total PE              238462
  Free PE               101649
  Allocated PE          136813
  PV UUID               s4UhPf-B5u1-d73L-DKcy-FR93-KvMa-kNrQJ6
   
  "/dev/nvme0n1p6" is a new physical volume of "400,62 GiB"
  --- NEW Physical volume ---
  PV Name               /dev/nvme0n1p6
  VG Name               
  PV Size               400,62 GiB
  Allocatable           NO
  PE Size               0   
  Total PE              0
  Free PE               0
  Allocated PE          0
  PV UUID               s1TKbL-cSK8-egOQ-Iexp-0yoI-Yg8j-HSpbwC
   
  "/dev/nvme0n1p9" is a new physical volume of "<86,52 GiB"
  --- NEW Physical volume ---
  PV Name               /dev/nvme0n1p9
  VG Name               
  PV Size               <86,52 GiB
  Allocatable           NO
  PE Size               0   
  Total PE              0
  Free PE               0
  Allocated PE          0
  PV UUID               8Lk9H1-Tveo-JCko-nfgd-EDrL-KJVq-cA01lR
lvmdiskscan 
  /dev/nvme0n1                                          [     931,51 GiB] 
  /dev/mapper/sdd5-crypt                                [    <840,49 GiB] 
  /dev/nvme0n1p1                                        [     450,00 MiB] 
  /dev/sda1                                             [     931,51 GiB] 
  /dev/mapper/sdd6-crypt                                [     498,03 GiB] 
  /dev/nvme0n1p2                                        [     100,00 MiB] 
  /dev/mapper/sdc1-crypt                                [    <447,11 GiB] 
  /dev/nvme0n1p3                                        [      16,00 MiB] 
  /dev/mapper/sda1-crypt                                [    <931,50 GiB] LVM physical volume
  /dev/nvme0n1p4                                        [     <54,17 GiB] 
  /dev/mapper/luks-cb25c253-2141-40b5-83ae-a2c1c0980496 [    <465,75 GiB] 
  /dev/nvme0n1p5                                        [    <206,72 GiB] 
  /dev/nvme0n1p6                                        [     400,62 GiB] LVM physical volume
  /dev/nvme0n1p7                                        [     500,00 MiB] 
  /dev/nvme0n1p8                                        [       1,86 GiB] 
  /dev/nvme0n1p9                                        [     <86,52 GiB] LVM physical volume
  /dev/nvme0n1p10                                       [      86,91 GiB] 
  /dev/nvme0n1p11                                       [     532,00 MiB] 
  /dev/nvme1n1                                          [    <953,87 GiB] 
  /dev/nvme1n1p1                                        [     856,21 GiB] 
  /dev/sdb                                              [      12,73 TiB] 
  /dev/sdc1                                             [     447,12 GiB] 
  /dev/sdd1                                             [     487,00 MiB] 
  /dev/sdd2                                             [     488,00 MiB] 
  /dev/sdd3                                             [     122,00 MiB] 
  /dev/sdd4                                             [     931,32 GiB] 
  /dev/sdd5                                             [     840,50 GiB] 
  /dev/sdd6                                             [    <498,05 GiB] 
  /dev/sde1                                             [     465,76 GiB] 
  4 disks
  22 partitions
  1 LVM physical volume whole disk
  2 LVM physical volumes
lvdisplay 
  WARNING: Couldn't find device with uuid ovqLHE-HeCP-MabL-UYaZ-zKGk-dSeM-G0HP0I.
  WARNING: Couldn't find device with uuid RxI6g8-Fp87-j7O4-N055-arL3-0l1E-CIIvo2.
  WARNING: VG lvm-crypt is missing PV ovqLHE-HeCP-MabL-UYaZ-zKGk-dSeM-G0HP0I (last written to /dev/mapper/nvme0n1p8_crypt).
  WARNING: VG lvm-crypt is missing PV RxI6g8-Fp87-j7O4-N055-arL3-0l1E-CIIvo2 (last written to /dev/mapper/nvme0n1p6_crypt).
  --- Logical volume ---
  LV Path                /dev/lvm-crypt/wurzel
  LV Name                wurzel
  VG Name                lvm-crypt
  LV UUID                sYo29d-sbzF-w6Bm-0E3W-LxNK-fr9i-jDnqOu
  LV Write Access        read/write
  LV Creation host, time r7deb, 2020-09-10 11:33:51 +0200
  LV Status              NOT available
  LV Size                30,73 GiB
  Current LE             7867
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
   
  --- Logical volume ---
  LV Path                /dev/lvm-crypt/home
  LV Name                home
  VG Name                lvm-crypt
  LV UUID                WdZkeA-uAQX-ryhu-11Xb-1Qp9-v3ld-FVIoej
  LV Write Access        read/write
  LV Creation host, time r7deb, 2020-09-10 11:33:58 +0200
  LV Status              NOT available
  LV Size                195,31 GiB
  Current LE             50000
  Segments               4
  Allocation             inherit
  Read ahead sectors     auto
   
  --- Logical volume ---
  LV Path                /dev/lvm-crypt/var
  LV Name                var
  VG Name                lvm-crypt
  LV UUID                TQav8N-UWZB-6ST1-JMBa-dnCp-A79j-9SdPDD
  LV Write Access        read/write
  LV Creation host, time r7deb, 2020-09-10 11:34:07 +0200
  LV Status              NOT available
  LV Size                18,62 GiB
  Current LE             4768
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
   
  --- Logical volume ---
  LV Path                /dev/lvm-crypt/temp
  LV Name                temp
  VG Name                lvm-crypt
  LV UUID                YBsh1S-1QJI-yIc1-071S-Mqgr-QCoV-7ktV0g
  LV Write Access        read/write
  LV Creation host, time r7deb, 2020-09-10 11:34:16 +0200
  LV Status              NOT available
  LV Size                <1,86 GiB
  Current LE             476
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
   
  --- Logical volume ---
  LV Path                /dev/lvm-crypt/vms
  LV Name                vms
  VG Name                lvm-crypt
  LV UUID                MYuXdV-QuC8-YToG-v2gU-PmlJ-fAEz-AME3Ba
  LV Write Access        read/write
  LV Creation host, time r7deb, 2020-11-11 10:31:26 +0100
  LV Status              NOT available
  LV Size                540,62 GiB
  Current LE             138400
  Segments               2
  Allocation             inherit
  Read ahead sectors     auto
   
  --- Logical volume ---
  LV Path                /dev/lvm-crypt/buero
  LV Name                buero
  VG Name                lvm-crypt
  LV UUID                8sxSOg-gCfc-Dqb5-jTPg-nJGo-qklD-MaM4vV
  LV Write Access        read/write
  LV Creation host, time r7deb, 2022-06-19 08:35:01 +0200
  LV Status              NOT available
  LV Size                <117,19 GiB
  Current LE             30000
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
   
  --- Logical volume ---
  LV Path                /dev/lvm-crypt/buero2
  LV Name                buero2
  VG Name                lvm-crypt
  LV UUID                r3ZqOD-6dqr-esJZ-jqg9-qzoS-7k1o-sRMf8P
  LV Write Access        read/write
  LV Creation host, time r7deb, 2022-06-19 08:37:31 +0200
  LV Status              NOT available
  LV Size                <117,19 GiB
  Current LE             30000
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
vgscan -v
  WARNING: Couldn't find device with uuid ovqLHE-HeCP-MabL-UYaZ-zKGk-dSeM-G0HP0I.
  WARNING: Couldn't find device with uuid RxI6g8-Fp87-j7O4-N055-arL3-0l1E-CIIvo2.
  WARNING: VG lvm-crypt is missing PV ovqLHE-HeCP-MabL-UYaZ-zKGk-dSeM-G0HP0I (last written to /dev/mapper/nvme0n1p8_crypt).
  WARNING: VG lvm-crypt is missing PV RxI6g8-Fp87-j7O4-N055-arL3-0l1E-CIIvo2 (last written to /dev/mapper/nvme0n1p6_crypt).
  Found volume group "lvm-crypt" using metadata type lvm2
vgdisplay -v
  WARNING: Couldn't find device with uuid ovqLHE-HeCP-MabL-UYaZ-zKGk-dSeM-G0HP0I.
  WARNING: Couldn't find device with uuid RxI6g8-Fp87-j7O4-N055-arL3-0l1E-CIIvo2.
  WARNING: VG lvm-crypt is missing PV ovqLHE-HeCP-MabL-UYaZ-zKGk-dSeM-G0HP0I (last written to /dev/mapper/nvme0n1p8_crypt).
  WARNING: VG lvm-crypt is missing PV RxI6g8-Fp87-j7O4-N055-arL3-0l1E-CIIvo2 (last written to /dev/mapper/nvme0n1p6_crypt).
  --- Volume group ---
  VG Name               lvm-crypt
  System ID             
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  37
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                7
  Open LV               0
  Max PV                0
  Cur PV                3
  Act PV                1
  VG Size               <1,39 TiB
  PE Size               4,00 MiB
  Total PE              363160
  Alloc PE / Size       261511 / <1021,53 GiB
  Free  PE / Size       101649 / <397,07 GiB
  VG UUID               hBHElE-V8b3-bBWF-Om2J-LH8u-0D7R-Nh8vdw
   
  --- Logical volume ---
  LV Path                /dev/lvm-crypt/wurzel
  LV Name                wurzel
  VG Name                lvm-crypt
  LV UUID                sYo29d-sbzF-w6Bm-0E3W-LxNK-fr9i-jDnqOu
  LV Write Access        read/write
  LV Creation host, time r7deb, 2020-09-10 11:33:51 +0200
  LV Status              NOT available
  LV Size                30,73 GiB
  Current LE             7867
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
   
  --- Logical volume ---
  LV Path                /dev/lvm-crypt/home
  LV Name                home
  VG Name                lvm-crypt
  LV UUID                WdZkeA-uAQX-ryhu-11Xb-1Qp9-v3ld-FVIoej
  LV Write Access        read/write
  LV Creation host, time r7deb, 2020-09-10 11:33:58 +0200
  LV Status              NOT available
  LV Size                195,31 GiB
  Current LE             50000
  Segments               4
  Allocation             inherit
  Read ahead sectors     auto
   
  --- Logical volume ---
  LV Path                /dev/lvm-crypt/var
  LV Name                var
  VG Name                lvm-crypt
  LV UUID                TQav8N-UWZB-6ST1-JMBa-dnCp-A79j-9SdPDD
  LV Write Access        read/write
  LV Creation host, time r7deb, 2020-09-10 11:34:07 +0200
  LV Status              NOT available
  LV Size                18,62 GiB
  Current LE             4768
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
   
  --- Logical volume ---
  LV Path                /dev/lvm-crypt/temp
  LV Name                temp
  VG Name                lvm-crypt
  LV UUID                YBsh1S-1QJI-yIc1-071S-Mqgr-QCoV-7ktV0g
  LV Write Access        read/write
  LV Creation host, time r7deb, 2020-09-10 11:34:16 +0200
  LV Status              NOT available
  LV Size                <1,86 GiB
  Current LE             476
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
   
  --- Logical volume ---
  LV Path                /dev/lvm-crypt/vms
  LV Name                vms
  VG Name                lvm-crypt
  LV UUID                MYuXdV-QuC8-YToG-v2gU-PmlJ-fAEz-AME3Ba
  LV Write Access        read/write
  LV Creation host, time r7deb, 2020-11-11 10:31:26 +0100
  LV Status              NOT available
  LV Size                540,62 GiB
  Current LE             138400
  Segments               2
  Allocation             inherit
  Read ahead sectors     auto
   
  --- Logical volume ---
  LV Path                /dev/lvm-crypt/buero
  LV Name                buero
  VG Name                lvm-crypt
  LV UUID                8sxSOg-gCfc-Dqb5-jTPg-nJGo-qklD-MaM4vV
  LV Write Access        read/write
  LV Creation host, time r7deb, 2022-06-19 08:35:01 +0200
  LV Status              NOT available
  LV Size                <117,19 GiB
  Current LE             30000
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
   
  --- Logical volume ---
  LV Path                /dev/lvm-crypt/buero2
  LV Name                buero2
  VG Name                lvm-crypt
  LV UUID                r3ZqOD-6dqr-esJZ-jqg9-qzoS-7k1o-sRMf8P
  LV Write Access        read/write
  LV Creation host, time r7deb, 2022-06-19 08:37:31 +0200
  LV Status              NOT available
  LV Size                <117,19 GiB
  Current LE             30000
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
   
  --- Physical volumes ---
  PV Name               [unknown]     
  PV UUID               ovqLHE-HeCP-MabL-UYaZ-zKGk-dSeM-G0HP0I
  PV Status             allocatable
  Total PE / Free PE    22144 / 0
   
  PV Name               [unknown]     
  PV UUID               RxI6g8-Fp87-j7O4-N055-arL3-0l1E-CIIvo2
  PV Status             allocatable
  Total PE / Free PE    102554 / 0
   
  PV Name               /dev/mapper/sda1-crypt     
  PV UUID               s4UhPf-B5u1-d73L-DKcy-FR93-KvMa-kNrQJ6
  PV Status             allocatable
  Total PE / Free PE    238462 / 101649
lsblk -o NAME,SIZE,TYPE,UUID
NAME                                            SIZE TYPE  UUID
sda                                           931,5G disk  
└─sda1                                        931,5G part  50353f7f-7bc8-4100-85e2-56db32895c11
  └─sda1-crypt                                931,5G crypt s4UhPf-B5u1-d73L-DKcy-FR93-KvMa-kNrQJ6
sdb                                            12,7T disk  a7bbc558-c28c-4df6-992d-8ce16a961147
sdc                                           447,1G disk  
└─sdc1                                        447,1G part  c1971d93-afc1-4f0c-875a-4280c5a275fd
  └─sdc1-crypt                                447,1G crypt 06cd919c-024c-4987-9e78-41551292ed60
sdd                                             3,6T disk  
├─sdd1                                          487M part  
├─sdd2                                          488M part  727C-2D0A
├─sdd3                                          122M part  
├─sdd4                                        931,3G part  786749de-fa3c-4c2c-ac40-23b6ddd6e76e
├─sdd5                                        840,5G part  0fe82dcd-1d1d-4c4b-9f90-91c4cfd6ec07
│ └─sdd5-crypt                                840,5G crypt ad53f0e9-5e4f-48c9-ba2f-2ca3af949ea2
└─sdd6                                          498G part  38bafe27-5b78-48ea-980c-de636514df14
  └─sdd6-crypt                                  498G crypt eb0a33c9-bd6c-4c38-ae31-4667ba3cff24
sde                                           465,8G disk  
└─sde1                                        465,8G part  cb25c253-2141-40b5-83ae-a2c1c0980496
  └─luks-cb25c253-2141-40b5-83ae-a2c1c0980496 465,7G crypt b7aef9a8-41d8-4d11-975f-9f77645434a2
sr0                                            1024M rom   
nvme0n1                                       931,5G disk  
├─nvme0n1p1                                     450M part  D09495E59495CDFA
├─nvme0n1p2                                     100M part  7096-4C77
├─nvme0n1p3                                      16M part  
├─nvme0n1p4                                    54,2G part  C2A82FF0A82FE221
├─nvme0n1p5                                   206,7G part  04BFD1325C7FA67C
├─nvme0n1p6                                   400,6G part  s1TKbL-cSK8-egOQ-Iexp-0yoI-Yg8j-HSpbwC
├─nvme0n1p7                                     500M part  A5A2-6853
├─nvme0n1p8                                     1,9G part  41aadaed-4741-42a1-b17b-128c9fcf6188
├─nvme0n1p9                                    86,5G part  8Lk9H1-Tveo-JCko-nfgd-EDrL-KJVq-cA01lR
├─nvme0n1p10                                   86,9G part  c6c45bc2-a657-4dbb-83b2-b8ef4b3930b9
└─nvme0n1p11                                    532M part  A63AA7D23AA79E35
nvme1n1                                       953,9G disk  
└─nvme1n1p1                                   856,2G part  68BEA6DCBEA6A1D4
**EDIT 1:** So far so bad. I tried a few things and to me it looks like the UUIDs have changed or the header is corrupt. I found the old Debian 10 /boot/ partition and was able to boot into initramfs. Here I was able to log in via the BusyBox that I set up years ago (to be able to log in remotely and unlock the drives remotely to boot the system up). So I logged in and found the crypttab file. According to its content it is expecting different UUIDs.
cat /cryptroot/crypttab3 
nvme0n1p8_crypt UUID=1697ec4a-b30b-4642-b4f3-6ba94afc40ec none luks,discard
nvme0n1p6_crypt UUID=73404056-2fb5-4d7f-b1eb-8cff2273a211 /FIXME-initramfs-rootmnt/root/luks.keys.d/nvme0n1p6.luks.key luks,discard,initramfs
crypt_pv_SamsungQVO UUID=50353f7f-7bc8-4100-85e2-56db32895c11 /FIXME-initramfs-rootmnt/root/luks.keys.d/SamsungQVO_S4CZNG0M301660E.luks.key luks,discard,initramfs
kingston_crypt UUID=c1971d93-afc1-4f0c-875a-4280c5a275fd /FIXME-initramfs-rootmnt/root/luks.keys.d/KINGSTON_SHFS37A480G_50026B7269007A6C.luks.key luks,discard,initramfs
I tried to manually adjust them to the appropriate partitions using vi, but it cannot find a valid LUKS partition. Same result when trying to decrypt the drives after booting into Debian 11: it says it is not a valid LUKS partition. So I might give up at this point, thinking the partition header got corrupt (which is really suspicious, I mean two corrupt LUKS headers at once), or the LVM needs to set up the volume group before it is able to unlock the partitions/volumes with LUKS. I guess the latter is the case here, but I am running out of ideas. If you do not have any better advice I will try to change the UUIDs to those written down in the crypttab file inside the initramfs that I found in the old /boot/ partition. Hopefully the LVM will get things right this way.
AlexOnLinux (725 rep)
Nov 17, 2022, 09:35 AM • Last activity: Nov 18, 2022, 05:17 PM