
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

1 votes
1 answers
56 views
Archlinux not booting after update, root partition full, (luks) device not found, fsconfig failed, can't lookup blockdev, emergency shell
After updating with `pacman -Syu` system fails to boot.

```
ERROR: device '/dev/lvmSystemXXX/volRootXXX' not found. Skipping fsck.
mount: /new_root: fsconfig() failed: /dev/lvmSystemXXX/volRootXXX: Can't lookup blockdev.
ERROR: failed to mount '/dev/lvmSystemXXX/volRootXXX' on real root
You are now being dropped into an emergency shell.
sh: can't access tty: job control turned off
[rootfs ~]#
```

Some background info

Linux:

```
[rootfs ~]# uname -a
Linux archlinux 6.15.9-arch1-1 #1 SMP PREEMPT_DYNAMIC Sat, 02 Aug 2025... x86_64 GNU/Linux
```

Drives

```
[rootfs ~]# blkid
/dev/sdb2:UUID="A123456789" TYPE="crypto_LUKS" PARTUUID="A987654321"
/dev/sdb1: SEC_TYPE="msdos" LABEL_FATBOOT="BOOT" LABEL="BOOT" UUID="B123456789" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="B987654321"
```

Is there a possibility to check if the kernel was updated and eventually downgrade from emergency shell?

mkinitcpio.conf file here

```
# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run. Advanced users may wish to specify all system modules
# in this array. For instance:
#     MODULES=(usbhid xhci_hcd)
MODULES=()

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image. This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way. This is useful for config files.
FILES=()

# HOOKS
# This is the most important setting in this file. The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added. Run 'mkinitcpio -H ' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
##   This setup specifies all modules in the MODULES setting above.
##   No RAID, lvm2, or encrypted root is needed.
#    HOOKS=(base)
#
##   This setup will autodetect all modules for your system and should
##   work as a sane default
#    HOOKS=(base udev autodetect modconf block filesystems fsck)
#
##   This setup will generate a 'full' image which supports most systems.
##   No autodetection is done.
#    HOOKS=(base udev modconf block filesystems fsck)
#
##   This setup assembles a mdadm array with an encrypted root file system.
##   Note: See 'mkinitcpio -H mdadm_udev' for more information on RAID devices.
#    HOOKS=(base udev modconf keyboard keymap consolefont block mdadm_udev encrypt filesystems fsck)
#
##   This setup loads an lvm2 volume group.
#    HOOKS=(base udev modconf block lvm2 filesystems fsck)
#
##   This will create a systemd based initramfs which loads an encrypted root filesystem.
#    HOOKS=(base systemd autodetect modconf kms keyboard sd-vconsole sd-encrypt block filesystems fsck)
#
##   NOTE: If you have /usr on a separate partition, you MUST include the
#    usr and fsck hooks.
HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block filesystems fsck)

# COMPRESSION
# Use this to compress the initramfs image. By default, zstd compression
# is used for Linux ≥ 5.9 and gzip compression is used for Linux
```

```
Building image from preset: /etc/mkinitcpio.d/linux-lts.preset: 'default'
[2025-08-05T00:26:32+0200] [ALPM-SCRIPTLET] ==> Using default configuration file: '/etc/mkinitcpio.conf'
[2025-08-05T00:26:32+0200] [ALPM-SCRIPTLET] -> -k /boot/vmlinuz-linux-lts -g /boot/initramfs-linux-lts.img
[2025-08-05T00:26:32+0200] [ALPM-SCRIPTLET] ==> Starting build: '6.12.41-1-lts'
[2025-08-05T00:26:32+0200] [ALPM-SCRIPTLET] -> Running build hook: [base]
...
[2025-08-05T00:26:33+0200] [ALPM-SCRIPTLET] -> Running build hook: [modconf]
[2025-08-05T00:26:33+0200] [ALPM-SCRIPTLET] -> Running build hook: [block]
[2025-08-05T00:26:33+0200] [ALPM-SCRIPTLET] -> Running build hook: [encrypt]
[2025-08-05T00:26:34+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/usr/bin/dmsetup': No space left on device
[2025-08-05T00:26:34+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/usr/bin/dmsetup': No space left on device
[2025-08-05T00:26:34+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/usr/bin/dmsetup': No space left on device
[2025-08-05T00:26:34+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/usr/lib/udev/rules.d/13-dm-disk.rules': No space left on device
[2025-08-05T00:26:34+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/usr/lib/udev/rules.d/95-dm-notify.rules': No space left on device
[2025-08-05T00:26:34+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/usr/bin/dmsetup': No space left on device
[2025-08-05T00:26:34+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/usr/lib/udev/rules.d/11-dm-initramfs.rules': No space left on device
[2025-08-05T00:26:34+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/usr/lib/ossl-modules/legacy.so': No space left on device
[2025-08-05T00:26:34+0200] [ALPM-SCRIPTLET] install: error writing '/tmp/mkinitcpio.evH3PB/root/hooks/encrypt': No space left on device
[2025-08-05T00:26:34+0200] [ALPM-SCRIPTLET] -> Running build hook: [lvm2]
[2025-08-05T00:26:34+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/usr/bin/pdata_tools': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/usr/bin/dmsetup': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/usr/bin/dmsetup': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/usr/bin/dmsetup': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/usr/lib/udev/rules.d/11-dm-lvm.rules': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/usr/bin/dmsetup': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/usr/lib/udev/rules.d/13-dm-disk.rules': No space left on device
...
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/crypto/twofish_common.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/crypto/aegis128.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/crypto/async_tx/async_raid6_recov.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/arch/x86/crypto/sm4-aesni-avx-x86_64.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/arch/x86/crypto/curve25519-x86_64.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/crypto/cast6_generic.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/crypto/cast_common.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/crypto/hctr2.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/drivers/hid/hid-generic.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/crypto/ecrdsa_generic.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/drivers/cdrom/cdrom.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/drivers/crypto/intel/iaa/iaa_crypto.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/drivers/nvme/host/nvme.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/crypto/wp512.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/drivers/md/dm-raid.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/drivers/crypto/chelsio/chcr.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/drivers/scsi/virtio_scsi.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/crypto/fcrypt.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/crypto/cast5_generic.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/drivers/md/dm-mod.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/arch/x86/crypto/aegis128-aesni.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/arch/x86/crypto/des3_ede-x86_64.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/arch/x86/crypto/crc32c-intel.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/drivers/md/dm-thin-pool.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/arch/x86/crypto/camellia-x86_64.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/crypto/async_tx/async_pq.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/crypto/xxhash_generic.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/crypto/vmac.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/drivers/md/raid456.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/crypto/crypto_null.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/crypto/async_tx/async_xor.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/drivers/nvme/host/nvme-core.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/crypto/cryptd.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/crypto/sm4_generic.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/crypto/cmac.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/crypto/xcbc.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/crypto/blake2b_generic.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/arch/x86/crypto/sm3-avx-x86_64.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/drivers/md/dm-region-hash.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/drivers/crypto/padlock-sha.ko.zst': No space left on device
[2025-08-05T00:26:35+0200] [ALPM-SCRIPTLET] cp: error writing '/tmp/mkinitcpio.evH3PB/root/lib/modules/6.12.41-1-lts/kernel/crypto/geniv.ko.zst': No space left on device
...
[2025-08-05T00:26:57+0200] [ALPM-SCRIPTLET] depmod: ERROR: failed to load symbols from /tmp/mkinitcpio.qT6HiW/root/lib/modules/6.15.9-arch1-1/kernel/arch/x86/crypto/des3_ede-x86_64.ko.zst: Invalid argument
[2025-08-05T00:26:57+0200] [ALPM-SCRIPTLET] depmod: ERROR: failed to load symbols from /tmp/mkinitcpio.qT6HiW/root/lib/modules/6.15.9-arch1-1/kernel/crypto/seqiv.ko.zst: Invalid argument
[2025-08-05T00:26:57+0200] [ALPM-SCRIPTLET] depmod: ERROR: failed to load symbols from /tmp/mkinitcpio.qT6HiW/root/lib/modules/6.15.9-arch1-1/kernel/drivers/input/keyboard/applespi.ko.zst: Invalid argument
[2025-08-05T00:26:57+0200] [ALPM-SCRIPTLET] depmod: ERROR: failed to load symbols from /tmp/mkinitcpio.qT6HiW/root/lib/modules/6.15.9-arch1-1/kernel/fs/smb/common/cifs_arc4.ko.zst: Invalid argument
[2025-08-05T00:26:57+0200] [ALPM-SCRIPTLET] depmod: ERROR: failed to load symbols from /tmp/mkinitcpio.qT6HiW/root/lib/modules/6.15.9-arch1-1/kernel/drivers/mfd/max14577.ko.zst: Invalid argument
[2025-08-05T00:26:57+0200] [ALPM-SCRIPTLET] depmod: ERROR: failed to load symbols from /tmp/mkinitcpio.qT6HiW/root/lib/modules/6.15.9-arch1-1/kernel/drivers/vfio/vfio.ko.zst: Invalid argument
[2025-08-05T00:26:57+0200] [ALPM-SCRIPTLET] depmod: ERROR: failed to load symbols from /tmp/mkinitcpio.qT6HiW/root/lib/modules/6.15.9-arch1-1/kernel/fs/zonefs/zonefs.ko.zst: Invalid argument
[2025-08-05T00:26:57+0200] [ALPM-SCRIPTLET] depmod: ERROR: Could not create index 'modules.dep'. Output is truncated: No space left on device
[2025-08-05T00:26:57+0200] [ALPM-SCRIPTLET] ==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux-fallback.img'
[2025-08-05T00:26:58+0200] [ALPM-SCRIPTLET] ==> WARNING: errors were encountered during the build. The image may not be complete.
[2025-08-05T00:26:58+0200] [ALPM] running 'dbus-reload.hook'...
[2025-08-05T00:26:58+0200] [ALPM] running 'detect-old-perl-modules.hook'...
[2025-08-05T00:26:59+0200] [ALPM-SCRIPTLET] WARNING: '/usr/lib/perl5/5.40' contains data from at least 1 packages which will NOT be used by the installed perl interpreter.
[2025-08-05T00:26:59+0200] [ALPM-SCRIPTLET] -> Run the following command to get a list of affected packages: pacman -Qqo '/usr/lib/perl5/5.40'
[2025-08-05T00:26:59+0200] [ALPM] running 'fontconfig.hook'...
[2025-08-05T00:26:59+0200] [ALPM] running 'fontconfig-32.hook'...
[2025-08-05T00:27:00+0200] [ALPM] running 'gdk-pixbuf-query-loaders.hook'...
[2025-08-05T00:27:00+0200] [ALPM] running 'ghc-register.hook'...
[2025-08-05T00:27:13+0200] [ALPM] running 'glib-compile-schemas.hook'...
[2025-08-05T00:27:13+0200] [ALPM] running 'gtk-update-icon-cache.hook'...
[2025-08-05T00:27:14+0200] [ALPM] running 'texinfo-install.hook'...
[2025-08-05T00:27:16+0200] [ALPM] running 'update-desktop-database.hook'...
[2025-08-05T00:27:16+0200] [ALPM] running 'xorg-mkfontscale.hook'...
[2025-08-05T00:27:18+0200] [PACMAN] Running 'pacman -S -y --config /etc/pacman.conf --'
[2025-08-05T00:27:18+0200] [PACMAN] synchronizing package lists
[2025-08-05T00:27:21+0200] [PACMAN] Running 'pacman -S -y --config /etc/pacman.conf --'
[2025-08-05T00:27:21+0200] [PACMAN] synchronizing package lists
[2025-08-05T00:27:24+0200] [PACMAN] Running 'pacman -S -y --config /etc/pacman.conf --'
[2025-08-05T00:27:24+0200] [PACMAN] synchronizing package lists
[2025-08-05T00:27:27+0200] [PACMAN] Running 'pacman -S -y --config /etc/pacman.conf --'
[2025-08-05T00:27:27+0200] [PACMAN] synchronizing package lists
[2025-08-05T00:28:00+0200] [PACMAN] Running 'pacman -S -y --config /etc/pacman.conf --'
[2025-08-05T00:28:00+0200] [PACMAN] synchronizing package lists
[2025-08-05T00:29:00+0200] [PACMAN] Running 'pacman -S -y --config /etc/pacman.conf --'
[2025-08-05T00:29:00+0200] [PACMAN] synchronizing package lists
```
alex (1023 rep)
Aug 5, 2025, 12:36 AM • Last activity: Aug 5, 2025, 02:36 PM
2 votes
0 answers
34 views
Why is password requested repetitively to mount encrypted USB drive?
I have a USB drive, encrypted with LUKS [cryptsetup](https://gitlab.com/cryptsetup/cryptsetup), that I use for regular backups. When I plug in the drive, I am prompted for a password, just as expected. But then the drive gets mounted, an icon appears on my desktop, and a second password dialogue is shown. The message in the dialogue – “A passphrase is needed to access …” is wrong. I can ignore the second dialogue, or cancel it, and I am able to access the drive. See the screen-shot, which shows the drive icon (unlocked), files on it in Nemo, and the second password dialogue.

[Screenshot: Repeated dialogue]

It gets weirder: if I enter my password again, it is rejected and the dialogue reappears. This seems to happen infinitely, until I Cancel the dialogue. Is this a bug, or am I doing something wrong?

Here is the `lsblk` output (sda is the USB drive):

```
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                                             8:0    1   233G  0 disk
└─sda1                                          8:1    1   233G  0 part
  └─luks-4c8f9d1b-f967-4257-91d5-c32db662e482 252:0    0   233G  0 crypt /media/ME/BackupRed
nvme0n1                                       259:0    0 931.5G  0 disk
├─nvme0n1p1                                   259:1    0   512M  0 part  /boot/efi
└─nvme0n1p2                                   259:2    0   931G  0 part  /
```

I am using Linux Mint 22.1 Cinnamon. There are similar questions but they refer to boot problems, e.g. https://askubuntu.com/questions/1106136/prompted-for-luks-password-twice-on-boot-despite-separate-unencrypted-boot-part.

**Edit - Answers to early comments.**

I don’t have KDE, it’s not even in the Mint distro. I tried running `ps -fu ME` at various stages:

• No new processes when USB plugged in
• No new processes when first dialogue cancelled
• No new processes when first dialogue completed

All of which leads me to assume the dialogues are part of Cinnamon, and not a separate process.

**Edit - Answers to @waltinator**

No output at all from `sudo journalctl --follow |tail -f`. It was started before the drive was plugged in, and left running through both dialogues.

Here are my notes from when the drive was encrypted. It was brand-new so had nothing to save.

> To use the GUI: Launch Disks to get access to the encryption utility.
> Plug in your memory stick and look for it in the list of available
> disks. Create a temporary folder and copy out all of the files you
> have on the stick. Next, you choose to format the external drive,
> specifying the encryption option. Remember, this action will mean
> that you will only be able to access the files on Linux computers
> that also have cryptsetup installed. If you don’t want to encrypt the
> entire memory stick, partition it first. This action can also be
> performed in the Disks utility.
>
> You specify a password when the
> Format procedure launches. The formatting process offers you the
> option to not overwrite existing data. However, this doesn’t work and
> you will lose all of your files on the memory stick during the
> formatting process. That’s why you need to copy them over to a
> temporary folder before you start the encryption process. Once the
> formatting finishes, copy your files back over.
>
> A drive that has been
> protected by encryption is flagged in the Disks display by a padlock
> icon. Henceforth, when you click on that drive to access it, a popup
> window will appear to prompt you for the password. Options in the
> popup specify whether the computer should store the password for
> future access, whether it should forget the password immediately, or
> whether it should forget the password once the USB stick is removed
> from the computer.
Peter Bill (526 rep)
Aug 2, 2025, 03:24 PM • Last activity: Aug 2, 2025, 07:07 PM
6 votes
1 answers
2825 views
How to show letters at cryptsetup luks preboot password entry prompt as typing?
At the moment cryptsetup luks preboot password entry prompt shows not even asterisk symbols while typing. Password entry is functional though. But this is too difficult for some users. How to make cryptsetup luks preboot password entry prompt at least show asterisk while typing? Is it possible to make cryptsetup luks preboot password entry prompt show the real password letters as it is being entered? (Similar to web forms "show password" boxes.)
broks (61 rep)
May 27, 2019, 12:41 PM • Last activity: Jul 24, 2025, 06:03 AM
5 votes
1 answers
2832 views
Use fstab to mount luks encrypted drive to subfolder within home
Fresh install of Lubuntu 20.04 on system with Windows 10 and Lubuntu installed on 256GB NVME drive to dual boot.

Boot drive is /dev/nvme0n1p2

Home folder is therefore /dev/nvme0n1p2/home/username

I have a 1TB HDD with two partitions:

```
/dev/sda1 736GB encrypted ext4/LUKS
/dev/sda2 195GB ntfs
```

For context, the purpose of the ntfs partition is so that I can easily share files between my Lubuntu environment and Windows 10.

My objective is to be able to:

1) Boot into Lubuntu
2) Log in
3) Open File Manager and navigate to /home/Filestore
4) Be prompted to enter password

I have read this guide: https://www.linuxbabe.com/desktop-linux/how-to-automount-file-systems-on-linux

And I can successfully automount the ntfs drive to /home/WindowsShare

But I cannot mount the LUKS filesystem to /home/Filestore

Using 'ext4' as the filesystem gives me this error message:

```
mount: /home/luke/Filestore: wrong fs type, bad option, bad superblock on /dev/sda1, missing codepage or helper program, or other error.
```

The entry for the partition in blkid is:

```
/dev/sda1: UUID="redacted" TYPE="crypto_LUKS" PARTUUID="redacted"
```

So I therefore tried using "crypto_LUKS" as the filesystem in fstab and got this:

```
mount: /home/luke/Filestore: unknown filesystem type 'crypto_LUKS'.
```

I have looked for guides on automounting encrypted filesystems and found numerous. Here is one: https://blog.tinned-software.net/automount-a-luks-encrypted-volume-on-system-start/

Everything I have found involves using a shared key to auto-decrypt the filesystem on boot. I don't want to do this as I don't have an encrypted area on my boot drive in order to store the key.

Is my stated aim possible?
Luke Richards (81 rep)
Jan 17, 2021, 10:45 AM • Last activity: Jul 20, 2025, 02:03 AM
0 votes
0 answers
41 views
resize luks encrypted xfs on lvm partition to extend root with additional space
i have a ~200GB luks encrypted partition on a dual boot setup and i've just shrunk my windows partition by a bit so i can use the unallocated space on my root partition which is xfs. how would i go about extending the luks partition and subsequently the voidvm/root one?

[Screenshot: gparted]

```
$ lsblk -f
NAME              FSTYPE      FSVER    LABEL   UUID                                   FSAVAIL FSUSE% MOUNTPOINTS
nvme0n1
├─nvme0n1p1       vfat        FAT32    SYSTEM  089A-0EBD                                             /boot/efi
├─nvme0n1p2
├─nvme0n1p3       ntfs                 Windows 18E6E384E6E3610C
├─nvme0n1p4       ntfs                         066C04116C03FA67
└─nvme0n1p5       crypto_LUKS 1                2ab65cad-808c-4168-8e51-0e081bd9d58b
  └─voidvm        LVM2_member LVM2 001         c4mDao-UZLC-znl1-efSm-SmPB-DrRU-ChSQ82
    ├─voidvm-root xfs                  root    2559b74d-53a8-437f-82e5-62b514f6987d      2.1G    91% /
    └─voidvm-home xfs                  home    60588d15-9846-43c9-996b-a4d09cea8b07     17.1G    90% /home
```

Physical vol

```
sudo pvs
  PV                 VG     Fmt  Attr PSize    PFree
  /dev/mapper/voidvm voidvm lvm2 a--  <195.31g    0
```

LVM

```
lvs
  LV   VG     Attr       LSize    Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  home voidvm -wi-ao---- <171.31g
  root voidvm -wi-ao----   24.00g
```
peregrinator (1 rep)
Jul 17, 2025, 08:08 AM
0 votes
0 answers
28 views
How to add init script with decrypt LUKS Logic in Initramfs without disturbing poky source?
Here is a quick description of what I'm trying to achieve: building this Mender Yocto image for Raspberry Pi, I want to encrypt the root partition and, with secure boot, need to add the init script which can decrypt the LUKS encrypted rootfs partition.

The Poky layer already has core-image-minimal-initramfs, which can be bundled in the Linux kernel. The problem is that I'm not able to add the init script from a custom layer, and I have no idea how to achieve it.

This is the Poky layer content, core-image-minimal-initramfs.bb:

```
# Simple initramfs image. Mostly used for live images.
SUMMARY = "Small image capable of booting a device."
DESCRIPTION = "Small image capable of booting a device. The kernel includes \
the Minimal RAM-based Initial Root Filesystem (initramfs), which finds the \
first 'init' program more efficiently."

INITRAMFS_SCRIPTS ?= "\
                      initramfs-framework-base \
                      initramfs-module-setup-live \
                      initramfs-module-udev \
                      initramfs-module-install \
                      initramfs-module-install-efi \
                     "

PACKAGE_INSTALL = "${INITRAMFS_SCRIPTS} ${VIRTUAL-RUNTIME_base-utils} udev base-passwd ${ROOTFS_BOOTSTRAP_INSTALL}"

# Do not pollute the initrd image with rootfs features
IMAGE_FEATURES = ""

# Don't allow the initramfs to contain a kernel
PACKAGE_EXCLUDE = "kernel-image-*"

IMAGE_NAME_SUFFIX ?= ""
IMAGE_LINGUAS = ""

LICENSE = "MIT"

IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}"
inherit core-image

IMAGE_ROOTFS_SIZE = "8192"
IMAGE_ROOTFS_EXTRA_SPACE = "0"

# Use the same restriction as initramfs-module-install
COMPATIBLE_HOST = '(x86_64.*|i.86.*|arm.*|aarch64.*|loongarch64.*)-(linux.*|freebsd.*)'
```

This is the meta-mender/meta-mender-core/recipe-core tree; I have added core-image-minimal-initramfs.bbappend and initLUKSdecrypt.sh:

```
/meta-mender/meta-mender-core/recipes-core$ tree
.
├── initrdscripts
│   ├── core-image-minimal-initramfs.bbappend
│   ├── files
│   │   ├── init-install-efi-mender.sh
│   │   └── initLUKSdecrypt.sh
│   ├── initramfs-module-install_%.bbappend
│   ├── initramfs-module-install-efi_%.bbappend
│   └── initramfs-module-install.inc

8 directories, 12 files
```

This is the code in the core-image-minimal-initramfs.bbappend file; here the do_install is not getting called.

```
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI += "file://initLUKSdecrypt.sh"
PACKAGE_INSTALL += "cryptsetup"

do_install:append:mender-uboot(){
    bbwarn "WorkDIR=${WORKDIR} Destination=${D}"
    install -m 0755 ${WORKDIR}/initLUKSdecrypt.sh ${D}/init.d/initLUKSdecrypt.sh
}
```

So I added the code in initramfs-module-install_%.bbappend; the do_install gets called, but the final packaging gets an error.

```
require initramfs-module-install.inc

do_install:append:mender-efi-boot() {
    install -m 0755 ${WORKDIR}/init-install-efi-mender-altered.sh ${D}/init.d/install.sh
}

FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI := " file://initLUKSdecrypt.sh "

do_install() {
    bbwarn "WorkDIR=${WORKDIR} Destination=${D}"
    install -m 0755 ${WORKDIR}/initLUKSdecrypt.sh ${D}/../package/init.d/
}
```

Error logs:

```
ERROR: Task (/home/john/meta-mender-community/yocto-raspberrypi4/build/../../kas/demos/meta-mender-raspberrypi-wifi/recipes-raspberrypi/images/core-image-raspberrypi-wifi.bb:do_image_bootimg) failed with exit code '1'
ERROR: core-image-minimal-initramfs-1.0-r0 do_rootfs: Unable to install packages. Command '/home/john/meta-mender-community/yocto-raspberrypi4/build/tmp/work/raspberrypi4_64-poky-linux/core-image-minimal-initramfs/1.0/recipe-sysroot-native/usr/bin/opkg --volatile-cache -f /home/john/meta-mender-community/yocto-raspberrypi4/build/tmp/work/raspberrypi4_64-poky-linux/core-image-minimal-initramfs/1.0/opkg.conf -t /home/john/meta-mender-community/yocto-raspberrypi4/build/tmp/work/raspberrypi4_64-poky-linux/core-image-minimal-initramfs/1.0/temp/ipktemp/ -o /home/john/meta-mender-community/yocto-raspberrypi4/build/tmp/work/raspberrypi4_64-poky-linux/core-image-minimal-initramfs/1.0/rootfs --force_postinstall --prefer-arch-to-version --add-exclude kernel-image-* --add-exclude kernel-image-* install base-passwd busybox cryptsetup initramfs-framework-base initramfs-module-install initramfs-module-install-efi initramfs-module-setup-live initramfs-module-udev run-postinsts udev' returned 255:
 * opkg_solver_install: No candidates to install initramfs-module-install (null)!
ERROR: Logfile of failure stored in: /home/john/meta-mender-community/yocto-raspberrypi4/build/tmp/work/raspberrypi4_64-poky-linux/core-image-minimal-initramfs/1.0/temp/log.do_rootfs.10642
ERROR: Task (/home/john/meta-mender-community/yocto-raspberrypi4/build/../poky/meta/recipes-core/images/core-image-minimal-initramfs.bb:do_rootfs) failed with exit code '1'
```

I don't know what I'm missing.
URegal (1 rep)
Jul 15, 2025, 12:40 PM
8 votes
1 answers
2889 views
GRUB alternative for LUKS2 with Argon2ID support
It seems that even the most recent version of GRUB2 doesn't support LUKS2 with the PBKDF Argon2ID ([source](https://wiki.archlinux.org/index.php/GRUB#Encrypted_/boot)). The Raspberry Pi bootloader for instance fully supports this new hashing function. Is there an actively maintained (and widely enough adopted) desktop Linux bootloader that supports LUKS2 devices with Argon2ID? Would it be possible to achieve an encrypted /boot (other than /) partition with this PBKDF?
Polizi8 (295 rep)
Feb 10, 2021, 02:02 PM • Last activity: Jul 14, 2025, 02:07 AM
1 votes
1 answers
3560 views
USB key not mounting at boot to unlock LUKS system
I am running Debian Jessie. I have 2 hard drives with my various partitions spread across both (not RAID). Both of them are separately LUKS encrypted, and LVMs sit upon both of those. My `/boot` partition is the only partition not included on the two hard drives; instead, it is located on an unencrypted USB stick. On the `/boot` partition is `myKeyfile.key` which should unlock both of the hard drives [but doesn't]. My goal is to have fully inaccessible/useless disks whenever the system boots without the USB stick. Here is what I have done to accomplish this. I used this answer on StackOverflow as a guide.

----------

/etc/default/cryptdisks -

```
# Mountpoints to mount, before cryptsetup is invoked at initscripts. Takes
# mountpoints which are configured in /etc/fstab/ as arguments. Separate
# mountpoints by space.
# original: CRYPTDISKS_MOUNT=""
CRYPTDISKS_MOUNT=/boot
```

According to the comment, I just have to make sure I have the proper mountpoint name as described in fstab. For completeness, here is the relevant line:

/etc/fstab -

```
# UUID= /boot ext4 defaults 0 2
```

----------

/etc/crypttab -

```
sda1_crypt UUID= /boot/myKeyfile.key luks,keyscript=/bin/passphrase-from-usb
sda2_crypt UUID= /boot/myKeyfile.key luks,keyscript=/bin/passphrase-from-usb
```

I could specify the UUID of the USB drive (instead of `/boot/myKeyfile.key`), but then I'm not sure how I would specify that `myKeyfile.key` is the file I'm interested in.

/etc/initramfs-tools/hooks/passphrase-from-usb -

```
#!/bin/sh

PREREQ=""

prereqs() {
    echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions

copy_exec /bin/passphrase-from-usb /bin
```

/bin/passphrase-from-usb -

```
#!/bin/sh

set -e
if ! [ -e "$CRYPTTAB_KEY" ]; then
    echo "Waiting for USB stick to be recognized..." >&2
    sleep 5
fi
if [ -e "$CRYPTTAB_KEY" ]; then
    echo "Unlocking the disk $CRYPTTAB_SOURCE ($CRYPTTAB_NAME) from USB key" >&2
    echo "Using $CRYPTTAB_KEY as the key source" >&2
    dd if="$CRYPTTAB_KEY" bs=1 count=256 2>/dev/null
    exit
else
    echo "Can't find $CRYPTTAB_KEY; USB stick not present." >&2
fi

/lib/cryptsetup/askpass "Manually unlock the disk ($CRYPTTAB_NAME)\nEnter passphrase: "
```

----------

----------

This is what I am greeted with upon booting:

```
Loading, please wait...
Volume group "vg-root" not found
Skipping volume group vg-root
Unable to find LVM volume vg-root/lv-root
Volume group "vg-other" not found
Skipping volume group vg-other
Unable to find LVM volume vg-other/lv-swap
Waiting for USB stick to be recognized...
[ 3.159979] sd 7:0:0:0: [sdd] No Caching mode page found
[ 3.160152] sd 7:0:0:0: [sdd] Assuming drive cache: write through
Can't find /boot/myKeyfile.key; USB stick not present.
Manually unlock the disk (sda1_crypt)
Enter passphrase:
```

After I enter the passphrase, the same exchange happens for the second disk, sdb1_crypt.

----------

I'm doing something wrong, but I'm not sure what. Since `CRYPTDISKS_MOUNT` "specifies the mountpoints that are mounted before cryptdisks is invoked", I thought adding `/boot` to it would make `/boot` available before the unlocking procedure began. However, it does not appear to be mounted when `/bin/passphrase-from-usb` runs. I am sure that `myKeyfile.key` is added as a LUKS key to both drives, and I have updated the initramfs via `update-initramfs -u`.
natedogg (11 rep)
Oct 18, 2015, 09:49 PM • Last activity: Jul 12, 2025, 11:02 PM
1 votes
1 answers
125 views
Damaged LUKS encrypted HDD - need help recovering
I have a 2 TB Western Digital MyBook I encrypted with LUKS over a year ago. A few months ago, I decided to be reckless and accidentally formatted the disk in Windows when trying to create a boot-able USB disk with different software. The drive was totally reformatted. But then, I put a GPT partition header (GUID partition table) on it with no data. I use Linux Mint 22.1 as my default OS. Long story short - the drive and partition are gone with a new GPT partition installed. This means the 'disks' app still shows the drive as /dev/sdc (which it is) but that it is "Unallocated Space". To say that the data on this drive is important is an understatement. I’ve looked through the following articles to try and address this issue, but to no avail: - https://unix.stackexchange.com/questions/706070/restore-a-luks-partition-that-was-overwritten-by-pvcreate/706071#706071 - https://unix.stackexchange.com/questions/741404/overwritten-luks-with-a-partition-table/741850#741850 When performing hexdump -C /dev/sdc | grep LUKS, for over an hour, I see the following:
I created an image of the disk (image.dd). When following frostschutz' procedure for "cryptsetup repair, Part Two — Full Header Recovery" (https://unix.stackexchange.com/questions/741404/overwritten-luks-with-a-partition-table/741850#741850)

Step 1: Result of metadata recovery:

```
stdbuf -oL strings -n 64 -t d image.dd | grep '"keyslots":'
20480 {"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha256"},"area":{"type":"raw","offset":"32768","size":"258048","encryption":"aes-xts-plain64","key_size":64},"kdf":{"type":"argon2id","time":12,"memory":1048576,"cpus":4,"salt":"5JN08SD5Z1cryqRFiQvn+JensssvRMuayF2jHXKjGDY="}}},"tokens":{},"segments":{"0":{"type":"crypt","offset":"16777216","size":"dynamic","iv_tweak":"0","encryption":"aes-xts-plain64","sector_size":512}},"digests":{"0":{"type":"pbkdf2","keyslots":["0"],"segments":["0"],"hash":"sha256","iterations":313944,"salt":"cHPpJJpF2ivqLjkyTTJmKmqVcVSaRqN0L0V+yx0La+E=","digest":"COHktekQxX/2Jfq4ro8hqDweVOmom5bGAPa23nzkEV0="}},"config":{"json_size":"12288","keyslots_size":"16744448"}}
```

Valid JSON string found at offset 20480....

After following the entire procedure to its end (working on the image.dd) it keeps saying "Device luks.recovery is not a valid LUKS device." Is this pointless? If I can see LUKS keyslots, the offsets, etc, then am I just doing this wrong? Thanks!
hauser100 (11 rep)
Apr 12, 2025, 07:12 PM • Last activity: Jul 9, 2025, 06:40 PM
0 votes
2 answers
111 views
Unlocking the Debian root partition with keyfile from an encrypted boot partition
This may sound similar to [this question](https://unix.stackexchange.com/questions/164403/unlock-luks-encrypted-debian-root-with-key-file-on-boot-partition), except the circumstances are different where the boot partition is encrypted. I do not want to store the keyfile in the initramfs as that is not my intention. My goal is to unlock the boot partition on boot after grub finishes and use the keyfile, named keyfile to unlock the main root partition after manually unlocking the boot partition again. I desire this as I would rather type the passphrase twice rather than thrice. How would this be possible? I have not had any success as continuing to boot after grub finishes causes an error which says that the keyfile does not exist along with systemd-cryptsetup failing, alerting of a bad password or options. Booting with grub is fine as I manually unlock the boot partition, but the aftermath is not.

My partition scheme:

```
(Block device for EFI system partition): ESP (not important)
(Block device for encrypted ext2 boot partition)
└─/keyfile (keyfile to unlock the encrypted root partition)
(Block device for encrypted btrfs root partition)
├─@rootfs (subvolume for /)
├─@home (subvolume for /home)
├─@log (subvolume for /var/log)
├─@libvirt (subvolume for /var/lib/libvirt)
└─@opt (subvolume for /opt)
```

Current /etc/crypttab:

```
#
debian_crypt  PARTLABEL=Debian     none          luks

cryptswap     PARTLABEL=cryptswap  /dev/urandom  swap,plain,cipher=aes-xts-plain64,size=512,sector-size=4096

boot_crypt    PARTLABEL=Boot       none          luks
```

I have tried to reorder the debian_crypt part to the end, specifying the path to the keyfile in the third column, /boot/keyfile, and adding the keyscript option, keyscript=/lib/cryptsetup/scripts/passdev along with the key-slot option. Also, is it possible for cryptsetup-suspend to also unlock the encrypted root partition with the keyfile on the encrypted boot partition so only the encrypted boot partition has to be manually unlocked after waking up?
horsey_guy (421 rep)
Jul 3, 2025, 03:58 AM • Last activity: Jul 8, 2025, 07:26 AM
19 votes
6 answers
30690 views
Unlock LUKS encrypted Debian root with key file on boot partition
I'm trying to decrypt the Debian root with a key file stored in the boot partition (decrypted partition). This will break the security, but it doesn't matter now. I have to conclude this successfully or die trying. I have created the hooks to the `initramfs` and the key file is on the `/boot` directory inside the `initrd.img-*` file. The path to the key file (`/boot/keyfile`) is on the `/etc/crypttab` file. I updated the `initramfs` with `sudo update-initramfs -u` but I received this message: `cryptsetup: WARNING: target sdaX_crypt uses a key file, skipped.` Ignoring the message and rebooting results in an unbootable disk. The message `Gave up waiting for root device.` is displayed and drops to initramfs shell. In the initramfs environment, `cryptsetup` doesn't exist. *(Should it exist?)* It seems that `update-initramfs -u` "thinks" the sdaX_crypt device will be mounted in another way and doesn't configure it to decrypt with the keyfile. *How can I do that?*
Fusgyus (191 rep)
Oct 27, 2014, 07:29 AM • Last activity: Jul 5, 2025, 12:11 PM
3 votes
1 answers
798 views
Auto de-crypt all LUKS partitions in Debian
I use Debian Wheezy and have all partitions encrypted using LUKS, except `/boot`. I want to decrypt the partitions automatically without having to type the password in each of the 7 encrypted partitions (same for all 7). How can I do this? With cryptsetup? How do I make the hook script from initramfs?
/boot: No crypt
/: crypt
/home: crypt
I need to decrypt / and /home in initramfs in Debian.
Alfredo Pons Menargues (499 rep)
Feb 18, 2014, 02:21 PM • Last activity: Jun 30, 2025, 01:41 PM
5 votes
1 answers
4545 views
Grub not trying to unlock LUKS partition
I have Ubuntu 18.04 with full disk encryption with two partitions: EFI ESP and LUKS1 encrypted root partition (no separate /boot). After installing grub and rebooting, it just shows normal `grub >` prompt instead of asking for LUKS password and booting Ubuntu. The kernel unlocks root filesystem by using LUKS keyfile in /etc/luks/boot_os.keyfile. Grub configuration file in /boot/efi/EFI/ubuntu/grub.cfg doesn't include cryptomount command so it's not even trying to unlock root partition:

```
search.fs_uuid ee03828b-76bc-4143-a2fb-f86719a90fca root cryptouuid/88251fdb112a4924a9c69892f17322e8
set prefix=($root)'/boot/grub'
configfile $prefix/grub.cfg
```

If I manually edit this file adding:

```
cryptomount -u 88251fdb112a4924a9c69892f17322e8
```

as the first line, grub asks for password and system boots fine. How can I convince grub-install to include cryptomount in grub.cfg inside ESP, so that system upgrade won't break my system?

### Other config files:

**/etc/default/grub**

```
GRUB_DEFAULT=0
GRUB_TIMEOUT_STYLE=hidden
GRUB_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT=1
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX=""

GRUB_DISABLE_OS_PROBER=true

GRUB_ENABLE_CRYPTODISK=y
GRUB_PRELOAD_MODULES="luks cryptodisk"
```

**/etc/fstab**

```
#
/dev/mapper/nvme0n1p2_crypt /                         ext4    errors=remount-ro  0       1
/swapfile                                 none            swap    sw                 0       0
UUID=6225-46A9  /boot/efi       vfat    defaults      0       1
```

**/etc/crypttab**

```
#
nvme0n1p2_crypt UUID=88251fdb-112a-4924-a9c6-9892f17322e8 /etc/luks/boot_os.keyfile luks,discard
```

**/etc/cryptsetup-initramfs/conf-hook**

```
KEYFILE_PATTERN=/etc/luks/*.keyfile
```

### Partitions:

**lsblk -e7 -f**

```
NAME                FSTYPE      LABEL     UUID                                 MOUNTPOINT
sda
├─sda1              vfat        SYSTEM    E463-AB68
├─sda2
├─sda3
└─sda4              ntfs        WinRE_DRV B27667B5766778CD
nvme0n1
├─nvme0n1p1         vfat                  6225-46A9                            /boot/efi
└─nvme0n1p2         crypto_LUKS           88251fdb-112a-4924-a9c6-9892f17322e8
  └─nvme0n1p2_crypt ext4                  ee03828b-76bc-4143-a2fb-f86719a90fca /
```

Also, I don't care about dual-boot right now, so I disabled OS prober in /etc/default/grub.
Hasumashi (51 rep)
Nov 25, 2021, 12:17 PM • Last activity: Jun 26, 2025, 05:05 PM
0 votes
1 answers
1907 views
Grub unlock luks encrypted btrfs raid0
The goal is to have grub unlock /dev/nvme0n1p3 which contains a keyfile to unlock the 2 luks encrypted btrfs raid0 drives. If I can get it working, I'll create a tool that can accompany Linux installers to get it done easier. I keep getting dropped into the grub rescue prompt with:
No such device: 2d6983f7-c10e-4b1a-b182-24d6f2b2a6c0
error: unknown filesystem.
So, it's not unlocking my luks. That's the UUID of /dev/mapper/cryptroot and /dev/mapper/cryptroot2 (They share it since it's raid0). Idk why it's showing up as the first thing grub tries to do though. The first thing I want grub to unlock is 0df41a34-e267-491a-ac02-25758c26ec65 aka /dev/nvme0n1p3 (cryptkeys) in order to unlock the raid0 drives. Here's what I did...

## Setup 2 nvme drives.

- 2 NVMe drives.
- Garuda Linux (Arch-based).
- Grub 2.6 (Supports LUKS2).
- blkid output:
/dev/loop1: TYPE="squashfs"
/dev/mapper/cryptroot2: UUID="2d6983f7-c10e-4b1a-b182-24d6f2b2a6c0" UUID_SUB="b2ee9dad-c9cb-4ec4-ae38-d28af19eb183" BLOCK_SIZE="4096" TYPE="btrfs"
/dev/nvme0n1p3: UUID="0df41a34-e267-491a-ac02-25758c26ec65" TYPE="crypto_LUKS" PARTUUID="a49f7cdb-cbb6-44cd-b1e4-00b61dd1f00d"
/dev/nvme0n1p1: LABEL_FATBOOT="NO_LABEL" LABEL="NO_LABEL" UUID="A5AC-81DA" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="b0def085-1288-b746-9d7d-961354131dbc"
/dev/nvme0n1p2: UUID="802edb34-f481-4adf-9f98-3a80028d7cec" TYPE="crypto_LUKS" PARTLABEL="root" PARTUUID="9b945709-b51b-1c46-8ee3-6f3ba74c5a5b"
/dev/sdb2: SEC_TYPE="msdos" LABEL_FATBOOT="MISO_EFI" LABEL="MISO_EFI" UUID="EFD7-7387" BLOCK_SIZE="512" TYPE="vfat"
/dev/sdb1: BLOCK_SIZE="2048" UUID="2021-08-09-16-03-00-00" LABEL="GARUDA_GNOME_SOARING_" TYPE="iso9660"
/dev/loop2: TYPE="squashfs"
/dev/loop0: TYPE="squashfs"
/dev/mapper/cryptroot: UUID="2d6983f7-c10e-4b1a-b182-24d6f2b2a6c0" UUID_SUB="ef6be59d-a4be-4d00-93c2-0084530bf929" BLOCK_SIZE="4096" TYPE="btrfs"
/dev/nvme1n1: UUID="53517d3d-a638-48b9-af4f-125114e4f0c6" TYPE="crypto_LUKS"
/dev/zram0: LABEL="zram0" UUID="aa36a4d8-690e-4f2a-bfc9-e2fad1db8efb" TYPE="swap"
/dev/loop3: TYPE="squashfs"
## Procedures

1. Installed Garuda Linux to /dev/nvme0n1 which gave me the following partition layout on the first drive. I then created an ext4 partition (cryptkeys) in a luks container for storing keys and a luks container spanning the entire nvme1n1 for the btrfs raid:
NAME               FSTYPE          FLAGS
nvme0n1
├─nvme0n1p1        fat32           boot,esp
├─nvme0n1p2        crypto_LUKS
│ └─cryptroot      btrfs
└─nvme0n1p3        crypto_LUKS
  └─cryptkeys      ext4
nvme1n1            crypto_LUKS
└─         
  └─cryptroot2     btrfs
2. Unlocked nvme0n1p2 and nvme1n1 mounting to /mnt/cryptroot.
3. To convert to raid0 spanning 2 drives, ran:
btrfs device add /dev/mapper/cryptroot2 /mnt/cryptroot
btrfs balance start -dconvert=raid0 -mconvert=raid1 /mnt/cryptroot
4. Created a new keyfile for luks and added it to all luks containers except the one I named "cryptkeys" which is /dev/nvme0n1p3. All luks containers can also be unlocked via the same password. nvme0n1p3 was mounted to /mnt/cryptkeys and the keyfile copied to it:
dd bs=512 count=4 if=/dev/random of=/mnt/cryptroot/crypto_keyfile.bin
chmod 600 /mnt/cryptkeys/crypto_keyfile.bin

cryptsetup luksAddKey /dev/nvme0n1p2 cryptkeys/crypto_keyfile.bin
cryptsetup luksAddKey /dev/nvme1n1 cryptkeys/crypto_keyfile.bin
5. With the btrfs raid0 now mounted, chrooted into the new Garuda install via:
mkdir /mnt/newroot
mount -o subvol=@,compress=zstd /dev/mapper/cryptroot newroot
for i in /dev /dev/pts /proc /sys /run; do sudo mount --bind $i /mnt/newroot$i; done
mount /dev/nvme0n1p1 newroot/boot/efi
mount --bind /sys/firmware/efi/efivars newroot/sys/firmware/efi/efivars 
chroot /mnt/newroot
6. Edited /etc/default/grub to be:
# GRUB boot loader configuration

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Garuda"
GRUB_CMDLINE_LINUX_DEFAULT="quiet cryptdevice2=/dev/disk/by-uuid/0df41a34-e267-491a-ac02-25758c26ec65:cryptkeys:allow-discards cryptdevice3=/dev/disk/by-uuid/802edb34-f481-4adf-9f98-3a80028d7cec:cryptroot:allow-discards cryptdevice=/dev/disk/by-uuid/53517d3d-a638-48b9-af4f-125114e4f0c6:cryptroot2:allow-discards root=/dev/mapper/cryptroot splash rd.udev.log_priority=3 vt.global_cursor_default=0 systemd.unified_cgroup_hierarchy=1 loglevel=3"
GRUB_CMDLINE_LINUX=""

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to enable booting from LUKS encrypted devices
#GRUB_ENABLE_CRYPTODISK=y

# Set to 'countdown' or 'hidden' to change timeout behavior,
# press ESC key to display menu.
GRUB_TIMEOUT_STYLE=menu

# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console

# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE=auto

# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep

# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true

# Uncomment and set to the desired menu colors.  Used by normal and wallpaper
# modes only.  Entries specified as foreground/background.
#GRUB_COLOR_NORMAL="light-blue/black"
#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"

# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/path/to/wallpaper"
GRUB_THEME="/usr/share/grub/themes/garuda/theme.txt"

# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"

# Uncomment to make GRUB remember the last selection. This requires
# setting 'GRUB_DEFAULT=saved' above.
#GRUB_SAVEDEFAULT=true

# Uncomment to disable submenus in boot menu
#GRUB_DISABLE_SUBMENU=y

GRUB_DISABLE_OS_PROBER=false
GRUB_DISABLE_OS_PROBER=false
GRUB_ENABLE_CRYPTODISK=y
7. Copied hooks as:
# copy the original hook
cp /usr/lib/initcpio/install/encrypt /etc/initcpio/install/encrypt2
cp /usr/lib/initcpio/install/encrypt /etc/initcpio/install/encrypt3
cp /usr/lib/initcpio/hooks/encrypt  /etc/initcpio/hooks/encrypt2
cp /usr/lib/initcpio/hooks/encrypt  /etc/initcpio/hooks/encrypt3
# adapt the new hook to use different names and to NOT delete the keyfile
sed -i "s/cryptdevice/cryptdevice2/" /etc/initcpio/hooks/encrypt2
sed -i "s/cryptdevice/cryptdevice3/" /etc/initcpio/hooks/encrypt3
sed -i "s/cryptkey/cryptkey2/" /etc/initcpio/hooks/encrypt2
sed -i "s/cryptkey/cryptkey3/" /etc/initcpio/hooks/encrypt3
sed -i "s/rm -f \${ckeyfile}//" /etc/initcpio/hooks/encrypt2
sed -i "s/rm -f \${ckeyfile}//" /etc/initcpio/hooks/encrypt3
8. Added encrypt2 and encrypt3 to /etc/mkinitcpio.conf before encrypt hook. Also specified keyfile. mkinitcpio.conf is now:
# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run.  Advanced users may wish to specify all system modules
# in this array.  For instance:
#     MODULES=(intel_agp i915 amdgpu radeon nouveau)
MODULES=(intel_agp i915 amdgpu radeon nouveau)

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image.  This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
FILES="/crypto_keyfile.bin"

# HOOKS
# This is the most important setting in this file.  The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added.  Run 'mkinitcpio -H ' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
##   This setup specifies all modules in the MODULES setting above.
##   No raid, lvm2, or encrypted root is needed.
#    HOOKS=(base)
#
##   This setup will autodetect all modules for your system and should
##   work as a sane default
#    HOOKS=(base udev autodetect block filesystems)
#
##   This setup will generate a 'full' image which supports most systems.
##   No autodetection is done.
#    HOOKS=(base udev block filesystems)
#
##   This setup assembles a pata mdadm array with an encrypted root FS.
##   Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
#    HOOKS=(base udev block mdadm encrypt filesystems)
#
##   This setup loads an lvm2 volume group on a usb device.
#    HOOKS=(base udev block lvm2 filesystems)
#
##   NOTE: If you have /usr on a separate partition, you MUST include the
#    usr, fsck and shutdown hooks.
HOOKS="base udev encrypt autodetect modconf block keyboard keymap consolefont plymouth encrypt2 encrypt3 encrypt filesystems"

# COMPRESSION
# Use this to compress the initramfs image. By default, zstd compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="zstd"
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"

# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()
9. Ran:
mkinitcpio -p linux-zen
# initramfs includes the key, so only root should be able to read it
chmod 600 /boot/initramfs-linux-fallback.img
chmod 600 /boot/initramfs-linux.img
10. Changed /etc/crypttab to:
# /etc/crypttab: mappings for encrypted partitions.
#
# Each mapped device will be created in /dev/mapper, so your /etc/fstab
# should use the /dev/mapper/ paths for encrypted devices.
#
# See crypttab(5) for the supported syntax.
#
# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf). The same applies
#       to encrypted swap, which should be set up with mkinitcpio-openswap
#       for resume support.
#
#                                          
cryptkeys             UUID=0df41a34-e267-491a-ac02-25758c26ec65     /crypto_keyfile.bin luks,discard,nofail
11. Changed /etc/fstab to:
#                      
UUID=A5AC-81DA        /boot/efi      vfat    umask=0077 0 2
/dev/mapper/cryptroot /              btrfs   subvol=/@,defaults,noatime,space_cache,autodefrag,compress=zstd 0 0
/dev/mapper/cryptroot /home          btrfs   subvol=/@home,defaults,noatime,space_cache,autodefrag,compress=zstd 0 0
/dev/mapper/cryptroot /root          btrfs   subvol=/@root,defaults,noatime,space_cache,autodefrag,compress=zstd 0 0
/dev/mapper/cryptroot /srv           btrfs   subvol=/@srv,defaults,noatime,space_cache,autodefrag,compress=zstd 0 0
/dev/mapper/cryptroot /var/cache     btrfs   subvol=/@cache,defaults,noatime,space_cache,autodefrag,compress=zstd 0 0
/dev/mapper/cryptroot /var/log       btrfs   subvol=/@log,defaults,noatime,space_cache,autodefrag,compress=zstd 0 0
/dev/mapper/cryptroot /var/tmp       btrfs   subvol=/@tmp,defaults,noatime,space_cache,autodefrag,compress=zstd 0 0
12. Finally, ran:
grub-mkconfig -o /boot/grub/grub.cfg
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Garuda --recheck
exit
reboot
**An aside:** A few times that I ran grub-install, the value of --bootloader-id was arch-grub before I changed it to Garuda. I don't think it matters much except that now I have extra boot menu entries as idk how to get rid of them. Probably doesn't matter though. I get the error even when selecting the Garuda entry from the EFI boot menu.

**Note:** These procedures were adapted from this blog post. What's different is no luks encrypted boot partition and the addition of the cryptkeys partition instead.
xendi (613 rep)
Aug 31, 2021, 12:56 AM • Last activity: Jun 25, 2025, 05:07 AM
2 votes
1 answers
2376 views
Second disk encryption using LUKS
I'm looking for a clear tutorial on how to do this but I'm encountering insufficient information everywhere. Namely, I have a laptop with the following disk configuration:

[image]

Drive one has Fedora 38 installed and the drive is encrypted. However, I have a second SSD, independent of the one on which Fedora 38 is installed, and I would like to encrypt it with LUKS as well. I have searched and read but I am lost.

https://docs.fedoraproject.org/en-US/quick-docs/encrypting-drives-using-LUKS/#_remove_a_passphrase_or_key_from_a_device

Reading the official Fedora guide to LUKS encryption, I cannot grasp the idea of how to implement this to the second SSD independent drive so that if, for example, I need to reinstall Fedora or another system on the drive on which the operating system is currently, I do not fear losing access to the second drive encrypted.

1) How to correctly implement the above (or other) guide to have the second SSD encrypted?
2) What steps would have to be considered in such a solution to have access to this drive in case of reinstallation of the system or blowing out the drive with the operating system? (I mean here a copy of the keys, etc.?)
3) I tried this tutorial from point 4 and unfortunately ended up somewhere with my mistake and after rebooting the system I had to enter twice the password to the encrypted drive with OS and to the other SSD drive but unfortunately after entering both passwords correctly, I received a message about the need to log in as root to repair the system.
4) Is it possible to implement a solution so that it only asks for the password to the encrypted partition with OS, and to the second drive only from within Fedora?

I would be grateful if someone would try to explain it to me, I have searched really many places from Fedora, here, Youtube as well as other articles but I am probably too stupid to understand it.
kubatron (21 rep)
Aug 1, 2023, 09:40 AM • Last activity: Jun 21, 2025, 07:00 AM
4 votes
1 answers
16661 views
`cryptsetup luksOpen <device> <name>` fails to set up the specified name mapping
HardenedArray has a helpful archlinux-installation guide at [Efficient Encrypted UEFI-Booting Arch Installation](https://gist.github.com/HardenedArray/31915e3d73a4ae45adc0efa9ba458b07). However, I encountered difficulty early in the installation process -- specifically, at the point of opening my LUKS partition. The command `cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random luksFormat /dev/sda3` completes without error, but after I enter the command `cryptsetup luksOpen /dev/sda3 tsundoku`, _/dev/mapper/tsundoku_ does not become available. `ls /dev/mapper` lists _/dev/mapper/control_ alone, and not also _/dev/mapper/tsundoku_ as I would expect.

The following error message appears upon `cryptsetup luksOpen /dev/sda3 tsundoku --verbose --debug`: "Trying to read ... LUKS2 header at offset .... LUKS header read failed (-22). Command failed with code -1 (wrong or missing parameters)."

Could anyone offer any hints as to the cause of this error? My attempts at online research to this point haven't been fruitful. Thanks much

--- EDIT ---

I've asked this question for help to achieve any of three goals: (1) to install arch-linux (in any manner) on a 6ish-year-old x86-64 Intel Core i5 2.50GHz ASUS; (2) more specifically, to install arch-linux securely with an encrypted partition; (3) to learn why, despite my expectations, `cryptsetup luksOpen /dev/sda3 tsundoku` does not create a _tsundoku_ mapping entry in the path _/dev/mapper_.

I'm a newcomer to arch-linux, so although I'd prefer installing the OS with encryption, I'd settle for installing it in any way. I haven't had much luck following the installation instructions in the official arch wiki in the past, so upon seeing HardenedArray's clearly delineated installation guide, I thought I'd give it a go -- worst case scenario being that I might encounter a problem like the one described above, whereby I might learn something new.

As for the issue, here are some more details:

As per HardenedArray's guide: I `gdisk /dev/sda` and create the following partitions:

* /dev/sda1, default, 100M, EF00
* /dev/sda2, default, 250M, 8300
* /dev/sda3, default, default, 8300

Then I do the following:

```
mkfs.vfat -F 32 /dev/sda1
mkfs.ext2 /dev/sda2
```

At this point, I attempt to initialize a LUKS partition and set up a mapping.

```
> cryptsetup --verbose -c aes-xts-plain64 -h sha512 -s 512 --use-random luksFormat /dev/sda3
Command successful
> cryptsetup -v isLuks /dev/sda3
Command successful
> ls /dev/mapper
control
> cryptsetup luksOpen /dev/sda3 tsundoku --verbose --debug
cryptsetup 2.0.0. processing "cryptsetup luksOpen /dev/sda3 tsundoku --verbose --debug"
Running command open.
Locking memory.
...
Trying to load any crypt type from device /dev/sda3.
Crypto backend ... initialized ...
Detected kernel Linux 4.14.9-1-ARCH x86_64.
...
Reading LUKS header of size 1024 from device /dev/sda3.
...
Activating volume tsundoku using token -1.
STDIN descriptor passphrase entry requested.
Activating volume tsundoku [keyslot -1] using passphrase.
...
Detected dm-ioctl version 4.37.0.
Device-mapper backend running with UDEV support enabled.
dm status tsundoku [ opencount flush ] [...] (...)
Trying to open key slot 0 [ACTIVE_LAST].
Reading key slot 0 area.
Using userspace crypto wrapper to access keyslot area.
Trying to open key slot 1 [INACTIVE].
# key slots 2-7 are also [INACTIVE]
Releasing crypt device /dev/sda3 context.
Releasing device-mapper backend.
Unlocking memory.
Command failed with code -2 (no permission or bad passphrase).
> ls /dev/mapper
control
> cryptsetup luksDump /dev/sda3
LUKS header information for /dev/sda3
Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha512
...
UUID: 56d8...
Key Slot 0: ENABLED
...
Key Slot 1: DISABLED
# Key Slots 2-7 are also DISABLED
```

-----

Are the steps I've listed above inaccurate in any way? Perhaps there were alternatives I should have taken instead or intervening actions that I missed? If not, is the command `cryptsetup luksOpen /dev/sd{a} {volume}` supposed to create a volume mapping in the path _/dev/mapper_? If so, do the details I've added above allow anyone to ascertain why the path _/dev/sda3/tsundoku_ does not appear on my machine? And if not, is there any additional information that I could add to make the problem clearer? Thanks much.
Polytope (41 rep)
Jan 14, 2018, 11:25 PM • Last activity: Jun 20, 2025, 07:08 AM
5 votes
2 answers
2177 views
How do you use a fingerprint to boot LUKS-encrypted Arch Linux?
I'm searching for clues on how to use a fingerprint reader to unlock a LUKS-encrypted device. My hard disk uses `/dev/sda2` (encrypted with LUKS) to start the OS. I don't want to use complex passphrases because they could be forgotten by the users. How do you use a fingerprint to boot from a LUKS-encrypted device?
Micael André (445 rep)
Feb 8, 2017, 04:45 PM • Last activity: Jun 18, 2025, 11:02 AM
3 votes
2 answers
2712 views
Booting to an encrypted Debian install, which has /boot on LVM-on-LUKS
I have a setup with a grub2 bootloader, and the rest of the system on an encrypted partition (LVM-on-LUKS). I have two OSes installed inside of the LUKS container, Kali Sana and Debian 8, as well as a shared swap partition. This was set up by installing Kali with full disk encryption, and then making room for Debian. The grub install is from Kali.

I am fully aware that it is simply easier to have a second /boot partition for Debian. However, given the way this was set up, there is no room left for the Debian bootloader, and resizing everything to make room will be a pain.

So, here is what I need to do under grub:

- Mount the encrypted partition (already managed to do this)
- Start initramfs and the kernel for Debian (This is where there is trouble).

I have done some research on this, and I am attempting to do this by editing the `/boot/grub/custom.cfg` file. After each edit, I have run `sudo grub-mkconfig` and `sudo update-grub`. Then I have restarted to see if it will boot. While it can decrypt the LUKS container, it can't find initramfs or the kernel.

Here is my `custom.cfg` file. Note: I am fuzzy on what all of this does. It is most likely completely wrong.

```
menuentry "Debian 8 Jessie"{
insmod luks
insmod lvm
cryptdevice=UUID=ffe7a64d-e552-4db9-b0f3-1e42be118059:cryptolvm
set root=/dev/Outsider-vg/Outsider-debianroot
linux /boot/vmlinuz-3.16.0-4-amd64 root=/dev/Outsider-vg/Outsider-debianroot
initrd /boot/initrd.img-3.16.0-4-amd64
}
```

Note about the above: `cryptdevice=UUID=ffe7a64d-e552-4db9-b0f3-1e42be118059:cryptolvm` was originally `set root=/dev/sda5`. This version of the file fails to decrypt the container. Note that I already know how to get this to work, I was just messing with it to see if changing it would help.

I have been referencing [this link](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS) for help editing this file.

Basically, I need to know the syntax to point grub at the correct initramfs and vmlinuz files, after the LUKS partition has been decrypted. They are under the logical volume Outsider--debianroot. My only real issue is that I don't know how to do this.

I apologize for being somewhat vague. Part of the problem is that I am not sure what I am looking for. If you do not have an answer, but can direct me to a comprehensive guide to editing `custom.cfg`, that would also be appreciated. Please let me know if you need more details.

**EDIT: Upon further research, here is what I have found:**

Basically, I need to give Grub the correct path to a root directory which is on an LVM. After doing some digging around on the file system, I have found two paths which could work: `/dev/mapper/volumeGroup-volumeName` and `/dev/volumeGroup/volumeName`. In the case of the above example, they are `/dev/mapper/Outsider--vg-Outsider--debianroot` and `/dev/Outsider-vg/Outsider-debianroot`.

I need to know which is the path to the correct root directory, allowing that distro to boot. Either one is right, both need to be used together, or there is a different path which I am missing which I need to use instead. Any ideas?

Furthermore, what is the difference between these two paths? What do they each point to? What is the difference between `/dev/mapper/volumeGroup` and just `/dev/volumeGroup`?

**EDIT 2:** I believe that `/dev/volumeGroup/volumeName` is the correct path, based off of the end syntax for [this tutorial](http://www.howtogeek.com/howto/40702/how-to-manage-and-use-lvm-logical-volume-management-in-ubuntu/). I will experiment with this and report back.

Note: I will come and clean this up later, when I have solved it.
Monsoon (31 rep)
Feb 6, 2017, 06:17 AM • Last activity: Jun 13, 2025, 10:03 PM
1 votes
2 answers
2221 views
Automounting LUKS encrypted external usb when device inserted without error or hanging on boot if not present
## Scenario

Have an external device, encrypted with LUKS, automatically mount when inserted and not cause any issues if not present on boot.

> Most questions on this topic refer to mounting on boot - this is NOT what I am trying to do

Additionally, the mountpoint should be protected from accidental writes when the usb device is not present and I can do this with `chattr +i`

## Problem

1. When the external device is NOT mounted, any attempt to access the mountpoint will hang until timeout - this can cause system instability.
2. When the device is inserted, the passphrase is prompted for and device unlocked, but not mounted. I then have to mount the device manually with `mount /mnt/backup` or `mount /dev/mapper/fit` which appears to correctly use the fstab settings.

## Configuration

```
# /etc/crypttab
fit   UUID=xxxxxxxx-xxxxx-xxxxxxxx-xxxxxxxxxx none luks,noauto
```

```
# /etc/fstab
/dev/mapper/fit    /mnt/backup   ext4    noatime,user,noauto,x-systemd.automount,x-systemd.device-timeout=5ms,x-systemd.mount-timeout=100ms    0   0
```

> I happen to have a Samsung Fit usb flash drive if anyone was wondering about the name

## Accessing the mountpoint when the external device is NOT present
```
# Accessing the mountpoint when the drive is NOT plugged in
andy@pop-os:mnt$ ll
ls: cannot access 'backup': No such device
total 0
d????????? ? ? ? ?            ? backup/

andy@pop-os:mnt$ mountpoint /mnt/backup
/mnt/backup is a mountpoint
```

```
# journalctl
Jan 21 16:33:34 pop-os systemd: mnt-backup.automount: Got automount request for /mnt/backup, triggered by 5192 (ls)
Jan 21 16:33:34 pop-os systemd: dev-mapper-fit.device: Job dev-mapper-fit.device/start timed out.
Jan 21 16:33:34 pop-os systemd: Timed out waiting for device /dev/mapper/fit.
Jan 21 16:33:34 pop-os systemd: Dependency failed for /mnt/backup.
Jan 21 16:33:34 pop-os systemd: mnt-backup.mount: Job mnt-backup.mount/start failed with result 'dependency'.
Jan 21 16:33:34 pop-os systemd: dev-mapper-fit.device: Job dev-mapper-fit.device/start failed with result 'timeout'.
```

### Normal Removal Processes
```
# Absolute path is required if not using sudo (user was set in fstab)
andy@pop-os:mnt$ umount /mnt/backup

andy@pop-os:mnt$ sudo cryptsetup close fit

andy@pop-os:mnt$ sudo eject /dev/sdx
```

### Temporary Resolution

I can unmount the mountpoint (even though no device is mounted anyway) to temporarily fix this issue but it will come back after a system reboot or after mounting/unmounting the device again.
```
andy@pop-os:mnt$ sudo umount backup

andy@pop-os:mnt$ ll
total 4.0K
drwxr-xr-x 2 root root 4.0K Jan 19 10:16 backup/

andy@pop-os:mnt$ lsattr
----i---------e------- ./backup

andy@pop-os:~$ mountpoint /mnt/backup
/mnt/backup is not a mountpoint
```

If I use `noauto` and don't include `x-systemd.automount` then I avoid the problem of the directory being a mountpoint on boot when no device is present, but I also don't get automounting - although the device still unlocks.

## Mounting the external device

Passphrase is prompted for and device unlocked
```
andy@pop-os:mnt$ lsblk -f
NAME            FSTYPE      FSVER    LABEL     UUID                                   FSAVAIL FSUSE% MOUNTPOINTS
sdb             crypto_LUKS 2                  xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
└─fit           ext4        1.0                yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy

andy@pop-os:mnt$ ll backup/
ls: cannot access 'backup/': No such device
```

> Note that MOUNTPOINTS is empty
```
# journalctl -f
Jan 21 17:17:26 pop-os kernel: usb 6-2: new SuperSpeed USB device number 2 using xhci_hcd
Jan 21 17:17:26 pop-os kernel: usb 6-2: New USB device found, idVendor=090c, idProduct=1000, bcdDevice=11.00
Jan 21 17:17:26 pop-os kernel: usb 6-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jan 21 17:17:26 pop-os kernel: usb 6-2: Product: Flash Drive FIT
Jan 21 17:17:26 pop-os kernel: usb 6-2: Manufacturer: Samsung
Jan 21 17:17:26 pop-os kernel: usb 6-2: SerialNumber: 0123456789123
Jan 21 17:17:26 pop-os kernel: usb-storage 6-2:1.0: USB Mass Storage device detected
Jan 21 17:17:26 pop-os kernel: scsi host7: usb-storage 6-2:1.0
Jan 21 17:17:26 pop-os mtp-probe: checking bus 6, device 2: "/sys/devices/pci0000:00/0000:00:08.1/0000:0b:00.4/usb6/6-2"
Jan 21 17:17:26 pop-os mtp-probe: bus: 6, device: 2 was not an MTP device
Jan 21 17:17:26 pop-os mtp-probe: checking bus 6, device 2: "/sys/devices/pci0000:00/0000:00:08.1/0000:0b:00.4/usb6/6-2"
Jan 21 17:17:26 pop-os mtp-probe: bus: 6, device: 2 was not an MTP device
Jan 21 17:17:29 pop-os kernel: scsi 7:0:0:0: Direct-Access     Samsung  Flash Drive FIT  1100 PQ: 0 ANSI: 6
Jan 21 17:17:29 pop-os kernel: sd 7:0:0:0: Attached scsi generic sg1 type 0
Jan 21 17:17:29 pop-os kernel: sd 7:0:0:0: [sdb] 501253132 512-byte logical blocks: (257 GB/239 GiB)
Jan 21 17:17:29 pop-os kernel: sd 7:0:0:0: [sdb] Write Protect is off
Jan 21 17:17:29 pop-os kernel: sd 7:0:0:0: [sdb] Mode Sense: 43 00 00 00
Jan 21 17:17:29 pop-os kernel: sd 7:0:0:0: [sdb] Write cache: enabled, read cache: enabled, doesnt support DPO or FUA
Jan 21 17:17:29 pop-os kernel:  sdb: sdb1
Jan 21 17:17:29 pop-os kernel: sd 7:0:0:0: [sdb] Attached SCSI removable disk
Jan 21 17:17:41 pop-os systemd: Starting Cryptography Setup for fit...
Jan 21 17:17:41 pop-os systemd-cryptsetup: Volume fit already active.
Jan 21 17:17:41 pop-os systemd: Finished Cryptography Setup for fit.
Jan 21 17:17:41 pop-os systemd: Reached target Block Device Preparation for /dev/mapper/fit.
Jan 21 17:17:41 pop-os gnome-shell: Unable to mount volume 257 GB Encrypted: Gio.IOErrorEnum: Operation was cancelled
Jan 21 17:17:41 pop-os udisksd: Unlocked device /dev/sdb1 as /dev/dm-4
```

> Note that the second to last line "Operation was cancelled" is happening just before udisksd reports "Unlock device..."

I've tried this with two different devices, one with whole disk block encryption and the other with an encrypted partition, it makes no difference.

Sometimes moments later...
```
andy@pop-os:mnt$ mount /mnt/backup
mount: /mnt/backup: /dev/mapper/fit already mounted on /mnt/backup.
```

... but usually this just mounts the device as expected.

## Other Issues

- If I do not set [x-systemd.device-timeout](https://www.freedesktop.org/software/systemd/man/systemd.mount.html#x-systemd.automount) to something much less than the default 90s then my system will slowly become unresponsive and then crash. I thought systemd might be timing out waiting for me to type in my passphrase but longer timeouts didn't seem to help
- I copied the configuration from an old Ubuntu 22.04 system to Pop!_OS 22.04, I would sometimes see the question marks while listing the directory in the unmounted state but the auto-mount worked perfectly. On the old system I didn't set the immutable attribute on the mountpoint.

## Related

- [mount-error-when-automounting-a-luks-encrypted-usb-flashdrive](https://unix.stackexchange.com/questions/281349/mount-error-when-automounting-a-luks-encrypted-usb-flashdrive) - different errors and method of mounting
- [Automounting USB sticks on Debian](https://unix.stackexchange.com/a/346830/458741) - uses a slightly different method with `nofail` instead of `noauto` but unfortunately doesn't answer my question
- I can get more information with `systemctl show mnt-backup.mount` but this hasn't helped me
- The man page for [fstab](https://wiki.archlinux.org/title/fstab) says what to do for external devices but these settings don't auto mount the device and do cause the boot process to hang

---

So, why does accessing the mountpoint try to access the device after it has been unmounted resulting in ?????????, and why does it not automount correctly when the device is inserted? Between the old fstab and new systemd I can't seem to find the magic variables. Would also be useful to know why the system crashes if I don't set the device timeout?

---

### Update August 2023

[mount-vs-automount-systemd-units...](https://unix.stackexchange.com/questions/570958/mount-vs-automount-systemd-units-which-one-to-use-for-what) explains the ????? as the .automount unit attempts to open the mountpoint on access.

I have still been unable to achieve the behaviour I want though, and wonder if it is because without configuring anything udev is used and then the only problem is being able to customise the directory used as a mountpoint. As soon as an fstab entry is made, `/run/systemd/generator` systemd units are made and the behaviour changes.

There also seems to be a problem on my new system with plymouth as this spits out errors while systemd uses 100% CPU and hangs the system. This doesn't happen on my old laptop.
a2k42 (131 rep)
Jan 22, 2023, 12:21 AM • Last activity: Jun 10, 2025, 01:06 PM
4 votes
2 answers
2211 views
Linux Mint MATE: Disable encrypted volume password dialog
I'm running the MATE edition of Linux Mint on my laptop. I have an external USB disk with a LUKS container on it. The USB disk is connected to the laptop's docking station. Whenever I connect the laptop to the docking station, MATE pops up a window which says, "Enter a password to unlock the volume" along with a text field and options to forget the password immediately, remember until logout, or remember forever. (Not "don't show me this popup again," which is what I would prefer.) Under normal use, I want to have this external USB disk unmounted and idle. I have a cron job which unlocks the disk via a key file, mounts the partition, and runs an automated backup. I don't want this partition to be mounted all the time, nor do I want it to be accessible to my ordinary (non-privileged) user account. Is there any way to tell gvfs (or whatever is doing this) to please stop showing me the "enter password" dialog every time I dock my laptop to the docking station?
eil (393 rep)
Feb 3, 2014, 02:38 AM • Last activity: May 28, 2025, 12:01 AM