Ask for the decryption key after grub

Garuda inxi:

System:
Kernel: 6.8.9-zen1-2-zen arch: x86_64 bits: 64 compiler: gcc v: 14.1.1
clocksource: hpet avail: acpi_pm
parameters: BOOT_IMAGE=/@/boot/vmlinuz-linux-zen
root=UUID=37143950-d1f3-4a2a-8cb8-05120360fc01 rw rootflags=subvol=@
rd.luks.uuid=9c588456-2255-4964-b21f-0d2a956fab7a loglevel=3yz
plymouth.enable=0 disablehooks=plymouth ibt=off
Desktop: KDE Plasma v: 6.0.4 tk: Qt v: N/A info: frameworks v: 6.1.0
wm: kwin_wayland vt: 1 dm: SDDM Distro: Garuda base: Arch Linux
Machine:
Type: Laptop System: HUAWEI product: KLVL-WXX9 v: M1560
serial: <superuser required>
Mobo: HUAWEI model: KLVL-WXX9-PCB v: M1560 serial: <superuser required>
part-nu: C100 uuid: <superuser required> UEFI: HUAWEI v: 1.06
date: 09/14/2020
Battery:
ID-1: BAT0 charge: 9.5 Wh (19.1%) condition: 49.8/54.9 Wh (90.6%) volts: 7.0
min: 7.6 model: DYNAPACK HB4593R1ECW-22T0 type: Li-ion serial: <filter>
status: discharging cycles: 392
Device-1: hidpp_battery_0 model: Logitech Wireless Mouse MX Master 3
serial: <filter> charge: 100% (should be ignored) rechargeable: yes
status: discharging
CPU:
Info: model: AMD Ryzen 7 4800H with Radeon Graphics bits: 64 type: MT MCP
arch: Zen 2 gen: 3 level: v3 note: check built: 2020-22
process: TSMC n7 (7nm) family: 0x17 (23) model-id: 0x60 (96) stepping: 1
microcode: 0x8600104
Topology: cpus: 1x cores: 8 tpc: 2 threads: 16 smt: enabled cache:
L1: 512 KiB desc: d-8x32 KiB; i-8x32 KiB L2: 4 MiB desc: 8x512 KiB L3: 8 MiB
desc: 2x4 MiB
Speed (MHz): avg: 2829 high: 4270 min/max: 1400/2900 boost: enabled
scaling: driver: acpi-cpufreq governor: performance cores: 1: 2900 2: 2900
3: 2900 4: 1903 5: 2900 6: 4270 7: 2900 8: 2900 9: 2900 10: 2900 11: 2900
12: 2900 13: 2900 14: 2900 15: 2900 16: 1397 bogomips: 92622
Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm
Vulnerabilities: <filter>
Graphics:
Device-1: AMD Renoir [Radeon RX Vega 6 ] vendor: Huaqin driver: amdgpu
v: kernel arch: GCN-5 code: Vega process: GF 14nm built: 2017-20 pcie:
gen: 4 speed: 16 GT/s lanes: 16 ports: active: eDP-1 empty: DP-1,HDMI-A-1
bus-ID: 04:00.0 chip-ID: 1002:1636 class-ID: 0300 temp: 61.0 C
Device-2: IMC Networks HD Camera driver: uvcvideo type: USB rev: 2.0
speed: 480 Mb/s lanes: 1 mode: 2.0 bus-ID: 3-4:3 chip-ID: 13d3:5451
class-ID: 0e02 serial: <filter>
Display: wayland server: X.org v: 1.21.1.13 with: Xwayland v: 23.2.6
compositor: kwin_wayland driver: X: loaded: amdgpu unloaded: modesetting
alternate: fbdev,vesa dri: radeonsi gpu: amdgpu display-ID: 0
Monitor-1: eDP-1 res: 1800x1200 size: N/A modes: N/A
API: EGL v: 1.5 hw: drv: amd radeonsi platforms: device: 0 drv: radeonsi
device: 1 drv: swrast surfaceless: drv: radeonsi wayland: drv: radeonsi x11:
drv: radeonsi inactive: gbm
API: OpenGL v: 4.6 compat-v: 4.5 vendor: amd mesa v: 24.0.6-arch1.2
glx-v: 1.4 direct-render: yes renderer: AMD Radeon Graphics (radeonsi
renoir LLVM 17.0.6 DRM 3.57 6.8.9-zen1-2-zen) device-ID: 1002:1636
memory: 500 MiB unified: no display-ID: :1.0
API: Vulkan v: 1.3.279 layers: 13 device: 0 type: integrated-gpu name: AMD
Radeon Graphics (RADV RENOIR) driver: mesa radv v: 24.0.6-arch1.2
device-ID: 1002:1636 surfaces: xcb,xlib,wayland device: 1 type: cpu
name: llvmpipe (LLVM 17.0.6 256 bits) driver: mesa llvmpipe
v: 24.0.6-arch1.2 (LLVM 17.0.6) device-ID: 10005:0000
surfaces: xcb,xlib,wayland
Audio:
Device-1: AMD Renoir Radeon High Definition Audio vendor: Huaqin
driver: snd_hda_intel v: kernel pcie: gen: 4 speed: 16 GT/s lanes: 16
bus-ID: 04:00.1 chip-ID: 1002:1637 class-ID: 0403
Device-2: AMD ACP/ACP3X/ACP6x Audio Coprocessor vendor: Huaqin driver: N/A
alternate: snd_pci_acp3x, snd_rn_pci_acp3x, snd_pci_acp5x, snd_pci_acp6x,
snd_acp_pci, snd_rpl_pci_acp6x, snd_pci_ps, snd_sof_amd_renoir,
snd_sof_amd_rembrandt, snd_sof_amd_vangogh, snd_sof_amd_acp63 pcie: gen: 4
speed: 16 GT/s lanes: 16 bus-ID: 04:00.5 chip-ID: 1022:15e2 class-ID: 0480
Device-3: AMD Family 17h/19h HD Audio vendor: Huaqin driver: snd_hda_intel
v: kernel pcie: gen: 4 speed: 16 GT/s lanes: 16 bus-ID: 04:00.6
chip-ID: 1022:15e3 class-ID: 0403
API: ALSA v: k6.8.9-zen1-2-zen status: kernel-api with: aoss
type: oss-emulator tools: N/A
Server-1: PipeWire v: 1.0.6 status: active with: 1: pipewire-pulse
status: active 2: wireplumber status: active 3: pipewire-alsa type: plugin
4: pw-jack type: plugin tools: pactl,pw-cat,pw-cli,wpctl
Network:
Device-1: Intel Wi-Fi 6E AX210/AX1675 2x2 [Typhoon Peak] driver: iwlwifi
v: kernel pcie: gen: 2 speed: 5 GT/s lanes: 1 bus-ID: 01:00.0
chip-ID: 8086:2725 class-ID: 0280
IF: wlp1s0 state: up mac: <filter>
IF-ID-1: br-362fc8bf733b state: down mac: <filter>
IF-ID-2: docker0 state: down mac: <filter>
Info: services: NetworkManager, smbd, systemd-timesyncd, wpa_supplicant
Bluetooth:
Device-1: Intel AX210 Bluetooth driver: btusb v: 0.8 type: USB rev: 2.0
speed: 12 Mb/s lanes: 1 mode: 1.1 bus-ID: 3-3:2 chip-ID: 8087:0032
class-ID: e001
Report: btmgmt ID: hci0 rfk-id: 0 state: up address: <filter> bt-v: 5.3
lmp-v: 12 status: discoverable: no pairing: no class-ID: 7c010c
Drives:
Local Storage: total: 931.51 GiB used: 136.98 GiB (14.7%)
SMART Message: Unable to run smartctl. Root privileges required.
ID-1: /dev/nvme0n1 maj-min: 259:0 vendor: Samsung model: SSD 980 1TB
size: 931.51 GiB block-size: physical: 512 B logical: 512 B speed: 31.6 Gb/s
lanes: 4 tech: SSD serial: <filter> fw-rev: 2B4QFXO7 temp: 49.9 C
scheme: GPT
Partition:
ID-1: / raw-size: 931.01 GiB size: 931.01 GiB (100.00%)
used: 136.89 GiB (14.7%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
mapped: luks-9c588456-2255-4964-b21f-0d2a956fab7a
ID-2: /boot/efi raw-size: 512 MiB size: 511 MiB (99.80%)
used: 90.4 MiB (17.7%) fs: vfat dev: /dev/nvme0n1p1 maj-min: 259:1
ID-3: /home raw-size: 931.01 GiB size: 931.01 GiB (100.00%)
used: 136.89 GiB (14.7%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
mapped: luks-9c588456-2255-4964-b21f-0d2a956fab7a
ID-4: /var/log raw-size: 931.01 GiB size: 931.01 GiB (100.00%)
used: 136.89 GiB (14.7%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
mapped: luks-9c588456-2255-4964-b21f-0d2a956fab7a
ID-5: /var/tmp raw-size: 931.01 GiB size: 931.01 GiB (100.00%)
used: 136.89 GiB (14.7%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
mapped: luks-9c588456-2255-4964-b21f-0d2a956fab7a
Swap:
Kernel: swappiness: 133 (default 60) cache-pressure: 100 (default) zswap: no
ID-1: swap-1 type: zram size: 15 GiB used: 0 KiB (0.0%) priority: 100
comp: zstd avail: lzo,lzo-rle,lz4,lz4hc,842 max-streams: 16 dev: /dev/zram0
Sensors:
System Temperatures: cpu: 93.9 C mobo: N/A gpu: amdgpu temp: 61.0 C
Fan Speeds (rpm): N/A
Info:
Memory: total: 16 GiB note: est. available: 15 GiB used: 5.31 GiB (35.4%)
Processes: 426 Power: uptime: 12m states: freeze,mem,disk suspend: deep
avail: s2idle wakeups: 0 hibernate: platform avail: shutdown, reboot,
suspend, test_resume image: 5.98 GiB services: org_kde_powerdevil,
power-profiles-daemon, upowerd Init: systemd v: 255 default: graphical
tool: systemctl
Packages: 2155 pm: pacman pkgs: 2150 libs: 594
tools: gnome-software,octopi,paru pm: flatpak pkgs: 5 Compilers:
clang: 17.0.6 gcc: 14.1.1 Shell: garuda-inxi default: fish v: 3.7.1
running-in: konsole inxi: 3.3.34
Garuda (2.6.26-1):
System install date:     2024-04-07
Last full system update: 2024-05-12 ↻
Is partially upgraded:   No
Relevant software:       snapper NetworkManager dracut
Windows dual boot:       No/Undetected
Failed units:

So, my issue is that I have no idea how to configure Plymouth/GRUB correctly.
First of all: my installation is encrypted with the settings the Calamares/Garuda installer uses.
The goal:

  • System starts
  • grub shows up
  • I select linux partition
  • Plymouth starts and shows the selected theme and asks for the decryption password (the same way Ubuntu or Nobara ask for the decryption key)

What it does:

  • System starts
  • The decryption key is asked for in a command-line-like prompt in the top right corner
  • grub starts
  • the plymouth theme starts for some reason which makes me just wait. It’s not asking for anything

Since it doesn’t work I disabled it with the kernel parameters.
I tried to just follow the Arch Wiki entry for this. On an Arch installation it actually worked, too. I installed it with the Arch install script and its default settings for btrfs and encryption.

This only works when you have either /boot or /boot/efi containing the initrd in a separate partition. Otherwise it needs GRUB to unlock the partition containing the needed files to boot up. If that’s the case, you wouldn’t be able to profit from snapshots.

Ok. Could you explain what I would need to do to change it, even if I can’t use snapshots anymore?
I mean, the partitioning looks right to me:

[🔴] × lsblk
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
zram0                                         253:0    0    15G  0 disk  [SWAP]
nvme0n1                                       259:0    0 931,5G  0 disk
├─nvme0n1p1                                   259:1    0   512M  0 part  /boot/efi
└─nvme0n1p2                                   259:2    0   931G  0 part
  └─luks-9c588456-2255-4964-b21f-0d2a956fab7a 254:0    0   931G  0 crypt /var/tmp
                                                                         /var/log
                                                                         /var/cache
                                                                         /srv
                                                                         /root
                                                                         /home
                                                                         /

But how do I do the initrd stuff? What even is that? I just heard of initramfs and dracut as alternatives. What is initrd doing? Sorry for the questions.

How did you set it up on your Arch installation? With a separate partition for /boot?

The Calamares installer is kind of limited with the encryption setups it will configure for you. It is basically full disk encryption or nothing. If you want an encrypted root but unencrypted /boot, set up a separate /boot partition in the installer but leave encryption out of it altogether and just set it up afterward like this: dm-crypt/Device encryption - ArchWiki

1 Like

Could you explain why I wouldn’t be able to use snapshots anymore when I, let’s say, have an unencrypted boot partition and an encrypted root partition? What is needed to be able to use snapshots?

That’s not quite right. You would still be able to use snapshots. You would still get automatic snapshots of the root subvolume before and after Pacman transactions with snap-pac, and you could restore those snapshots manually or with Btrfs Assistant like normal. You could also create a Snapper config for your boot subvolume and get snapshots for that going as well.

The feature which would be lost is the ability to boot into snapshots with grub-btrfs. The reason for this is simple: the kernels and initramfs images are stored in /boot.

Btrfs snapshots are a snapshot of the filesystem, and a separate partition means a separate filesystem. In the setup you are describing, this means Btrfs snapshots of / would not include /boot. If you upgraded the kernel and attempted to boot to a snapshot from before you did that, the boot would fail because the kernel relevant for that snapshot would no longer be found.

If you had a setup like this you could still “rollback” with snapshots using other methods. For example, you could boot to the live environment, mount the Btrfs partition, and restore the snapshots of / and /boot (separately) from Btrfs Assistant or the command line. Or, if you had a multiboot setup with more than one Linux distro, you could just boot to another distro and do it from there. But booting into snapshots from Grub would definitely not work in situations where the kernel in /boot was different than the one the snapshot is expecting.

3 Likes
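
The distinction the replies above draw (GRUB has to unlock the container when /boot lives inside it, otherwise the initramfs can ask for the key) can be checked from the mount table. This is an added example, not code from any post in this thread. The function names, the shortened sample mount lines and the split layout with nvme0n1p2 as /boot are assumptions, as is the premise that the kernel and initramfs are in /boot (as the BOOT_IMAGE parameter in the inxi output shows) and that the filesystem sits directly on the LUKS mapping.

```sh
#!/bin/sh
# Added example: which boot stage has to ask for the LUKS passphrase?
# Works on text, so it runs offline on the constructed samples below. On a
# live system pass "$(cat /proc/self/mounts)" and "$(lsblk -rno NAME,TYPE)".

# fs_source MOUNTS PATH: source device of the filesystem that holds PATH
# (the longest mount point that is a prefix of PATH wins).
fs_source() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { m = $2
          if (m == "/" || p == m || index(p, m "/") == 1)
              if (length(m) > best) { best = length(m); src = $1 } }
        END { print src }'
}

# prompt_stage MOUNTS BLOCKDEVS: prints "grub" or "initramfs".
# Assumes the filesystem sits directly on the LUKS mapping (no LVM layer).
prompt_stage() {
    src=$(fs_source "$1" /boot)
    name=${src##*/}          # /dev/mapper/luks-... -> luks-...
    devtype=$(printf '%s\n' "$2" | awk -v n="$name" '$1 == n { print $2 }')
    if [ "$devtype" = crypt ]; then
        echo grub            # kernel and initramfs are inside the container
    else
        echo initramfs       # /boot is readable, so the initramfs can prompt
    fi
}

# Constructed sample data modelled on the thread (mount options shortened).
LUKS=luks-9c588456-2255-4964-b21f-0d2a956fab7a
# Layout from the lsblk output in the thread: /boot is a directory on /.
MOUNTS_CURRENT="/dev/mapper/$LUKS / btrfs rw 0 0
/dev/nvme0n1p1 /boot/efi vfat rw 0 0
/dev/mapper/$LUKS /home btrfs rw 0 0"
# Hypothetical layout with a separate, unencrypted /boot partition.
MOUNTS_SPLIT="/dev/mapper/$LUKS / btrfs rw 0 0
/dev/nvme0n1p2 /boot ext4 rw 0 0
/dev/nvme0n1p1 /boot/efi vfat rw 0 0"
# NAME TYPE pairs; nvme0n1p3 exists only in the hypothetical layout.
BLOCKDEVS="nvme0n1 disk
nvme0n1p1 part
nvme0n1p2 part
nvme0n1p3 part
$LUKS crypt"

echo "layout in thread: $(prompt_stage "$MOUNTS_CURRENT" "$BLOCKDEVS")"
echo "separate /boot:   $(prompt_stage "$MOUNTS_SPLIT" "$BLOCKDEVS")"
```

A result of `grub` means the passphrase prompt appears before the GRUB menu and Plymouth cannot draw it; `initramfs` means the prompt comes after the menu entry is selected.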