Garuda boots in qwerty making it hard to decrypt my LUKS partition

What happens
On boot, I am prompted to decrypt my LUKS partition with my passphrase. The keyboard layout is qwerty, while I use azerty.
When I type in my passphrase and it fails (because it is in qwerty), I’m prompted with:

error: access denied.
error disk 'cryptouuid/whateverbigid' not found.
Entering rescue mode...
grub rescue >

I’m not sure how relevant this is. It may belong to another issue but I wanted to provide as much information as I can.

What I tried
I’ve checked vconsole.conf. It is fine:

FONT=ter-220n
KEYMAP=fr

I’ve seen things about mkinitcpio but I’m not concerned as I have Dracut.
I added /etc/vconsole.conf in install_items+= in /etc/dracut.conf.d/calamares-luks.conf then rebooted but it didn’t fix the issue.

garuda-inxi content

 System:
  Kernel: 6.1.69-1-lts arch: x86_64 bits: 64 compiler: gcc v: 13.2.1
    clocksource: tsc available: acpi_pm
    parameters: BOOT_IMAGE=/@/boot/vmlinuz-linux-lts
    root=UUID=92c43eb7-b450-427a-bdef-7908b67325bf rw rootflags=subvol=@
    quiet rd.luks.uuid=f0c06df4-c37c-4b4b-be44-1a0989006f94
    rd.luks.uuid=d47b0d44-e52a-4d69-a1b0-fb89fe282926
    resume=/dev/mapper/luks-d47b0d44-e52a-4d69-a1b0-fb89fe282926 loglevel=3
    ibt=off
  Desktop: Xfce v: 4.18.1 tk: Gtk v: 3.24.36 info: xfce4-panel wm: xfwm
    v: 4.18.0 vt: 7 dm: LightDM v: 1.32.0 Distro: Garuda Linux base: Arch Linux
Machine:
  Type: Laptop System: LENOVO product: 20HRCTO1WW v: ThinkPad X1 Carbon 5th
    serial: <superuser required> Chassis: type: 10 serial: <superuser required>
  Mobo: LENOVO model: 20HRCTO1WW v: SDK0J40709 WIN
    serial: <superuser required> UEFI: LENOVO v: N1MET37W (1.22 )
    date: 07/04/2017
Battery:
  ID-1: BAT0 charge: 46.6 Wh (97.9%) condition: 47.6/57.0 Wh (83.4%)
    volts: 12.8 min: 11.6 model: LGC 01AV494 type: Li-poly serial: <filter>
    status: not charging cycles: 354
CPU:
  Info: model: Intel Core i7-7600U bits: 64 type: MT MCP arch: Amber/Kaby Lake
    note: check gen: core 7 level: v3 note: check built: 2017
    process: Intel 14nm family: 6 model-id: 0x8E (142) stepping: 9
    microcode: 0xF4
  Topology: cpus: 1x cores: 2 tpc: 2 threads: 4 smt: enabled cache:
    L1: 128 KiB desc: d-2x32 KiB; i-2x32 KiB L2: 512 KiB desc: 2x256 KiB
    L3: 4 MiB desc: 1x4 MiB
  Speed (MHz): avg: 500 high: 600 min/max: 400/3900 scaling:
    driver: intel_pstate governor: powersave cores: 1: 400 2: 400 3: 600 4: 600
    bogomips: 23209
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
  Vulnerabilities: <filter>
Graphics:
  Device-1: Intel HD Graphics 620 vendor: Lenovo ThinkPad X1 Carbon 5th Gen
    driver: i915 v: kernel arch: Gen-9.5 process: Intel 14nm built: 2016-20
    ports: active: HDMI-A-1,eDP-1 empty: DP-1,DP-2 bus-ID: 00:02.0
    chip-ID: 8086:5916 class-ID: 0300
  Device-2: Chicony Integrated IR Camera driver: uvcvideo type: USB rev: 2.0
    speed: 480 Mb/s lanes: 1 mode: 2.0 bus-ID: 1-5:3 chip-ID: 04f2:b5cf
    class-ID: 0e02
  Device-3: Chicony Integrated Camera driver: uvcvideo type: USB rev: 2.0
    speed: 480 Mb/s lanes: 1 mode: 2.0 bus-ID: 1-8:5 chip-ID: 04f2:b5ce
    class-ID: 0e02
  Display: x11 server: X.Org v: 21.1.10 compositor: xfwm v: 4.18.0 driver:
    X: loaded: modesetting alternate: fbdev,intel,vesa dri: iris gpu: i915
    display-ID: :0.0 screens: 1
  Screen-1: 0 s-res: 3840x1080 s-dpi: 96 s-size: 1016x286mm (40.00x11.26")
    s-diag: 1055mm (41.55")
  Monitor-1: HDMI-A-1 mapped: HDMI-1 pos: right model: Philips PHL 247E6
    serial: <filter> built: 2016 res: 1920x1080 hz: 60 dpi: 94 gamma: 1.2
    size: 521x293mm (20.51x11.54") diag: 598mm (23.5") ratio: 16:9 modes:
    max: 1920x1080 min: 720x400
  Monitor-2: eDP-1 pos: primary,left model: BOE Display 0x06df built: 2016
    res: 1920x1080 hz: 60 dpi: 158 gamma: 1.2 size: 309x173mm (12.17x6.81")
    diag: 354mm (13.9") ratio: 16:9 modes: 1920x1080
  API: Vulkan v: 1.3.274 layers: 5 device: 0 type: integrated-gpu name: Intel
    HD Graphics 620 (KBL GT2) driver: mesa intel v: 23.3.2-arch1.2
    device-ID: 8086:5916 surfaces: xcb,xlib device: 1 type: cpu name: llvmpipe
    (LLVM 16.0.6 256 bits) driver: mesa llvmpipe v: 23.3.2-arch1.2 (LLVM
    16.0.6) device-ID: 10005:0000 surfaces: xcb,xlib
  API: OpenGL Message: Unable to show GL data. glxinfo is missing.
Audio:
  Device-1: Intel Sunrise Point-LP HD Audio vendor: Lenovo ThinkPad X1 Carbon
    5th Gen driver: snd_hda_intel v: kernel alternate: snd_soc_skl,snd_soc_avs
    bus-ID: 00:1f.3 chip-ID: 8086:9d71 class-ID: 0403
  Device-2: Logitech G735 Gaming Headset
    driver: hid-generic,snd-usb-audio,usbhid type: USB rev: 2.0 speed: 12 Mb/s
    lanes: 1 mode: 1.1 bus-ID: 1-1:2 chip-ID: 046d:0ad8 class-ID: 0102
  Device-3: DisplayLink ThinkPad Hybrid USB-C with USB-A Dock
    driver: snd-usb-audio type: USB rev: 3.2 speed: 5 Gb/s lanes: 1
    mode: 3.2 gen-1x1 bus-ID: 4-1.2:3 chip-ID: 17e9:6015 class-ID: 0102
    serial: <filter>
  API: ALSA v: k6.1.69-1-lts status: kernel-api tools: N/A
  Server-1: PipeWire v: 1.0.0 status: active with: 1: pipewire-pulse
    status: active 2: wireplumber status: active 3: pipewire-alsa type: plugin
    4: pw-jack type: plugin tools: pactl,pw-cat,pw-cli,wpctl
Network:
  Device-1: Intel Ethernet I219-LM vendor: Lenovo driver: e1000e v: kernel
    port: N/A bus-ID: 00:1f.6 chip-ID: 8086:15d7 class-ID: 0200
  IF: enp0s31f6 state: down mac: <filter>
  Device-2: Intel Wireless 8265 / 8275 driver: iwlwifi v: kernel pcie:
    gen: 1 speed: 2.5 GT/s lanes: 1 bus-ID: 04:00.0 chip-ID: 8086:24fd
    class-ID: 0280
  IF: wlp4s0 state: up mac: <filter>
  Device-3: Lenovo ThinkPad Lan driver: cdc_ether type: USB rev: 3.0
    speed: 5 Gb/s lanes: 1 mode: 3.2 gen-1x1 bus-ID: 4-1.3:4 chip-ID: 17ef:a359
    class-ID: 0a00 serial: <filter>
  IF: enp60s0u1u3c2 state: down mac: <filter>
Bluetooth:
  Device-1: Intel Bluetooth wireless interface driver: btusb v: 0.8 type: USB
    rev: 2.0 speed: 12 Mb/s lanes: 1 mode: 1.1 bus-ID: 1-7:4 chip-ID: 8087:0a2b
    class-ID: e001
  Report: btmgmt ID: hci0 rfk-id: 1 state: up address: <filter> bt-v: 4.2
    lmp-v: 8 status: discoverable: no pairing: no class-ID: 7c010c
Drives:
  Local Storage: total: 953.87 GiB used: 32.83 GiB (3.4%)
  SMART Message: Required tool smartctl not installed. Check --recommends
  ID-1: /dev/nvme0n1 maj-min: 259:0 vendor: Samsung
    model: MZVLW1T0HMLH-000L7 size: 953.87 GiB block-size: physical: 512 B
    logical: 512 B speed: 31.6 Gb/s lanes: 4 tech: SSD serial: <filter>
    fw-rev: 6L7QCXY7 temp: 36.9 C scheme: GPT
Partition:
  ID-1: / raw-size: 936.65 GiB size: 936.65 GiB (100.00%)
    used: 32.83 GiB (3.5%) fs: btrfs dev: /dev/dm-1 maj-min: 254:1
    mapped: luks-f0c06df4-c37c-4b4b-be44-1a0989006f94
  ID-2: /boot/efi raw-size: 300 MiB size: 299.4 MiB (99.80%)
    used: 728 KiB (0.2%) fs: vfat dev: /dev/nvme0n1p1 maj-min: 259:1
  ID-3: /home raw-size: 936.65 GiB size: 936.65 GiB (100.00%)
    used: 32.83 GiB (3.5%) fs: btrfs dev: /dev/dm-1 maj-min: 254:1
    mapped: luks-f0c06df4-c37c-4b4b-be44-1a0989006f94
  ID-4: /var/log raw-size: 936.65 GiB size: 936.65 GiB (100.00%)
    used: 32.83 GiB (3.5%) fs: btrfs dev: /dev/dm-1 maj-min: 254:1
    mapped: luks-f0c06df4-c37c-4b4b-be44-1a0989006f94
  ID-5: /var/tmp raw-size: 936.65 GiB size: 936.65 GiB (100.00%)
    used: 32.83 GiB (3.5%) fs: btrfs dev: /dev/dm-1 maj-min: 254:1
    mapped: luks-f0c06df4-c37c-4b4b-be44-1a0989006f94
Swap:
  Kernel: swappiness: 133 (default 60) cache-pressure: 100 (default) zswap: no
  ID-1: swap-1 type: partition size: 16.91 GiB used: 0 KiB (0.0%)
    priority: -2 dev: /dev/dm-0 maj-min: 254:0
    mapped: luks-d47b0d44-e52a-4d69-a1b0-fb89fe282926
  ID-2: swap-2 type: zram size: 15.37 GiB used: 0 KiB (0.0%) priority: 100
    comp: zstd avail: lzo,lzo-rle,lz4,lz4hc,842 max-streams: 4 dev: /dev/zram0
Sensors:
  System Temperatures: cpu: 58.0 C mobo: N/A
  Fan Speeds (rpm): N/A
Info:
  Processes: 252 Uptime: 32m wakeups: 0 Memory: total: 16 GiB note: est.
  available: 15.38 GiB used: 4.59 GiB (29.9%) Init: systemd v: 255
  default: graphical tool: systemctl Compilers: gcc: 13.2.1 Packages:
  pm: pacman pkgs: 1344 libs: 421 tools: paru,yay Shell: Zsh v: 5.9
  running-in: terminator inxi: 3.3.31
Garuda (2.6.22-1):
  System install date:     2023-11-21
  Last full system update: 2024-01-02
  Is partially upgraded:   No
  Relevant software:       snapper NetworkManager dracut
  Windows dual boot:       No/Undetected
  Failed units:

Thanks for your help !

Maybe, I don’t know: Keyboard Layout [closed] / Newbie Corner / Arch Linux Forums

After making a change to the dracut configuration you must rebuild the initramfs.

sudo dracut-rebuild

Then reboot, and test again.

1 Like

Tested this. Didn’t work. :confused:

Check if this is a valid keymap by running:

localectl list-keymaps

I don’t think this will work as expected since this would only take place once the initramfs starts. If you went for full disk encryption, something before initramfs unlocks the drive (which is also why it takes quite long compared to regular decryption - the kernel modules aren’t available) afaik.

2 Likes

It is listed in the choices of the command you provided so I confirm fr is a valid keymap.

My understanding is dracut should automatically include /etc/vconsole.conf in the initramfs. The file just needs to exist, and then the initramfs be rebuilt. Including an install_items+= shouldn’t even be needed.

See this topic, for example: Dracut ignores /etc/vconsole.conf - EndeavourOS installation - EndeavourOS

Is it Grub?

You could try something like this, in /etc/default/grub:

GRUB_CMDLINE_LINUX="rd.vconsole.keymap=fr"

Then regenerate the Grub configuration file.

sudo update-grub
1 Like

5 Using a custom keyboard layout
GRUB uses the US keyboard layout by default. Alternative layouts for the LUKS passphrase prompts can’t be loaded from /boot or the root file system, as the underlying devices haven’t been mapped yet at that stage. If you require another layout to type in your passphrase, then you’ll need to manually generate the core image using grub-mkimage(1). A possible solution is to embed a memdisk containing the keymap inside the core image.

Create a memdisk (in GNU tar format) with the desired keymap, for instance dvorak’s. (The XKB keyboard layout and variant passed to grub-kbdcomp(1) are described in the setxkbmap(1) manual.)

root@debian:~# memdisk="$(mktemp --tmpdir --directory)"
root@debian:~# grub-kbdcomp -o "$memdisk/keymap.gkb" us dvorak
root@debian:~# tar -C "$memdisk" -cf /boot/grub/memdisk.tar .
Generate an early configuration file to embed inside the image.

root@debian:~# uuid="$(blkid -o value -s UUID /dev/sda1)"
root@debian:~# cat >/etc/early-grub.cfg <<-EOF
terminal_input --append at_keyboard
keymap (memdisk)/keymap.gkb
cryptomount -u ${uuid//-/}

set root=(cryptouuid/${uuid//-/})
set prefix=/grub
configfile grub.cfg
EOF
Note: This is for the case of a separate /boot partition. If /boot resides on the root file system, then replace /dev/sda1 with /dev/sda5 (the LUKS device holding the root file system) and set prefix=/boot/grub; if it’s in a logical volume you’ll also need to set root=(lvm/DMNAME).

Note: You might need to remove the first line if you use a USB keyboard, or tweak it if GRUB doesn’t see any PC/AT keyboard among its available terminal input devices. Start by specifying terminal_input in an interactive GRUB shell in order to determine the suitable input device. (Choosing an incorrect device might prevent unlocking if no input can be entered.)

from here :eyes:

2 Likes

Certainly not a fix, but perhaps an adequate workaround.

Switch your password to a strictly numerical password.

Unless you are worried about corporate espionage, or state sponsored security agencies decrypting your computer this should still provide a strong enough password for a reasonable level of security. :smile:

4 Likes
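
Added example (not from any poster in this thread): the quoted Debian documentation says GRUB uses the US layout by default, so this sketch translates a passphrase as typed on a French AZERTY keyboard into the characters GRUB receives for the same keystrokes, and flags passphrases that come out identical under both layouts. The key table is an assumption (standard French PC AZERTY, number-row digits typed with Shift, no dead keys or numpad), and the function names are hypothetical.

```python
import string

# One tuple per physical key (assumed standard French PC AZERTY):
# (AZERTY plain, AZERTY shifted, US plain, US shifted)
KEYS = [
    ("&", "1", "1", "!"), ("é", "2", "2", "@"), ('"', "3", "3", "#"),
    ("'", "4", "4", "$"), ("(", "5", "5", "%"), ("-", "6", "6", "^"),
    ("è", "7", "7", "&"), ("_", "8", "8", "*"), ("ç", "9", "9", "("),
    ("à", "0", "0", ")"), (")", "°", "-", "_"), ("=", "+", "=", "+"),
    ("a", "A", "q", "Q"), ("z", "Z", "w", "W"), ("$", "£", "]", "}"),
    ("q", "Q", "a", "A"), ("m", "M", ";", ":"), ("ù", "%", "'", '"'),
    ("*", "µ", "\\", "|"), ("w", "W", "z", "Z"), (",", "?", "m", "M"),
    (";", ".", ",", "<"), (":", "/", ".", ">"), ("!", "§", "/", "?"),
]

FR_TO_US = {}
for fr_plain, fr_shift, us_plain, us_shift in KEYS:
    FR_TO_US[fr_plain] = us_plain
    FR_TO_US[fr_shift] = us_shift
# Every other letter, and the space bar, sits on the same key in both layouts.
for ch in string.ascii_letters + " ":
    FR_TO_US.setdefault(ch, ch)


def as_seen_by_grub(passphrase):
    """Return what a US-layout prompt receives for AZERTY keystrokes."""
    unknown = sorted({c for c in passphrase if c not in FR_TO_US})
    if unknown:
        # Refuse to guess for dead keys, AltGr characters, etc.
        raise ValueError("no known key for: " + "".join(unknown))
    return "".join(FR_TO_US[c] for c in passphrase)


def layout_safe(passphrase):
    """True if the passphrase is identical under both layouts."""
    return as_seen_by_grub(passphrase) == passphrase


if __name__ == "__main__":
    # Constructed sample inputs, not real passphrases.
    for sample in ("azerty", "2024", "trouble deck", "Mot,de;passe!"):
        print(repr(sample), "->", repr(as_seen_by_grub(sample)),
              "safe" if layout_safe(sample) else "differs")
```

A passphrase reported as "differs" fails at the GRUB prompt even when typed correctly; the translated string is what an additional keyslot (for example via `cryptsetup luksAddKey`) would need to hold for the same keystrokes to unlock the volume. Run it locally on a trusted machine and do not leave a real passphrase in shell history.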
