/home decryption prompt not shown at startup

Hello there

I noticed that if you crypt your /home partition and start with the default quiet splash parameters, you don't see the system actually asking for the decryption passphrase. Instead, the splash screen keeps on spinning as if boot is still processing. Note that at this time, you can blindly type in your passphrase and hit Enter anyway, and it will work, but it's kinda missing a prompt.

I noticed this behaviour on both Xfce and KDE Dragonized versions, and removed the quiet splash parameters from GRUB so I'm fine, but new users willing to secure their documents might think the install is broken.

When the splash screen is visible, you can press ESC or "down arrow" to be able to see the query.

We have already added the hint text some time ago.
So "new" users are fine :slight_smile:

2 Likes

Any reason for not choosing full disk encryption? Here the prompt comes up immediately after starting the machine. :eyes:

3 Likes

Hum I never noticed the hint, and I ran into this with a fresh install from yesterday. I might have been distracted. I'll check again

As far as I understood it, btrfs snapshots (timeshift) on encrypted drives are impossible. As it's a must-have feature for me, I went with root FS clear and /home encrypted

They are possible though, I've been using FDE myself for a long time :slight_smile:

2 Likes

There are more?

2021/11/17

1 Like

Ok. I will try this next time.

I'm used to a separate /home partition for easier data recovery in case of a huge problem, but I guess snapshots limit the risks of such problems anyway.

I'll check sometime soon and this hint may very well be present and I absentmindedly ignored it.

However, this hint does not really cover the absence of a passphrase prompt, in my opinion. Agreed, I might as well switch to FDE and be done with it, but still, why a prompt appears for FDE but not for /home encryption might be a good question.

Even if you use manual partitioning with separate partitions, if you encrypt both / and /home the problem will be solved.

That being said, the question of why only encrypting /home fails to prompt you to decrypt seems to be a fair one.

With all due respect, what kind of “new user” is going to have the knowledge to encrypt just their /home, but not the knowledge they can Esc the splash?

1 Like

Well, me, for starters.

First Garuda install actually went well with this very setting, but upon rebooting and seeing the splash screen running around endlessly I thought I might have screwed something up and reinstalled from scratch.

It might be that at that time the hint was not visible (around June or July '21) or I completely missed it.

1 Like

I changed it at librewish's request 2 weeks ago, so that the M$ switchers know about it too.
I already feel like I'm in America, where you have to write on packaging that you have to remove it before you can cook the pizza in the oven. :smiley:

4 Likes

3 Likes

When you create the /home partition, the option to encrypt it is displayed prominently right on the screen, so I don't think this needs any special knowledge or talents.

The text saying to press Esc to see the text isn't the same thing as saying that if you don't hit Esc you will be staring at this screen forever, since it doesn't show the decryption prompt.

But only if you do manual partitioning and that's typically only going to be people with experience.
Maybe it's done by someone with experience for a new user, but then it's up to them to inform the actual user how to access their desktop.

Not really, lots of people coming from other distros expect there to be /home even if they have minimal knowledge about Linux as a whole. This is a pretty common thing to do.

Even if they are experienced, how is hiding the decryption prompt behind the splash screen the correct behavior? I am not aware of any other distro that does that.

To not know to hit escape to look at what's stalling the bootup?
Once you've realized the prompt is hidden, you can just go ahead with entering the passphrase on every boot; the keystrokes are hidden anyway in case of typos.

I don't know if it's the correct behaviour, I can honestly argue it either way :woman_shrugging:

Again, why should you have to do this? It is neither typical nor intuitive.

It is one thing to need to hit escape if something is broken, it is another thing to require it as part of the normal use of your install.

I know the OP solved it by removing quiet, but isn't the real solution here to use the correct hooks in mkinitcpio.conf so the decryption prompt is displayed?

If nobody knows what the actual issue is I will do a test install and take a look at it.

1 Like

It'd only be "required" once to realize what's going on, it's then no longer required.

I'd installed a new VM with an encrypted home. Only had a blank screen rather than a splash screen (Dragonized KDE), let alone any text on there.
This could be a VM thing. Updating atm to see if that changes.