HOW TO: Manjaro LUKS encryption with a keyfile from a pendrive

I installed a default installation of Manjaro, with full disk LUKS encryption enabled. It works fine; every time I start my system I'm asked for a password.

Well, I'd like to stop being asked for a password and instead use a keyfile from a pendrive. Could you please guide me through the steps? Thank you.

Reference material
A) https://willhaley.com/blog/unlock-luks-volumes-with-usb-key/
B) https://www.howtoforge.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile

This is what I've got so far. You can see Manjaro's original LUKS password, and the one I added "ending in -keyring". But when I reboot my computer there's no change; I'm still asked for the password. I want it to take the file "zeioth-laptop.pem" from the pendrive I'm mounting in "/mnt/keyring". Any idea how I should proceed from here?

/etc/default/cryptdisks

/dev/mapper/luks-fe0ede32-da97-41d0-bc57-ca75cdf6aad7-keyring   /                               ext4    defaults,nofail          0  1
/dev/mapper/luks-fe0ede32-da97-41d0-bc57-ca75cdf6aad7           /                               ext4    defaults,noatime,discard 0 1
tmpfs                                                           /tmp                            tmpfs   defaults,noatime,mode=1777 0 0
UUID=dba744e5-bb88-442f-884d-390b0b2c6da1                       /mnt/keyring                    ext4    defaults,nofail,x-systemd.device-timeout=5

/etc/crypttab

# <name>                                                <device>                                        <password>                                      <options>
luks-fe0ede32-da97-41d0-bc57-ca75cdf6aad7-keyring       UUID=fe0ede32-da97-41d0-bc57-ca75cdf6aad7       /zeioth-laptop.pem                              luks,nofail
luks-fe0ede32-da97-41d0-bc57-ca75cdf6aad7               UUID=fe0ede32-da97-41d0-bc57-ca75cdf6aad7       /crypto_keyfile.bin                             luks

/etc/default/cryptdisks

CRYPTDISKS_MOUNT='/mnt/keyring'

/etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet cryptdevice=UUID=fe0ede32-da97-41d0-bc57-ca75cdf6aad7:luks-fe0ede32-da97-41d0-bc57-ca75cdf6aad7-keyring root=/dev/mapper/luks-fe0ede32-da97-41d0-bc57-ca75cdf6aad7-keyring resume=/dev/mapper/luks-fe0ede32-da97-41d0-bc57-ca75cdf6aad7-keyring apparmor=1 security=apparmor udev.log_priority=3"
GRUB_PRELOAD_MODULES="part_gpt part_msdos"
GRUB_ENABLE_CRYPTODISK=y

On this DEMO the LUKS password prompt triggers during the kernel load.

But on my Manjaro installation it triggers even before GRUB is loaded. Is there something I'm missing here? I'm out of ideas.

I actually succeeded following this tutorial.

  • I see GRUB
  • During the load of any kernel, the USBKEY is checked. If there is no USBKEY then I'm asked for the password.

My only issue now is how I can disable the password prompt Manjaro launches before GRUB. I don't even know what file I should touch to achieve that. Should I ask the Calamares guys?

Ok, according to people from the Calamares git bug tracker, it is not possible to eliminate the pre-grub password screen when you do a full disk encryption (and you should).

So, now I'm going to research how to disable the second password prompt that happens when your USB stick is not connected. And that should be all.

Apparently this is not possible due to changes downstream in the package cryptsetup for Arch. This behaviour is not present in the original cryptsetup repository.
