Plymouth does not show password prompt with encrypted root #26722
Comments
I remember myself trying to implement this some time ago; this would probably need us moving from shell scripts based initrd to systemd. Maybe I'll take another look at this... |
Has anything ever happened in this regard? Does anyone know? |
Unfortunately I was unable to get this working. I ended up disabling plymouth entirely. Hopefully someone else has a better idea on how to get this working. |
Nope @hedning, this issue has been around for a long time. |
Ideally, we should have flicker free boot like Fedora has now (see https://hansdegoede.livejournal.com/19224.html and https://hansdegoede.livejournal.com/19673.html). |
May also be influenced by #88789. |
#99011 was merged, for reference. |
Since the above was implemented is anything else blocking this from being resolved? |
Afaik #170136 will fix this issue |
Anyone test with latest nixpkgs master? Afaik it should work based on the systemd in stage 1 milestone progress |
I am on commit 934e076, added |
I am seeing these lines in the journal that mention Plymouth:
The "condition check" message is repeated half a dozen times. |
Just gave it a shot, release-22.05, with
There was systemd in stage1, and there was a job that said something about starting plymouth before it would ask for the password, but plymouth did not actually come up, and after a short pause the screen was reset and more textual start up message appeared, including a textual password prompt. (This was my first experiment with systemd in stage1, and other things were strange, so I reverted for now.) |
On 22.05, I managed to have a minimal nixos-branded plymouth password prompt using the following config:

{config, pkgs, lib, ...}:
{
  # ...
  boot.plymouth = {
    enable = true;
    theme = "breeze";
  };
  boot.initrd.systemd.enable = true;
}

The text "Starting Plymouth" appears beforehand, and afterwards a graphical prompt appears. According to the documentation for I got the same result from testing the code above, getting a text prompt after "Starting Plymouth". So potentially it's the default theme |
Can this issue be closed? Or should we set |
Not working for me with @nomeata's settings… Nixos 22.05. Plymouth starts, (though it's very slow and the wrong resolution), and shows me the passphrase prompt. When I enter the passphrase the prompt disappears and nothing happens. When I press Escape the console output says that we're waiting for a job for a disk. I have a somewhat complicated setup, I have 2 disks that I wanted to unlock with one passphrase, which I wanted to enter only once, so I have 3 encrypted partitions. The first is unlocked with a passphrase, and it is the keyfile for the following 2 encrypted partitions. The first of these is the root filesystem. The second is just a data drive:

{ config, lib, pkgs, ... }:
{
  # ...
  boot = {
    # ...
    initrd.luks.devices = {
      cryptkey = {
        device = "/dev/disk/by-uuid/6b17a213-6987-4a8e-b609-5243f6ba1467";
        preLVM = true;
      };
      cryptroot = {
        device = "/dev/disk/by-uuid/556cb835-419a-48b6-a081-36d2998d9c57";
        keyFile = "/dev/mapper/cryptkey";
        preLVM = true;
        allowDiscards = true;
      };
    };
    initrd.systemd.enable = true;
    plymouth = {
      enable = true;
      theme = "breeze";
    };
  };
  # ...
  fileSystems."/data" = {
    device = "/dev/disk/by-uuid/6ee6e25c-fe6f-4c50-b7fb-985260cf8ca9";
    encrypted = {
      enable = true;
      label = "cryptdata";
      blkDev = "/dev/disk/by-uuid/14924ada-f427-411b-b426-e9db44ab0752";
      keyFile = "/dev/mapper/cryptkey";
    };
  };
  # ...
} |
@zeorin that sounds more like a bug with the implementation that doesn't permit your setup or at least is backwards-incompatible with it, and not a flat out missing implementation like it used to be. Perhaps that should be handled in a separate issue? |
It also doesn’t work when |
I have an encrypted ZFS root. With this config

{
  boot.plymouth.enable = true;
  boot.initrd.systemd.enable = true;
}

I get a textual prompt for the password. But if I include the changes from #179619, I get a graphical prompt, even with the default It sure does take a long time for udev initialization to finish and for Plymouth to take over, though. |
A new release, a new try, with some progress! With 22.11 and
after grub I first get a few lines of text, including something akin to “Starting plymouth”, which takes a few moments. Then I do get a graphical password prompt from plymouth (success!), and it unlocks my disk. Text mode briefly pops up again, before X comes up! It’s still noticeably slower than the text mode passphrase prompt, so maybe not quite yet worth it. I guess I am spoiled and hope for a fast and flickerless experience from grub all the way through to X, which is what I had in Debian before switching to NixOS :-) |
I configured NixOS 22.11 with
After nixos-rebuild switch and reboot, I am still welcomed with the GRUB "Enter passphrase for hd0,msdos1" text password input. What am I doing wrong? |
If you're using grub's cryptomount to unlock your luks you can't use plymouth for password prompt, because plymouth is part of the initrd and requires the kernel to already be running. It's arguably better to do what you're doing though, since it means you can encrypt your People here let the initrd unlock their devices, which means that the kernel must have already started. It's the setup most commonly used by Linux distros out there, but requires leaving Poettering has recently started a crusade against this poor state of affairs if you're curious about a potential better future approach: https://0pointer.de/blog/brave-new-trusted-boot-world.html Probably will take a long time before adoption in NixOS though. |
Thank you @TLATER, I was able to reproduce the setup with /boot unencrypted and / encrypted, at first I was surprised that NixOS was not even asking for a password to boot. For that I had to comment the line I was always confused about why different distros had differences in luks unlocking, so thank you for helping me understand the difference between grub unlocking and initrd unlocking. However, even with
I get a line I get the same result if I use bgrt theme for plymouth. What am I doing wrong this time? PS: I get the attached in the logs about plymouth |
I'd recommend asking for support on discourse rather than github tickets, but the related ticket #32556 may have some hints. I've definitely seen it work with that configuration before, though as of 21.11 setting the theme to breeze doesn't seem necessary anymore, I guess the default theme has gained password prompt support. |
This issue has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/get-plymouth-to-show-password-prompt-for-encrypted-root/24916/1 |
I have Plymouth showing the password prompt for both ZFS and LUKS encrypted volumes on 23.05. The Discourse thread also indicates the issue is resolved. Is this two-line config snippet sufficient to close this issue? Or is it a problem that

boot.initrd.systemd.enable = true;
boot.plymouth.enable = true; |
I can (still) confirm that it works, and that this issue can likely be closed. I’m not using it, though, it increases my laptop boot time (from grub to X) from 9s to 17s. Yes, these numbers are amazing to what we had around 2000, but still :-) Also there is unfortunately still flicker, and the status messages from systemd are printed in normal text mode. But flicker-free boot is a topic for a different issue… :-) (Ok, after adding |
Is this actually what other distros do? I feel like it's an anti-pattern because it breaks plymouth's escape-to-see-logs feature. |
Closing this as completed. For future readers, LUKS+Plymouth works if you set See #44965 for a similar issue about ZFS+Plymouth. |
@Majiir I disagree with closing this. Systemd initrd is still marked experimental and is not feature complete. The default initrd in NixOS has this issue. |
For those running a system with a root tmpfs, you'll need to persist the |
@WillPower3309 that doesn't make much sense, because |
I see you're right, and either way Plymouth starts before the mount, but why would Plymouth output:
|
@WillPower3309 I'm not exactly sure why that happens, but it's a red herring. I see that on my system (during stage 2) and plymouth's password prompt works fine (even for passwords in stage 2) |
Issue description
Plymouth has the ability to ask the user for their password to decrypt their root device if necessary. Currently, Plymouth runs after the user already decrypts their device in the TTY, and as far as I can tell there is no option to override this.
Steps to reproduce
Encrypt your root with LUKS.
Enable plymouth:
boot.plymouth.enable = true
Technical details