Tumbleweed: Unable to boot into GUI (problem with unlocking encrypted disk probably)

Hi everyone,

I ran sudo zypper dup today, rebooted, and now I can’t boot into the GUI anymore.

I originally set the encryption up with the tools the installer gave me, so no customization there.

When booting the system I can unlock the disk (maybe) and I can see the opensuse splash screen where I can drop to a command line or boot normally.

I am on kernel 6.8.4-rc1-1-default (selecting another kernel doesn’t change the outcome).

Next I’m greeted with these error messages:

Failed to start Cryptography Setup for cr_root.

Dependency failed for Local Encrypted Volumes.

And then the process times out:

dracut-initqueue: starting timeout scripts

Warning: /dev/disk/by-uuid/[the UUID] does not exist

And then I’m at an “emergency shell”

I’d appreciate if someone can help me fix this since I’m really not a linux pro and would need to do a fresh install to fix the problem.

That is contradictory.

and

So, what exactly can you unlock, when does it happen, and what does the screen where you do it look like? You could take a photo of this screen and post it here.

I have just updated a Tumbleweed system, and am seeing similar errors to this.
Going into the Dracut emergency shell, and running systemctl status on systemd-cryptsetup shows it failing in the command /usr/bin/pcr-signature.sh on line 18 because the command mktemp is not found.
Booting from the previous kernel that was working before now gives the same error.

Can you upload rdsosreport.txt?

OK, it is the package dracut-pcr-signature and mktemp was added in the commit Various small improvements · aplanas/dracut-pcr-signature@719dad9 · GitHub

So to fix it - manually unlock and mount root (either in dracut emergency shell or booting live image), chroot into it following the usual procedure, disable dracut module

echo 'omit_dracutmodules+=" pcr-signature "' >  /etc/dracut.conf.d/disable-pcr-signature.conf

and recreate initrd

dracut -f --regenerate-all

And open bug report on https://bugzilla.opensuse.org/

P.S. you can also include mktemp instead, see man dracut.conf, look for install_items.

3 Likes
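A check to run on the regenerated initrd before rebooting, covering both fixes from the post above (omitting the module, or including mktemp). It is an added example, not part of the thread or of dracut. It reads the file listing printed by `lsinitrd <image>`; the path `usr/bin/mktemp` and the sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decide from an initrd file listing whether
# it is exposed to the failure described above. Feed it `lsinitrd <image>` output;
# the image path depends on the boot loader and is not assumed here.

# has_path LISTING_TEXT PATH: true if PATH is an entry name in an ls -l style listing.
# Fields after "->" (symlink targets) are ignored.
has_path() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { for (i = 1; i <= NF; i++) { if ($i == "->") break; if ($i == p) found = 1 } }
        END { exit !found }'
}

# check_pcr_signature: reads a listing on stdin, prints a verdict,
# returns 0 when the initrd is not exposed and 1 when it is.
check_pcr_signature() {
    listing=$(cat)
    if ! has_path "$listing" usr/bin/pcr-signature.sh; then
        echo "ok: pcr-signature module is not in this initrd"
    elif has_path "$listing" usr/bin/mktemp; then   # assumed install path of mktemp
        echo "ok: pcr-signature.sh is present and mktemp is included"
    else
        echo "BROKEN: pcr-signature.sh is present but mktemp is missing"
        return 1
    fi
}

# Constructed sample listings (not captured from a real system).
sample_broken() {
    cat <<'EOF'
-rwxr-xr-x   1 root     root         1532 Apr 12 09:00 usr/bin/pcr-signature.sh
-rwxr-xr-x   1 root     root       203424 Apr 12 09:00 usr/bin/mount
lrwxrwxrwx   1 root     root            7 Apr 12 09:00 bin -> usr/bin
EOF
}
sample_with_mktemp() {
    sample_broken
    echo "-rwxr-xr-x   1 root     root        43416 Apr 12 09:00 usr/bin/mktemp"
}
sample_module_omitted() {
    sample_broken | grep -v 'pcr-signature'
}

for s in sample_broken sample_with_mktemp sample_module_omitted; do
    printf '%-22s ' "$s:"
    "$s" | check_pcr_signature || true
done
```

On a real system, pipe the listing in: `lsinitrd <image> | check_pcr_signature`, once per initrd that `dracut -f --regenerate-all` rebuilt.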

What exactly is the point of BTRFS and snapshots? :thinking: :thinking: :thinking:

If the snapshots are locked up behind an encryption wall and the encryption is what broke, you need to fix the encryption before you can revert.

No, encryption did not break. Decryption did. And only decryption in initrd, not in grub (otherwise the system would not have reached initrd in the first place).

So yes, as long as btrfs with snapshots is used it should be possible to boot into previous snapshot, do modifications I described to block broken dracut module and update.

2 Likes

I don’t have the rdsosreport.txt, for some reason I could not get it to detect any USB sticks as a disk.
Disabled pcr-signature in dracut as mentioned and that made the system work again, thanks.

Will create a bug report for this.

I’m also having a very similar issue with ‘Failed to start Cryptography Setup for cr_root’ and then eventually ending up with the dracut-initqueue: starting timeout scripts running over and over before it presents me with an “emergency shell” login option.
Back on 17 March after Plasma 6.01 Tumbleweed with Wayland was available I did a fresh install and chose to use the experimental systemd boot option with encryption during the install, instead of Grub. Now with an update earlier today I have this same issue.
I did manage to grab a copy of the rdsosreport.txt.
The only way for me to attempt your suggested changes arvidjaar was to use the Tumbleweed live “cd”.
However dracut has trouble finding modules such as ‘systemd-networkd’ and ‘systemd-resolved’, but does find and includes module: crypt ***
When I restart I end up with the timeout scripts and the emergency shell again.
So do you think the experiment has ended and I need to re-install, or is there something else I can try?

Rollback to earlier snapshot in grub menu.

1 Like

Hey people,

I had the same issue, with the same error, that systemd-cryptsetup service failed to start. But I did not get the status of the cryptsetup service by systemctl status systemd-cryptsetup. I saw the error in /run/initramfs/rdsosreport.txt. I want to share the steps I took to fix it. I used a USB device with Tumbleweed and started in recovery mode. After typing the user root in rescue shell, I did as follows:

cryptsetup luksOpen /dev/nvme0n1p2 my_device
vgchange -ay
lvscan # just check, if the devices are listed

mount /dev/system/root/ /mnt/
mount /dev/system/home/ /mnt/home/
mount /dev/nvme0n1p1 /mnt/boot/efi
mount --bind /proc/ /mnt/proc/
mount --bind /dev/ /mnt/dev/
mount --bind /sys/ /mnt/sys/

chroot /mnt

# used arvidjaar suggestion  
echo 'omit_dracutmodules+=" pcr-signature "' >  /etc/dracut.conf.d/disable-pcr-signature.conf
dracut -f --regenerate-all

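exit # leave the chroot before unmounting

# unmount in reverse order of mounting, bind mounts first
umount /mnt/sys /mnt/dev /mnt/proc
umount /mnt/boot/efi
umount /mnt/home
umount /mnt

vgchange -a n

cryptsetup luksClose my_device # luksClose takes only the mapping name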

reboot

I hope the detailed steps help and thanks a lot @arvidjaar :slight_smile:

I am not familiar with dracut, but is that a kind of bug, so that I can revoke my changes later or do I want to include mktemp instead of omitting the module?

Cheers!

1 Like

I am using a systemd-boot+LUKS2 argon2id FDE combo and haven’t had a problem so far, until the newest snapshot 20240412 which brought a very similar issue, where systemd-cryptsetup failed to start so I couldn’t type decrypt password. Rolled back to 20240411 and things worked fine.

Disabling pcr-signature as suggested did help! Then I tried to update to 20240412 again then did dracut -f --regenerate-all and this time the system can boot as usual.

I see that dracut-pcr-signature is required by sdbootutil.

I wonder if I run out of popcorn before anyone with affected system finally submits bug report …

1 Like

And I am using systemd-boot with encryption and do not have this issue. Looking at what I have - mktemp is added to initrd by disk-encryption-tool which, according to its description

Convert a plain text kiwi image into one with LUKS full disk encryption.

That is exactly what happens on first boot of MicroOS appliance. And I presume it is the reason why developers did not notice this issue.

running out of popcorn must not happen: https://bugzilla.opensuse.org/show_bug.cgi?id=1222750 :wink:

I thought there was one created already…

Yes, did the rollback and all good with that, but still want to have an updated system. So I will see how I go with the other suggestions. Thanks all :slight_smile:

So yes, doing this after rolling back, then updating with the pcr-signature disabled and then immediately after the update, using su, forcing the dracut regenerate-all worked. I restarted and all is good :slight_smile: :blush:

Indeed, popcorn is essential :slight_smile: I contributed a comment to this bug.

Same problem here. Did zypper dup today and after reboot I am stuck at “Failed to start Cryptography Setup” and “Dependency failed for Local Encrypted Volumes.”
What I don’t get: Why does not everybody with encrypted discs and Tumbleweed have exactly the same problem?
By the way: I don’t know how to proceed from here. I don’t see any possibility to type anything or enter any commands. I use ext4 and thus have no snapshots. Older kernels do not work better either.