Tumbleweed: Unable to boot into GUI (problem with unlocking encrypted disk probably)

Hi everyone,

I ran sudo zypper dup today, rebooted, and now I can’t boot into the GUI anymore.

I originally set the encryption up with the tools the installer gave me, so no customization there.

When booting the system I can unlock the disk (maybe) and I can see the opensuse splash screen where I can drop to a command line or boot normally.

I am on kernel 6.8.4-rc1-1-default (selecting another kernel doesn’t change the outcome).

Next I’m greeted with these error messages:

Failed to start Cryptography Setup for cr_root.

Dependency failed for Local Encrypted Volumes.

And then the process times out:

dracut-initqueue: starting timeout scripts

Warning: /dev/disk/by-uuid/[the UUID] does not exist

And then I’m at an “emergency shell”

I’d appreciate if someone can help me fix this since I’m really not a linux pro and would need to do a fresh install to fix the problem.

That is contradictory.


So, what exactly can you unlock, when it happens, how the screen where you do it looks like? You could make a photo of this screen and post here.

I have just updated a Tumbleweed system, as are seeing similar errors to this.
Going into the Dracut emergency shell, and running systemctl status on systemd-cryptsetup shows it failing in the command /usr/bin/pcr-signature.sh on line 18 because the command mktemp is not found.
Booting from the previous kernel that was working before now gives the same error.

Can you upload rdsosreport.txt?

OK, it is the package dracut-pcr-signature and mktemp was added in the commit Various small improvements · aplanas/dracut-pcr-signature@719dad9 · GitHub

So to fix it - manually unlock and mount root (either in dracut emergency shell or booting live image), chroot into it following the usual procedure, disable dracut module

echo 'omit_dracutmodules+=" pcr-signature "' >  /etc/dracut.conf.d/disable-pcr-signature.conf

and recreate initrd

dracut -f --regenerate-all

And open bug report on https://bugzilla.opensuse.org/

P.S. you can also include mktemp insead, see man dracut.conf, look for install_items.


What exactly is the point of BTRFS and snapshots? :thinking: :thinking: :thinking:

If the snapshots are locked up behind an encryption wall and the encryption is what broke. You need to fix the encryption before you can revert

No, encryption did not broke. Decryption did. And only decryption in initrd, not in grub (otherwise system did not reach initrd in the first place).

So yes, as long as btrfs with snapshots is used it should be possible to boot into previous snapshot, do modifications I described to block broken dracut module and update.


I don’t have the rdsosreport.txt, for some reason I could not get it to detect any USB sticks as a disk.
Disabled pcr-signature in dracut as mentioned and that made the system work again, thanks.

Will create a bug report for this.

I’m also having a very similar issue with ‘Failed to start Cryptography Setup for cr_root’ and then eventually ending up with the dracut-initqueue: starting timeout scripts running over and over before it presents me with an “emergency shell” login option.
Back on 17 March after Plasma 6.01 Tumbleweed with Wayland was available I did a fresh install and chose to use the experimental systemd boot option with encryption during the install, instead of Grub. Now with an update earlier today I have this same issue.
I did manage to grab a copy of the rdsosreport.txt.
The only way for me to attempt your suggested changes arvidjaar was to use the Tumbleweed live “cd”.
However dracut has trouble finding modules such as ‘systemd-networkd’ and ‘systemd-resolved’, but does find and includes module: crypt ***
When I restart I end up with the timeout scripts and the emergency shell again.
So do you think the experiment has ended and I need to re-install, or is there something else I can try?

Rollback to earlier snapshot in grub menu.

1 Like

Hey people,

I had the same issue, with the same error, that systemd-cryptsetup service failed to start. But I did not get the status of the cryptsetup service by systemctl status systemd-cryptsetup. I saw the error in /run/initramfs/rdsosreport.txt. I want to share my steps I made to fix it. I used an usb device with tumbleweed and started in recovery mode. After typing the user root in rescue shell, I did as follows:

cryptsetup luksOpen /dev/nvme0n1p2 my_device
vgchange -ay
lvscan # just check, if the devices are listed

mount /dev/system/root/ /mnt/
mount /dev/system/home/ /mnt/home/
mount /dev/nvme0n1p1 /mnt/boot/efi
mount --bind /proc/ /mnt/proc/
mount --bind /dev/ /mnt/dev/
mount --bind /sys/ /mnt/sys/

chroot /mnt

# used arvidjaar suggestion  
echo 'omit_dracutmodules+=" pcr-signature "' >  /etc/dracut.conf.d/disable-pcr-signature.conf
dracut -f --regenerate-all

umount /mnt/boot
umount /mnt/home
umount /mnt

vgchange -a n

cryptsetup luksClose /dev/nvme0n1p2 my_device


I hope the detailed steps help and thanks a lot @arvidjaar :slight_smile:

I am not familiar with dracut, but is that a kind of bug, so that I can revoke my changes later or do I want to include mktemp instead of omitting the module?


1 Like

I am using a systemd-boot+LUKS2 argon2id FDE combo and haven’t had a problem so far, until the newest snapshot 20240412 which brought a very similar issue, where systemd-cryptsetup failed to start so I couldn’t type decrypt password. Rolled back to 20240411 and things worked fine.

Disabling pcr-signature as suggested did help! Then I tried to update to 20240412 again then did dracut -f --regenerate-all and this time the system can boot as usual.

I see that dracut-pcr-signature is required by sdbootutil.

I wonder if I run out of popcorn before anyone with affected system finally submits bug report …

1 Like

And I am using systemd-boot with encryption and do not have this issue. Looking at what I have - mktemp is added to initrd by disk-encryption-tool which, according to its description

Convert a plain text kiwi image into one with LUKS full disk encryption.

That is exactly what happens on first boot of MicroOS appliance. And I presume it is the reason why developers did not notice this issue.

running out of popcorn must not happen: https://bugzilla.opensuse.org/show_bug.cgi?id=1222750 :wink:

I thought there was one created already…

Yes, did the rollback and all good with that, but still want to have an updated system. So I will see how I go with the other suggestions. Thanks all :slight_smile:

So yes, doing this after rolling back, then updating with the pcr-signature disabled and then immediately after the update, using su, forcing the dracut regnerate-all worked. I restarted and all is good :slight_smile: :blush:

Indeed, popcorn is essential :slight_smile: I contributed a comment to this bug.

Same problem here. Did zypper dup today and after reboot i am stuck at “Failed to start Cryptography Setup” and “Dependency failed for Local Encrypted Volumes.”
What I don’t get: Why does not everybody with encrypted discs and Tumbleweed have exactly the same problem?
By the way: I don’t know how to proceed from here. I don’t see any possibility to type anything or enter any commands. I use ext4 and thus have no snapshots. Older kernels do not work better either.