calamares is configured with modules 'luksbootkeyfile luksopenswaphookcfg initcpiocfg initcpio' in the same relative order as the default settings.conf shown here
https://github.com/calamares/calamares/blob/master/settings.conf#L84
initially after the install GRUB would not load - i had to chroot into the target system and uncomment `#GRUB_ENABLE_CRYPTODISK=y` in /etc/default/grub and then `update-grub`
then upon boot of the newly installed target system:
* disk encryption password is accepted
* GRUB menu is presented
* the default OS entry starts booting
* mount fails and drops into emergency shell
see screenshot below for boot log
the following is as the target drive (/dev/sdb1) appears from the perspective of the calamares host (on /dev/sda2)
```
$ sudo blkid /dev/sdb1
/dev/sdb1: UUID="32f825f1-806b-4e18-9111-43095319a91c" TYPE="crypto_LUKS" PARTUUID="ad6943cd-01"
$ sudo cryptsetup -v luksOpen /dev/sdb1 calamares-target
Enter passphrase for /dev/sdb1:
Key slot 0 unlocked.
Command successful.
$ blkid -U 82d4d5bb-246c-4e22-9abb-f2fcd1b091e5
/dev/mapper/calamares-target
$ sudo blkid /dev/mapper/calamares-target
/dev/mapper/calamares-target: UUID="82d4d5bb-246c-4e22-9abb-f2fcd1b091e5" TYPE="ext4"
$ sudo mount /dev/mapper/calamares-target /mnt/sdb1/
$ sudo grep UUID /mnt/sdb1/boot/grub/grub.cfg
linux /boot/vmlinuz-linux-libre root=UUID=82d4d5bb-246c-4e22-9abb-f2fcd1b091e5 rw quiet
linux /boot/vmlinuz-linux-libre root=UUID=82d4d5bb-246c-4e22-9abb-f2fcd1b091e5 rw quiet
$ grep 32f825f1 /mnt/sdb1/boot/grub/grub.cfg
cryptomount -u 32f825f1806b4e18911143095319a91c
set root='cryptouuid/32f825f1806b4e18911143095319a91c'
search --no-floppy --fs-uuid --set=root --hint='cryptouuid/32f825f1806b4e18911143095319a91c' 82d4d5bb-246c-4e22-9abb-f2fcd1b091e5
cryptomount -u 32f825f1806b4e18911143095319a91c
set root='cryptouuid/32f825f1806b4e18911143095319a91c'
search --no-floppy --fs-uuid --set=root --hint='cryptouuid/32f825f1806b4e18911143095319a91c' 82d4d5bb-246c-4e22-9abb-f2fcd1b091e5
cryptomount -u 32f825f1806b4e18911143095319a91c
set root='cryptouuid/32f825f1806b4e18911143095319a91c'
search --no-floppy --fs-uuid --set=root --hint='cryptouuid/32f825f1806b4e18911143095319a91c' 82d4d5bb-246c-4e22-9abb-f2fcd1b091e5
cryptomount -u 32f825f1806b4e18911143095319a91c
set root='cryptouuid/32f825f1806b4e18911143095319a91c'
search --no-floppy --fs-uuid --set=root --hint='cryptouuid/32f825f1806b4e18911143095319a91c' 82d4d5bb-246c-4e22-9abb-f2fcd1b091e5
```
[complete grub.cfg](https://notabug.org/bill-auger/calamares/wiki/grub.cfg)
[/etc/crypttab and /etc/fstab](https://notabug.org/bill-auger/calamares/wiki/fstab)
[/etc/mkinitcpio.conf](https://notabug.org/bill-auger/calamares/wiki/mkinitcpio.conf)
in the emergency shell running the following commands allows the system to boot:
```
cryptsetup luksOpen /dev/sda1 mapper-name
mount /dev/mapper/mapper-name /new_root
exit
```
setting the 'root' and 'cryptdevice' kernel params in grub.cfg like so seems to be an improvement but still not successful (see screenshot below for boot log):
* `cryptdevice=UUID=<DEVICE-UUID>:<MAPPER-NAME>`
* `root=/dev/mapper/<MAPPER-NAME>`
```
linux /boot/vmlinuz-linux-libre cryptdevice=UUID=32f825f1-806b-4e18-9111-43095319a91c:luks-32f825f1-806b-4e18-9111-43095319a91c root=/dev/mapper/luks-32f825f1-806b-4e18-9111-43095319a91c
```
the `<MAPPER-NAME>` is defined for filesystems other than root in the /etc/crypttab file - but noting that the /etc/crypttab file explicitly mentions:
```
: Do not list your root (/) partition here, it must be set up beforehand by the initramfs
```
this indicates that the root filesystem should not be referenced in that file - when the keyfile entry in this file is replaced with 'none' it prompts for a password but this is only after the root fs has already mounted and replaced the initrd - indeed the system still boots with this file deleted
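
A consistency check for the settings discussed in this report, as an added example that is not part of the original post or of calamares: it parses a kernel command line for the `cryptdevice=<device>:<mapper-name>` and `root=` parameters and checks the mkinitcpio HOOKS order. The function names and finding labels are made up for this sketch, the sample inputs are copied from the command lines and HOOKS value posted on this page, and comparing only the last `root=` against the mapper name is an assumption of the sketch.

```sh
#!/bin/sh
# Added example (not from the original report). Function names and finding
# labels are hypothetical; sample inputs are copied from this page.

# check_cmdline "<kernel command line>"
# Echoes "ok" or a space-separated list of findings.
check_cmdline() {
    _cd="" _root="" _nroot=0 _out=""
    set -f                          # split on whitespace without glob expansion
    for _tok in $1; do
        case $_tok in
            cryptdevice=*) _cd=${_tok#cryptdevice=} ;;
            # Assumption: the last root= on the line is the one compared below.
            root=*)        _root=${_tok#root=}; _nroot=$((_nroot + 1)) ;;
        esac
    done
    set +f

    if [ -z "$_cd" ]; then
        # Nothing tells the 'encrypt' hook which LUKS container to open.
        _out="$_out missing-cryptdevice"
    else
        # cryptdevice=<device>:<mapper-name>[:options]
        case $_cd in
            *:*) _name=${_cd#*:}; _name=${_name%%:*} ;;
            *)   _name="" ;;
        esac
        if [ -z "$_name" ]; then
            _out="$_out no-mapper-name"
        else
            case $_root in
                /dev/mapper/*)
                    if [ "$_root" != "/dev/mapper/$_name" ]; then
                        _out="$_out root-mapper-mismatch"
                    fi ;;
            esac
        fi
    fi
    if [ "$_nroot" -eq 0 ]; then _out="$_out missing-root"; fi
    if [ "$_nroot" -gt 1 ]; then _out="$_out multiple-root"; fi

    _out=${_out# }
    echo "${_out:-ok}"
    return 0
}

# check_hooks "<HOOKS value from mkinitcpio.conf>"
# 'encrypt' has to be present and listed before 'filesystems'.
check_hooks() {
    _i=0 _enc=0 _fs=0
    set -f
    for _h in $1; do
        _i=$((_i + 1))
        case $_h in
            encrypt)     _enc=$_i ;;
            filesystems) _fs=$_i ;;
        esac
    done
    set +f
    if [ "$_enc" -eq 0 ]; then
        echo "missing-encrypt"
    elif [ "$_fs" -ne 0 ] && [ "$_enc" -gt "$_fs" ]; then
        echo "encrypt-after-filesystems"
    else
        echo "ok"
    fi
    return 0
}

# Inputs copied from this page: the generated grub.cfg entry, the hand-edited
# entry, the entry from the pasted grub.cfg dump, and the posted HOOKS value.
GENERATED='root=UUID=82d4d5bb-246c-4e22-9abb-f2fcd1b091e5 rw quiet'
EDITED='cryptdevice=UUID=32f825f1-806b-4e18-9111-43095319a91c:luks-32f825f1-806b-4e18-9111-43095319a91c root=/dev/mapper/luks-32f825f1-806b-4e18-9111-43095319a91c'
DOUBLED='root=UUID=38a6e3a8-97f8-4979-a44d-647894e88007 rw quiet cryptdevice=UUID=a9de0fba-5cc2-42f6-a670-03800ce5e6d1:luks-a9de0fba-5cc2-42f6-a670-03800ce5e6d1 root=/dev/mapper/luks-a9de0fba-5cc2-42f6-a670-03800ce5e6d1'
HOOKS_POSTED='base udev autodetect modconf block keyboard keymap encrypt filesystems fsck'

printf 'generated entry:   %s\n' "$(check_cmdline "$GENERATED")"
printf 'hand-edited entry: %s\n' "$(check_cmdline "$EDITED")"
printf 'dumped entry:      %s\n' "$(check_cmdline "$DOUBLED")"
printf 'HOOKS:             %s\n' "$(check_hooks "$HOOKS_POSTED")"
```

An "ok" result only means the parameters agree with each other; it does not show that the initramfs was regenerated with them or that the keyfile is usable.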
```
$ sudo cat /boot/grub/grub.cfg
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for q:
Sorry, try again.
[sudo] password for q:
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#
### BEGIN /etc/grub.d/00_header ###
insmod part_gpt
insmod part_msdos
if [ -s $prefix/grubenv ]; then
load_env
fi
if [ "${next_entry}" ] ; then
set default="${next_entry}"
set next_entry=
save_env next_entry
set boot_once=true
else
set default="0"
fi
if [ x"${feature_menuentry_id}" = xy ]; then
menuentry_id_option="--id"
else
menuentry_id_option=""
fi
export menuentry_id_option
if [ "${prev_saved_entry}" ]; then
set saved_entry="${prev_saved_entry}"
save_env saved_entry
set prev_saved_entry=
save_env prev_saved_entry
set boot_once=true
fi
function savedefault {
if [ -z "${boot_once}" ]; then
saved_entry="${chosen}"
save_env saved_entry
fi
}
function load_video {
if [ x$feature_all_video_module = xy ]; then
insmod all_video
else
insmod efi_gop
insmod efi_uga
insmod ieee1275_fb
insmod vbe
insmod vga
insmod video_bochs
insmod video_cirrus
fi
}
set menu_color_normal=magenta/black
set menu_color_highlight=white/magenta
if [ x$feature_default_font_path = xy ] ; then
font=unicode
else
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
cryptomount -u a9de0fba5cc242f6a67003800ce5e6d1
set root='cryptouuid/a9de0fba5cc242f6a67003800ce5e6d1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='cryptouuid/a9de0fba5cc242f6a67003800ce5e6d1' 38a6e3a8-97f8-4979-a44d-647894e88007
else
search --no-floppy --fs-uuid --set=root 38a6e3a8-97f8-4979-a44d-647894e88007
fi
font="/usr/share/grub/unicode.pf2"
fi
if loadfont $font ; then
set gfxmode=auto
load_video
insmod gfxterm
set locale_dir=$prefix/locale
set lang=en_US
insmod gettext
fi
terminal_input console
terminal_output gfxterm
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
cryptomount -u a9de0fba5cc242f6a67003800ce5e6d1
set root='cryptouuid/a9de0fba5cc242f6a67003800ce5e6d1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='cryptouuid/a9de0fba5cc242f6a67003800ce5e6d1' 38a6e3a8-97f8-4979-a44d-647894e88007
else
search --no-floppy --fs-uuid --set=root 38a6e3a8-97f8-4979-a44d-647894e88007
fi
insmod gfxmenu
loadfont ($root)/boot/grub/themes/parabola-laf/Sans-10.pf2
loadfont ($root)/boot/grub/themes/parabola-laf/Sans-12.pf2
loadfont ($root)/boot/grub/themes/parabola-laf/Sans-14.pf2
insmod png
set theme=($root)/boot/grub/themes/parabola-laf/theme.txt
export theme
if [ x$feature_timeout_style = xy ] ; then
set timeout_style=menu
set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
set timeout=5
fi
### END /etc/grub.d/00_header ###
### BEGIN /etc/grub.d/10_linux ###
menuentry 'GNU/Linux, linux-libre kernel' --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-libre-advanced-38a6e3a8-97f8-4979-a44d-647894e88007' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
cryptomount -u a9de0fba5cc242f6a67003800ce5e6d1
set root='cryptouuid/a9de0fba5cc242f6a67003800ce5e6d1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='cryptouuid/a9de0fba5cc242f6a67003800ce5e6d1' 38a6e3a8-97f8-4979-a44d-647894e88007
else
search --no-floppy --fs-uuid --set=root 38a6e3a8-97f8-4979-a44d-647894e88007
fi
echo 'Loading linux-libre kernel ...'
linux /boot/vmlinuz-linux-libre root=UUID=38a6e3a8-97f8-4979-a44d-647894e88007 rw quiet cryptdevice=UUID=a9de0fba-5cc2-42f6-a670-03800ce5e6d1:luks-a9de0fba-5cc2-42f6-a670-03800ce5e6d1 root=/dev/mapper/luks-a9de0fba-5cc2-42f6-a670-03800ce5e6d1
echo 'Loading initial ramdisk ...'
initrd /boot/initramfs-linux-libre.img
}
menuentry 'GNU/Linux, linux-libre kernel (fallback initramfs)' --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-libre-fallback-38a6e3a8-97f8-4979-a44d-647894e88007' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_msdos
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
cryptomount -u a9de0fba5cc242f6a67003800ce5e6d1
set root='cryptouuid/a9de0fba5cc242f6a67003800ce5e6d1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='cryptouuid/a9de0fba5cc242f6a67003800ce5e6d1' 38a6e3a8-97f8-4979-a44d-647894e88007
else
search --no-floppy --fs-uuid --set=root 38a6e3a8-97f8-4979-a44d-647894e88007
fi
echo 'Loading linux-libre kernel ...'
linux /boot/vmlinuz-linux-libre root=UUID=38a6e3a8-97f8-4979-a44d-647894e88007 rw quiet cryptdevice=UUID=a9de0fba-5cc2-42f6-a670-03800ce5e6d1:luks-a9de0fba-5cc2-42f6-a670-03800ce5e6d1 root=/dev/mapper/luks-a9de0fba-5cc2-42f6-a670-03800ce5e6d1
echo 'Loading initial ramdisk ...'
initrd /boot/initramfs-linux-libre-fallback.img
}
### END /etc/grub.d/10_linux ###
### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###
### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###
### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###
### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###
$ sudo cat /etc/default/grub
# GRUB boot loader configuration
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=''
GRUB_CMDLINE_LINUX_DEFAULT="quiet cryptdevice=UUID=a9de0fba-5cc2-42f6-a670-03800ce5e6d1:luks-a9de0fba-5cc2-42f6-a670-03800ce5e6d1 root=/dev/mapper/luks-a9de0fba-5cc2-42f6-a670-03800ce5e6d1"
GRUB_CMDLINE_LINUX=""
# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"
# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y
# Uncomment to enable Hidden Menu, and optionally hide the timeout count
#GRUB_HIDDEN_TIMEOUT=5
#GRUB_HIDDEN_TIMEOUT_QUIET=true
# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console
# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE=auto
# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep
# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true
# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true
# Uncomment and set to the desired menu colors. Used by normal and wallpaper
# modes only. Entries specified as foreground/background.
GRUB_COLOR_NORMAL="magenta/black"
GRUB_COLOR_HIGHLIGHT="white/magenta"
# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/path/to/wallpaper"
GRUB_THEME=/boot/grub/themes/parabola-laf/theme.txt
# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"
# Uncomment to make GRUB remember the last selection. This requires to
# set 'GRUB_DEFAULT=saved' above.
#GRUB_SAVEDEFAULT="true"
# Disable advanced submenu
GRUB_DISABLE_SUBMENU="y"
GRUB_ENABLE_CRYPTODISK=y
$ sudo cat /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a device; this may
# be used with UUID= as a more robust way to name devices that works even if
# disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/luks-a9de0fba-5cc2-42f6-a670-03800ce5e6d1 / ext4 defaults,noatime 0 1
$ sudo cat /etc/crypttab
# /etc/crypttab: mappings for encrypted partitions.
#
# Each mapped device will be created in /dev/mapper, so your /etc/fstab
# should use the /dev/mapper/<name> paths for encrypted devices.
#
# See crypttab(5) for the supported syntax.
#
# NOTE: Do not list your root (/) partition here, it must be set up
# beforehand by the initramfs (/etc/mkinitcpio.conf). The same applies
# to encrypted swap, which should be set up with mkinitcpio-openswap
# for resume support.
#
# <name> <device> <password> <options>
$ sudo cat /etc/mkinitcpio.conf
[sudo] password for q:
# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run. Advanced users may wish to specify all system modules
# in this array. For instance:
# MODULES=(piix ide_disk reiserfs)
MODULES=""
# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image. This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()
# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way. This is useful for config files.
FILES="/crypto_keyfile.bin"
# HOOKS
# This is the most important setting in this file. The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added. Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
## This setup specifies all modules in the MODULES setting above.
## No raid, lvm2, or encrypted root is needed.
# HOOKS=(base)
#
## This setup will autodetect all modules for your system and should
## work as a sane default
# HOOKS=(base udev autodetect block filesystems)
#
## This setup will generate a 'full' image which supports most systems.
## No autodetection is done.
# HOOKS=(base udev block filesystems)
#
## This setup assembles a pata mdadm array with an encrypted root FS.
## Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
# HOOKS=(base udev block mdadm encrypt filesystems)
#
## This setup loads an lvm2 volume group on a usb device.
# HOOKS=(base udev block lvm2 filesystems)
#
## NOTE: If you have /usr on a separate partition, you MUST include the
# usr, fsck and shutdown hooks.
HOOKS="base udev autodetect modconf block keyboard keymap encrypt filesystems fsck"
# COMPRESSION
# Use this to compress the initramfs image. By default, gzip compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"
# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()
```