Root on LVM lv on vg spanning multiple dm-crypt/LUKS-encrypted pvs

Hi guys-
I'm on an eeePc 901, with the (dumb) 4gb soldered drive along with the 16gb SSD.  I also have an 8gb SD card.  I would like to have the following setup:
Physical Devices and Partitions
/dev/sda - 4gb soldered
-> /dev/sda1 - format as ext2, mount to /boot
-> /dev/sda2 - encrypt with dm-crypt and LUKS to /dev/mapper/crypta
/dev/sdb - 16gb SSD
-> /dev/sdb1 - encrypt with dm-crypt and LUKS to /dev/mapper/cryptb
/dev/sdc - 8gb SD
-> /dev/sdc1 - encrypt with dm-crypt and LUKS to /dev/mapper/cryptc
Unencrypted Partitions
crypta - use as pv for vg "vga"
cryptb - use as pv for vg "vga"
cryptc - format as ext2, mount to /home
VGs and LVs
vga
-> lva - format as ext2, mount to /
-> lvb - format as ext2, mount to /usr
-> lvc - use for /tmp
My problem is, my grub menu.lst kernel line needs to have an additional "cryptdevice" parameter, but it does not seem to take two.  Thus:
kernel /vmlinuz26 root=/dev/mapper/vga-lva cryptdevice=/dev/sda2:vga cryptdevice=/dev/sdb1:vga ro
does not seem to unencrypt both sda2 and sdb1, the drives necessary for vga.  Is anybody familiar with a way to unencrypt both drives?
EDIT:  It seems to work if I only use the second cryptdevice, as in:
kernel /vmlinuz26 root=/dev/mapper/vga-lva cryptdevice=/dev/sdb1:vga ro
Last edited by cprussin (2010-07-20 16:58:37)

Hi I've managed to solve this problem. See my post https://bbs.archlinux.org/viewtopic.php … 95#p827495

Similar Messages

  • Decrypt multiple dm-crypt LUKS drives with a single password on start

    Hi there,
    This is a hook based on the encrypt hook that I use to decrypt multiple dm-crypt LUKS drives on startup for a btrfs raid 1. I thought someone might find it useful. I'd be willing to do some work to include this in the official mkinitcpio package if the developers are happy with it? Constructive suggestions are welcome.
    Credit goes to the following:
    https://bbs.archlinux.org/viewtopic.php?id=120243
    https://wiki.gentoo.org/wiki/Custom_Initramfs/Examples
    https://wiki.archlinux.org/index.php/Dm … iple_disks
    The author(s) of the mkinitcpio hooks on which this hook is based
    Edit: Thanks to frostschutz for pointing out that --keyfile-size and --keyfile-offset use bytes instead of bits. Therefore to use 4096 bit keys, 512 bytes should be specified. I have corrected the examples.
    The idea is to have a dm-crypt LUKS password encrypted file /boot/multikeyfile. This file contains multiple 4096 bit keys to be used to decrypt the actual drives.
    I created the file and encrypted volumes as follows:
    $ dd if=/dev/zero of=multikeyfile bs=3M count=1 # I chose 3M because the LUKS header is around 2M
    $ cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat multikeyfile
    # install -m644 -o root -g root multikeyfile /boot
    # cryptsetup open --type luks /boot/multikeyfile multikeyfile
    # dd if=/dev/zero of=/dev/mapper/multikeyfile
    # I wanted keys for two drives (2 * 4096 / 8) = 1024 bytes
    # dd iflag=fullblock if=/dev/random of=/dev/mapper/multikeyfile bs=1024 count=1
    # Verify enough random content
    # hexdump -C /dev/mapper/multikeyfile | less
    # Create the containers
    # cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --key-file /dev/mapper/multikeyfile --keyfile-offset 0 --keyfile-size 512 luksFormat /dev/sdXY
    # cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --key-file /dev/mapper/multikeyfile --keyfile-offset 512 --keyfile-size 512 luksFormat /dev/sdAB
    Next add a kernel parameter to identify the drives in the same sequence as their keys appear in the multikeyfile. I used PARTUUID:
    multidecrypt=PARTUUID=<drive1>:PARTUUID=<drive2>
    In /etc/mkinitcpio.conf add the multidecrypt hook in the HOOKS field in the same place you would normally place the encrypt hook.
    Run mkinitcpio as you normally do to recreate your initramfs.
    Here are the actual hook files:
    /etc/initcpio/hooks/multidecrypt
    #!/usr/bin/ash
    run_hook() {
        modprobe -a -q dm-crypt >/dev/null 2>&1
        modprobe -a -q loop >/dev/null 2>&1
        [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
        if [ -z "${multidecrypt}" ]; then
            err "No dm-crypt luks devices specified for multidecrypt, aborting..."
            exit 1
        fi
        echo ""
        echo "YOU SHALL NOT PASS !!!!!!!"
        #loop until we get a real password
        while ! eval cryptsetup open --type luks /multikeyfile multikeyfile ${CSQUIET}; do
            sleep 2;
        done
        if [ ! -e "/dev/mapper/multikeyfile" ]; then
            err "multikeyfile decryption failed, aborting..."
            exit 1
        fi
        # key N is read from byte offset (N-1)*512 of the opened multikeyfile
        luksdevnum=1
        for luksdev in ${multidecrypt//:/ }; do
            if resolved=$(resolve_device "${luksdev}" ${rootdelay}); then
                eval cryptsetup open --type luks --key-file /dev/mapper/multikeyfile --keyfile-offset $((($luksdevnum-1)*512)) --keyfile-size 512 ${resolved} container${luksdevnum} ${CSQUIET}
                if [ ! -e "/dev/mapper/container${luksdevnum}" ]; then
                    err "container${luksdevnum} creation failed, continuing with other specified devices..."
                fi
            else
                err "Could not resolve ${luksdev}, continuing with other specified devices..."
            fi
            let luksdevnum++
        done
        #clean up
        cryptsetup close multikeyfile
    }
    # vim: set ft=sh ts=4 sw=4 et:
    /etc/initcpio/install/multidecrypt
    #!/bin/bash
    build() {
        local mod
        add_module dm-crypt
        if [[ $CRYPTO_MODULES ]]; then
            for mod in $CRYPTO_MODULES; do
                add_module "$mod"
            done
        else
            add_all_modules '/crypto/'
        fi
        # add loop module for mounting of keyfile
        add_module loop
        add_binary "cryptsetup"
        add_binary "dmsetup"
        add_file "/usr/lib/udev/rules.d/10-dm.rules"
        add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
        add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
        add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
        # the passphrase-protected key container is copied into the initramfs as /multikeyfile
        add_file "/boot/multikeyfile" "/multikeyfile"
        add_runscript
    }
    help() {
        cat <<HELPEOF
    This hook allows for startup decryption of multiple dm-crypt luks encrypted
    devices. Users should specify the devices to be unlocked using:
    'multidecrypt=device[[:device]...]'
    on the kernel command line, where 'device' is the path to the raw device,
    specified using PARTUUID or some other means. Devices will be available as
    /dev/mapper/container[1,2,3...] etc.
    The hook expects a dm-crypt luks encrypted file called /boot/multikeyfile to
    exist. This keyfile contains a concatenation of 4096 bit keys for each
    encrypted device in the same order as specified in the multidecrypt kernel
    command line argument.
    If decryption of one of the devices fails, the hook will attempt to continue
    to decrypt any other specified devices. This is useful for btrfs software
    raid if a device has failed as an example.
    You will be prompted for the password to the multikeyfile container at runtime.
    This means you must have a keyboard available to input it, and you may need the
    keymap hook as well to ensure that the keyboard is using the layout you expect.
    HELPEOF
    }
    # vim: set ft=sh ts=4 sw=4 et:
    Last edited by dude42 (2015-06-06 04:08:06)

    frostschutz wrote:
    --keyfile-size is not bits but bytes.
    If you really set up your encryption the way you described, the key for your first container will be 1024 random bytes followed by zero bytes, and the key of your second container will be 4096 bytes of /dev/zero.
    Thanks frostschutz !
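The multikeyfile layout above depends on every device's key slice being fully covered by random data, which is exactly what the bits-versus-bytes mix-up frostschutz describes would break. The following check is an added example, not part of the original post or of mkinitcpio; the function names, the `SLOT_SIZE` variable, the status words and the sample PARTUUID values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a multikeyfile before using it with luksFormat.
# It reports only a status per slot and never prints key material.
SLOT_SIZE=${SLOT_SIZE:-512}   # bytes per key (4096 bits), as in the corrected post

# Byte offset of the Nth key (1-based); same arithmetic as the hook.
slot_offset() {
    echo $(( ($1 - 1) * SLOT_SIZE ))
}

# Number of non-NUL bytes in FILE ($1) from byte OFFSET ($2) for LENGTH ($3).
nonzero_bytes() {
    n=$(dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000' | wc -c)
    echo $(( n ))
}

# slot_status FILE N prints one of:
#   SHORT     the file ends before the slot does
#   ZERO      the slot is entirely zero bytes
#   TAILZERO  the last eighth of the slot is zero (random fill stopped early)
#   OK        none of the above
slot_status() {
    file=$1
    off=$(slot_offset "$2")
    size=$(( $(wc -c < "$file") ))
    if [ $(( off + SLOT_SIZE )) -gt "$size" ]; then echo SHORT; return; fi
    if [ "$(nonzero_bytes "$file" "$off" "$SLOT_SIZE")" -eq 0 ]; then
        echo ZERO; return
    fi
    tail_len=$(( SLOT_SIZE / 8 ))
    tail_off=$(( off + SLOT_SIZE - tail_len ))
    if [ "$(nonzero_bytes "$file" "$tail_off" "$tail_len")" -eq 0 ]; then
        echo TAILZERO; return
    fi
    echo OK
}

# check_keyfile FILE SPEC, where SPEC is the value given to multidecrypt=.
# Splits on ':' like the hook does, so device names that themselves contain
# colons (for example /dev/disk/by-path names) cannot be used in SPEC.
check_keyfile() {
    file=$1; spec=$2; rc=0; i=1
    old_ifs=$IFS
    set -f; IFS=:
    set -- $spec
    IFS=$old_ifs; set +f
    for dev in "$@"; do
        st=$(slot_status "$file" "$i")
        echo "slot $i offset $(slot_offset "$i") $dev $st"
        [ "$st" = OK ] || rc=1
        i=$(( i + 1 ))
    done
    return $rc
}

# Constructed sample: $2 filler bytes ('K', standing in for random key
# material) followed by $3 zero bytes, written to the path in $1.
make_sample() {
    { dd if=/dev/zero bs="$2" count=1 2>/dev/null | tr '\000' 'K'
      dd if=/dev/zero bs="$3" count=1 2>/dev/null; } > "$1"
}

# Demo on constructed data: one good slot, one zeroed slot, one missing slot.
sample=$(mktemp)
make_sample "$sample" 512 512
check_keyfile "$sample" "PARTUUID=aaaa:PARTUUID=bbbb:PARTUUID=cccc" \
    || echo "keyfile does not cover all listed devices"
rm -f "$sample"
```

On a real system the first argument would be the opened mapping, for example `check_keyfile /dev/mapper/multikeyfile "PARTUUID=<drive1>:PARTUUID=<drive2>"`, run as root before the containers are formatted.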

  • Events Spanning Multiple Days

    I'm converting to iCal from another application I've used for years. Does iCal support any way to insert and display a line, banner, bar, etc. across multiple days in the Month View so that I can display the fact that I'm on the road or on vacation, etc. for the days covered by the line, banner, bar, etc?
    I would be happy to provide a picture of what the application I've been using does to support this need.
    PowerBook G4   Mac OS X (10.4.8)   iCal v2.0.4 (1055)

    Regal909,
    Is this what you are looking for? Creating an all-day or multi-day event: You can create an event that lasts one or more complete days (for example, for a vacation), or an event that spans multiple days with different start and end times.
    To create an all-day event, make sure you're in Day or Week view, then double-click in the white area at the top of the iCal window (just below the date). If you want your all-day event to last multiple days, drag a corner of the event across the days in the main calendar view (or type the end date in the Info drawer).
    To create a multi-day event, make sure you're in Day or Week view, then drag from the start time to the end time of the event (you can drag across multiple days). You can also type the start and end dates and times in the event's Info drawer.
    All-day events are shown across the top of the day in the main calendar view. 


    Tip: You can also make any event an all-day event by selecting the "all-day event" checkbox in the event's Info drawer. ;~)

  • How can I copy text spanning multiple pages in iBook?

    I like to drop sections of text from iBooks into letters, journal entries etc and for the life of me I cannot figure out the functionality of grabbing text that spans multiple pages.

    Hi James,
    Thank you so much for taking the time to help me out.  You actually solved the problem.  I am able to select as much text as I want now.  The bummer is the lame feature where you cannot take more than a couple hundred words at a time.  The section I wanted was about one and a half pages and it took me 3 separate copy pastes to get it all.  Does anyone know of software or a trick to overcome this limitation?
    James thanks again.  I really appreciate your help.

  • Can join queries in Oracle 8i and above span multiple databases

    Hi,
    In Oracle 8i and above, can join queries span multiple databases??
    For eg., I have two databases A and B, and say database A has table A_T and
    database B has table B_T. Assume that both the databases are on the same
    server.
    Can I run a join query from my application using OCI calls that spans across
    tables from multiple databases, namely, A_T and B_T?
    My query probably looks like this - Select * from A.A_T, B.B_T;
    Thank you,
    Sashi

    In Oracle 8i and above, can join queries span multiple databases??
    For eg., I have two databases A and B, and say database A has table A_T and
    database B has table B_T. Assume that both the databases are on the same
    server.
    Can I run a join query from my application using OCI calls that spans across
    tables from multiple databases, namely, A_T and B_T?
    My query probably looks like this - Select * from A.A_T, B.B_T;
    If you create a database link from database A to B your SQL would look something like this:
    select * from A.A_T, B.B_T@dbB where A.A_T.PK = B.B_T.PK@dbB
    The Oracle manuals should have the information you need on creating a database link.

  • How best to make a transaction span multiple HTTP requests?

    Hi, all. What is the best way to implement a transaction that spans multiple
    HTTP requests? Many J2EE applications must solve this problem, but I can't
    find any guidelines for an implementation.
    Consider an application that implements a multi-step wizard. Each step
    gathers data from the user; step one gets the user's name, and step two gets
    his dog's name. When the user completes the wizard, the application saves
    the user & dog in two entity beans. Conceptually, the application treats
    this wizard like a single, long-running transaction. The transaction begins
    when the user launches the wizard. Submitting the JSP for step one adds the
    Boy bean to the transaction, and submitting step two adds the Dog bean.
    Finishing the wizard commits the transaction. Exiting the wizard or timing
    out causes the transaction to rollback.
    Although the wizard looks like a transaction, the entire sequence of user
    interactions can't be captured in a single JTA UserTransaction. A
    UserTransaction must be associated with a single thread, but each wizard
    step is handled asynchronously by its own execution thread. It's impossible
    to funnel the conversation through one thread that can demarcate the
    transaction. (This would be a pretty dumb solution for other reasons, but I
    don't want to get lost in details.)
    I think the standard way to solve this problem is to store conversation
    state in a stateful session bean (or the http session) and create / update
    both entity beans in a transactional EJB method after the wizard completes.
    Unfortunately, this solution prevents me from leveraging a lot of great
    transaction management features provided by the app server. For example, I
    can't use optimistic concurrency to make sure that the dog object hasn't
    changed in the database between the start and end of the wizard. Also, I'm
    forced to keep track of changes to the dog object in the conversation state,
    then replicate these changes to an entity bean at the end of the wizard.
    Keeping track of state in a stateful bean is pretty straightforward, but it
    seems like there must be an existing solution that leverages the appserver's
    concurrency and state management features. Am I missing something? Is there
    code, a pattern, or an article that describes the best way to implement a
    multi-step process that looks transactional? I suppose WLI does what I want,
    but that feels like killing a roach with a SCUD missile. Thanks for any
    advice.
    Dave

    Dave Smith wrote:
    > Without a transaction, will the app server manage the version column
    > automatically, assuming of course that <concurrency-strategy> is
    > "Optimistic" and <verify-columns> is set to "Version"? Of course, I'll have
    > to expose the version as a cmp-field, which is fine with me.
    Yes
    >
    > Do you know offhand, so that I don't have to get off my lazy ass and write a
    > test, whether the CMP service will create the version column when it
    > generates db tables? (I realize it's not good to let WLS generate the tables
    > in a production system.)
    No, I don't think it does.
    >
    > I assume from your answer that I'm on my own for implementing stuff like and
    > transaction inheritance and tracking object modifications?
    Well, we'll give you a bit of help on the object modifications. The
    usual pattern is when you're pushing the JavaBean back to the CMP you
    call all the setXXX methods on the CMP bean. Our CMP container will
    check if the value you are setting is the same as read from the db. If
    so, it will not update that column.
    -- Rob
    > If so, no big
    > deal. I was just hoping somebody would say, "Oh, you want the Jakarta
    > SuperBeans project" or something.
    > Thanks,
    > Dave
    "Rob Woollen" <[email protected]> wrote in message
    news:[email protected]...
    I'd recommend that you include a separate version or timestamp column in
    your db schema.
    Then do something like this:
    Client Server
    1) First HTTP Request
    2) Read current Dog and Boy Entity Beans
    (if any) and copy their values into a JavaBean.
    You want to include the version
    column(s) in the JavaBean(s) along with the data values.
    You probably also want to store the JavaBeans in
    your HTTP Session.
    3) Client proceeds through wizard interacting with JavaBeans
    4) Finish with Wizard, copy JavaBean values (including
    version columns) to CMP 2.0 Entity Beans.
    The version column will give you the optimistic concurrency protection
    that you desire without opening a JTA transaction to span user input.
    -- Rob

  • Root on LVM & shutting down

    I was originally going to post this problem b/c I believed it was causing corruption in my filesystem; I have since decided that it's in fact botched suspend2-attempts that are causing the corruptions (which ALSO isn't good, of course). Anyway, as the title indicates, I run root-on-lvm, and have the nagging problem that when rc.shutdown goes to deactivate the logical volumes, it fails since root is obviously still being used. It seems like sort of a chicken-and-egg problem, since you can't unmount root before deactivating the volume group since you need the lvm binary, but you can't deactivate the volume group b/c root is still mounted... I guess I'm just checking that this sort of behaviour is "normal", and that other users running root-on-lvm see it also. I'm trying to eliminate this as a cause for my filesystem corruptions.

    Hi I've managed to solve this problem. See my post https://bbs.archlinux.org/viewtopic.php … 95#p827495

  • What is the difference of specifying affinity to span multiple caches?

    What is the difference of methods between specifying affinity to span multiple caches and specifying it on a single cache?
    Can I do it in the same way?

    Thank you for reply.
    From the Docs of Coherence we can see that data affinity commonly refers to related entries being contained within a single cache. The following are some fragments excerpted from the Coherence Docs:
    "Data affinity describes the concept of ensuring that a group of related cache entries is contained within a single cache partition. This ensures that all relevant data is managed on a single primary cache node (without compromising fault-tolerance)."
    "Affinity may span multiple caches (as long as they are managed by the same cache service, which will generally be the case)."

  • Premiere Pro won't span multiple monitors

    Premiere Pro CS3
    I cannot get the PP app to span multiple monitors. Previously I have used Premiere to span two 22" monitors so I can have a very wide timeline. Now that I have installed CS3, it "takes over" my second monitor as a "Program" monitor and I cannot figure out how to shut it off. It also makes this monitor useless for any other applications that I have open while CS3 is open. Help!

    Well, now it's working and I have NO CLUE WHY... perhaps opening and closing Premiere 5 times is required before the videocard gets into the act. In any case, it has just started working and I completed an entire editing sequence with no freaky behavior at all.
    I love it when a plan comes together - but it's sure nice to know "why" for next time occasionally... I did use an older saved sequence as a starting point this time, so perhaps something was corrupted in the "new workspace" that I tried to save.
    Now, of course, I'm afraid to ever turn this computer off again, or even close Premiere...
    Thanks to all for your help - you will all get a free autographed copy of my next book, "Dual Monitors for Dummies"...

  • Creating a dynamic table that spans multiple pages

    Hi guys,
    I have a script that is able to add rows to a dynamic table.
    The issue I am having now is I want this dynamic table to span multiple pages.
    I'm not exactly sure how to do this. It looks like to me that the table stops once it reaches the height of the text frame enclosing it.
    How do you create a table / text frame that expands to its contents and not the size of the text frame enclosing it? Ideally I want this table to span multiple pages.

    OK, I have 3 screenshot to see if that will help.  My book is a transcription of some old county records around 1800. I have a section of my book that had a list of items in text separated by a right tab.
    I highlighted that text and converted it to a table.  In portrait mode I can scroll and see all the table.
    When I switch to landscape mode the table is cut off and does not wrap to the next page.
    The text after the table appears on the next page.  The preview on the ipad is the same. 
    Thanks for any help on figuring this out. Also, I enjoy your podcasts.
    MB

  • Cell value spanning multiple rows in JTable

    Hi,
    I have a JTable where I want a single column value alone to span multiple rows.
    Something like
    Course No. | Location | Cost
    | loc1 | 1000
    1 ---------------------------------------------
    | loc2 | 2000
    How can I create a JTable like this?
    Thanks for the help.

    I have a link for that,
    http://www2.gol.com/users/tame/
    go in swing examples, JTable #4.
    Hope it helps :)

  • Backup spanning multiple DVDs

    Time Machine works great for making regular back ups to a local drive.  However, I want to periodically make offsite back ups to DVD in case something catastrophic happens to my home.  But since my files are in the 100 GB range, the backup would need to span multiple disks.  Does anyone know an easy way to span multiple disks?  Is there a way to do it in Leopard, or are there free or inexpensive tools on the web for doing this?
    Note, I have already considered a couple of alternatives, but none of them are workable for me:
    1)  I don't want to back up to somewhere on the web because it seems more secure to have a physical copy in hand.  Besides, I don't want to pay for the amount of space I'd need.
    2)  I could make a disk image of the backup and use a file splitting application to burn it to the disks.  But that would require as much free HD space for the disk image as the size of the files I want to back up.

    Hi, Dorian, and welcome to Apple Discussions. It would be far easier, faster, and less expensive if your time is worth anything to you, to buy a portable external hard drive on which to make your backups instead of making them on a stack of DVDs. I shudder to think of the time and attention it would take to burn ten or twenty or more DVDs on a regular basis. After going through that once, you'd never want to do it again. With a hard drive, by contrast, you just set the backup process in motion and go to bed for the night. In the morning, take the drive to wherever you were going to store those DVDs.
    With external hard drives of 500GB all the way up to 2TB now selling for as little as $125 (see the link below for one example), it makes no sense at all to use DVDs for backup.
    http://www.newegg.com/Product/Product.aspx?Item=N82E16822148360

  • Empty pages being generated when report spans multiple pages

    hi folks
    I have a problem when generating my pdf form that I hope you can shed some light on.
    Firstly, I have a table within a table.
    Eg. For each line of Table_1, a new page must be displayed.
    Then for Table_2 a list of employees with the matching criteria in line_1 of Table_1 are displayed on page 1. For the next line of Table_1, the same, and so on.
    My problem comes in when there are too many employees in Table_2 to fit on a single page, they span onto the next page (as they should), but the pdf form also now displays blank pages at random.
    Something like this:
    Page 1
    --empty
    Page 2
    -Table_1-Line_1
    -Table_2 (lines 1 - 30 of 35)
    Page 3
    -Table_1-Line_1
    -Table_2 (lines 31-35 of 35)
    Page 4
    -Table_1-line_2
    -Table_2 (lines 1 - 10 of 10)
    Page 5
    --empty
    Why the empty pages? Any help will be much appreciated.
    thanks.
    Also worth noting. If Table_2 doesn't span multiple pages, then I don't get the empty pages.
    thanks in advance
    Anton Kruse

    Hello,
    it is clear why your first page is blank. That is because you set "top of next page" (tab binding) for every line of the outer table so every "section" starts on the new page. That is why even the first page starts on the second page (top of NEXT page for the first line is SECOND page).
    About the last page... I have experienced problems when I used margins - when your page content is long, but not that long to break the page and you use a margin so the last row + margin should break the page, the last row is left on the last-1 page and the margin "appears" on the last page.
    Hope this helps a bit, Otto

  • [solved] kernel 2.6.27 - open LUKS encrypted root partition fails

    Hi,
    after updating to kernel 2.6.27 the passphrase for my LUKS encrypted root partition does not work anymore.
    I get these error messages:
    Enter LUKS passphrase:
    device-mapper: table: 254:0 crypt: Error allocating crypto tfm
    device-mapper: ioctl: error adding target to table
    device-mapper: ioctl: device doesn't appear to be in the dev hash table.
    Command failed: No key available with this passphrase.
    Enter LUKS passphrase:
    With an old (2.6.25) vanilla kernel it works.
    any ideas?
    EDIT
    Solved.
    The problem was that I had this line in my mkinitcpio.conf to get rid of the padlock-error-message at boot.
    #CRYPTO_MODULES="aes_i586 aes_generic sha256_generic"
    With kernel 2.6.27 there are new / more modules needed to open the LUKS encrypted root partition.
    So I removed the line from mkinitcpio.conf and deleted the padlock modules in /lib/modules/2.6.27-ARCH before regenerating the initrd image.
    Thanks to GerBra for the tip.
    Last edited by SiD (2008-10-22 11:41:56)

    I'm not sure, but think ... yes.

  • [Solved] Problem booting root in LVM, which spans two LUKS partitions

    Hello,
    I recently switched to Arch from OpenSuse, and I'm having a bit of trouble getting my encrypted disks to boot properly. I have two disks, the first is a 4 TB drive set up like this:
    MBR partition table
    Partition 1 - Windows 7, 200GB
    Partition 2 - Linux boot, 200MB
    Partition 3 - Luks partition, 1.7TB
    Partition 4 - Luks partition, 1.7TB
    Within partition 3 and 4 is an LVM volume which spans the two partitions. The reason for that is just that I can't have a 3.4TB partition on an MBR formatted drive (as I understand it). I have the root volume and swap, etc within this LVM. The second hard drive is simply a data drive, also encrypted. My problem is that I don't know how to tell the system to open both of these encrypted partitions at boot, in order to boot the root volume. This worked fine under OpenSuse and I only needed to enter the Luks password once (it is the same for both partitions).
    As it is right now, my boot parameters in /etc/default/grub look like this:
    GRUB_CMDLINE_LINUX_DEFAULT="quiet nomodeset cryptdevice=/dev/sda3:sda3_crypt root=/dev/mapper/vg_arch-root"
    Currently the system boots, asks for the password to /dev/sda3, hangs for roughly 20 seconds and then kicks me into a root prompt. I can manually open /dev/sda4 at this point using cryptsetup and the system will continue booting normally... but I would like to have it set up properly, so I don't need to do that. Considering OpenSuse does this out of the box I figured it should be possible under Arch. Any help would be appreciated.
    Thanks
    Last edited by keitolainen (2015-06-09 21:56:08)

    As a quick update in case anyone is reading this, I cleaned up the script a bit and hopefully made it something closer to a "proper" fix.
    Rather than editing /usr/lib/initcpio/hooks/encrypt directly, I did the following:
    cp /usr/lib/initcpio/hooks/encrypt /etc/initcpio/hooks/
    then changed the following section of /etc/initcpio/hooks/encrypt from:
    # Ask for a passphrase
    if [ ${dopassphrase} -gt 0 ]; then
        echo ""
        echo "A password is required to access the ${cryptname} volume:"
        #loop until we get a real password
        while ! eval cryptsetup open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do
            sleep 2;
        done
    fi
    to:
    # Ask for a passphrase
    if [ ${dopassphrase} -gt 0 ]; then
        echo ""
        while true ; do
            echo -n "A password is required to access the ${cryptname} volume: "
            # IFS= and -r keep the passphrase exactly as typed
            IFS= read -sr password
            # quoted, so spaces and glob characters in the passphrase survive
            printf '%s\n' "$password" | cryptsetup open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}
            if [ $? = 0 ] ; then
                break
            fi
        done
        # reuse the same passphrase for the second LUKS partition
        printf '%s\n' "$password" | cryptsetup open --type luks /dev/sda4 sda4_crypt
        echo ""
    fi
    then edited /etc/mkinitcpio.conf and changed:
    FILES=""
    to:
    FILES="/etc/initcpio/hooks/encrypt"
    and ran
    mkinitcpio
    This is working well for me and I think it's a little cleaner than the solution I posted earlier. Sorry for the awkward bash, if anyone has a more elegant solution please let me know.
