Graphical password prompt for disk decryption on ArchLinux

Srijan Choudhary

In my last post, I described how I enabled encryption on my Linux root partition. However, during boot up, it asked for the password using a plain text prompt. I was not satisfied with the design and found that there's a better way: Plymouth.

Plymouth is a package that provides a themeable graphical boot process / splash screen all the way up to the login manager. This includes a graphical password prompt as well. Here are the steps I took to set this up:

1. First, I installed plymouth-git from the AUR. ArchWiki suggests plymouth-git instead of plymouth because it is actually less likely to cause problems for most users than the stable package.

2. Next, I updated the HOOKS section in my /etc/mkinitcpio.conf to include sd-plymouth:

HOOKS=(base systemd plymouth autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)

3. And regenerated the initramfs:

# mkinitcpio -P

4. Next, I added the following kernel parameters:

quiet splash

ArchWiki also suggests adding vt.global_cursor_default=0, but my experience was better without it. With this option, the cursor in TTY terminals becomes hidden, not just for the boot sequence but even later.

With the above changes, after reboot, a nice password prompt is shown with a spinner image. But, this hid the beautiful OEM ROG logo that comes first at boot up. So, here are further tweaks I did to make it look as I wanted.

5. First, I tried using the built-in BGRT theme. This is a variation of the spinner theme that keeps the OEM logo if available (BGRT stands for Boot Graphics Resource Table).

# plymouth-set-default-theme -R bgrt

This did not show the spinner, but it still hid the OEM logo when asking for the decryption password, although it did show the logo again after the password was entered. So, I guessed it just needed a little customization.

6. So, I made a copy of the bgrt theme to make my customizations.

# cd /usr/share/plymouth/themes
# cp -r bgrt bgrt-custom
# cd bgrt-custom
# mv bgrt.plymouth bgrt-custom.plymouth

7. These are the changes I had to make in bgrt-custom.plymouth to make it show the prompt like I wanted:

diff --git a/../bgrt/bgrt.plymouth b/bgrt-custom.plymouth
index e8e9713..ca7a293 100644
--- a/../bgrt/bgrt.plymouth
+++ b/bgrt-custom.plymouth
@@ -30,8 +30,8 @@ Name[he]=BGRT
 Name[fa]=BGRT
 Name[fi]=BGRT
 Name[ie]=BGRT
-Name=BGRT
-Description=Jimmac's spinner theme using the ACPI BGRT graphics as background
+Name=BGRT-Custom
+Description=Customized Jimmac's spinner theme using the ACPI BGRT graphics as background
 ModuleName=two-step

 [two-step]
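
Review bot: the localized entries in this hunk's context (Name[fa], Name[fi], Name[ie], and Name[he] in the hunk header) still read BGRT while the unlocalized Name becomes BGRT-Custom, so under those locales the copy is indistinguishable from the packaged theme by name. Either update the Name[...] lines to BGRT-Custom as well or delete them from the copy.
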
@@ -39,9 +39,9 @@ Font=Cantarell 12
 TitleFont=Cantarell Light 30
 ImageDir=/usr/share/plymouth/themes//spinner
 DialogHorizontalAlignment=.5
-DialogVerticalAlignment=.382
+DialogVerticalAlignment=.75
 TitleHorizontalAlignment=.5
-TitleVerticalAlignment=.382
+TitleVerticalAlignment=.75
 HorizontalAlignment=.5
 VerticalAlignment=.7
 WatermarkHorizontalAlignment=.5
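
Review bot: the ImageDir context line still points at /usr/share/plymouth/themes//spinner, so the copied theme is not self-contained and keeps depending on the spinner theme's images staying installed; the doubled slash can be cleaned up while the file is being edited anyway. The move from .382 to .75 on both alignment keys is a value tuned by eye for this machine, which is worth stating next to the numbers.
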
@@ -52,7 +52,7 @@ BackgroundStartColor=0x000000
 BackgroundEndColor=0x000000
 ProgressBarBackgroundColor=0x606060
 ProgressBarForegroundColor=0xffffff
-DialogClearsFirmwareBackground=true
+DialogClearsFirmwareBackground=false
 MessageBelowAnimation=true

 [boot-up]
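
Review bot: DialogClearsFirmwareBackground=false leaves the firmware logo on screen behind the password dialog, so this line depends on the previous hunk moving DialogVerticalAlignment and TitleVerticalAlignment to .75; the two changes should be applied and reverted together. On a machine whose firmware draws the logo lower, the dialog could end up on top of it, so the alignment needs rechecking per machine.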

Basically, I tweaked DialogClearsFirmwareBackground, DialogVerticalAlignment, and TitleVerticalAlignment to my liking. To set this custom theme, I ran:

plymouth-set-default-theme -R bgrt-custom

8. This looked perfect. But, I noticed that this increased my boot up time considerably. Plymouth was taking a long time before displaying the password prompt. On further digging, I found a parameter called DeviceTimeout in /etc/plymouth/plymouthd.conf with a default value of 8 seconds.

According to this merge request, this was needed to keep support for certain AMD GPUs. I don't have an AMD GPU, and anyway I think Plymouth is using the EFI framebuffer for this splash screen, not the GPU. So, I reduced it to 2 seconds to make things faster.
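
Steps 6 and 7 as a repeatable script, so the custom theme can be rebuilt from the packaged bgrt theme after a plymouth-git update instead of being re-edited by hand. This is an added example, not code from the original post; the function names set_key and derive_theme and the sample theme file are constructed for illustration.

```shell
#!/bin/sh
# set_key FILE KEY VALUE: rewrite the "KEY=..." line; fail if KEY is absent,
# which catches a packaged theme whose keys changed after an update.
set_key() {
    grep -q "^$2=" "$1" || { echo "missing key: $2" >&2; return 1; }
    sed "s|^$2=.*|$2=$3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# derive_theme SRC_DIR DST_DIR (hypothetical helper): copy a bgrt theme and
# apply the post's key changes (Description is left as is). Never overwrites
# an existing DST_DIR.
derive_theme() {
    src=$1 dst=$2 name=$(basename "$2")
    [ -f "$src/bgrt.plymouth" ] || { echo "not a bgrt theme: $src" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "already exists: $dst" >&2; return 1; }
    cp -r "$src" "$dst" || return 1
    f="$dst/$name.plymouth"
    mv "$dst/bgrt.plymouth" "$f" &&
    set_key "$f" Name BGRT-Custom &&
    set_key "$f" DialogVerticalAlignment .75 &&
    set_key "$f" TitleVerticalAlignment .75 &&
    set_key "$f" DialogClearsFirmwareBackground false ||
    { rm -rf "$dst"; return 1; }   # leave no half-edited theme behind
}

# Constructed sample standing in for /usr/share/plymouth/themes/bgrt.
demo=$(mktemp -d)
mkdir "$demo/bgrt"
cat > "$demo/bgrt/bgrt.plymouth" <<'EOF'
[Plymouth Theme]
Name[fi]=BGRT
Name=BGRT
ModuleName=two-step

[two-step]
DialogVerticalAlignment=.382
TitleVerticalAlignment=.382
VerticalAlignment=.7
DialogClearsFirmwareBackground=true
EOF
# Show what changed; diff exits 1 when the files differ, hence "|| true".
derive_theme "$demo/bgrt" "$demo/bgrt-custom" &&
    { diff "$demo/bgrt/bgrt.plymouth" "$demo/bgrt-custom/bgrt-custom.plymouth" || true; }
```

On the real system this would be run as root with /usr/share/plymouth/themes/bgrt and /usr/share/plymouth/themes/bgrt-custom as arguments, followed by plymouth-set-default-theme -R bgrt-custom as in step 7.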
