Graphical password prompt for disk decryption on ArchLinux
In my last post, I described how I enabled encryption on my Linux root partition. However, during boot, it asked for the password using a plain-text prompt. I was not satisfied with that design and found that there's a better way: Plymouth.
Plymouth is a package that provides a themeable graphical boot process / splash screen all the way up to the login manager. This includes a graphical password prompt as well. Here are the steps I took to set this up:
1. First, I installed plymouth-git from the AUR. ArchWiki suggests plymouth-git instead of plymouth because it is actually less likely to cause problems for most users than the stable package.
2. Next, I updated the HOOKS section in my /etc/mkinitcpio.conf to include sd-plymouth:
3. And regenerated the initramfs:
4. Next, I added the following kernel parameters:
ArchWiki also suggests adding vt.global_cursor_default=0, but my experience was better without it. With this option, the cursor in TTY terminals becomes hidden, not just for the boot sequence but even later.
With the above changes, a nice password prompt with a spinner image is shown after reboot. However, this hid the beautiful OEM ROG logo that comes first at boot. So, here are the further tweaks I made to get it to look the way I wanted.
5. First, I tried using the built-in BGRT theme. This is a variation of the spinner theme that keeps the OEM logo if available (BGRT stands for Boot Graphics Resource Table).
This did not show the spinner, but it still hid the OEM logo when asking for the decryption password, although it did show the logo again after the password was entered. So, I guessed it just needed a little customization.
6. So, I made a copy of the bgrt theme to make my customizations.
7. These are the changes I had to make in bgrt-custom.plymouth to make it show the prompt like I wanted:
Basically, I tweaked DialogClearsFirmwareBackground, DialogVerticalAlignment, and TitleVerticalAlignment to my liking. To set this custom theme, I ran:
8. This looked perfect. But I noticed that this increased my boot-up time considerably. Plymouth was taking a long time before displaying the password prompt. On further digging, I found a parameter called DeviceTimeout in /etc/plymouth/plymouthd.conf with a default value of 8 seconds.
According to this merge request, this was needed to keep support for certain AMD GPUs. I don't have an AMD GPU, and anyway I think Plymouth is using the EFI framebuffer for this splash screen, not the GPU. So, I reduced it to 2 seconds to make things faster.
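A pre-reboot sanity check for steps 2 and 3, as an added example that is not part of the original post: it parses the HOOKS line of an mkinitcpio.conf and confirms that the Plymouth hook is listed before the encrypt hook. The ordering rule follows ArchWiki guidance rather than anything stated in the post, and the function names and sample configs are constructed for illustration.

```sh
#!/bin/sh
# Added example: check mkinitcpio HOOKS ordering before rebooting an encrypted system.

# Print the hooks of the last uncommented HOOKS=(...) or HOOKS="..." line, one per line.
list_hooks() {
    sed -n 's/^[[:space:]]*HOOKS=[("]\([^)"]*\)[)"].*$/\1/p' "$1" |
        tail -n 1 | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Print the 1-based position of the first hook matching any given name (empty if absent).
hook_pos() {
    file=$1; shift
    list_hooks "$file" | awk -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($0 in want) { print NR; exit }'
}

# Return 0 only when a Plymouth hook is present and listed before the encrypt hook.
# Assumption (ArchWiki guidance, not stated in the post): Plymouth must come first.
check_hooks() {
    ply=$(hook_pos "$1" plymouth sd-plymouth)
    enc=$(hook_pos "$1" encrypt sd-encrypt)
    if [ -z "$enc" ]; then echo "no encrypt hook found"; return 2; fi
    if [ -z "$ply" ]; then echo "no plymouth hook found"; return 1; fi
    if [ "$ply" -gt "$enc" ]; then
        echo "plymouth hook ($ply) is listed after encrypt hook ($enc)"; return 1
    fi
    echo "ok: plymouth hook ($ply) precedes encrypt hook ($enc)"
}

# Constructed sample configs (not from the post) so the check runs offline.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '#HOOKS=(base udev encrypt)' \
    'HOOKS=(base systemd sd-plymouth autodetect modconf block sd-encrypt filesystems)' \
    > "$tmp/good.conf"
printf '%s\n' 'HOOKS=(base udev autodetect block encrypt plymouth filesystems)' \
    > "$tmp/bad.conf"

check_hooks "$tmp/good.conf"
check_hooks "$tmp/bad.conf" || echo "bad.conf rejected"
```

On a real system, point check_hooks at /etc/mkinitcpio.conf before regenerating the initramfs.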
Interactions
Hi,
Thanks so much for this, was exactly what I was looking for and worked perfectly first time, I just had to remove the sd- prefix for encrypt and plymouth as I am using grub (no idea if that was required, but it seemed the right call so I did it and it worked :-)
Hi Jason. Glad to know this was helpful. sd-plymouth has been replaced by plymouth in a recent systemd update. I've updated the post as well.