When Omarchy runs on something like a home server in a physically secure spot, the machine should come back up after a reboot without anyone touching a keyboard. That’s a special case. The keyfile lives inside the encrypted root, but a copy of it is packed into the initramfs image on the unencrypted boot partition, so anyone with hardware access can read it and unlock the disk. Don’t do this on a laptop or a machine in a shared space.
Create the keyfile and tell LUKS about it
sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
sudo chmod 600 /root/keyfile
sudo cryptsetup luksAddKey /dev/nvme0n1p2 /root/keyfile
Find the right partition with lsblk -f (it is the one whose FSTYPE column reads crypto_LUKS). luksAddKey will ask for your existing LUKS passphrase once before it adds the keyfile to a free key slot.
Extend the Limine kernel command line
Open /etc/default/limine and extend KERNEL_CMDLINE[default]:
... cryptdevice=PARTUUID=xxx:root:allow-discards cryptkey=rootfs:/root/keyfile root=/dev/mapper/root ...
Replace xxx with your own PARTUUID. The new bits are :allow-discards and the cryptkey= parameter.
Pack the keyfile into initramfs
Set the FILES= line in /etc/mkinitcpio.conf:
FILES=(/root/keyfile)
Rebuild initramfs and bootloader
sudo mkinitcpio -P
sudo limine-update
If mkinitcpio asks about limine-mkinitcpio, confirm with Y.
Reboot
sudo reboot
The server now comes up without prompting for a passphrase.
Rolling it back
sudo cryptsetup luksRemoveKey /dev/nvme0n1p2 /root/keyfile
Then strip cryptkey= and :allow-discards out of /etc/default/limine, clear the FILES= line in /etc/mkinitcpio.conf, and run sudo mkinitcpio -P plus sudo limine-update once more so the rebuilt initramfs no longer carries the keyfile. sudo cryptsetup luksDump /dev/nvme0n1p2 should then show only your original key slot in use.
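The following script is an added example and not part of the Omarchy documentation. It checks the three things the procedure above changes: that the Limine kernel command line carries cryptkey=rootfs:... and the :allow-discards option on cryptdevice=, that the keyfile is mode 600, and that the keyfile actually ended up inside the rebuilt initramfs image. After the rollback every check should fail, which is the expected result. It assumes GNU stat, the lsinitcpio tool from the mkinitcpio package, and that /etc/default/limine keeps the line in the form KERNEL_CMDLINE[default]="..."; the device, keyfile and image paths are passed as arguments.

```shell
#!/bin/sh
# Sanity checks for the LUKS keyfile auto-unlock setup (added example, not Omarchy's code).

# cmdline_has_autounlock CMDLINE
# Succeeds only when the kernel command line contains a cryptkey=rootfs:... parameter
# and its cryptdevice= parameter ends with the :allow-discards option.
cmdline_has_autounlock() {
    padded=" $1 "
    case "$padded" in
        *" cryptkey=rootfs:"*) ;;
        *) return 1 ;;
    esac
    case "$padded" in
        *" cryptdevice="*":allow-discards "*) return 0 ;;
        *) return 1 ;;
    esac
}

# keyfile_perms_ok FILE
# Succeeds when FILE exists and is readable/writable by its owner only (mode 600).
# Uses GNU stat (assumption: Linux host).
keyfile_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# keyfile_in_initramfs IMAGE KEYPATH
# Succeeds when the initramfs image lists the keyfile, which is what FILES=(...) in
# /etc/mkinitcpio.conf is supposed to achieve. lsinitcpio prints paths without a leading
# slash on current mkinitcpio; the pattern accepts both forms as a precaution.
keyfile_in_initramfs() {
    rel="${2#/}"
    lsinitcpio "$1" 2>/dev/null | grep -qxE "/?$rel"
}

# Live run only when invoked with arguments, e.g.
#   sudo sh check-autounlock.sh /root/keyfile /boot/initramfs-linux.img
# (device node is not needed here; cryptsetup luksDump covers the key-slot side.)
if [ "$#" -ge 2 ]; then
    keyfile="$1"
    image="$2"
    # Assumed line format in /etc/default/limine: KERNEL_CMDLINE[default]="..."
    cmdline=$(sed -n 's/^KERNEL_CMDLINE\[default\]="\(.*\)"$/\1/p' /etc/default/limine)
    status=0
    if cmdline_has_autounlock "$cmdline"; then
        echo "ok:   kernel cmdline has cryptkey=rootfs and :allow-discards"
    else
        echo "FAIL: kernel cmdline lacks cryptkey=rootfs and/or :allow-discards"; status=1
    fi
    if keyfile_perms_ok "$keyfile"; then
        echo "ok:   $keyfile is mode 600"
    else
        echo "FAIL: $keyfile missing or not mode 600"; status=1
    fi
    if keyfile_in_initramfs "$image" "$keyfile"; then
        echo "ok:   $keyfile is packed into $image"
    else
        echo "FAIL: $keyfile not found inside $image (rerun sudo mkinitcpio -P?)"; status=1
    fi
    exit "$status"
fi
```

Run it once after the reboot step to confirm all three pieces are in place, and again after rolling back, when every line should read FAIL: a surviving "ok" on the initramfs check means the keyfile is still sitting on the unencrypted boot partition.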