I fixed mine by doing 3 things, but I think only 2 of them were necessary:
- Add KEYFILE_PATTERN=/crypto_keyfile.bin in /etc/cryptsetup-initramfs/conf-hook
- Edit /etc/crypttab and replace “none” after the UUID with /crypto_keyfile.bin, then in the series of comma-separated strings at the end, change it to luks,discard,key-slot=1,keyscript=/bin/cat
Rebuild initramfs:
sudo update-initramfs -c -k all
According to the crypttab documentation, the 3rd argument in the crypttab line is passed to the keyscript. That would be “none” in the crypttab the installer creates, but that means it’s simply passing “none” to /bin/cat and trying to decrypt the volume with that. That can’t work. Adding /crypto_keyfile.bin makes it pass the file to /bin/cat so it can enter the password, so to speak. Oddly, it doesn’t work fully if I remove keyscript=/bin/cat, when it should work without any keyscript. When I did that, it did decrypt, but then it just froze on a blinking cursor, never loading KDE. It’s strange because I have done this many times on Ubuntu and Debian systems. Neon seems to have a non-standard way of decrypting the volumes using /bin/cat or something.
The 3rd thing I did I think is likely unnecessary, but if the above doesn’t work, you can try it. Add the keyfile manually to both encrypted volumes:
sudo cryptsetup luksAddKey /dev/the_partition /crypto_keyfile.bin
This will add the key file to slot 2 (0-indexed). You will have to change /etc/crypttab again to point to the correct slot:
luks,discard,key-slot=2,keyscript=/bin/cat
Again, rebuild initramfs.
If step 3 is required, then I suspect key slot 1 (the one generated for the key file by the installer) was created with some kind of bad data and should be removed for security purposes.
Just a note: To avoid errors/warnings while rebuilding initramfs, make sure to decrypt the root volume using the same name/id shown in /etc/crypttab. (The 1st is root, 2nd is swap.)
Edit: Leave out “discard” from crypttab if you are concerned about the security implications.
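
An added example, not part of the original post: a small shell lint for the conditions the post works around, namely a crypttab entry whose key file field is "none" while a keyscript is set, a key file that KEYFILE_PATTERN does not cover, and the discard option. The function name, finding labels and sample files are constructed for illustration, and it assumes KEYFILE_PATTERN is a shell pattern that selects which key files are copied into the initramfs.

```shell
#!/bin/sh
# Added example, not from the original post.
# crypttab fields: <target> <source device> <key file> <options>

check_crypttab() {  # $1 = crypttab, $2 = cryptsetup-initramfs conf-hook
    # Last uncommented KEYFILE_PATTERN= assignment, quotes stripped.
    pattern=$(sed -n 's/^KEYFILE_PATTERN=//p' "$2" | tail -n 1 | tr -d "\"'")
    while read -r target _source keyfile options _rest || [ -n "$target" ]; do
        case "$target" in ''|'#'*) continue ;; esac
        if [ "$keyfile" = none ]; then
            # The key file field is what gets passed to the keyscript, so
            # with "none" the script has no file to read.
            case ",$options," in
            *,keyscript=*) echo "$target KEYSCRIPT_WITHOUT_KEYFILE" ;;
            esac
        else
            # Only key files matching KEYFILE_PATTERN (a shell pattern) are
            # copied into the initramfs image.
            case "$keyfile" in
            $pattern) ;;
            *) echo "$target KEYFILE_NOT_IN_INITRAMFS" ;;
            esac
        fi
        case ",$options," in
        *,discard,*) echo "$target DISCARD_ENABLED" ;;
        esac
    done < "$1"
}

# Constructed sample files (not taken from a real system).
demo=$(mktemp -d)
cat > "$demo/crypttab" <<'EOF'
# <target> <source device> <key file> <options>
luks-root UUID=00000000-0000-0000-0000-000000000001 none luks,discard,key-slot=1,keyscript=/bin/cat
luks-swap UUID=00000000-0000-0000-0000-000000000002 /crypto_keyfile.bin luks,key-slot=1,keyscript=/bin/cat
EOF
echo '#KEYFILE_PATTERN=' > "$demo/conf-hook"  # constructed: pattern not set
check_crypttab "$demo/crypttab" "$demo/conf-hook"
rm -r "$demo"
```

On a real system the arguments would be /etc/crypttab and /etc/cryptsetup-initramfs/conf-hook; an empty result means none of the three conditions was found.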