linux
Sober Sniper, 2016-05-16 20:57:05

Linux LUKS + usb key - why doesn't it work?

Good day...
We have Arch Linux.
I encrypted the disk with LUKS; it asks for the password at boot, and everything works as it should.
I added a key to the disk so that it can be opened with the key file:
cryptsetup luksAddKey /dev/sda2 /mnt/file.key
I added an entry to /etc/default/grub specifying the UUID of the drive (blkid helped me find it):

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:main cryptkey=/dev/disk/by-uuid/0018-F528:vfat:/file.key"

In /etc/mkinitcpio.conf I set:
MODULES="ata_generic ata_piix nls_cp437 vfat"
HOOKS="base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck"

Then I ran:
grub-mkconfig -o /boot/grub/grub.cfg
mkinitcpio -p linux

After reboot I get an error:
Starting version 229
[ 2.712166] sd 4:0:0:0: [sdb] No Caching mode page found
[ 2.712166] sd 4:0:0:0: [sdb] Assuming drive cache: write through
ERROR: device 'UUID=276f2d59-4k5h-4585-dfty-059hjftu657c' not found. Skipping fsck.
ERROR: Unable to find root device 'UUID=276f2d59-4k5h-4585-dfty-059hjftu657c'.
You are being dropped to a recovery shell
    Type 'exit' to try and continue booting
sh: can't access tty; job control turned off

The flash drive with the key is there; it did find it at the beginning.
As a test I removed the key from the flash drive, and then it complains that there is no key on the flash drive.
I can open the container with the key without any problems:
cryptsetup open /dev/sda2 lvm --key-file=/tmp/file.key

/tmp is where I mounted the flash drive.
If I remove the key completely (luksRemoveKey), it boots normally: it asks for the password and the system continues booting as usual.
How can I solve the problem?
Is the entry in /etc/default/grub wrong?
Here is the content of /etc/default/grub:
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:main cryptkey=/dev/disk/by-uuid/0018-F528:vfat:/file.key"

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE=auto

# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep

# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true

Here is the content of /boot/grub/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
insmod part_gpt
insmod part_msdos
if [ -s $prefix/grubenv ]; then
  load_env
fi
if [ "${next_entry}" ] ; then
   set default="${next_entry}"
   set next_entry=
   save_env next_entry
   set boot_once=true
else
   set default="0"
fi

if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}

function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

if [ x$feature_default_font_path = xy ] ; then
   font=unicode
else
insmod part_msdos
insmod ext2
set root='hd0,msdos3'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos3 --hint-efi=hd0,msdos3 --hint-baremetal=ahci0,msdos3  aefcbefe-5dd9-46ea-b54b-2f240d924219
else
  search --no-floppy --fs-uuid --set=root aefcbefe-5dd9-46ea-b54b-2f240d924219
fi
    font="/usr/share/grub/unicode.pf2"
fi

if loadfont $font ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
  set locale_dir=$prefix/locale
  set lang=ru_RU
  insmod gettext
fi
terminal_input console
terminal_output gfxterm
if [ x$feature_timeout_style = xy ] ; then
  set timeout_style=menu
  set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
  set timeout=5
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/10_linux ###
menuentry 'Arch Linux' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-276f2d59-4k5h-4585-dfty-059hjftu657c' {
  load_video
  set gfxpayload=keep
  insmod gzio
  insmod part_msdos
  insmod ext2
  set root='hd0,msdos1'
  if [ x$feature_platform_search_hint = xy ]; then
    search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1  a80c4147-b1af-4192-b9d5-b031b7c6f45b
  else
    search --no-floppy --fs-uuid --set=root a80c4147-b1af-4192-b9d5-b031b7c6f45b
  fi
  echo	'Загружается Linux linux …'
  linux	/vmlinuz-linux root=UUID=276f2d59-4k5h-4585-dfty-059hjftu657c rw cryptdevice=/dev/sda2:main cryptkey=/dev/disk/by-uuid/0018-F528:vfat:/file.key quiet
  echo	'Загружается начальный виртуальный диск …'
  initrd	 /initramfs-linux.img
}
submenu 'Дополнительные параметры для Arch Linux' $menuentry_id_option 'gnulinux-advanced-276f2d59-4k5h-4585-dfty-059hjftu657c' {
  menuentry 'Arch Linux, с Linux linux' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-advanced-276f2d59-4k5h-4585-dfty-059hjftu657c' {
    load_video
    set gfxpayload=keep
    insmod gzio
    insmod part_msdos
    insmod ext2
    set root='hd0,msdos1'
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1  a80c4147-b1af-4192-b9d5-b031b7c6f45b
    else
      search --no-floppy --fs-uuid --set=root a80c4147-b1af-4192-b9d5-b031b7c6f45b
    fi
    echo	'Загружается Linux linux …'
    linux	/vmlinuz-linux root=UUID=276f2d59-4k5h-4585-dfty-059hjftu657c rw cryptdevice=/dev/sda2:main cryptkey=/dev/disk/by-uuid/0018-F528:vfat:/file.key quiet
    echo	'Загружается начальный виртуальный диск …'
    initrd	 /initramfs-linux.img
  }
  menuentry 'Arch Linux, with Linux linux (fallback initramfs)' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-fallback-276f2d59-4k5h-4585-dfty-059hjftu657c' {
    load_video
    set gfxpayload=keep
    insmod gzio
    insmod part_msdos
    insmod ext2
    set root='hd0,msdos1'
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1  a80c4147-b1af-4192-b9d5-b031b7c6f45b
    else
      search --no-floppy --fs-uuid --set=root a80c4147-b1af-4192-b9d5-b031b7c6f45b
    fi
    echo	'Загружается Linux linux …'
    linux	 /vmlinuz-linux root=UUID=276f2d59-4k5h-4585-dfty-059hjftu657c rw cryptdevice=/dev/sda2:main cryptkey=/dev/disk/by-uuid/0018-F528:vfat:/file.key quiet
    echo	'Загружается начальный виртуальный диск …'
    initrd	 /initramfs-linux-fallback.img
  }
}

### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###

### BEGIN /etc/grub.d/60_memtest86+ ###
### END /etc/grub.d/60_memtest86+ ###

Everything is commented out in /etc/crypttab.
And here is /etc/fstab:
# /dev/mapper/main-root
UUID=276f2d59-4k5h-4585-dfty-059hjftu657c / ext4 rw,relatime,data=ordered 0 1

# /dev/sda1 LABEL=boot
UUID=159f2d60-9f7n-1385-dfty-498sdfgi057k /boot ext2 rw,relatime,block_validity,barrier,user_xattr,acl 0 1

I tried changing the UUID in fstab to /dev/mapper/main-root, but of course that didn't help.
This is the line in /boot/grub/grub.cfg that confuses me:
linux	/vmlinuz-linux root=UUID=276f2d59-4k5h-4585-dfty-059hjftu657c rw cryptdevice=/dev/sda2:main cryptkey=/dev/disk/by-uuid/0018-F528:vfat:/file.key quiet

As I understand it, it first looks for that disk and only then for the key, but since it hasn't opened it, it complains about this.... Apparently they somehow need to be swapped...
Tell me how this can be solved.
Thank you.
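A sanity check for the cryptdevice=/cryptkey= parameters and the MODULES= list from the post, as an added example that is not part of the original question or answer. The command line and module list are constructed copies of the question's values; the three-field cryptkey form (device:fstype:path, or device:offset:size for a raw key) is the syntax the mkinitcpio encrypt hook documents.

```shell
#!/bin/sh
# Added example, not code from the original post: check the cryptdevice= and
# cryptkey= parameters read by the mkinitcpio "encrypt" hook against the MODULES=
# list of /etc/mkinitcpio.conf, on constructed copies of the question's values.

# Print the value of parameter $2 from kernel command line $1 (first match).
cmdline_param() {
    for word in $1; do
        case "$word" in
            "$2="*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

# cryptdevice=<device>:<dmname>[:options] needs at least the first two fields.
check_cryptdevice() {
    dev=${1%%:*}; name=${1#*:}; name=${name%%:*}
    case "$dev" in
        /dev/*|UUID=*|LABEL=*|PARTUUID=*) ;;
        *) echo "bad-device:$dev"; return 1 ;;
    esac
    if [ -z "$name" ] || [ "$name" = "$1" ]; then echo "missing-dm-name"; return 1; fi
    echo ok
}

# cryptkey=<device>:<fstype>:<path> (key file) or <device>:<offset>:<size> (raw
# key). $2 is MODULES=: the autodetect hook only ships drivers for filesystems
# mounted on the running system, so a vfat stick needs vfat and nls_cp437 listed.
check_cryptkey() {
    key=$1; mods=" $2 "; bad=""
    dev=${key%%:*}; rest=${key#*:}; fstype=${rest%%:*}; path=${rest#*:}
    if [ "$key" = "$dev" ] || [ "$rest" = "$fstype" ]; then
        echo "cryptkey-needs-3-fields"; return 1
    fi
    case "$fstype" in
        vfat) for m in vfat nls_cp437; do
                  case "$mods" in *" $m "*) ;; *) bad="$bad missing-module:$m" ;; esac
              done ;;
        *[!0-9]*) case "$mods" in *" $fstype "*) ;; *) bad="$bad missing-module:$fstype" ;; esac ;;
        *) case "$path" in ''|*[!0-9]*) bad="$bad raw-key-size-not-numeric" ;; esac ;;
    esac
    if [ -n "$bad" ]; then echo "${bad# }"; return 1; fi
    echo ok
}
# Constructed copy of the kernel line and MODULES= from the question.
CMDLINE='root=UUID=276f2d59-4k5h-4585-dfty-059hjftu657c rw cryptdevice=/dev/sda2:main cryptkey=/dev/disk/by-uuid/0018-F528:vfat:/file.key quiet'
MODULES='ata_generic ata_piix nls_cp437 vfat'
check_cryptdevice "$(cmdline_param "$CMDLINE" cryptdevice)"
check_cryptkey "$(cmdline_param "$CMDLINE" cryptkey)" "$MODULES"
```

Run against the real command line with `cmdline_param "$(cat /proc/cmdline)" cryptkey` and the MODULES= line of your mkinitcpio.conf; a "missing-module" verdict means the initramfs cannot mount the key stick even though the same key file opens the container fine from a running system.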

1 answer(s)
falshunov, 2018-03-13

In /etc/default/grub:
GRUB_ENABLE_CRYPTODISK=y
GRUB_CRYPTODISK_ENABLE=y
sudo grub-mkconfig -o /boot/grub/grub.cfg
sudo grub-install /dev/sd*
where * is your disk
