diff --git a/pkg/lib/lock.go b/pkg/lib/lock.go
index 98fc0c3..4cc0ac7 100644
--- a/pkg/lib/lock.go
+++ b/pkg/lib/lock.go
@@ -208,9 +208,12 @@ func formatLuks(device, name, mapper, label, pass string, logger types.KairosLog
 	}
 
 	l.Debug().Msg("discards")
-	out, err = SH(fmt.Sprintf("cryptsetup refresh --persistent --allow-discards %s", mapper))
+	// Refresh needs the password as its doing actions on the device directly
+	cmd := exec.Command("cryptsetup", "refresh", "--persistent", "--allow-discards", mapper)
+	cmd.Stdin = strings.NewReader(pass)
+	output, err := cmd.CombinedOutput()
 	if err != nil {
-		return fmt.Errorf("refresh err: %w, out: %s", err, out)
+		return fmt.Errorf("refresh err: %w, out: %s", err, string(output))
 	}
 
 	l.Debug().Msg("close")
diff --git a/pkg/lib/unlock.go b/pkg/lib/unlock.go
index 2fead66..78aa2f0 100644
--- a/pkg/lib/unlock.go
+++ b/pkg/lib/unlock.go
@@ -72,8 +72,14 @@ func UnlockAllWithLogger(tpm bool, log types.KairosLogger) error {
 						}
 					} else {
 						p.FilesystemLabel, err = config.GetLabelForUUID(volumeUUID)
+						// This is a not known filesystem label, so we will try to unlock by uuid or by partition label
+						// Notice that we lock by uuid and filesystem label so the label usually wont match between the fs label and partition label
+						// Unless set by the user to be the same one
 						if err != nil {
-							return err
+							if p.FilesystemLabel == "" || p.FilesystemLabel == "unknown" {
+								p.FilesystemLabel = p.Label
+							}
+							logger.Warn().Msg("Not known filesystem label, will try to unlock by uuid or by partition label")
 						}
 						err = UnlockDisk(p)
 						if err != nil {