
System and Network configuration • Encrypted boot setup, grub tries to decrypt data partition unnecessarily

Hi,

I just set up Debian 12.5 and wanted to set up "full encryption" (encrypted boot as well as data) as I have done in the past on Ubuntu. After a full day of battling, I have everything set up and working except for one annoyance:

When Grub boots, after I enter the initial passphrase for the boot volume, I get a second prompt to enter a passphrase for my encrypted LVM partition before the Grub bootloader is displayed. If I hit ESC, it goes to the bootloader and I can boot the system without issue. It's just very annoying that Grub thinks I want to decrypt the LVM system/data partition as well as the boot volume. (The LVM partition is decrypted using a keyfile stored in initramfs on /boot).

In my attempt to understand what was happening I discovered a few things that I think are relevant:

1. /boot/grub/grub.cfg contains a bunch of sections generated from different templates. In two of these sections, I see the offending data partition's UUID listed in the line "cryptomount -u (UUID)". It appears under the section generated by /etc/grub.d/00_header and /etc/grub.d/05_debian_theme. The section generated by /etc/grub.d/10_linux does not contain a cryptomount line with the incorrect data UUID, but instead contains cryptomount with the UUID of the boot partition (correct).

2. I discovered that if I comment out GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub and regenerate the grub cfg file with update-grub, the lines containing the cryptomount with the wrong UUID go away, but the cryptomount lines with my boot partition UUID remain under the section generated by /etc/grub.d/10_linux. However, if I disable GRUB_ENABLE_CRYPTODISK, grub-install fails to run correctly on /boot/efi, complaining that grub can't be installed to an encrypted volume if GRUB_ENABLE_CRYPTODISK is disabled. FYI, the /boot partition is encrypted, but the /boot/efi partition is not.

I can see from the above that update-grub is auto-detecting both the encrypted boot partition and the encrypted data partition when GRUB_ENABLE_CRYPTODISK is enabled. What I can't figure out is where this is being done so I can remove the reference to my system/data partition. The partition is LUKS2 encrypted with --pbkdf argon2id, so Grub can't decrypt it anyway.

I read countless pages on setting up full disk encryption including several for Debian, and none of them mentioned this issue. I also never had this problem on any of the many Ubuntu systems I set up this way. Any help tracking this down would be greatly appreciated.

Statistics: Posted by Graphite — 2024-06-09 21:20 — Replies 0 — Views 25
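A diagnostic for the situation the post describes, added here as an example and not part of the original post or of Debian's grub tooling. grub-mkconfig wraps the output of each /etc/grub.d script in `### BEGIN /etc/grub.d/<script> ###` / `### END ... ###` marker lines, so a generated grub.cfg can be read back to see which generator emitted which `cryptomount -u <UUID>` line. The script below does that, then lists the generator sections that reference any LUKS container other than the one holding /boot. The grub.cfg fragment embedded in it is constructed for the demo (the UUIDs are placeholders) and mirrors the layout in the post: 00_header and 05_debian_theme carry the data volume's UUID, 10_linux only the /boot container's.

```shell
#!/bin/sh
# Added example: attribute each "cryptomount -u <UUID>" in a grub.cfg to the
# /etc/grub.d script whose "### BEGIN ... ###" block it sits in. Not from the
# original post; relies only on the section markers grub-mkconfig emits.

# Constructed sample (not a real system's grub.cfg); UUIDs are placeholders.
# 1111... stands for the LUKS container holding /boot, 2222... for the LVM
# data container that grub should not be asked to unlock.
SAMPLE_GRUB_CFG='### BEGIN /etc/grub.d/00_header ###
insmod cryptodisk
insmod luks
cryptomount -u 11111111111111111111111111111111
cryptomount -u 22222222222222222222222222222222
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/05_debian_theme ###
cryptomount -u 22222222222222222222222222222222
### END /etc/grub.d/05_debian_theme ###

### BEGIN /etc/grub.d/10_linux ###
menuentry "Debian GNU/Linux" {
        insmod cryptodisk
        cryptomount -u 11111111111111111111111111111111
        linux   /vmlinuz root=/dev/mapper/vg-root ro
}
### END /etc/grub.d/10_linux ###'

# cryptomount_by_section FILE
# Prints "generator-script UUID" for every cryptomount line, deduplicated.
cryptomount_by_section() {
    awk '
        $1 == "###" && $2 == "BEGIN" { section = $3; next }
        $1 == "###" && $2 == "END"   { section = "";  next }
        $1 == "cryptomount" {
            for (i = 2; i <= NF; i++)
                if ($i == "-u") { print section, $(i + 1); break }
        }
    ' "$1" | sort -u
}

# sections_with_unexpected_uuid FILE BOOT_LUKS_UUID
# Prints the generator scripts that try to unlock anything other than the
# /boot container. Empty output means grub.cfg only references /boot.
sections_with_unexpected_uuid() {
    cryptomount_by_section "$1" | awk -v boot="$2" '$2 != boot { print $1 }' | sort -u
}

# Stand-alone demo against the constructed sample.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_GRUB_CFG" > "$tmp"
    echo "cryptomount lines by generator:"
    cryptomount_by_section "$tmp"
    echo "generators referencing a container other than /boot:"
    sections_with_unexpected_uuid "$tmp" 11111111111111111111111111111111
    rm -f "$tmp"
}

demo
```

On a real system, run `cryptomount_by_section /boot/grub/grub.cfg`, and get the /boot container's UUID with `cryptsetup luksUUID /dev/<boot-luks-partition>` to feed `sections_with_unexpected_uuid`. Any generator it names is the place to look when regenerating grub.cfg; note that an argon2id LUKS2 container referenced there cannot be opened by grub regardless, which is why the extra prompt can only be skipped, never satisfied.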