[dm-crypt] Mildly OT: LUKS and the Debian installer
saout.boxy at xoxy.net
Tue May 22 12:29:13 CEST 2018
On 05/22/2018 02:26 AM, Jonas Meurer - jonas at freesources.org wrote:
> Hi Diagon,
> Am 22.05.2018 um 09:50 schrieb Diagon:
>> So I'm doing something that I've done many times with Ubuntu. That is,
>> preparing my disks in the live system (usually /boot on a USB stick and
>> / on luks, no partition table on that second drive), then running the
>> install, and finally pivoting in to fix crypttab and update the initramfs.
>> After many tries with the debian installer, I've almost been able to get
>> this to work, though it does need some tending to to get there. The
>> problem comes after I've pivoted in. I install cryptsetup, as I find
>> that it's not there, and then correct crypttab/initramfs. Oddly, I find
>> the initramfs does not include cryptsetup. Hmmm.
> You mean the initramfs created by debian-installer? Have you tried
> recreating the initramfs from the installed system? 'update-initramfs
> -u' recreates the initramfs for latest installed kernel.
Yes, as I say. I pivot into the system after the installer is done.
Then I install cryptsetup, create the crypttab and `update-initramfs -k
all -v -c`
> If you have cryptsetup installed and an encrypted rootfs, cryptsetup
> should be added to the initramfs automatically.
No, that doesn't happen. Neither with the installer nor when I pivot in
I do not expect it to happen with the installer, and here's why. I
create the encrypted container myself since the debian installer only
allows me to create an encrypted container /in a partition/ and also has
limited options available. So I create the container before, and then
do the install. It's delicate with Debian, but I can get the installer
to recognize my /dev/mapper/luks.root and install there. But it does
not recognize that this is an encrypted container, so it does not
include cryptsetup in the install (or the resulting initramfs). I have
tried other things, like dropping to the shell during the install to
edit the cryptab and `apt-install cryptsetup`, but none of that helps.
The Ubuntu installer is much more straightforward, but also fails to
create a proper initramfs; though I can fix it later by pivoting in.
The odd thing is that with Debian I can't.
> If it doesn't, please
> file a bug against cryptsetup to the Debian bugtracking system
I am not sure what I am to say the bug is. It's rather mysterious to me
that the tactics I have used in the past are failing. Maybe the problem
is with the installer?
> In case you file a bug, please do the following in advance:
> * change the shebang in /usr/sbin/mkinitramfs to '#!/bin/sh -x'
> * run 'update-initramfs -u >/tmp/mkinitramfs.log 2>&1'
> * attach '/tmp/mkinitramfs.log' to the bugreport
> * (don't forget to change back the shebang of mkinitramfs afterwards)
More information about the dm-crypt