[dm-crypt] Mildly OT: LUKS and the Debian installer

Diagon saout.boxy at xoxy.net
Tue May 22 12:29:13 CEST 2018

On 05/22/2018 02:26 AM, Jonas Meurer - jonas at freesources.org wrote:
> Am 22.05.2018 um 09:50 schrieb Diagon:
>> So I'm doing something that I've done many times with Ubuntu.  That is,
>> preparing my disks in the live system (usually /boot on a USB stick and
>> / on luks, no partition table on that second drive), then running the
>> install, and finally pivoting in to fix crypttab and update the initramfs.
>> After many tries with the Debian installer, I've almost been able to get
>> this to work, though it does need some tending to to get there.  The
>> problem comes after I've pivoted in.  I install cryptsetup, as I find
>> that it's not there, and then correct crypttab/initramfs.  Oddly, I find
>> the initramfs does not include cryptsetup.  Hmmm.
> You mean the initramfs created by debian-installer? Have you tried
> recreating the initramfs from the installed system? 'update-initramfs
> -u' recreates the initramfs for latest installed kernel.

Yes, as I say.  I pivot into the system after the installer is done.
Then I install cryptsetup, create the crypttab and
`update-initramfs -k all -v -c`.

> If you have cryptsetup installed and an encrypted rootfs, cryptsetup
> should be added to the initramfs automatically. 

No, that doesn't happen.  Neither with the installer nor when I pivot in.

I do not expect it to happen with the installer, and here's why.  I
create the encrypted container myself since the Debian installer only
allows me to create an encrypted container /in a partition/ and also has
limited options available.  So I create the container before, and then
do the install. It's delicate with Debian, but I can get the installer
to recognize my /dev/mapper/luks.root and install there.  But it does
not recognize that this is an encrypted container, so it does not
include cryptsetup in the install (or the resulting initramfs).  I have
tried other things, like dropping to the shell during the install to
edit the crypttab and `apt-install cryptsetup`, but none of that helps.

The Ubuntu installer is much more straightforward, but also fails to
create a proper initramfs; though I can fix it later by pivoting in.
The odd thing is that with Debian I can't.

> If it doesn't, please
> file a bug against cryptsetup to the Debian bugtracking system
> (bugs.debian.org).

I am not sure what I am to say the bug is.  It's rather mysterious to me
that the tactics I have used in the past are failing.  Maybe the problem
is with the installer?

> In case you file a bug, please do the following in advance:
> * change the shebang in /usr/sbin/mkinitramfs to '#!/bin/sh -x'
> * run 'update-initramfs -u >/tmp/mkinitramfs.log 2>&1'
> * attach '/tmp/mkinitramfs.log' to the bugreport
> * (don't forget to change back the shebang of mkinitramfs afterwards)
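
Added example, not part of the original message or of Debian's tooling: a shell check for the symptom discussed in this thread (an initramfs rebuilt without cryptsetup), run against saved `lsinitramfs` output and a crypttab. The mapping name `luks.root` comes from the message; the function names, the `/dev/sdb` source device, the sample listing, and the assumption that dm-crypt is built as a module are constructed for illustration.

```shell
#!/bin/sh
# Real use (hypothetical paths for the saved listing):
#   lsinitramfs /boot/initrd.img-"$(uname -r)" > /tmp/initrd.list
#   check_cryptroot /etc/crypttab /tmp/initrd.list luks.root

# Print the mapping name (first field) of every active crypttab entry,
# skipping blank lines and comments.
crypttab_targets() {
    awk 'NF && $1 !~ /^#/ { print $1 }' "$1"
}

# Succeed if some path in the listing ends with the given ERE suffix.
listing_has() {
    grep -Eq "(^|/)$2\$" "$1"
}

# Usage: check_cryptroot CRYPTTAB LISTING ROOT_MAPPING
# Prints one line per finding and returns the number of problems found.
check_cryptroot() {
    problems=0
    if ! crypttab_targets "$1" | grep -Fxq "$3"; then
        echo "MISSING: no crypttab entry named $3"
        problems=$((problems + 1))
    fi
    if ! listing_has "$2" 'sbin/cryptsetup'; then
        echo "MISSING: cryptsetup binary not in initramfs"
        problems=$((problems + 1))
    fi
    # Assumption: dm-crypt is a module (possibly compressed), not built in.
    if ! listing_has "$2" 'dm-crypt\.ko(\.[a-z0-9]+)?'; then
        echo "MISSING: dm-crypt kernel module not in initramfs"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: crypttab names luks.root, but the image listing
# contains neither cryptsetup nor dm-crypt (the situation in the thread).
demo() {
    d=$(mktemp -d)
    printf 'luks.root /dev/sdb none luks\n' > "$d/crypttab"
    printf 'sbin/blkid\nscripts/local-top\n' > "$d/list"
    check_cryptroot "$d/crypttab" "$d/list" luks.root; rc=$?
    rm -rf "$d"
    return "$rc"
}
```

A non-zero return from `check_cryptroot` after `update-initramfs` gives a concrete statement of the defect to put in a bug report alongside the `mkinitramfs` trace.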
