[dm-crypt] Mildly OT: LUKS and the Debian installer

Diagon saout.boxy at xoxy.net
Wed May 23 10:18:55 CEST 2018


On 05/22/2018 12:58 PM, Michael Ranft - m at michaelranft.com wrote:
> On Dienstag, 22. Mai 2018 00:50:39 CEST Diagon wrote:
>> So I'm doing something that I've done many times with Ubuntu.  That is,
>> preparing my disks in the live system (usually /boot on a USB stick and
>> / on luks, no partition table on that second drive), then running the
>> install, and finally pivoting in to fix crypttab and update the initramfs.
>>
>> After many tries with the debian installer, I've almost been able to get
>> this to work, though it does need some tending to to get there.  The
>> problem comes after I've pivoted in.  I install cryptsetup, as I find
>> that it's not there, and then correct crypttab/initramfs.  Oddly, I find
>> the initramfs does not include cryptsetup.  Hmmm.
>>
>> I'm getting crickets on the Debian user list, but I figure someone here
>> must have done something like this.  Any hope I might find help?
>>
>> /D
> 
> 
> I did a similar thing with ascii 2 weeks ago (and wheezy years ago) because 
> I wanted different cryptsetup parameters than the installer offered: plain-dm 
> (no LUKS), hash sha512 and size 512.
> So I started the installer and did every step of it, including the 
> partitioning of crypted devices and choosing the modules for encryption etc 
> before.
> I stopped right before "install base-system". I opened a shell and copied 
> _all_ installed files and dirs of the new system (under /target: crypttab 
> etc). to secure them, then I destroyed the partitions with the unwanted 
> cryptsetup parameters and recreated them with the new params, modified 
> crypttab as desired.
> Then I proceeded with "install base system" and the following steps as usual.
> A minor difference: I used plain-dm-crypt and an underlying software raid 
> (mdadm etc). System runs fine and performance is more than acceptable (x220/i5 
> with 850 pro/840evo).
> HTH
> Michael

Michael - I found the solution, which works on both Debian and Devuan.
I was given some kind help by someone on the Debian user's list, which I
am copying here:

------------
In the file “/etc/cryptsetup-initramfs/conf-hook”, there is a line
“CRYPTSETUP” which is commented and/or has the default value “n”. If
this is the case, replace the line with “CRYPTSETUP=y”. So, the next use
of the command “update-initramfs” should solve your problem if I
understood it correctly.

I think “CRYPTSETUP=y” is automatically set if you create an encrypted
partition by following the installer’s instructions, but not when you do
it outside these instructions.
----------

So, to explain my process for anyone who comes this way ...

(1) Create encrypted containers as needed using a live system.  Make
sure to create the filesystem you want in the containers
(2) Start the installer and run through "Load Installer Components".
Make sure you have loaded crypto-dm-modules
(3) Continue the installation through "Detect Hard Drives"
(4) Drop to the shell and run 'anna-install cryptsetup-udeb'.  Then open
your encrypted containers.
(5) Return and run "Detect Hard Drives" again.
(6) Continue to the partitioner.  You will see your /dev/mapper
device(s) listed.  Note that if there is no filesystem in the device,
when you select it, the partitioner will want to create a partition in
there.
(7) Now you can do the rest of the install, though the installer will
not recognize that cryptsetup has to be included.

While I exited the install and then pivoted in to 'apt-get install
cryptsetup', fix the crypttab/fstab and
/etc/cryptsetup-initramfs/conf-hook, after which I update-initramfs and
update-grub, someone else may want to see if it is possible to finish
the process through the installer.  You may be able to do it like this:

(8) After "Select and Install Software", drop to a shell and
'apt-install cryptsetup'.  Then edit crypttab/fstab and fix
/etc/cryptsetup-initramfs/conf-hook as described above.
(9) Exit the shell and return to finish the install.

My guess is it may work.

/D
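
The conf-hook fix described in the message above, as an added example that is not part of the original post: it sets `CRYPTSETUP=y` whether the line is commented, set to `n`, or absent, then checks that each rebuilt initramfs actually contains cryptsetup. The function names and the `--apply` switch are hypothetical; it assumes initramfs-tools (`update-initramfs`, `lsinitramfs`) and that the binary is listed under `sbin/cryptsetup`.

```shell
#!/bin/sh
# Added example, not from the original post. Run inside the installed system
# (chroot) as root. The path is the one named in the post; CONF_HOOK can be
# overridden to try this against a copy.
CONF_HOOK="${CONF_HOOK:-/etc/cryptsetup-initramfs/conf-hook}"

# Force CRYPTSETUP=y in the conf-hook file given as $1.
# Covers a commented line, CRYPTSETUP=n, and a missing line; idempotent.
ensure_cryptsetup_hook() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    if grep -Eq '^[[:space:]]*CRYPTSETUP=y[[:space:]]*$' "$file"; then
        return 0                        # already active, leave file untouched
    fi
    pat='^[[:space:]]*#*[[:space:]]*CRYPTSETUP=.*$'
    tmp="$(mktemp "${file}.XXXXXX")" || return 2
    if grep -Eq "$pat" "$file"; then
        sed -E "s/$pat/CRYPTSETUP=y/" "$file" > "$tmp"
    else
        { cat "$file"; echo 'CRYPTSETUP=y'; } > "$tmp"
    fi
    # Write back through the original inode so owner and mode are preserved.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Read an `lsinitramfs` listing on stdin; succeed only if the cryptsetup
# binary itself is in the image (assumed to be listed as .../sbin/cryptsetup).
initramfs_has_cryptsetup() {
    grep -Eq '(^|/)sbin/cryptsetup$'
}

# Apply step, run only when called with --apply (hypothetical switch).
# All kernels are rebuilt because `uname -r` in a chroot reports the live
# system's kernel, not the installed one.
if [ "${1:-}" = "--apply" ]; then
    ensure_cryptsetup_hook "$CONF_HOOK" || exit 1
    update-initramfs -u -k all || exit 1
    for img in /boot/initrd.img-*; do
        if lsinitramfs "$img" | initramfs_has_cryptsetup; then
            echo "ok: cryptsetup present in $img"
        else
            echo "MISSING: cryptsetup not in $img" >&2
        fi
    done
fi
```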


