[dm-crypt] Mildly OT: LUKS and the Debian installer

Diagon saout.boxy at xoxy.net
Wed May 23 10:18:55 CEST 2018

On 05/22/2018 12:58 PM, Michael Ranft - m at michaelranft.com wrote:
> On Tuesday, 22 May 2018 00:50:39 CEST Diagon wrote:
>> So I'm doing something that I've done many times with Ubuntu.  That is,
>> preparing my disks in the live system (usually /boot on a USB stick and
>> / on luks, no partition table on that second drive), then running the
>> install, and finally pivoting in to fix crypttab and update the initramfs.
>> After many tries with the debian installer, I've almost been able to get
>> this to work, though it does need some tending to to get there.  The
>> problem comes after I've pivoted in.  I install cryptsetup, as I find
>> that it's not there, and then correct crypttab/initramfs.  Oddly, I find
>> the initramfs does not include cryptsetup.  Hmmm.
>> I'm getting crickets on the Debian user list, but I figure someone here
>> must have done something like this.  Any hope I might find help?
>> /D
> I did a similar thing with ascii 2 weeks ago (and wheezy years ago) because
> I wanted different cryptsetup parameters than the installer offered: plain-dm 
> (no LUKS), hash sha512 and size 512.
> So I started the installer and did every step of it, including the 
> partitioning of crypted devices and choosing the modules for encryption etc 
> before.
> I stopped right before "install base-system". I opened a shell and copied 
> _all_ installed files and dirs of the new system (under /target: crypttab 
> etc.) to secure them, then I destroyed the partitions with the unwanted
> cryptsetup parameters and recreated them with the new params, modified 
> crypttab as desired.
> Then I proceeded with "install base system" and the following steps as usual.
> A minor difference: I used plain-dm-crypt and an underlying software raid 
> (mdadm etc). System runs fine and performance is more than acceptable (x220/i5 
> with 850 pro/840evo).
> Michael

Michael - I found the solution, which works on both Debian and Devuan.
I was given some kind help by someone on the Debian user's list, which I
am copying here:

In the file “/etc/cryptsetup-initramfs/conf-hook”, there is a line
“CRYPTSETUP” which is commented and/or has the default value “n”. If
this is the case, replace the line with “CRYPTSETUP=y”. So, the next use
of the command “update-initramfs” should solve your problem if I
understood it correctly.

I think “CRYPTSETUP=y” is automatically set if you create an encrypted
partition by following the installer’s instructions, but not when you do
it outside these instructions.

So, to explain my process for anyone who comes this way ...

(1) Create encrypted containers as needed using a live system.  Make
sure to create the filesystem you want in the containers
(2) Start the installer and run through "Load Installer Components".
Make sure you have loaded crypto-dm-modules
(3) Continue the installation through "Detect Hard Drives"
(4) Drop to the shell and run 'anna-install cryptsetup-udeb'.  Then open
your encrypted containers.
(5) Return and run "Detect Hard Drives" again.
(6) Continue to the partitioner.  You will see your /dev/mapper
device(s) listed.  Note that if there is no filesystem in the device,
when you select it, the partitioner will want to create a partition in
(7) Now you can do the rest of the install, though the installer will
not recognize that cryptsetup has to be included.

While I exited the install and then pivoted in to 'apt-get install
cryptsetup', fix the crypttab/fstab and
/etc/cryptsetup-initramfs/conf-hook, after which I update-initramfs and
update-grub, someone else may want to see if it is possible to finish
the process through the installer.  You may be able to do it like this:

(8) After "Select and Install Software", drop to a shell and
'apt-install cryptsetup'.  Then edit crypttab/fstab and fix
/etc/cryptsetup-initramfs/conf-hook as described above.
(9) Exit the shell and return to finish the install.

My guess is it may work.
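
The conf-hook fix described in this message, as an added example that is not part of the original post: a small shell sketch that sets CRYPTSETUP=y whether the line is commented, set to "n", or missing, and then checks an initramfs file listing for the cryptsetup binary. The function names are hypothetical, and the `sbin/cryptsetup` path inside the image is an assumption about how initramfs-tools lays out the image.

```shell
#!/bin/sh
# Added example: force the cryptroot hook to include cryptsetup in the
# initramfs when the installer did not set it up itself.

# Set CRYPTSETUP=y in a conf-hook file (default path is the one named in
# the post). Handles "#CRYPTSETUP=n", "CRYPTSETUP=n" and a missing line,
# and is safe to run more than once.
enable_cryptsetup_hook() {
    conf=${1:-/etc/cryptsetup-initramfs/conf-hook}
    if grep -Eq '^[[:space:]]*#?[[:space:]]*CRYPTSETUP=' "$conf"; then
        # Rewrite the existing (possibly commented) assignment in place.
        sed -i -E 's/^[[:space:]]*#?[[:space:]]*CRYPTSETUP=.*/CRYPTSETUP=y/' "$conf"
    else
        printf 'CRYPTSETUP=y\n' >> "$conf"
    fi
}

# Succeed only if the file carries an active (uncommented) CRYPTSETUP=y.
hook_enabled() {
    grep -Eq '^CRYPTSETUP=y[[:space:]]*$' "$1"
}

# Read an initramfs file listing on stdin and succeed only if it contains
# the cryptsetup binary. After update-initramfs, feed it with:
#   lsinitramfs /boot/initrd.img-<version> | listing_has_cryptsetup
# (path inside the image is an assumption; merged-/usr layouts also match)
listing_has_cryptsetup() {
    grep -Eq '(^|/)sbin/cryptsetup$'
}

# Demonstration on a constructed sample file, not on the real /etc.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '# CRYPTSETUP: [ y | n ]' '#CRYPTSETUP=n' > "$tmp"
    enable_cryptsetup_hook "$tmp"
    if hook_enabled "$tmp"; then
        echo "conf-hook now enables cryptsetup:"
        cat "$tmp"
    fi
    rm -f "$tmp"
}

demo
```

Inside the chroot, call `enable_cryptsetup_hook` with no argument before `update-initramfs`, then run the listing check against the installed kernel's image before rebooting.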


