[dm-crypt] Mildly OT: LUKS and the Debian installer

Jonas Meurer jonas at freesources.org
Wed May 23 20:58:49 CEST 2018


Am 23.05.2018 um 10:18 schrieb Diagon:
> Michael - I found the solution, which works on both Debian and Devuan.
> I was given some kind help by someone on the Debian user's list, which I
> am copying here:
> ------------
> In the file “/etc/cryptsetup-initramfs/conf-hook”, there is a line
> “CRYPTSETUP” which is commented and/or has the default value “n”. If
> this is the case, replace the line with “CRYPTSETUP=y”. So, the next use
> of the command “update-initramfs” should solve your problem if I
> understood it correctly.
> I think “CRYPTSETUP=y” is automatically set if you create an encrypted
> partition by following the installer’s instructions, but not when you do
> it outside these instructions.
> ----------

That's only partially correct. "CRYPTSETUP=y" is meant for special cases
where the crypsetup initramfs hook doesn't detect an encrypted device
that needs to be unlocked during initramfs. With setting "CRYPTSETUP=y"
you can enforce cryptsetup inclusion in the initramfs.

On most setups, this setting is superfluous. The cryptsetup initramfs
hook script automatically detects that cryptsetup is needed and includes
it into the initramfs.

Now that you have a working system with cryptsetup in the initramfs, I'd
be curious about the following:

If you comment out "CRYPTSETUP=y" in /etc/cryptsetup-initramfs/conf-hook
and recreate your initramfs with `update-initramfs -u` from your running
system, is cryptsetup still included in the initramfs? You can check
this by running the following command afterwards:

$ lsinitramfs /boot/initrd.img-$(uname -r) |grep cryptsetup


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://www.saout.de/pipermail/dm-crypt/attachments/20180523/07892fda/attachment.asc>

More information about the dm-crypt mailing list