One of my systems is running Debian sid with an encrypted root device, including an encrypted /boot.
Encryption is unlocked using a passphrase in GRUB2 (before the menu is shown). Since GRUB can’t pass along the key to the kernel, a keyfile is put in the initrd so that the kernel can unlock the disk without asking for the passphrase again.
Only problem is that some recent update in Debian broke the boot. I got to the boot menu, booted the default configuration and… nothing.
Due to the framebuffer configuration I got no meaningful kernel log out of the system, either.
After lots of digging I found out that the initrd is missing the keyfile – looks like there was a recent change to how crypttab is parsed.
I used a setup similar to the one described on this blog post (and many others). I had to change crypttab to not use a
cat is the default), and I added the
initramfs option for good measure.
It now looks like this:
crypt UUID=12345 /that-secret-key-of-mine.key luks,initramfs
That helped update-initramfs over the hump and the system boots again. Yay!
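A pre-reboot check for the failure described above, as an added example that is not part of the original post: it reads a crypttab and a saved lsinitramfs listing and names every target whose key file did not make it into the image. It assumes Debian's cryptsetup-initramfs hook stores embedded keys as cryptroot/keyfiles/<target>.key; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: Debian's cryptsetup-initramfs hook stores embedded key files
# inside the image as cryptroot/keyfiles/<target>.key.

# missing_keys CRYPTTAB LISTING
# LISTING is a file with one path per line (saved output of lsinitramfs).
# Prints the name of every crypttab target that names a key file which is
# not present in LISTING.
missing_keys() {
    crypttab=$1 listing=$2
    # "|| [ -n ... ]" keeps a last line that has no trailing newline.
    while read -r target source keyfile options || [ -n "$target" ]; do
        case $target in ''|'#'*) continue ;; esac      # blank line or comment
        case $keyfile in ''|none|-) continue ;; esac   # passphrase prompt, no file
        # With keyscript= the third field is an argument to the script,
        # not a file that gets embedded in the image.
        case ",$options," in *,keyscript=*) continue ;; esac
        # Normalise "./path" and "/path" before an exact, fixed-string match.
        if ! sed 's|^\./||; s|^/||' "$listing" |
                grep -qxF "cryptroot/keyfiles/$target.key"; then
            printf '%s\n' "$target"
        fi
    done < "$crypttab"
}

# check_initrd IMAGE [CRYPTTAB]
# Returns 0 if every key is embedded, 1 if one is missing, 2 on tool failure.
check_initrd() {
    list=$(mktemp) || return 2
    lsinitramfs "$1" > "$list" || { rm -f "$list"; return 2; }
    missing=$(missing_keys "${2:-/etc/crypttab}" "$list")
    rm -f "$list"
    [ -z "$missing" ] && return 0
    echo "key file not embedded for: $missing" >&2
    return 1
}
```

Run as root after update-initramfs and before rebooting, e.g. check_initrd "/boot/initrd.img-$(uname -r)".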