Debian sid, GRUB2, lvm, luks

One of my systems is running Debian sid with an encrypted root device, including an encrypted /boot.

Encryption is unlocked using a passphrase in GRUB2 (before the menu is shown). Since GRUB can't pass along the key to the kernel, a keyfile is put in the initrd so that the kernel can unlock the disk without asking for the passphrase again.

Only problem is that some recent update in Debian broke the boot. I got to the boot menu, booted the default configuration and… nothing.
Due to the framebuffer configuration I got no meaningful kernel log out of the system, either.

After lots of digging I found out that the initrd is missing the keyfile - looks like there was a recent change to how crypttab is parsed.

I used a setup similar to the one described in this blog post (and many others). I had to change crypttab to not use a keyscript (cat is the default), and I added the initramfs option for good measure.

It now looks like this:

crypt UUID=12345 /that-secret-key-of-mine.key luks,initramfs

That helped update-initramfs over the hump and the system boots again. Yay!
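
A way to catch this failure before rebooting, as an added example that is not part of the original post: the script reads a crypttab and the file list of an initramfs and reports any key-file entry whose key is not in the image. The function names and sample data are constructed for illustration, and the in-image path cryptroot/keyfiles/<target>.key is an assumption about where Debian's cryptsetup hook places the key.

```shell
#!/bin/sh
# Added example: check that every key-file entry in a crypttab has its key
# inside the initramfs, given the file list printed by lsinitramfs.

# Print "target keyfile options" for each entry that uses a key file.
# crypttab fields: <target> <source> <keyfile> <options>; "none"/"-" = passphrase.
crypttab_keyfile_entries() {
    awk '$1 ~ /^#/ { next }
         NF >= 3 && $3 != "none" && $3 != "-" {
             print $1, $3, (NF >= 4 ? $4 : "-") }' "$1"
}

# True if the listing ($1) holds a key for target $2 with key file path $3.
# Assumption: the Debian hook stores it as cryptroot/keyfiles/<target>.key;
# the original path is accepted too, for setups that copy it with a custom hook.
listing_has_key() {
    sed 's|^\./||; s|^/||' "$1" |
        grep -Fxq -e "cryptroot/keyfiles/$2.key" -e "${3#/}"
}

# $1 = crypttab, $2 = initramfs listing. Returns 1 if any key is missing.
check_initrd_keys() {
    rc=0
    while read -r name keyfile opts; do
        [ -n "$name" ] || continue
        case ",$opts," in *,keyscript=*)
            echo "$name: warn: keyscript set; the post dropped it" ;; esac
        case ",$opts," in *,initramfs,*) ;; *)
            echo "$name: warn: no initramfs option" ;; esac
        if ! listing_has_key "$2" "$name" "$keyfile"; then
            echo "$name: FAIL: $keyfile not in initramfs"; rc=1
        fi
    done <<EOF
$(crypttab_keyfile_entries "$1")
EOF
    return "$rc"
}

# Constructed sample data, not taken from a real system.
demo=$(mktemp -d)
echo 'crypt UUID=12345 /that-secret-key-of-mine.key luks,initramfs' > "$demo/crypttab"
printf '%s\n' etc/crypttab cryptroot/crypttab > "$demo/broken.lst"
printf '%s\n' cryptroot/crypttab cryptroot/keyfiles/crypt.key > "$demo/fixed.lst"
check_initrd_keys "$demo/crypttab" "$demo/broken.lst" || echo "=> would not unlock"
check_initrd_keys "$demo/crypttab" "$demo/fixed.lst" && echo "=> key present"
rm -rf "$demo"
```

On a real system the listing comes from running lsinitramfs on the freshly built image and redirecting its output to a file, which is then passed as the second argument together with /etc/crypttab.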

Patrick Georgi
