Hi there,

On Mon, 15 Apr 2019 at 23:24:19 +0200, Cyril Brulebois wrote:
>>> One could argue that cryptodisk support has never been supported by
>>> d-i anyway,
>>
>> Yup, and I suppose that's why I overlooked this in my mail to
>> debian-boot :-P Jonathan Carter had a similar report last week
>>
>> https://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/2019-April/008196.html
>
> While I'm usually fine to dismiss some bug reports as “it's unsupported,
> sorry”, making users' life harder doesn't seem really reasonable… :/

During last week's gathering at MiniDebConf Hamburg we (cryptsetup
package maintainer + KiBi) talked and came up with the following
guide/notes:

    https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html

I believe it covers the easiest way to set up GRUB unlocking, i.e.,
starting from d-i's "encrypted LVM" partitioning method. Tested with
Debian Installer Buster RC1, but should™ be relevant with:

 - Any d-i supporting the "encrypted LVM" partitioning method where
   encrypted have LUKS headers. (Since Lenny? Or perhaps even Etch,
   don't remember if Etch had support for LUKS already, or only plain
   dm-crypt and loop-AES.)
 - Any GRUB2 ≥2.00-1, so very early in Jessie's release cycle.
 - Any cryptsetup version, whether the default LUKS format version is 1
   (pre-Buster) or 2 (since 2:2.1.0-1, now in Buster).

The aim of our document is to describe how to set up GRUB unlocking from
an existing “standard” installation (thus subject to
partman-partitioning's limitations). We aim to follow future d-i
versions; should native support for encrypted /boot (which — as of GRUB
2.02 — requires the underlying device to be formatted as LUKS1) be
implemented at some point, that'll be documented there.

We also propose to add a link to this document from the release notes:
https://salsa.debian.org/ddp-team/release-notes/merge_requests/29 .

Cheers,
--
Guilhem.

PS. I've used GRUB unlocking on several devices (sometimes bypassing
partman, sometimes not) since before Wheezy was released, and should
have written that guide & shipped it to the cryptsetup package years ago
(the closest form that comes to mind is my talk at DebConf18 which was
not so detailed)… apologies for not doing so earlier. I'm also a bit sad
to have missed https://lists.debian.org/debian-boot/2019/01/msg00035.html .