Oh yes, it was actually several days ago that I tried setting it up. I did indeed do the GRUB_ENABLE_CRYPTODISK="y" step...
On Sat, 2020-02-29 at 12:58 +0100, sashab wrote:
> Hi jnqnfe,
>
> As the boot partition is encrypted, grub has no access to grub.cfg before
> decrypting it.
>
> Have you set
>   GRUB_ENABLE_CRYPTODISK="y"
> in
>   /etc/default/grub
> and called
>   update-grub
> afterwards?
>
> For more information see
>   info -f grub -n 'Simple configuration' | grep CRYPTODISK -A6
>
> With kind regards,
> sashab
>
> On 2/28/20 8:35 AM, jnq...@gmail.com wrote:
> > I decided to play with having an encrypted /boot on an old system but I
> > cannot boot with it and I don't know why. Please advise.
> >
> > The system has UEFI. The disk uses GPT. Grub version is 2.04-5 (debian).
> >
> > Procedure followed:
> > - The system already had encrypted root (luks v2)
> > - I am aware that grub currently only supports luks v1 for encrypted /boot
> > 1) made a backup of all contents of /boot (excluding /boot/efi)
> > 2) unmounted /boot/efi and /boot
> > 3) overwrote /dev/sda2 (/boot) with cryptsetup as a new luks v1 volume
> > 4) opened the new encrypted /dev/sda2
> > 5) created an ext4 filesystem inside it
> > 6) copied all of the backed up files into it
> > 7) ensured that all of the ownership and permissions for them were correct
> >    (comparing with another system)
> > 8) remounted as /boot
> > 9) remounted /dev/sda1 as /boot/efi
> > 10) added an entry to /etc/crypttab
> > 11) adjusted /etc/fstab
> > 12) ran `update-initramfs -u` and `update-grub` (not sure which order, if it
> >     matters; pretty sure I've run them each multiple times now anyway)
> > 13) rebooted
> >
> > Note, below I've replaced the real UUIDs with simple replacements like 'aaa'...
> >
> > The partition table looks like this:
> >
> >   NAME                    FS     UUID   MOUNT
> >   /dev/sda1               fat32  aaa    /boot/efi
> >   /dev/sda2               -      bbb    -
> >   /dev/sda3               -      ccc    -
> >   /dev/mapper/sda2_crypt  ext4   ddd    /boot
> >   /dev/mapper/sda3_crypt  ext4   eee    /
> >
> > When I boot, I get a prompt like this:
> >
> >   attempting to decrypt master key...
> >   enter passphrase for hd0,gpt2 (bbb):
> >
> > but several moments after entering the password I get:
> >
> >   error: access denied
> >   error: no such cryptodisk found
> >   error: no such device: ddd
> >   Loading Linux 5.4.0-3-amd64 ...
> >   error: no server specified
> >   Loading initial ramdisk ...
> >   error: you need to load the kernel first
> >
> > crypttab:
> > ```
> > boot_crypt UUID=bbb none luks
> > root_crypt UUID=ccc none luks
> > ```
> >
> > fstab:
> > ```
> > # <file system>        <mount point>  <type>       <options>          <dump>  <pass>
> > /dev/mapper/root_crypt /              ext4         errors=remount-ro  0       1
> > /dev/mapper/boot_crypt /boot          ext4         errors=remount-ro  0       2
> > UUID=aaa               /boot/efi      vfat         umask=0077         0       2
> > /dev/sr1               /media/cdrom0  udf,iso9660  user,noauto        0       0
> > /dev/sr0               /media/cdrom1  udf,iso9660  user,noauto        0       0
> > /swapfile              none           swap         defaults           0       0
> > ```
> >
> > /boot/grub.cfg (autogenerated) looks like this (stripped down):
> > ```
> > insmod luks
> > insmod cryptodisk
> > ...
> > if [ x$feature_default_font_path = xy ] ; then
> >    font=unicode
> > else
> >   insmod ext2
> >   set root='hd0'
> >   if [ x$feature_platform_search_hint = xy ]; then
> >     search --no-floppy --fs-uuid --set=root --hint-bios=hd0 --hint-efi=hd0 --hint-baremetal=ahci0  eee
> >   else
> >     search --no-floppy --fs-uuid --set=root eee
> >   fi
> >     font="/usr/share/grub/unicode.pf2"
> > fi
> > ...
> > insmod ext2
> > set root='hd0'
> > if [ x$feature_platform_search_hint = xy ]; then
> >   search --no-floppy --fs-uuid --set=root --hint-bios=hd0 --hint-efi=hd0 --hint-baremetal=ahci0  eee
> > else
> >   search --no-floppy --fs-uuid --set=root eee
> > fi
> > ...
> > menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-eee' {
> > ...
> >         insmod cryptodisk
> >         insmod luks
> >         insmod gcry_rijndael
> >         insmod gcry_rijndael
> >         insmod gcry_sha256
> >         insmod ext2
> >         cryptomount -u bbb
> >         set root='cryptouuid/bbb'
> >         if [ x$feature_platform_search_hint = xy ]; then
> >           search --no-floppy --fs-uuid --set=root --hint-bios=hd0 --hint-efi=hd0 --hint-baremetal=ahci0 --hint='cryptouuid/bbb'  ddd
> >         else
> >           search --no-floppy --fs-uuid --set=root ddd
> >         fi
> >         echo    'Loading Linux 5.4.0-3-amd64 ...'
> >         linux   /vmlinuz-5.4.0-3-amd64 root=UUID=eee ro cryptdevice=/dev/sda3:root root=/dev/mapper/root_crypt quiet
> >         echo    'Loading initial ramdisk ...'
> >         initrd  /initrd.img-5.4.0-3-amd64
> > }
> > submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-eee' {
> > ...
> > }
> > ...
> > ```
> >
> > I can unlock /dev/sda2 fine with cryptsetup in a live environment (as well as
> > /dev/sda3), so it surely cannot be as simple as entering the wrong password...
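The three preconditions that sashab's hint and the original 13-step procedure turn on (a LUKS1 header on /boot, GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub, and a grub.cfg whose `cryptomount -u` names the container) can be checked from a running system or a live environment before rebooting. The script below is an added example for this thread, not code from either poster or from the GRUB project. It assumes the `Version:`, `Cipher name:` and `Hash spec:` field names that `cryptsetup luksDump` prints for a LUKS1 header, and that GRUB's `cryptomount -u` expects the UUID with its dashes removed (which is the form update-grub writes). The sample dump, default file and grub.cfg fragments are constructed with placeholder UUIDs standing in for the thread's "bbb".

```shell
#!/usr/bin/env bash
# Pre-flight checks for an encrypted /boot under GRUB 2.04, written for this
# thread as an added example (not the poster's or the GRUB project's code).
# Three things must hold before GRUB can even read grub.cfg from /boot:
#   1. the container is LUKS1 (GRUB 2.04 cannot open LUKS2 headers),
#   2. GRUB_ENABLE_CRYPTODISK=y is set, so grub-install embeds the crypto
#      modules in the core image and update-grub emits cryptomount lines,
#   3. grub.cfg names the container with "cryptomount -u <uuid-without-dashes>";
#      a dashed or stale UUID will never match the header GRUB finds.
# All inputs below are constructed samples with placeholder UUIDs.
set -u

# Parse `cryptsetup luksDump` output. Succeeds only for a version 1 header and
# prints cipher/hash so they can be matched against the insmod gcry_* lines.
luks_header_ok_for_grub() {
    local dump=$1 version cipher hash
    version=$(awk '/^Version:/ {print $2; exit}' "$dump")
    cipher=$(awk '/^Cipher name:/ {print $3; exit}' "$dump")
    hash=$(awk '/^Hash spec:/ {print $3; exit}' "$dump")
    printf 'luks version=%s cipher=%s hash=%s\n' "${version:-?}" "${cipher:-?}" "${hash:-?}"
    [ "$version" = "1" ]
}

# /etc/default/grub must contain an uncommented GRUB_ENABLE_CRYPTODISK=y
# (quotes optional). A commented-out line does not count.
grub_cryptodisk_enabled() {
    grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK="?y"?[[:space:]]*$' "$1"
}

# Does grub.cfg unlock the given LUKS UUID? cryptomount -u takes the UUID with
# the dashes stripped, so normalise the dashed form from luksUUID first.
grub_cfg_mounts_uuid() {
    local cfg=$1 undashed
    undashed=$(printf '%s' "$2" | tr -d '-')
    grep -Eq "^[[:space:]]*cryptomount[[:space:]]+-u[[:space:]]+$undashed([[:space:]]|$)" "$cfg"
}

# Run all three checks; returns 0 only if every one passes.
check_encrypted_boot() {
    local dump=$1 defaults=$2 cfg=$3 uuid=$4 rc=0
    luks_header_ok_for_grub "$dump"     || { echo 'FAIL: /boot container is not LUKS1'; rc=1; }
    grub_cryptodisk_enabled "$defaults" || { echo 'FAIL: GRUB_ENABLE_CRYPTODISK=y not set'; rc=1; }
    grub_cfg_mounts_uuid "$cfg" "$uuid" || { echo "FAIL: grub.cfg has no cryptomount -u for $uuid"; rc=1; }
    [ "$rc" -eq 0 ] && echo 'OK: all three checks passed'
    return "$rc"
}

# --- constructed sample inputs (placeholders, not a real system) -------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
boot_uuid='11111111-2222-3333-4444-555555555555'   # stands in for "bbb"

cat >"$tmp/luks1.dump" <<EOF
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
UUID:           $boot_uuid
EOF

cat >"$tmp/luks2.dump" <<'EOF'
LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
EOF

cat >"$tmp/default-grub" <<'EOF'
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_ENABLE_CRYPTODISK="y"
EOF

cat >"$tmp/default-grub.commented" <<'EOF'
#GRUB_ENABLE_CRYPTODISK=y
EOF

cat >"$tmp/grub.cfg" <<EOF
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
cryptomount -u $(printf '%s' "$boot_uuid" | tr -d '-')
set root='cryptouuid/$(printf '%s' "$boot_uuid" | tr -d '-')'
EOF

check_encrypted_boot "$tmp/luks1.dump" "$tmp/default-grub" "$tmp/grub.cfg" "$boot_uuid"
```

On a real system run it as root against live data: `cryptsetup luksDump /dev/sda2 > /tmp/boot.dump` and then `check_encrypted_boot /tmp/boot.dump /etc/default/grub /boot/grub/grub.cfg "$(cryptsetup luksUUID /dev/sda2)"`. Two caveats worth keeping in mind when the checks pass and the prompt still fails: GRUB_ENABLE_CRYPTODISK also changes what grub-install embeds in the EFI core image, so after setting it run grub-install as well as update-grub; and GRUB's PBKDF2 is far slower than the kernel's, so a header formatted with cryptsetup's default iteration time can take a long time to unlock at the GRUB prompt (`cryptsetup luksFormat --type luks1 --iter-time` caps it). GRUB's prompt also assumes a US keyboard layout unless a keymap is loaded, which matters for passphrases typed on other layouts.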