GRUB encryption problem


Postby Dronar » 2017-12-06 21:17

Hey, I recently reinstalled my system which ended up with me having to also reinstall GRUB (UEFI things...).
I've managed to set it all up but the problem is that now my /boot partition is encrypted meaning I have to enter the decryption password twice (once for grub and once for the kernel).

This is the layout I want:
/dev/sda1 -> /boot (not encrypted)
/dev/sda2 -> LVM (encrypted)

However, when I try to run grub-install it throws an error saying that the drive is encrypted and that I have to enable encryption in the /etc/default/grub file.

Here's what I think is happening:
The debian guide to install grub says I should mount /dev/sda1 to /boot/efi and then run grub-install /dev/sda.
I'm not sure if grub-install then finds an encrypted LVM on the same drive and therefore thinks the whole drive should be encrypted, or if it's due to the fact that /boot/efi is "inside" the encrypted LVM since / is encrypted.

Anyway, is it me who is doing something stupid here?
Dronar
 
Posts: 6
Joined: 2013-06-13 11:25

Re: GRUB encryption problem

Postby p.H » 2017-12-06 21:48

Dronar wrote:This is the layout I want:
/dev/sda1 -> /boot (not encrypted)
/dev/sda2 -> LVM (encrypted)

I do not see an EFI system partition ("UEFI things" you mentioned).
Is sda1 a regular /boot partition or is it an EFI system partition?
An EFI system partition has the special type "EFI system", is formatted as FAT and contains a directory "EFI" containing EFI executable files *.efi. It is usually mounted on /boot/efi as expected by GRUB but some systemd people suggest it should be mounted on /boot.

Can we see the output of the following commands to get a better picture of your setup?
Code:
fdisk -l
blkid
cat /etc/fstab

If GRUB must be able to read files (its own files and modules or kernel and initrd files) on LUKS, it must be installed after adding this in /etc/default/grub:
Code:
GRUB_ENABLE_CRYPTODISK=y

("y", not "1" or "true")

Dronar wrote:The debian guide to install grub says I should mount /dev/sda1 to /boot/efi and then run grub-install /dev/sda.

If you're installing GRUB in EFI mode then you do not specify any boot device to grub-install, because GRUB EFI does not install any boot image in an MBR or PBR. It installs the core image as a regular .efi file in the EFI system partition mounted on /boot/efi.

Dronar wrote:I'm not sure if grub-install then finds an encrypted LVM on the same drive and therefore thinks the whole drive should be encrypted, or if it's due to the fact that /boot/efi is "inside" the encrypted LVM since / is encrypted.

If an EFI partition is mounted on /boot/efi, the contents of /boot/efi come from that partition and are not "inside" the encrypted LVM. But /boot/efi is not /boot: the rest of /boot is in the encrypted LVM if you do not mount another regular partition on /boot (aka /boot partition).
p.H
 
Posts: 177
Joined: 2017-09-17 07:12
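
An added example (not part of either post): a shell sketch that applies the /boot versus /boot/efi distinction from the reply above to the two inputs requested in the thread, /etc/fstab and blkid output, and reports whether /boot has its own fstab entry or lives on the root filesystem. The function names, result strings and sample data are constructed for illustration; it assumes a UEFI install and that, when a crypto_LUKS container is present, / is the filesystem inside it.

```shell
#!/bin/sh
# Added example. Sample data is constructed, not the poster's real output.

# Print the fstab mount point whose filesystem holds path $2 (longest match).
containing_mount() {   # $1 = fstab text
    printf '%s\n' "$1" | awk -v p="$2" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blanks
        { m = $2
          hit = (m == "/" || p == m || index(p, m "/") == 1)
          if (hit && length(m) > length(best)) best = m }
        END { print best }'
}

# Print the fstab source (device or UUID=...) mounted exactly at $2.
mount_source() {       # $1 = fstab text
    printf '%s\n' "$1" | awk -v m="$2" '!/^[ \t]*#/ && $2 == m { print $1; exit }'
}

# Print the TYPE that blkid reports for device or UUID= spec $2.
blkid_type() {         # $1 = blkid text
    key=${2#UUID=}
    printf '%s\n' "$1" | grep -F -e "$key:" -e "\"$key\"" |
        sed -n 's/.* TYPE="\([^"]*\)".*/\1/p' | head -n 1
}

# Verdict: where will GRUB have to read /boot from?
classify() {           # $1 = fstab text, $2 = blkid text
    esp_src=$(mount_source "$1" /boot/efi)
    if [ "$(blkid_type "$2" "${esp_src:-none}")" != vfat ]; then
        echo "no-esp-on-/boot/efi"
    elif [ "$(containing_mount "$1" /boot)" = /boot ]; then
        echo "separate-boot"
    elif printf '%s\n' "$2" | grep -q 'TYPE="crypto_LUKS"'; then
        # Assumption: / is the filesystem inside that LUKS container.
        echo "boot-inside-luks: needs GRUB_ENABLE_CRYPTODISK=y"
    else
        echo "boot-on-unencrypted-root"
    fi
}

# Constructed case: ESP on sda1, root LV in LUKS on sda2, no /boot entry.
SAMPLE_FSTAB='/dev/mapper/vg-root /         ext4 errors=remount-ro 0 1
/dev/sda1           /boot/efi vfat umask=0077        0 1'
SAMPLE_BLKID='/dev/sda1: UUID="AAAA-0001" TYPE="vfat" PARTUUID="00000000-01"
/dev/sda2: UUID="00000000-0000-0000-0000-000000000002" TYPE="crypto_LUKS"'
classify "$SAMPLE_FSTAB" "$SAMPLE_BLKID"
```

The "separate-boot" result only means /boot has its own fstab entry; it does not check whether that partition is itself encrypted.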

