Hey, I recently reinstalled my system which ended up with me having to also reinstall GRUB (UEFI things...).
I've managed to set it all up but the problem is that now my /boot partition is encrypted meaning I have to enter the decryption password twice (once for grub and once for the kernel).
This is the layout I want:
/dev/sda1 -> /boot (not encrypted)
/dev/sda2 -> LVM (encrypted)
However, when I try to run grub-install it throws an error saying that the drive is encrypted and that I have to enable encryption in the /etc/default/grub file.
Here's what I think is happening:
The Debian guide to install grub says I should mount /dev/sda1 to /boot/efi and then run grub-install /dev/sda.
I'm not sure if grub-install then finds an encrypted LVM on the same drive and therefore thinks the whole drive should be encrypted, or if it's due to the fact that /boot/efi is "inside" the encrypted LVM since / is encrypted.
Anyway, is it me who is doing something stupid here?
GRUB encryption problem
Re: GRUB encryption problem
Dronar wrote:This is the layout I want:
/dev/sda1 -> /boot (not encrypted)
/dev/sda2 -> LVM (encrypted)
I do not see an EFI system partition ("UEFI things" you mentioned).
Is sda1 a regular /boot partition or is it an EFI system partition?
An EFI system partition has the special type "EFI system", is formatted as FAT and contains a directory "EFI" containing EFI executable files *.efi. It is usually mounted on /boot/efi as expected by GRUB but some systemd people suggest it should be mounted on /boot.
Can we see the output of the following commands to get a better picture of your setup?
Code:
fdisk -l
blkid
cat /etc/fstab
Code:
GRUB_ENABLE_CRYPTODISK=y
Dronar wrote:The Debian guide to install grub says I should mount /dev/sda1 to /boot/efi and then run grub-install /dev/sda.
If you're installing GRUB in EFI mode then you do not specify any boot device to grub-install, because GRUB EFI does not install any boot image in an MBR or PBR. It installs the core image as a regular .efi file in the EFI system partition mounted on /boot/efi.
Dronar wrote:I'm not sure if grub-install then finds an encrypted LVM on the same drive and therefore thinks the whole drive should be encrypted, or if it's due to the fact that /boot/efi is "inside" the encrypted LVM since / is encrypted.
If an EFI partition is mounted on /boot/efi, /boot/efi contents come from that partition and are not "inside" the encrypted LVM. But /boot/efi is not /boot: the rest of /boot is in the encrypted LVM if you do not mount another regular partition on /boot (aka /boot partition).
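The point made in the reply above (an ESP mounted on /boot/efi does not take /boot itself out of the encrypted LVM) can be checked against an fstab by finding which entry actually provides /boot. This is an added example, not part of the thread; the two sample fstabs, the device names, and the rule that a /dev/mapper/* source means the encrypted LVM are assumptions.

```shell
#!/bin/sh
# Added example; the fstab samples and device names below are constructed.

# Layout A: only the ESP is a separate mount, so /boot lives on the root LV.
fstab_esp_only() {
cat <<'EOF'
# <source>            <mount>    <type> <options>  <dump> <pass>
/dev/mapper/vg-root   /          ext4   defaults   0 1
/dev/sda1             /boot/efi  vfat   umask=0077 0 1
/dev/mapper/vg-swap   none       swap   sw         0 0
EOF
}

# Layout B: ESP plus a regular, unencrypted /boot partition.
fstab_separate_boot() {
cat <<'EOF'
/dev/mapper/vg-root   /          ext4   defaults   0 1
/dev/sda1             /boot/efi  vfat   umask=0077 0 1
/dev/sda2             /boot      ext4   defaults   0 2
/dev/mapper/vg-swap   none       swap   sw         0 0
EOF
}

# covering_entry PATH (fstab on stdin) -> "SOURCE MOUNTPOINT FSTYPE"
# The entry with the longest mount point that is a path prefix of PATH wins.
covering_entry() {
    awk -v target="$1" '
        $1 ~ /^#/ || NF < 3 { next }   # skip comments and short lines
        {
            mp = $2
            if (mp == "/" || target == mp || index(target, mp "/") == 1)
                if (length(mp) > best) { best = length(mp); hit = $1 " " $2 " " $3 }
        }
        END { if (hit == "") exit 1; print hit }
    '
}

# boot_on_mapper (fstab on stdin): succeeds when /boot is provided by a
# /dev/mapper/* source, assumed here to be a volume in the encrypted LVM.
boot_on_mapper() {
    case "$(covering_entry /boot)" in
        /dev/mapper/*) return 0 ;;
        *) return 1 ;;
    esac
}

fstab_esp_only | boot_on_mapper && echo "A: /boot is inside the encrypted LVM"
fstab_separate_boot | boot_on_mapper || echo "B: /boot is a separate plain partition"
```

On a running system, `findmnt -no SOURCE -T /boot` followed by `lsblk -s` on that source shows the real backing chain instead of relying on device names.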