GRUB encryption problem

Dronar
Posts: 6
Joined: 2013-06-13 11:25

#1 Post by Dronar »

Hey, I recently reinstalled my system which ended up with me having to also reinstall GRUB (UEFI things...).
I've managed to set it all up but the problem is that now my /boot partition is encrypted meaning I have to enter the decryption password twice (once for grub and once for the kernel).

This is the layout I want:
/dev/sda1 -> /boot (not encrypted)
/dev/sda2 -> LVM (encrypted)

However, when I try to run grub-install it throws an error saying that the drive is encrypted and that I have to enable encryption in the /etc/default/grub file.

Here's what I think is happening:
The Debian guide to install grub says I should mount /dev/sda1 to /boot/efi and then run grub-install /dev/sda.
I'm not sure if grub-install then finds an encrypted LVM on the same drive and therefore thinks the whole drive should be encrypted, or if it's due to the fact that /boot/efi is "inside" the encrypted LVM since / is encrypted.

Anyway, is it me who is doing something stupid here?

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12

Re: GRUB encryption problem

#2 Post by p.H »

Dronar wrote:
This is the layout I want:
/dev/sda1 -> /boot (not encrypted)
/dev/sda2 -> LVM (encrypted)

I do not see an EFI system partition ("UEFI things" you mentioned).
Is sda1 a regular /boot partition or is it an EFI system partition?
An EFI system partition has the special type "EFI system", is formatted as FAT and contains a directory "EFI" containing EFI executable files *.efi. It is usually mounted on /boot/efi as expected by GRUB but some systemd people suggest it should be mounted on /boot.

Can we see the output of the following commands to get a better picture of your setup?

Code:

fdisk -l
blkid
cat /etc/fstab

If GRUB must be able to read files (its own files and modules or kernel and initrd files) on LUKS, it must be installed after adding this in /etc/default/grub:

Code:

GRUB_ENABLE_CRYPTODISK=y

("y", not "1" or "true")

Dronar wrote:
The Debian guide to install grub says I should mount /dev/sda1 to /boot/efi and then run grub-install /dev/sda.

If you're installing GRUB in EFI mode then you do not specify any boot device to grub-install, because GRUB EFI does not install any boot image in an MBR or PBR. It installs the core image as a regular .efi file in the EFI system partition mounted on /boot/efi.

Dronar wrote:
I'm not sure if grub-install then finds an encrypted LVM on the same drive and therefore thinks the whole drive should be encrypted, or if it's due to the fact that /boot/efi is "inside" the encrypted LVM since / is encrypted.

If an EFI partition is mounted on /boot/efi, the contents of /boot/efi come from that partition and are not "inside" the encrypted LVM. But /boot/efi is not /boot: the rest of /boot is in the encrypted LVM if you do not mount another regular partition on /boot (aka /boot partition).
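
As an added example (not part of the thread and not a Debian or GRUB tool): a POSIX shell helper that reads `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output and reports whether the filesystem holding a path sits on a dm-crypt mapping, which for /boot is the case where GRUB needs GRUB_ENABLE_CRYPTODISK=y. The function names and both device listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input on stdin: lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT
# Prints yes/no/unknown: is the filesystem holding PATH on top of dm-crypt?
needs_cryptodisk() {
    awk -v target="$1" '
    function val(key,   m) {   # value of KEY="..." on the current line
        if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
        m = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", m); sub(/"$/, "", m)
        return m
    }
    {
        k = val("KNAME"); parent[k] = val("PKNAME"); type[k] = val("TYPE")
        mp = val("MOUNTPOINT")
        # keep the longest mount point that is a prefix of the target path
        if (mp != "" && length(mp) > best &&
            (mp == "/" || mp == target || index(target, mp "/") == 1)) {
            best = length(mp); dev = k
        }
    }
    END {
        if (dev == "") { print "unknown"; exit }
        # walk towards the disk; a "crypt" ancestor means GRUB must unlock LUKS
        for (d = dev; d != "" && hops++ < 32; d = parent[d])
            if (type[d] == "crypt") { print "yes"; exit }
        print "no"
    }'
}
# Constructed sample: ESP on sda1, /boot lives inside the LUKS+LVM root
sample_boot_in_luks() { cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot/efi"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
EOF
}
# Constructed sample: ESP on sda1 plus a separate unencrypted /boot on sda2
sample_separate_boot() { cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot/efi"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda3" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
EOF
}
echo "/boot inside LUKS: $(sample_boot_in_luks | needs_cryptodisk /boot)"
echo "separate /boot:    $(sample_separate_boot | needs_cryptodisk /boot)"
echo "/boot/efi (ESP):   $(sample_boot_in_luks | needs_cryptodisk /boot/efi)"
```

On a live system, pipe the real `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output into `needs_cryptodisk /boot`; a logical volume spanning several physical volumes is listed once per parent, and this helper follows only the last one listed.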
