[Solved] Problem installing bookworm with encrypted root

toquinho
Posts: 69
Joined: 2014-06-24 16:50
Been thanked: 1 time

[Solved] Problem installing bookworm with encrypted root

#1 Post by toquinho »

Hello,
I am trying to install bookworm (debian-12.8.0-amd64-netinst.iso) with encrypted root and unencrypted boot following an old guide which I successfully used in the past:
https://xo.tc/setting-up-full-disk-encr ... essie.html

This guide was written before UEFI.

After setting up all the partitions, the partition table looks like this (sorry, I am copying and translating the table by hand, the images I am trying to upload do not show up correctly in the preview):

Code:

Encrypted volume (nvme0n1p3_crypt) - 236.0 GB Linux device mapper (crypt)
    #1  236.0 GB    f   ext4        /
/dev/nvme0n1 - 256.1 GB SAMSUNG MZVL4256HBJD-00BTW
        1.0 MB              FREE SPACE
    #1  272.6 MB    B   K   ESP         EFI system p
    #2  511.7 MB        F   ext4        BOOT        /boot
    #3  236.0 GB        K   crypto      ROOT_CRYPT  (nvme0n1p3_crypt)
    #4   19.3 GB        FREE SPACE
I created a passphrase for the encrypted volume and interrupted the following process that fills it with zeros. Swap will be set up later in the remaining free space. The EFI partition is left over from the previous installation of an unencrypted bookworm and some remainders of the original Windows installation that came with the computer. I disabled secure boot in the UEFI to boot the installer from the USB-stick.

When being asked to write the changes to the disks, the installer says (again translating):

Code:

The partition tables of the following devices were changed:
    Encrypted volume (nvme0n1p3_crypt)

Write partitions to disks?

When confirming, I get the following error (translating):

Code:

The attempt to mount the file system of type ext4 on the encrypted volume (nvme0n1p3_crypt) on / failed.
You can continue partitioning...

Any help to fix this is greatly appreciated.

Best,

Toquinho
Last edited by toquinho on 2024-12-10 04:15, edited 1 time in total.

rolf3945
Posts: 21
Joined: 2009-06-11 19:29
Been thanked: 1 time

Re: Problem installing bookworm with encrypted root

#2 Post by rolf3945 »

Well, the basics are still the same. Strange.

I never use ext4 directly in such a setup; I generate an LVM for / and swap inside the LUKS container. In my experience the installer complains at the end of the partitioning process if no swap is defined or it's not encrypted.

To EFI: if it's a modern computer I would use EFI, especially with an NVMe.

Update: just tried it in a VM. Works. The swap complaint comes up but can be bypassed. I guess there could be a relation to the abort of the wiping of the LUKS volume. I would let the installer do it once completely, and then skip this step on further tries.

Just repeat the process and see how it goes.

pbear
Posts: 526
Joined: 2023-08-27 15:05
Location: San Francisco
Has thanked: 2 times
Been thanked: 82 times

Re: Problem installing bookworm with encrypted root

#3 Post by pbear »

Do you have a particular reason for not using one of the default options? Both the Standard and Live installers will do system encryption without you having to set up the partitions, etc.

Here's what a VM created with default Standard installer FDE looks like:

Code:

pbear@debian-lvm:~$ lsblk -f
NAME                                          FSTYPE      FSVER LABEL UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
sda                                                                                                           
├─sda1                       vfat        FAT32          89EA-D550                               505.1M     1% /boot/efi
├─sda2                       ext2        1.0            6e0af423-d62f-4cd5-89cb-0ce391c2090f    300.4M    29% /boot
└─sda3                       crypto_LUKS 2              6e0d6c5b-cac8-484e-90d9-39c58ec4a583                  
  └─sda3_crypt               LVM2_member LVM2 001       AmbdfL-vd5C-MAap-JLGf-JVQX-Rfoe-lhZtTM                
    ├─debian--fde--vg-root   ext4        1.0            a05336f4-4b30-4425-8bbd-0d412cd68645     41.4G    22% /
    └─debian--fde--vg-swap_1 swap        1              c9d5949b-8005-426d-8184-43619e4307b1                  [SWAP]

Here's what a default Live installer FDE system looks like:

Code:

pbear@debian-fde:~$ lsblk -f
sda                                                                                                                       
├─sda1                                        vfat        FAT32       05F5-B47C                             293.6M     2% /boot/efi
├─sda2                                        crypto_LUKS 1           38b865ad-0631-4965-a5a1-0122e446f33b                
│ └─luks-38b865ad-0631-4965-a5a1-0122e446f33b ext4        1.0         d89eae8c-9713-41b3-85df-0f75749e853c   83.2G    21% /
└─sda3                                        crypto_LUKS 1           f5724ee4-b537-4cb5-b42e-c499dd47a4d2                
  └─luks-f5724ee4-b537-4cb5-b42e-c499dd47a4d2 swap        1     swap  bf81eb7d-1bde-45cb-a5ac-c7e4b9800d6c                [SWAP]

Notice, no /boot partition. It's a regular folder inside the encrypted system partition. Also, no LVM. Live ISO uses the Calamares installer and these were design decisions by that developer team.

IMHO, the only reason to bother with manual encryption is if you want multiple partitions, e.g., here's a VM with separate system and data partitions (using the Standard installer):

Code:

pbear@fde-data:~$ lsblk -f
vda                                                                                        
├─vda1                                                                                     
├─vda2         ext4        1.0         fa86dfc2-a60e-41d9-9650-6a19b59db7be    1.6G     9% /boot
├─vda3         crypto_LUKS 2           ea228fdb-ac26-43d5-abac-bb1a12fcd976                
│ └─vda3_crypt ext4        1.0         dbea55e4-6529-453a-8f5a-15d542fd5faf   21.2G    23% /
└─vda4         crypto_LUKS 2           1f7d876e-67d7-4aa7-81a4-1c2165071c14                
  └─vda4_crypt ext4        1.0         40a29a2a-6bed-4c79-a74a-64dd715c74c2    9.2G     0% /data

Notice, no swap partition. Instead, I use a swap file inside the encrypted system partition. And again no LVM, which I think is overkill just to support swap. Data partition is small because this was merely a proof-of-concept.

By the way, I don't use or recommend system encryption. Data encryption, yes, although even that is generally overdone IMHO. Most people only need to protect a small fraction of their files.
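The layouts above all share one property worth verifying after an install: every mount that can hold private data (/, swap, a data partition) sits underneath a crypto_LUKS device, while only /boot and the ESP are in the clear. The following is an added example (not pbear's or the installer's code) that walks the JSON tree from `lsblk -J -o NAME,FSTYPE,MOUNTPOINTS` and reports sensitive mounts with no LUKS ancestor; the embedded sample is constructed to mirror the first Standard-installer layout, except that swap has been moved onto a plain partition so the check has something to flag.

```python
"""Check an lsblk -J tree: is every sensitive mount (/, [SWAP], /home, /data)
backed by a crypto_LUKS container? Unencrypted swap can hold pages of memory,
including key material, in the clear, which is why the installer complains."""
import json
import subprocess

# Constructed sample, modelled on the Standard-installer FDE layout above,
# except that swap is on a plain partition (sda4) to exercise the check.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
 {"name": "sda", "fstype": null, "mountpoints": [null], "children": [
   {"name": "sda1", "fstype": "vfat", "mountpoints": ["/boot/efi"]},
   {"name": "sda2", "fstype": "ext2", "mountpoints": ["/boot"]},
   {"name": "sda3", "fstype": "crypto_LUKS", "mountpoints": [null], "children": [
     {"name": "sda3_crypt", "fstype": "LVM2_member", "mountpoints": [null], "children": [
       {"name": "debian--fde--vg-root", "fstype": "ext4", "mountpoints": ["/"]}]}]},
   {"name": "sda4", "fstype": "swap", "mountpoints": ["[SWAP]"]}
 ]}]}
"""

# Mount points that should only ever live inside a LUKS container.
SENSITIVE = {"/", "[SWAP]", "/home", "/data"}


def _walk(devices, under_luks):
    """Recurse through lsblk children, carrying whether a LUKS ancestor was seen."""
    findings = []
    for dev in devices:
        enc = under_luks or dev.get("fstype") == "crypto_LUKS"
        # Newer lsblk emits "mountpoints" (list); older ones emit "mountpoint".
        mounts = dev.get("mountpoints") or [dev.get("mountpoint")]
        for mp in mounts:
            if mp in SENSITIVE and not enc:
                findings.append((dev["name"], mp))
        findings += _walk(dev.get("children", []), enc)
    return findings


def unencrypted_sensitive(lsblk_json):
    """Return [(device, mountpoint)] for sensitive mounts with no LUKS ancestor."""
    return _walk(json.loads(lsblk_json)["blockdevices"], False)


def check_live_system():
    """Run lsblk on the running system and apply the same check."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,FSTYPE,MOUNTPOINTS"],
                         capture_output=True, text=True, check=True).stdout
    return unencrypted_sensitive(out)


if __name__ == "__main__":
    for name, mp in unencrypted_sensitive(SAMPLE_LSBLK_JSON):
        print(f"{mp} on {name} is not inside a LUKS container")
```

On the sample this reports only `[SWAP] on sda4`; a swap file on / or an LVM swap volume under the LUKS container, as in pbear's layouts, produces no findings.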

toquinho
Posts: 69
Joined: 2014-06-24 16:50
Been thanked: 1 time

Re: Problem installing bookworm with encrypted root

#4 Post by toquinho »

Thanks a lot for your quick help. The only reason why I did not use the default option with LUKS on LVM was that I was not aware of it because I had always followed the old guide for Jessie. Now I tried the option in the installer, and the installation is continuing smoothly.

toquinho
Posts: 69
Joined: 2014-06-24 16:50
Been thanked: 1 time

[Solved] Problem installing bookworm with encrypted root

#5 Post by toquinho »

Marked as solved.
