On 24/05/2025 at 21:16, Cyril Brulebois wrote:
> Pascal Hambourg <pas...@plouf.fr.eu.org> (2025-05-24):
>> Boot with debian-trixie-DI-rc1-amd64-netinst.iso, expert install, no
>> hack in the shell, encrypted /home using only regular menus ->
>> installed system boot: no passphrase prompt, fallback to emergency
>> shell. Install systemd-cryptsetup -> it works without any additional
>> configuration.
> OK, thanks for confirming. I'm not sure if the logic around the
> cryptsetup-initramfs installation did or would pick up that use case.
I do not see why it wouldn't. It works in bookworm.
> Was cryptsetup-initramfs installed?
Yes:
May 24 10:12:30 apt-install: Queueing package cryptsetup-initramfs for
later installation
> I'm not sure how to best spot the need for systemd-cryptsetup in those
> cases, I'm really just familiar with the usual guided encrypted LVM
> scenario… If someone wants to propose some logic, I'm all ears.
As you wrote, I think the simpler, safer and more versatile approach is to queue
systemd-cryptsetup along with cryptsetup-initramfs so that the behaviour
is the same as previous releases and won't surprise users.
If you want something more sophisticated, as Guilhem proposed: queue
cryptsetup-initramfs for encrypted /, /usr and swap and queue
systemd-cryptsetup for other encrypted volumes. But despite the mention
in release notes, some users may be surprised after installing Trixie
without systemd-cryptsetup when later adding an encrypted volume
(requiring systemd-cryptsetup).
> What do /etc/fstab and /etc/crypttab look like?
/etc/fstab:
UUID=e88e70ed-524f-484e-9b26-b8768b7ca641 / ext4 errors=remount-ro 0 1
/dev/mapper/vda2_crypt /home ext4 defaults 0 2
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
/etc/crypttab:
vda2_crypt UUID=258de875-138e-4c10-8438-d36e287aa880 none luks,discard,x-initrd.attach
As expected, the initramfs /cryptroot/crypttab is empty because there is
no need to mount /home early. A workaround would be to add the option
"initramfs" in /etc/crypttab so that the line is added to the initramfs
crypttab. But I do not advocate it, because any failure would spawn the
initramfs shell, which is much less convenient than the systemd emergency shell.
PS: I suspect the option "x-initrd.attach" is not needed for /home, but
it is probably harmless.
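The classification discussed in this thread, written out as an added example that is not part of the thread or of debian-installer: a POSIX shell script that reads an fstab and a crypttab (constructed inline from the lines quoted above, plus an invented swap mapping vda3_crypt), reports which mappings must be unlocked in the initramfs (cryptsetup-initramfs) and which can be left to systemd-cryptsetup, and flags the "initramfs" crypttab option. The function names are mine.

```sh
#!/bin/sh
# Constructed sample files: the fstab/crypttab lines from the thread plus an
# invented swap mapping (vda3_crypt) so that both stages appear.
FSTAB=$(mktemp); CRYPTTAB=$(mktemp)
cat >"$FSTAB" <<'EOF'
UUID=e88e70ed-524f-484e-9b26-b8768b7ca641 / ext4 errors=remount-ro 0 1
/dev/mapper/vda2_crypt /home ext4 defaults 0 2
/dev/mapper/vda3_crypt none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
EOF
cat >"$CRYPTTAB" <<'EOF'
vda2_crypt UUID=258de875-138e-4c10-8438-d36e287aa880 none luks,discard,x-initrd.attach
vda3_crypt UUID=CONSTRUCTED-SWAP-UUID none luks,discard
EOF

# classify FSTAB CRYPTTAB: prints "<name> early|late[ initramfs-option]" per mapping.
# "early" = must be unlocked in the initramfs (/, /usr, swap); "late" = anything
# else, which systemd-cryptsetup can unlock after the root switch.
classify() {
    fstab=$1 crypttab=$2
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$crypttab" |
    while read -r name _src _key opts; do
        # locate the fstab entry that mounts this mapping (may be absent)
        set -- $(grep "^/dev/mapper/$name[[:space:]]" "$fstab")
        case "${2:-}:${3:-}" in
            /:*|/usr:*|*:swap) stage=early ;;
            *)                 stage=late ;;
        esac
        flag=
        case ",$opts," in *,initramfs,*) flag=" initramfs-option" ;; esac
        printf '%s %s%s\n' "$name" "$stage" "$flag"
    done
}

# packages_needed FSTAB CRYPTTAB: the cryptsetup package(s) this layout implies.
packages_needed() {
    list=$(classify "$1" "$2"); pkgs=
    echo "$list" | grep -q ' early' && pkgs=cryptsetup-initramfs
    echo "$list" | grep -q ' late' && pkgs="${pkgs:+$pkgs }systemd-cryptsetup"
    printf '%s\n' "$pkgs"
}

classify "$FSTAB" "$CRYPTTAB"         # vda2_crypt late / vda3_crypt early
packages_needed "$FSTAB" "$CRYPTTAB"  # cryptsetup-initramfs systemd-cryptsetup
```

With only the /home mapping from the thread, the script reports "late" and hence systemd-cryptsetup alone, which is exactly the case the installer missed.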