On 24/05/2025 at 21:16, Cyril Brulebois wrote:
Pascal Hambourg <pas...@plouf.fr.eu.org> (2025-05-24):

Boot with debian-trixie-DI-rc1-amd64-netinst.iso, expert install, no
hack in the shell, encrypted /home using only regular menus ->
installed system boot: no passphrase prompt, fallback to emergency
shell. Install systemd-cryptsetup -> it works without any additional
configuration.

OK, thanks for confirming. I'm not sure if the logic around the
cryptsetup-initramfs installation did or would pick up that use case.

I do not see why it wouldn't. It works in bookworm.

Was cryptsetup-initramfs installed?

Yes:
May 24 10:12:30 apt-install: Queueing package cryptsetup-initramfs for later installation

I'm not sure how to best spot the need for systemd-cryptsetup in those
cases, I'm really just familiar with the usual guided encrypted LVM
scenario… If someone wants to propose some logic, I'm all ears.

As you wrote, I think the simplest, safest and most versatile approach is to queue systemd-cryptsetup along with cryptsetup-initramfs so that the behaviour is the same as in previous releases and won't surprise users.

If you want something more sophisticated, as Guilhem proposed: queue cryptsetup-initramfs for encrypted /, /usr and swap, and queue systemd-cryptsetup for other encrypted volumes. But despite the mention in the release notes, some users may be surprised after installing Trixie without systemd-cryptsetup when later adding an encrypted volume (which requires systemd-cryptsetup).

What do /etc/fstab and /etc/crypttab look like?

/etc/fstab:
UUID=e88e70ed-524f-484e-9b26-b8768b7ca641 / ext4 errors=remount-ro 0 1
/dev/mapper/vda2_crypt /home           ext4    defaults        0       2
/dev/sr0        /media/cdrom0   udf,iso9660 user,noauto     0       0

/etc/crypttab:
vda2_crypt UUID=258de875-138e-4c10-8438-d36e287aa880 none luks,discard,x-initrd.attach

As expected, the initramfs /cryptroot/crypttab is empty because there is no need to mount /home early. A workaround would be to add the option "initramfs" in /etc/crypttab so that the line is added to the initramfs crypttab. But I do not advocate it, because any failure would spawn the initramfs shell, which is much less convenient than the systemd emergency shell.

PS: I suspect the option "x-initrd.attach" is not needed for /home, but it is probably harmless.
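The package-selection rule discussed above (cryptsetup-initramfs for encrypted /, /usr and swap; systemd-cryptsetup for any other encrypted volume), as an added POSIX shell example that is not code from the installer or from this thread. It assumes the mapped device appears directly in fstab (no LVM on top, unlike the guided encrypted LVM case) and uses the crypttab/fstab lines from the thread as constructed sample input.

```shell
#!/bin/sh
# Constructed sample input, copied from the /etc/crypttab and /etc/fstab shown above.
SAMPLE_CRYPTTAB='vda2_crypt UUID=258de875-138e-4c10-8438-d36e287aa880 none luks,discard,x-initrd.attach'
SAMPLE_FSTAB='UUID=e88e70ed-524f-484e-9b26-b8768b7ca641 / ext4 errors=remount-ro 0 1
/dev/mapper/vda2_crypt /home ext4 defaults 0 2
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0'

# find_fstab DEVICE FSTAB: print "mountpoint fstype" for DEVICE, or nothing if absent.
find_fstab() {
    while read -r dev mnt fstype rest; do
        [ "$dev" = "$1" ] && { printf '%s %s\n' "$mnt" "$fstype"; return 0; }
    done <<EOF
$2
EOF
    return 0
}

# crypt_packages CRYPTTAB FSTAB: print, one per line, the packages the rule would queue.
#   cryptsetup-initramfs  if a mapping backs /, /usr or swap (needed in the initramfs)
#   systemd-cryptsetup    if a mapping backs anything else (unlocked later by systemd)
# A mapping with no fstab entry is treated as "anything else" (hypothetical choice).
crypt_packages() {
    need_initramfs=0
    need_systemd=0
    while read -r name source key opts; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blanks and comments
        entry=$(find_fstab "/dev/mapper/$name" "$2")
        mnt=${entry%% *}
        fstype=${entry#* }
        case "$mnt:$fstype" in
            /:*|/usr:*|*:swap) need_initramfs=1 ;;
            *)                 need_systemd=1 ;;
        esac
    done <<EOF
$1
EOF
    [ "$need_initramfs" -eq 1 ] && echo cryptsetup-initramfs
    [ "$need_systemd" -eq 1 ] && echo systemd-cryptsetup
    return 0
}

# For the thread's layout (only /home encrypted) this prints: systemd-cryptsetup
crypt_packages "$SAMPLE_CRYPTTAB" "$SAMPLE_FSTAB"
```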
