Hi,

I'm configuring a new Debian installation on my workstation, with both the /boot partition and the root filesystem encrypted:

- /dev/nvme0n1p1 -> /EFI
- /dev/nvme0n1p2 -> LUKS2 (pbkdf2) -> /boot
- /dev/nvme0n1p3 -> LUKS2 -> LVM containing root and other volumes

The system boots, but requires entering the /boot password twice: once for GRUB, and once again during systemd initialization.

Both devices are properly configured in /etc/crypttab with the UUIDs for /dev/nvme0n1p2 and /dev/nvme0n1p3 respectively (as outputted by blkid). GRUB_CMDLINE_LINUX contains the correct cryptdevice parameters for both partitions, also with UUIDs.

I checked the initramfs contents using 'unmkinitramfs' in /tmp/initramfs/ to review main/cryptroot/crypttab, but it only contains an entry for lvm_crypt; boot_crypt is missing. That leads me to believe that after GRUB hands off control to the kernel, the boot_crypt mapping is lost. Systemd then attempts to decrypt boot_crypt again.

Things I attempted:

1. Systemd unit overrides to prevent the second decryption
2. Moving the boot_crypt entry to the first line in crypttab, just in case the cryptroot hook located at /usr/share/initramfs-tools/hooks/cryptroot processes only the first entry. Of course, that didn't do anything - Debian is pretty stable after all.
3. Various initramfs configuration attempts

Every time after making changes, I executed:

    update-initramfs -u -k all
    grub-install --target=x86_64-efi --efi-directory=/efi
    update-grub
    reboot now

(I deleted my old /boot/efi folder and remapped the /dev/nvme0n1p1 device to /efi in /etc/fstab and as far as I can see, it works fine.)

Very, very often, my changes resulted either in timeouts and /boot not being mounted, or the overrides not working.

So here are some questions I need help with:

1. Why isn't a crypttab entry for boot_crypt included in the initramfs?
2. Is there a recommended way to preserve the device mapping from GRUB?
3. Is this setup even supported/recommended?

System details:

Kernel: 6.1.0-30-amd64
Debian version: 6.1.124-1 (2025-01-12) x86_64 GNU/Linux

'dpkg -l | grep -E "grub|cryptsetup"' outputs the following packages: cryptsetup, cryptsetup-bin, cryptsetup-initramfs, grub-common, grub-efi-amd64, grub-efi-amd64-bin, grub-efi-amd64-signed, grub2-common and libcryptsetup12:amd64

I really hope you can help me.

Best regards,
Automætic
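
The check described in the post (comparing /etc/crypttab with main/cryptroot/crypttab from the unpacked initramfs) can be scripted. This is an added example, not part of the original post; the function names and the sample crypttab contents, including the UUIDs, are constructed for illustration.

```shell
#!/bin/sh
# Added example: list crypttab targets that exist in the system crypttab
# but are absent from the crypttab packed into an unpacked initramfs.

# Print the target name (first field) of every non-blank, non-comment line.
crypttab_targets() {
    awk 'NF && $1 !~ /^#/ { print $1 }' "$1" | LC_ALL=C sort -u
}

# Usage: missing_from_initramfs SYSTEM_CRYPTTAB INITRAMFS_CRYPTTAB
# e.g.   missing_from_initramfs /etc/crypttab /tmp/initramfs/main/cryptroot/crypttab
missing_from_initramfs() {
    sys=$(mktemp)
    ini=$(mktemp)
    crypttab_targets "$1" > "$sys"
    crypttab_targets "$2" > "$ini"
    # comm -23 keeps lines that appear only in the first (system) list.
    LC_ALL=C comm -23 "$sys" "$ini"
    rm -f "$sys" "$ini"
}

# Run the comparison on constructed sample files (placeholder UUIDs).
demo() {
    d=$(mktemp -d)
    cat > "$d/etc_crypttab" <<'EOF'
# <target> <source> <keyfile> <options>
boot_crypt UUID=00000000-0000-0000-0000-000000000002 none luks
lvm_crypt  UUID=00000000-0000-0000-0000-000000000003 none luks
EOF
    cat > "$d/initramfs_crypttab" <<'EOF'
lvm_crypt UUID=00000000-0000-0000-0000-000000000003 none luks
EOF
    missing_from_initramfs "$d/etc_crypttab" "$d/initramfs_crypttab"
    rm -rf "$d"
}

demo
```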