On 2/3/25 23:39, Automætic wrote:
Hi,
I'm configuring a new Debian installation on my workstation, with both the
/boot partition and the root filesystem encrypted:
- /dev/nvme0n1p1 -> /EFI
- /dev/nvme0n1p2 -> LUKS2 (pbkdf2) -> /boot
- /dev/nvme0n1p3 -> LUKS2 -> LVM containing root and other volumes
The system boots, but requires entering the /boot password twice: once for GRUB, and once again during systemd initialization.
3. Is this setup even supported/recommended?
The only way that I found is to use a keyfile:
# DEVICE_NAME is the /boot partition (nvme0n1p2 in the layout above); the commands below are unfolded here.
# Create a 64-byte random keyfile, readable by root only (conv=excl refuses to overwrite an existing file).
( umask 0077 && dd if=/dev/urandom bs=1 count=64 of=/etc/keys/boot.key conv=excl,fsync ) || exit $?
# Enrol the keyfile in LUKS key slot 1 of the /boot partition.
cryptsetup luksAddKey /dev/${DEVICE_NAME} /etc/keys/boot.key --key-slot=1 || exit $?
# In the crypttab entry for this device, set the third field (keyfile) to the key path and the fourth field (options) to key-slot=1.
sed -i "/${DEVICE_NAME}_crypt/s/[^ ]*/\/etc\/keys\/boot.key/3;/${DEVICE_NAME}_crypt/s/[^ ]*/key-slot=1/4" /etc/crypttab || exit $?
chmod 0644 /etc/crypttab || exit $?
Note that this e-mail might be folded by my mailer.
--
John Doe
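The crypttab step from the reply above, as an added example that is not from the original mail or from Debian's own scripts: it rewrites the keyfile and options fields with awk (keeping any existing options and adding key-slot=N, whereas the sed one-liner overwrites the options field) and refuses a keyfile that group or others can read. The function names set_crypttab_key and check_keyfile_mode, the sample crypttab in the comments, and GNU awk/stat/mktemp as found on Debian are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumed helper names:
# set_crypttab_key, check_keyfile_mode. Requires GNU stat/mktemp (Debian).
set -eu

# Point the crypttab entry whose target is "$2" at keyfile "$3" in key slot "$4".
# Field 3 (keyfile) is replaced; field 4 (options) keeps what was there and
# gains key-slot=N, unlike the sed one-liner in the mail which overwrites it.
# Example (constructed) line: nvme0n1p2_crypt UUID=xxx none luks
# becomes:                    nvme0n1p2_crypt UUID=xxx /etc/keys/boot.key luks,key-slot=1
# Returns 1 and leaves the file untouched if no such entry exists.
set_crypttab_key() {
    crypttab=$1 target=$2 keyfile=$3 slot=$4
    tmp=$(mktemp "${crypttab}.XXXXXX")
    if awk -v t="$target" -v k="$keyfile" -v s="$slot" '
            $1 == t { $3 = k; $4 = ($4 == "") ? ("key-slot=" s) : ($4 ",key-slot=" s); found = 1 }
            { print }
            END { exit found ? 0 : 1 }
        ' "$crypttab" > "$tmp"; then
        chmod 0644 "$tmp"   # crypttab holds no secret; the mail uses the same mode
        mv "$tmp" "$crypttab"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Refuse a keyfile that group or others can read. The key unlocks /boot, and
# on Debian cryptsetup-initramfs copies it into the initramfs when it matches
# KEYFILE_PATTERN, so that image must be generated with UMASK=0077 as well.
check_keyfile_mode() {
    mode=$(stat -c '%a' "$1")
    case $mode in
        [0-7]00) return 0 ;;
        *) printf 'keyfile %s has mode %s, expected 0600 or 0400\n' "$1" "$mode" >&2
           return 1 ;;
    esac
}
```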