
Re: system drive encryption question




Pascal Hambourg <pascal@xxxxxxxxxxxxxxx> writes:

> The version of GRUB included in Jessie at least can handle an encrypted 
> /boot. However the Debian installer does not handle this case correctly. 
> You must add the following line in /etc/default/grub in order for
> grub-install to install the core image with crypto modules and for
> update-grub to generate a proper grub.cfg:
>
> GRUB_ENABLE_CRYPTODISK=y
>
> (not =1 or =true as seen in some documentation)
>
> The procedure in the post you point to is flawed in Debian Jessie: if
> you run update-grub or grub-mkconfig before adding the line in
> /etc/default/grub, it won't add the required "cryptomount" commands to
> open encrypted devices. Actually it is grub-mkconfig which is broken:
> if the line is present, it adds a cryptomount command in every menu
> entry, even when not needed (and generates boot-time errors). If the
> line is missing, it adds insmod commands to load crypto modules when
> needed but not the cryptomount commands.

I never said that it works on Debian.  I just wanted to point out that
it is not strictly necessary to have an unencrypted /boot partition.
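
A read-only check for the failure modes described in the quoted message, as an added example that is not part of the original thread: it reports a GRUB_ENABLE_CRYPTODISK value other than `y`, and a grub.cfg that loads crypto modules or has the line set but contains no `cryptomount` command. The function names and result labels are hypothetical, and it assumes the crypto modules appear in grub.cfg as `insmod cryptodisk` or `insmod luks` lines.

```shell
#!/bin/sh
# Added example: check a GRUB defaults file and a generated grub.cfg.
# Paths are arguments so the check can run on copies; nothing is modified.

# Print the effective GRUB_ENABLE_CRYPTODISK value (last assignment wins,
# trailing comment and surrounding quotes stripped); empty when not set.
cryptodisk_setting() {
    sed -n 's/^[[:space:]]*GRUB_ENABLE_CRYPTODISK=//p' "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Usage: check_grub_crypto DEFAULTS_FILE GRUB_CFG
# Prints one of: bad-value, missing-line, no-crypto-detected, stale-cfg, ok
check_grub_crypto() (
    setting=$(cryptodisk_setting "$1")
    # grep -c exits 1 on a zero count, hence "|| true".
    insmods=$(grep -cE '^[[:space:]]*insmod[[:space:]]+(cryptodisk|luks)([[:space:]]|$)' "$2" || true)
    mounts=$(grep -cE '^[[:space:]]*cryptomount[[:space:]]' "$2" || true)

    if [ -n "$setting" ] && [ "$setting" != y ]; then
        echo bad-value            # e.g. =1 or =true: must be exactly "y"
    elif [ -z "$setting" ] && [ "${insmods:-0}" -gt 0 ]; then
        echo missing-line         # crypto modules loaded, line absent
    elif [ -z "$setting" ]; then
        echo no-crypto-detected   # no line and no crypto insmod in grub.cfg
    elif [ "${mounts:-0}" -eq 0 ]; then
        echo stale-cfg            # line present, no cryptomount in grub.cfg
    else
        echo ok
    fi
)

# Constructed sample input: the line is set, but grub.cfg was generated
# before it was added (insmod lines only, no cryptomount).
tmp=$(mktemp -d)
printf 'GRUB_ENABLE_CRYPTODISK=y\n' > "$tmp/default_grub"
printf 'menuentry "Debian" {\n\tinsmod cryptodisk\n\tinsmod luks\n}\n' > "$tmp/grub.cfg"
check_grub_crypto "$tmp/default_grub" "$tmp/grub.cfg"   # prints: stale-cfg
rm -rf "$tmp"
```

A `stale-cfg` or `missing-line` result means grub.cfg should be regenerated with update-grub once the line reads exactly `GRUB_ENABLE_CRYPTODISK=y`.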