Web lists-archives.com

Re: Won't boot if /, home, swap are encrypted

Dear Mathew,

Thank you for looking into this further.

I did not have to change anything in the BIOS - it was fine all along. Here are some differences from what you have and some of my issues:

1. I did not have a 1MB free space. I didn't know that I had to leave that free space. The Debian installation instructions regarding partitioning (https://www.debian.org/releases/stretch/amd64/ch06s03.html.en#di-partition) show a table at the end of " Guided Partitioning" (which was achieved with Manual Partitioning, as per the table caption below it) that has free space, but there is no indication that it is required. The next section on that same webpage covers manual partitioning and doesn't indicate that free space requirement either. At the end, I installed and booted successfully into Debian without this free space.

2. The table from the debian instructions (referenced above) does not show a bootable EFI, only a bootable /boot. Though the text does specify "If you have booted in EFI mode then within the guided partitioning setup there will be an additional partition, formatted as a FAT32 bootable filesystem, for the EFI boot loader." I think that the instructions can be improved by showing an EFI partition like in the screenshot you sent. I think I also kept forcing the /boot to have a "Boot Flag: On". It seems counter intuitive, but apparently the /boot partition must not have a bootable flag - also something that maybe should be clarified in the instructions.

3. You keep referring to the EFI partition as being mounted on "/boot/efi", which I could do by manually typing this mount point, but this was not acceptable to the installer - it came back telling me that I don't have an EFI. So instead, the EFI needs to be selected from the menu, where it is listed under swap as "EFI System Partition".

Next time I install Debian on another machine (should be soon), I think I'll do graphic install so I can take screenshots along the way and make a set of instructions for less experienced users like me. Encrypting the /, home, and swap was also not straight forward to me from the instructions - two videos by Rex Kneisley is what helped me figure out how to do it. (Though the encryption part was not the cause of not being able to boot into the newly installed system.) So I'll be sure to include screenshots of these steps as well. Any ideas as to where may be a good place to post such instructions and screenshots? Do you think anyone would be interested in including them with the official installation guide?


On Sunday, October 21, 2018, 8:06:28 PM EDT, Matthew Crews <mailinglists@xxxxxxxxxxxxx> wrote:

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Sunday, October 21, 2018 10:29 AM, Roberto C. Sánchez <roberto@xxxxxxxxxx> wrote:

> On Sun, Oct 21, 2018 at 01:25:09PM +0000, D&P Dimov wrote:
> > I did a new install of latest Debian 9.5 stable on a new Dell laptop. Debian is the only OS there now. If I encrypt /, home, and swap, it won't boot after install. If I leave them unencrypted, it boots fine. What am I missing?
> > Thanks!
> It will be much easier to help you if you could post the complete output
> of the boot sequence up to the failure. If that is not possible, then
> perhaps the last screenful or last few lines. Or even a photograph of
> the screen showing where the boot sequence is stuck.

To satisfy my curiosity, I fired up a VM and in the VM used the Debian installer to automatically partition for an encrypted install, with separate /, /home, and /swap. It made a 1MB blank partition, 512MiB /boot/efi partition flagged as bootable, 244MiB /boot partition, and allocated the rest of the disk to the LUKS container. In the LUKS container contained /, /home, and /swap. See the attached picture.

After installation was complete, here is the output of lsblk.

NAME                        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sda                          8:0    0  20G  0 disk
├─sda1                        8:1    0  512M  0 part  /boot/efi
├─sda2                        8:2    0  244M  0 part  /boot
└─sda3                        8:3    0 19.3G  0 part
  └─sda3_crypt              254:0    0 19.3G  0 crypt
    ├─debian--vm--vg-root  254:1    0  6.4G  0 lvm  /
    ├─debian--vm--vg-swap_1 254:2    0    2G  0 lvm  [SWAP]
    └─debian--vm--vg-home  254:3    0 10.9G  0 lvm  /home
sr0                          11:0    1 55.3M  0 rom

It seems the best practice is:
1MB blank partition at the beginning of the drive
512MB EFI partition (or larger) mounted at /boot/efi, flagged as bootable
256MB /boot partition (or larger as desired), NOT flagged as bootable.
Then the rest of the drive partitioned as desired (ie a LUKS container)

If all of these conditions are met, then encrypted boot with EFI *should* work correctly.

So I'm at a loss, D&P Dimov, as to why you had difficulty. You said it was a config in your BIOS that you needed to change?