
Re: Won't boot if /, home, swap are encrypted




On Mon 22 Oct 2018 at 00:05:45 (+0000), Matthew Crews wrote:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Sunday, October 21, 2018 10:29 AM, Roberto C. Sánchez <roberto@xxxxxxxxxx> wrote:
> 
> > On Sun, Oct 21, 2018 at 01:25:09PM +0000, D&P Dimov wrote:
> >
> > > I did a new install of latest Debian 9.5 stable on a new Dell laptop. Debian is the only OS there now. If I encrypt /, home, and swap, it won't boot after install. If I leave them unencrypted, it boots fine. What am I missing?
> > > Thanks!
> >
> > It will be much easier to help you if you could post the complete output
> > of the boot sequence up to the failure. If that is not possible, then
> > perhaps the last screenful or last few lines. Or even a photograph of
> > the screen showing where the boot sequence is stuck.
> 
> To satisfy my curiosity, I fired up a VM and in the VM used the Debian installer to automatically partition for an encrypted install, with separate /, /home, and /swap. It made a 1MB blank partition, a 512MiB /boot/efi partition flagged as bootable, a 244MiB /boot partition, and allocated the rest of the disk to the LUKS container. The LUKS container contained /, /home, and /swap. See the attached picture.

It needs to be pointed out that the 1MB FREE SPACE at the start of the
disk (and the one at the end) is not a blank partition: it is free space.

> After installation was complete, here is the output of lsblk.
> 
> NAME                        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
> sda                           8:0    0   20G  0 disk
> ├─sda1                        8:1    0  512M  0 part  /boot/efi
> ├─sda2                        8:2    0  244M  0 part  /boot
> └─sda3                        8:3    0 19.3G  0 part
>   └─sda3_crypt              254:0    0 19.3G  0 crypt
>     ├─debian--vm--vg-root   254:1    0  6.4G  0 lvm   /
>     ├─debian--vm--vg-swap_1 254:2    0    2G  0 lvm   [SWAP]
>     └─debian--vm--vg-home   254:3    0 10.9G  0 lvm   /home
> sr0                          11:0    1 55.3M  0 rom
> 
> 
> It seems the best practice is:
> 1MB blank partition at the beginning of the drive

Noted above. This is to give you partition alignment of 1MiB for
efficiency. For GPT disks like this, I also add a 3MiB partition
(giving me 4MiB alignment) set to "BIOS boot" which, like it says,
allows it to be booted in legacy mode if ever required.

> 512MB EFI partition (or larger) mounted at /boot/efi, flagged as bootable
> 256MB /boot partition (or larger as desired), NOT flagged as bootable.
> Then the rest of the drive partitioned as desired (ie a LUKS container)
> 
> If all of these conditions are met, then encrypted boot with EFI *should* work correctly.
> 
> So I'm at a loss, D&P Dimov, as to why you had difficulty. You said it was a config in your BIOS that you needed to change?

Cheers,
David.
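The layout Matthew describes (ESP and /boot as plain partitions, everything else inside the LUKS container) can be checked mechanically from the output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`, which prints one device per line as key="value" pairs and names each device's parent. The script below is an added example, not code from the thread or from Debian: it parses that output, walks the PKNAME chain to decide which mountpoints sit under a dm-crypt device, and reports any deviation from the pattern above. The two lsblk samples are constructed (the first mirrors the lsblk listing quoted in this thread, the second is a hypothetical layout with /boot placed inside the container); the function and variable names are the example's own.

```python
"""Check a Debian EFI + LUKS disk layout: ESP and /boot must be plain
partitions, the remaining mountpoints should live inside the LUKS container.

Parses `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` output.  Added example,
not part of the original mailing-list thread.
"""
import shlex
import subprocess
import sys

# Constructed sample mirroring the lsblk listing quoted in the thread
# (sda1 ESP, sda2 /boot, sda3 LUKS container holding LVM root/swap/home).
SAMPLE_LSBLK = '''NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda3" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="sda3_crypt" TYPE="crypt" MOUNTPOINT="" PKNAME="sda3"
NAME="debian--vm--vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="sda3_crypt"
NAME="debian--vm--vg-swap_1" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="sda3_crypt"
NAME="debian--vm--vg-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="sda3_crypt"
NAME="sr0" TYPE="rom" MOUNTPOINT="" PKNAME=""
'''

# Constructed, hypothetical layout where /boot was put inside the container.
BAD_LSBLK = '''NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="sda2_crypt" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-boot" TYPE="lvm" MOUNTPOINT="/boot" PKNAME="sda2_crypt"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="sda2_crypt"
NAME="vg-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="sda2_crypt"
'''


def parse_lsblk_pairs(text):
    """Turn `lsblk -P` lines into {name: {"type", "mountpoint", "pkname"}}."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # shlex handles the double quotes; each token is KEY=value
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        devices[fields["NAME"]] = {
            "type": fields.get("TYPE", ""),
            "mountpoint": fields.get("MOUNTPOINT", ""),
            "pkname": fields.get("PKNAME", ""),
        }
    return devices


def ancestors(devices, name):
    """Yield name and its parents up to the whole disk (cycle-safe)."""
    seen = set()
    while name and name in devices and name not in seen:
        seen.add(name)
        yield name
        name = devices[name]["pkname"]


def is_encrypted(devices, name):
    """True if any device between name and the disk is a dm-crypt mapping."""
    return any(devices[n]["type"] == "crypt" for n in ancestors(devices, name))


def check_layout(text):
    """Return a list of findings; an empty list means the layout matches the
    pattern from the thread (plain ESP and /boot, data under LUKS)."""
    devices = parse_lsblk_pairs(text)
    mounts = {d["mountpoint"]: n for n, d in devices.items() if d["mountpoint"]}
    problems = []
    for mp in ("/boot/efi", "/boot"):
        dev = mounts.get(mp)
        if dev is None:
            problems.append(f"{mp} is not a separate mountpoint")
        elif is_encrypted(devices, dev):
            problems.append(f"{mp} on {dev} sits inside a dm-crypt container")
        elif devices[dev]["type"] != "part":
            problems.append(f"{mp} on {dev} is not a plain partition")
    for mp, dev in mounts.items():
        if mp not in ("/boot/efi", "/boot") and not is_encrypted(devices, dev):
            problems.append(f"{mp} on {dev} is outside the LUKS container")
    return problems


def live_lsblk():
    """Run lsblk on the current host (Linux with util-linux)."""
    cmd = ["lsblk", "-P", "-o", "NAME,TYPE,MOUNTPOINT,PKNAME"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    text = live_lsblk() if "--live" in sys.argv else SAMPLE_LSBLK
    for finding in check_layout(text) or ["layout OK"]:
        print(finding)
```

Run it with `--live` on the installed system (or from the installer's rescue shell) to confirm that /boot and /boot/efi are plain partitions outside the container; without the flag it evaluates the constructed sample from this thread.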