Re: Won't boot if /, home, swap are encrypted
- Date: Sun, 21 Oct 2018 22:50:28 -0500
- From: David Wright <deblis@xxxxxxxxxxxxxxxxx>
- Subject: Re: Won't boot if /, home, swap are encrypted
On Mon 22 Oct 2018 at 00:05:45 (+0000), Matthew Crews wrote:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Sunday, October 21, 2018 10:29 AM, Roberto C. Sánchez <roberto@xxxxxxxxxx> wrote:
> > On Sun, Oct 21, 2018 at 01:25:09PM +0000, D&P Dimov wrote:
> > > I did a new install of latest Debian 9.5 stable on a new Dell laptop. Debian is the only OS there now. If I encrypt /, home, and swap, it won't boot after install. If I leave them unencrypted, it boots fine. What am I missing?
> > > Thanks!
> > It will be much easier to help you if you could post the complete output
> > of the boot sequence up to the failure. If that is not possible, then
> > perhaps the last screenful or last few lines. Or even a photograph of
> > the screen showing where the boot sequence is stuck.
> To satisfy my curiosity, I fired up a VM and in the VM used the Debian installer to automatically partition for an encrypted install, with separate /, /home, and /swap. It made a 1MB blank partition, 512MiB /boot/efi partition flagged as bootable, 244MiB /boot partition, and allocated the rest of the disk to the LUKS container. In the LUKS container contained /, /home, and /swap. See the attached picture.
It needs to be pointed out that the 1MB FREE SPACE at the start of the
disk (and the one at the end) is not a blank partition: it is free space.
> After installation was complete, here is the output of lsblk.
> NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
> sda 8:0 0 20G 0 disk
> ├─sda1 8:1 0 512M 0 part /boot/efi
> ├─sda2 8:2 0 244M 0 part /boot
> └─sda3 8:3 0 19.3G 0 part
> └─sda3_crypt 254:0 0 19.3G 0 crypt
> ├─debian--vm--vg-root 254:1 0 6.4G 0 lvm /
> ├─debian--vm--vg-swap_1 254:2 0 2G 0 lvm [SWAP]
> └─debian--vm--vg-home 254:3 0 10.9G 0 lvm /home
> sr0 11:0 1 55.3M 0 rom
> It seems the best practice is:
> 1MB blank partition at the beginning of the drive
Noted above. This is to give you partition alignment of 1MiB for
efficiency. For GPT disks like this, I also add a 3MiB partition
(giving me 4MiB alignment) set to "BIOS boot" which, like it says,
allows it to be booted in legacy mode if ever required.
> 512MB EFI partition (or larger) mounted at /boot/efi, flagged as bootable
> 256MB /boot partition (or larger as desired), NOT flagged as bootable.
> Then the rest of the drive partitioned as desired (ie a LUKS container)
> If all of these conditions are met, then encrypted boot with EFI *should* work correctly.
> So I'm at a loss, D&P Dimov, as to why you had difficulty. You said it was a config in your BIOS that you needed to change?