On Sat, 2019-02-02 at 22:56 -0800, Ross Boylan wrote:
> I am able to decrypt the partition outside of a VM without the rescue
> "CD". Since I can also decrypt using the installer CD as rescue, this
> means the failure is specific to booting via grub and initrd.
>
> This seems to indicate the installer created the encrypted partition
> properly but the boot environment it created is either handling the
> pass-phrase incorrectly (e.g., include \n) or is missing some other part of
> the machinery necessary. The most obvious candidate is from the error
> message
> > Check that kernel supports aes-xts-plain64 cipher
>
> I don't know how to check that, but looking in config-4.19.0-1-amd64 on the
> boot partition, I see some partial matches that might be relevant:
> CONFIG_CRYPTO_AES=y
> # CONFIG_CRYPTO_AES_TI is not set
> CONFIG_CRYPTO_AES_X86_64=m
> CONFIG_CRYPTO_AES_NI_INTEL=m
>
> CONFIG_CRYPTO_XTS=m
>
> I don't see anything that looks like plain.

You can't easily map crypto modes to config options like this. But if
you are using the standard kernel, I can assure you that it supports full
disk encryption.

> The buster system created by the installer includes aesni-intel.ko, but the
> initrd does not.

cryptsetup-initramfs should have been installed, and it would add the
crypto modules (and other necessary files) to the initramfs. Is it
installed?

Ben.

--
Ben Hutchings
Horngren's Observation:
Among economists, the real world is often a special case.
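
One way to run the two checks raised in this thread (is cryptsetup-initramfs installed, and which crypto modules made it into the initrd), as an added example that is not part of the original message. The function names, the module list (dm_crypt, xts, aesni_intel) and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Report which kernel modules are absent from an initramfs listing.
# stdin: output of `lsinitramfs <image>`; arguments: module names to look for.
missing_initrd_modules() {
    # Module files may use '-' where the module name uses '_'; normalise both.
    listing=$(sed 'y/-/_/')
    for mod in "$@"; do
        name=$(printf '%s' "$mod" | sed 'y/-/_/')
        # Match <name>.ko, optionally compressed, at the end of a path.
        printf '%s\n' "$listing" \
            | grep -Eq "/${name}\.ko(\.(xz|gz|zst))?\$" \
            || printf '%s\n' "$mod"
    done
}

# On a Debian system: check the package state, then the real image.
# Defined here but not called, so the example runs offline.
check_initrd() {
    image=$1; shift
    dpkg-query -W -f='${Status}\n' cryptsetup-initramfs 2>/dev/null \
        | grep -q 'install ok installed' \
        || echo "cryptsetup-initramfs is not installed"
    lsinitramfs "$image" | missing_initrd_modules "$@"
}

# Constructed sample listing (not taken from the reporter's machine).
SAMPLE_LISTING='lib/modules/4.19.0-1-amd64/kernel/drivers/md/dm-mod.ko
lib/modules/4.19.0-1-amd64/kernel/drivers/md/dm-crypt.ko
lib/modules/4.19.0-1-amd64/kernel/crypto/xts.ko
bin/busybox'

# Assumed module list for an aes-xts-plain64 volume.
printf '%s\n' "$SAMPLE_LISTING" | missing_initrd_modules dm_crypt xts aesni_intel
```

On the affected system the call would be `check_initrd /boot/initrd.img-4.19.0-1-amd64 dm_crypt xts aesni_intel`; an empty result means every listed module is present in the image.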