
Re: LVM spanning multiple encrypted drives



B. Alexander wrote:
[snip]

The fix is probably simple, but I haven't found the right combination of
secret sauce to get all drives decrypted before the system issues vgchange
-a y, which results in a panic or other Bad Things.

I'd say the design of your setup is the problem. Obviously, this doesn't answer your question, but consider encrypting the logical volume instead of the physical volumes. It makes much more sense to me.

Does anyone know the right way to get the drives decrypted first?

The fun might take place in your init scripts or in your initramfs, depending on your configuration. Unfortunately, things are currently moving in this domain, and I'm not sure about Debian's position here -- thus I cannot recommend one hack over any other. Maybe someone can.

I (very) quickly looked over the initscripts; it looks like the same code in /lib/cryptsetup/cryptdisks.functions is called twice, by cryptdisks-early (before lvm2), and then by cryptdisks (after lvm2). Supposedly, the -early script can't decrypt some devices, I just don't know why. By the looks of it all, I wouldn't be surprised if there were some dependency problems for unusual setups; is the problematic device a RAID volume or something?

If you mount your filesystems in your initramfs (which should really be done only for the root fs), you might be able to put some hooks in /etc/initramfs-tools. I'm not really comfortable with it, so you should read the initramfs-tools(8) manual page or wait for more help.

-thib
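
An added example, not part of the original message and not Debian's own code: a check that classifies crypttab entries by which of the two passes described above (cryptdisks-early before lvm2, cryptdisks after) can open them, then flags volume-group PVs that will still be locked when lvm2 runs. It assumes that sources on md or device-mapper nodes do not exist yet during the early pass and that entries carrying the `noearly` option from Debian's crypttab(5) are skipped there; the function names and the sample crypttab are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample crypttab: <target> <source> <keyfile> <options>
sample_crypttab() {
    cat <<'EOF'
# <target> <source> <keyfile> <options>
crypt_a /dev/sda2 none luks
crypt_b /dev/md0  none luks
crypt_c /dev/sdc1 none luks,noearly
EOF
}

# Print "<target> <early|late>" for every entry of a crypttab-format file.
# Assumption: md and device-mapper sources are absent during the early pass.
classify_crypttab() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        {
            pass = "early"
            if ($2 ~ /^\/dev\/(md|mapper\/)/) pass = "late"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "noearly") pass = "late"
            print $1, pass
        }' "$1"
}

# Usage: pvs_not_ready <crypttab> </dev/mapper/target>...
# Prints every PV that will not be open before lvm2 activates the VG;
# returns 1 if there is at least one such PV.
pvs_not_ready() {
    _tab=$1; shift
    _rc=0
    for _pv in "$@"; do
        _name=${_pv#/dev/mapper/}
        _pass=$(classify_crypttab "$_tab" | awk -v t="$_name" '$1 == t { print $2 }')
        case $_pass in
            early) ;;
            late)  echo "$_pv: opened only by the late cryptdisks pass"; _rc=1 ;;
            *)     echo "$_pv: no crypttab entry"; _rc=1 ;;
        esac
    done
    return $_rc
}

# Demo on the constructed sample: crypt_b and crypt_c are reported.
demo_tab=$(mktemp)
sample_crypttab > "$demo_tab"
pvs_not_ready "$demo_tab" /dev/mapper/crypt_a /dev/mapper/crypt_b /dev/mapper/crypt_c || true
rm -f "$demo_tab"
```

On a real system the first argument would be /etc/crypttab and the PV list would come from the output of `pvs` for the volume group in question.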

