- /dev/nvme0n1p1 -> /EFI
- /dev/nvme0n1p2 -> LUKS2 (pbkdf2) -> /boot
- /dev/nvme0n1p3 -> LUKS2 -> LVM containing root and other volumes
The system boots, but requires entering the /boot password twice:
Once for GRUB, and once again during systemd initialization.
Both devices are properly configured in /etc/crypttab with the UUIDs for /dev/nvme0n1p2 and /dev/nvme0n1p3 respectively (as outputted by blkid).
GRUB_CMDLINE_LINUX contains the correct cryptdevice parameters for both partitions, also with UUIDs.
I checked the initramfs contents using 'unmkinitramfs' in /tmp/initramfs/ to review main/cryptroot/crypttab, but it only contains an entry for lvm_crypt, boot_crypt is missing.
That leads me to believe that after GRUB hands off control to the kernel, the boot_crypt mapping is lost.
Systemd then attempts to decrypt boot_crypt again.
Things I attempted:
1. Systemd unit overrides to prevent the second decryption
2. Moving the boot_crypt entry to the first line in crypttab, just in case the cryptroot hook located at /usr/share/initramfs-tools/hooks/cryptroot processes only the first entry. Of course, that didn't do anything - Debian is pretty stable after all.
3. Various initramfs configuration attempts
Every time after making changes, I executed:
update-initramfs -u -k all
grub-install --target=x86_64-efi --efi-directory=/efi (I deleted my old /boot/efi folder and remapped the /dev/nvme0n1p1 device to /efi in /etc/fstab and as far as I can see, it works fine)
update-grub
reboot now
Very, very often, my changes resulted either in timeouts and /boot not being mounted, or the overrides not working.
So here are some questions I need help with:
1. Why isn't a crypttab entry for boot_crypt included in the initramfs?
2. Is there a recommended way to preserve the device mapping from GRUB?
3. Is this setup even supported/recommended?
System details:
Kernel: 6.1.0-30-amd64
Debian version: 6.1.124-1 (2025-01-12) x86_64 GNU/Linux
'dpkg -l | grep -E "grub|cryptsetup"' outputs the following packages:
cryptsetup, cryptsetup-bin, cryptsetup-initramfs, grub-common, grub-efi-amd64, grub-efi-amd64-bin, grub-efi-amd64-signed, grub2-common and libcryptsetup12:amd64
I really hope you can help me.
Best regards,
Automætic
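
The manual check described in the post (unpacking the initramfs and reading main/cryptroot/crypttab) can be scripted; the following is an added example, not part of the original post. The function names are hypothetical, and the sample crypttab contents, including the UUIDs, are constructed placeholders.

```shell
#!/bin/sh
# Compare mapping names in the system crypttab with the copy that ended up
# inside an unpacked initramfs, and report the ones that were left out.

# Print the target names (first field) of a crypttab file,
# skipping blank lines and comment lines.
crypttab_names() {
    awk 'NF && $1 !~ /^#/ { print $1 }' "$1" | sort -u
}

# $1 = system crypttab, $2 = crypttab from the unpacked initramfs.
# Prints every name present in $1 but absent from $2.
# Real-system usage would be:
#   missing_from_initramfs /etc/crypttab /tmp/initramfs/main/cryptroot/crypttab
missing_from_initramfs() {
    sys_names=$(mktemp) && ird_names=$(mktemp) || return 1
    crypttab_names "$1" > "$sys_names"
    crypttab_names "$2" > "$ird_names"
    comm -23 "$sys_names" "$ird_names"   # lines only in the first list
    rm -f "$sys_names" "$ird_names"
}

# Offline demonstration on constructed files that mirror the situation
# in the post: two entries configured, one present in the initramfs.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/etc_crypttab" <<'EOF'
# <name>    <device>                                   <keyfile> <options>
boot_crypt  UUID=00000000-0000-0000-0000-000000000002  none      luks
lvm_crypt   UUID=00000000-0000-0000-0000-000000000003  none      luks
EOF
    cat > "$d/initramfs_crypttab" <<'EOF'
lvm_crypt   UUID=00000000-0000-0000-0000-000000000003  none      luks
EOF
    missing_from_initramfs "$d/etc_crypttab" "$d/initramfs_crypttab"
    rm -rf "$d"
}

demo
```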