Re: Encrypted /boot partition gets decrypted twice during boot
On 2025-02-03, Automætic wrote:
> Both devices are properly configured in /etc/crypttab with the UUIDs
> for /dev/nvme0n1p2 and /dev/nvme0n1p3 respectively (as outputted by
> blkid).
You set this manually?
> I checked the initramfs contents using 'unmkinitramfs' in
> /tmp/initramfs/ to review main/cryptroot/crypttab, but it only contains
> an entry for lvm_crypt, boot_crypt is missing.
It seems the right way as initrd is loaded from /boot which is already
unencrypted. And this is why update-initramfs filters your /etc/crypttab
and puts only root fs in initrd /cryptroot/crypttab. To avoid asking a
second password after initrd, you could use a key file in your
/etc/crypttab.
I don't know much about grub but it could set a different mapping from
what you set in /etc/fstab. If you really want to investigate if this
mapping is up during initrd, you could add a script in
/etc/initramfs-tools/scripts/init-premount with something like:

    #!/bin/sh
    # initramfs magic
    PREREQ=""
    prereqs()
    {
        echo "$PREREQ"
    }
    case $1 in
    prereqs)
        prereqs
        exit 0
        ;;
    esac
    echo "sourcing initramfs functions"
    . /scripts/functions
    # Begin real processing below this line
    blkid >> /run/initramfs/my.log
    mount >> /run/initramfs/my.log

Run update-initramfs and after booting you should get logs in
/run/initramfs/my.log
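
Added example, not part of the original post: a small shell check that lists the crypttab targets update-initramfs left out of the initramfs copy and says whether each will prompt for a passphrase or use a key file. The function names, the sample file contents and the placeholder UUIDs are assumptions constructed for illustration; only the target names lvm_crypt and boot_crypt come from the thread.

```shell
#!/bin/sh
# Compare the system crypttab with the copy stored in the initramfs.

# Print "target keyfield" for each active crypttab entry.
# Comments and blank lines are skipped; a missing key field counts as "none".
crypttab_entries() {
    awk '!/^[ \t]*(#|$)/ { k = ($3 == "" ? "none" : $3); print $1, k }' "$1"
}

# $1 = system crypttab, $2 = crypttab extracted from the initramfs.
# Prints "target prompt" or "target keyfile" for every target that is
# only unlocked after the initramfs stage.
late_unlocked() {
    crypttab_entries "$1" | while read -r name key; do
        if ! crypttab_entries "$2" |
            awk -v n="$name" '$1 == n { f = 1 } END { exit !f }'; then
            case $key in
                none|-) echo "$name prompt" ;;   # no key file: asks for a passphrase
                *)      echo "$name keyfile" ;;  # key file configured
            esac
        fi
    done
}

# Demo on constructed sample files (placeholder UUIDs).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/etc_crypttab" <<'EOF'
# <target> <source device> <key file> <options>
lvm_crypt  UUID=00000000-0000-0000-0000-000000000003 none luks
boot_crypt UUID=00000000-0000-0000-0000-000000000002 none luks
EOF
    cat > "$d/initrd_crypttab" <<'EOF'
lvm_crypt UUID=00000000-0000-0000-0000-000000000003 none luks
EOF
    late_unlocked "$d/etc_crypttab" "$d/initrd_crypttab"
    rm -rf "$d"
}

demo
```

On the system from the thread the call would be late_unlocked /etc/crypttab /tmp/initramfs/main/cryptroot/crypttab, using the directory where unmkinitramfs unpacked the image.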