On 2/3/25 23:39, Automætic wrote:
> Hi, I'm configuring a new Debian installation on my workstation, with both
> the /boot partition and the root filesystem encrypted:
>
> - /dev/nvme0n1p1 -> /EFI
> - /dev/nvme0n1p2 -> LUKS2 (pbkdf2) -> /boot
> - /dev/nvme0n1p3 -> LUKS2 -> LVM containing root and other volumes
>
> The system boots, but requires entering the /boot password twice: once for
> GRUB, and once again during systemd initialization.
>
> 3. Is this setup even supported/recommended?
The only way that I found is to use a keyfile:

    # create a 64-byte random keyfile readable only by root
    ( umask 0077 && dd if=/dev/urandom bs=1 count=64 of=/etc/keys/boot.key conv=excl,fsync ) || exit $?
    # enrol the keyfile in LUKS key slot 1 of the /boot device
    cryptsetup luksAddKey /dev/${DEVICE_NAME} /etc/keys/boot.key --key-slot=1 || exit $?
    # on the crypttab line for ${DEVICE_NAME}_crypt, set field 3 (key) to the keyfile
    # and field 4 (options) to key-slot=1
    sed -i "/${DEVICE_NAME}_crypt/s/[^ ]*/\/etc\/keys\/boot.key/3;/${DEVICE_NAME}_crypt/s/[^ ]*/key-slot=1/4" /etc/crypttab || exit $?
    chmod 0644 /etc/crypttab || exit $?

Note that this e-mail might be folded by my mailer.

-- 
John Doe
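An added rehearsal script, not from the thread, that applies the reply's crypttab sed edit to a constructed copy of the file and then checks the resulting entry and the keyfile permissions the way one would before rebuilding the initramfs. DEVICE_NAME=nvme0n1p2, the zero UUID and the temporary paths are assumed sample values.

```sh
#!/bin/sh
# Added rehearsal script, not from the thread: runs the reply's crypttab edit
# on a constructed copy and checks the result. DEVICE_NAME, the UUID and the
# temporary paths are assumed sample values.

# Apply the reply's sed expression for mapping ${1}_crypt to crypttab file $2
# (written via a temp file so it also works where sed -i needs a suffix).
rewrite_crypttab() {
    sed "/${1}_crypt/s/[^ ]*/\/etc\/keys\/boot.key/3;/${1}_crypt/s/[^ ]*/key-slot=1/4" "$2" > "$2.tmp" \
        && mv "$2.tmp" "$2"
}

# Return 0 if the entry for mapping $2 in crypttab $1 has exactly four fields,
# a keyfile under /etc/keys in field 3 and a key-slot=<n> option in field 4.
check_crypttab_entry() {
    line=$(grep "^$2[[:space:]]" "$1" | head -n 1)
    [ -n "$line" ] || { echo "no entry for $2" >&2; return 1; }
    set -- $line
    [ $# -eq 4 ] || { echo "expected 4 fields, got $#" >&2; return 1; }
    case $3 in
        /etc/keys/*) ;;
        *) echo "field 3 is not a keyfile: $3" >&2; return 1 ;;
    esac
    case ",$4," in
        *,key-slot=[0-9]*,*) ;;
        *) echo "no key-slot option in: $4" >&2; return 1 ;;
    esac
}

# Return 0 if keyfile $1 exists and group/other have no access (-rw-------),
# which is what the umask 0077 in the reply is meant to guarantee.
check_keyfile_perms() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed input: the entry as the installer writes it, plus a keyfile made
# the same way as in the reply (64 random bytes created under umask 0077).
WORK=$(mktemp -d)
printf 'nvme0n1p2_crypt UUID=00000000-0000-0000-0000-000000000000 none luks\n' \
    > "$WORK/crypttab"
( umask 0077 && head -c 64 /dev/urandom > "$WORK/boot.key" )
rewrite_crypttab nvme0n1p2 "$WORK/crypttab"
cat "$WORK/crypttab"   # shows the rewritten entry
check_crypttab_entry "$WORK/crypttab" nvme0n1p2_crypt && check_keyfile_perms "$WORK/boot.key" \
    && echo "crypttab entry and keyfile look right"
```

On a real system, run check_crypttab_entry against /etc/crypttab and check_keyfile_perms against /etc/keys/boot.key after the reply's commands; the second prompt only disappears once the keyfile is actually included in the initramfs (on Debian via KEYFILE_PATTERN in /etc/cryptsetup-initramfs/conf-hook, with UMASK=0077 in /etc/initramfs-tools/initramfs.conf so the image is not world-readable) and update-initramfs has been run.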