I have Ubuntu 18.04 with full disk encryption and two partitions: an EFI ESP and a LUKS1-encrypted root partition (no separate /boot). After installing grub and rebooting, it just shows the normal grub> prompt instead of asking for the LUKS password and booting Ubuntu. The kernel unlocks the root filesystem by using the LUKS keyfile in /etc/luks/boot_os.keyfile.

The grub configuration file in /boot/efi/EFI/ubuntu/grub.cfg doesn't include the cryptomount command, so it's not even trying to unlock the root partition:

    search.fs_uuid ee03828b-76bc-4143-a2fb-f86719a90fca root cryptouuid/88251fdb112a4924a9c69892f17322e8
    set prefix=($root)'/boot/grub'
    configfile $prefix/grub.cfg

If I manually edit this file adding:

    cryptomount -u 88251fdb112a4924a9c69892f17322e8

as the first line, grub asks for password and system boots fine.

How can I convince grub-install to include cryptomount in grub.cfg inside ESP, so that system upgrade won't break my system?

Other config files:

/etc/default/grub

    GRUB_DEFAULT=0
    GRUB_TIMEOUT_STYLE=hidden
    GRUB_TIMEOUT=0
    GRUB_HIDDEN_TIMEOUT=1
    GRUB_HIDDEN_TIMEOUT_QUIET=true
    GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
    GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
    GRUB_CMDLINE_LINUX=""
    GRUB_DISABLE_OS_PROBER=true
    GRUB_ENABLE_CRYPTODISK=y
    GRUB_PRELOAD_MODULES="luks cryptodisk"

/etc/fstab

    # <file system>             <mount point>  <type>  <options>          <dump>  <pass>
    /dev/mapper/nvme0n1p2_crypt /              ext4    errors=remount-ro  0       1
    /swapfile                   none           swap    sw                 0       0
    UUID=6225-46A9              /boot/efi      vfat    defaults           0       1

/etc/crypttab

    # <target name>  <source device>                            <key file>                  <options>
    nvme0n1p2_crypt  UUID=88251fdb-112a-4924-a9c6-9892f17322e8  /etc/luks/boot_os.keyfile   luks,discard

/etc/cryptsetup-initramfs/conf-hook

    KEYFILE_PATTERN=/etc/luks/*.keyfile

Partitions:

    lsblk -e7 -f

    NAME                  FSTYPE      LABEL     UUID                                 MOUNTPOINT
    sda
    ├─sda1                vfat        SYSTEM    E463-AB68
    ├─sda2
    ├─sda3
    └─sda4                ntfs        WinRE_DRV B27667B5766778CD
    nvme0n1
    ├─nvme0n1p1           vfat                  6225-46A9                            /boot/efi
    └─nvme0n1p2           crypto_LUKS           88251fdb-112a-4924-a9c6-9892f17322e8
      └─nvme0n1p2_crypt   ext4                  ee03828b-76bc-4143-a2fb-f86719a90fca /

Also, I don't care about dual-boot right now, so I disabled OS prober in /etc/default/grub.

1 Answer

In /etc/default/grub you took the cryptodisk from an Arch example, right?

Not for Ubuntu. It's Debian. initramfs is compiled differently.

Better add GRUB_ENABLE_CRYPTODISK=y and GRUB_PRELOAD_MODULES="part_gpt part_msdos" just because initramfs is created a different way.

NEVER EVER GRUB_PRELOAD_MODULES="luks cryptodisk" in Ubuntu.

Obey the step to compile the update-initramfs -k all -c the Debian / Ubuntu way. Then "install" grub.

If you like to see a complete process description (warning: in German) look here (proven to work):
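
Added example, not part of the question or the answer above: a shell check to run after grub-install or a package upgrade, which reports whether the grub.cfg on the ESP still runs cryptomount for the LUKS container before it searches for the root filesystem. The function names are hypothetical, and the demo uses constructed copies of the question's files with the dash-free UUID form shown in the question.

```shell
#!/bin/sh
# Added example: verify that the ESP stub grub.cfg unlocks the LUKS container
# before it searches for the root filesystem. Function names are hypothetical.

# Print the UUID of crypttab target $2 (file $1) without dashes, the form
# the question shows after "cryptomount -u" and "cryptouuid/".
crypttab_grub_uuid() {
    awk -v t="$2" '
        /^[ \t]*#/ { next }
        $1 == t && $2 ~ /^UUID=/ {
            u = substr($2, 6); gsub(/-/, "", u); print tolower(u); exit
        }' "$1"
}

# Return 0 if file $1 runs "cryptomount -u $2" before the first line that
# references cryptouuid/$2, 1 if the command is missing or comes too late.
esp_cfg_unlocks_first() {
    awk -v u="$2" '
        /^[ \t]*#/ { next }
        $1 == "cryptomount" && $2 == "-u" && tolower($3) == u { ok = 1 }
        index($0, "cryptouuid/" u) { exit }
        END { exit(ok ? 0 : 1) }' "$1"
}

# $1 = crypttab, $2 = target name, $3 = grub.cfg on the ESP
check_esp_grub() {
    uuid=$(crypttab_grub_uuid "$1" "$2")
    [ -n "$uuid" ] || { echo "no UUID= entry for $2 in $1" >&2; return 2; }
    if esp_cfg_unlocks_first "$3" "$uuid"; then
        echo "ok: $3 unlocks $uuid first"
    else
        echo "MISSING: no 'cryptomount -u $uuid' before the search in $3" >&2
        return 1
    fi
}

# Demo on constructed copies of the question's files; touches nothing real.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '# <target name> <source device> <key file> <options>' \
        'nvme0n1p2_crypt UUID=88251fdb-112a-4924-a9c6-9892f17322e8 /etc/luks/boot_os.keyfile luks,discard' > "$d/crypttab"
    printf '%s\n' 'search.fs_uuid ee03828b-76bc-4143-a2fb-f86719a90fca root cryptouuid/88251fdb112a4924a9c69892f17322e8' \
        "set prefix=(\$root)'/boot/grub'" 'configfile $prefix/grub.cfg' > "$d/grub.cfg"
    rc=0; check_esp_grub "$d/crypttab" nvme0n1p2_crypt "$d/grub.cfg" || rc=$?
    rm -rf "$d"; return $rc
}
```

On the real system the call would be `check_esp_grub /etc/crypttab nvme0n1p2_crypt /boot/efi/EFI/ubuntu/grub.cfg`; a non-zero exit means the next reboot would stop at the grub> prompt described in the question.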
