[pkg-cryptsetup-devel] Bug#1092977: debian-installer: systemd-cryptsetup package not installed on encrypted system
Pascal Hambourg
pascal at plouf.fr.eu.org
Sat May 24 21:02:25 BST 2025
On 24/05/2025 at 21:16, Cyril Brulebois wrote:
> Pascal Hambourg <pascal at plouf.fr.eu.org> (2025-05-24):
>
>> Boot with debian-trixie-DI-rc1-amd64-netinst.iso, expert install, no
>> hack in the shell, encrypted /home using only regular menus ->
>> installed system boot: no passphrase prompt, fallback to emergency
>> shell. Install systemd-cryptsetup -> it works without any additional
>> configuration.
>
> OK, thanks for confirming. I'm not sure if the logic around the
> cryptsetup-initramfs installation did or would pick up that use case.

I do not see why it wouldn't. It works in bookworm.

> Was cryptsetup-initramfs installed?

Yes:

May 24 10:12:30 apt-install: Queueing package cryptsetup-initramfs for later installation

> I'm not sure how to best spot the need for systemd-cryptsetup in those
> cases, I'm really just familiar with the usual guided encrypted LVM
> scenario… If someone wants to propose some logic, I'm all ears.

As you wrote, I think the simpler, safer and more versatile option is to queue
systemd-cryptsetup along with cryptsetup-initramfs so that the behaviour
is the same as in previous releases and won't surprise users.

If you want something more sophisticated, as Guilhem proposed: queue
cryptsetup-initramfs for encrypted /, /usr and swap and queue
systemd-cryptsetup for other encrypted volumes. But despite the mention
in the release notes, some users may be surprised after installing Trixie
without systemd-cryptsetup when later adding an encrypted volume
(requiring systemd-cryptsetup).

> What do /etc/fstab and /etc/crypttab look like?

/etc/fstab:

UUID=e88e70ed-524f-484e-9b26-b8768b7ca641 / ext4 errors=remount-ro 0 1
/dev/mapper/vda2_crypt /home ext4 defaults 0 2
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0

/etc/crypttab:

vda2_crypt UUID=258de875-138e-4c10-8438-d36e287aa880 none luks,discard,x-initrd.attach

As expected, the initramfs /cryptroot/crypttab is empty because there is
no need to mount /home early. A workaround would be to add the option
"initramfs" in /etc/crypttab so that the line is added to the initramfs
crypttab. But I do not advocate it, because any failure would spawn the
initramfs shell, which is much less convenient than the systemd emergency shell.

PS: I suspect the option "x-initrd.attach" is not needed for /home, but
it is probably harmless.
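
The package-selection rule discussed in this message, as an added example that is not part of the original post and is not debian-installer code: it reads an fstab and a crypttab and prints which unlock packages the layout needs. The function names `needed_crypt_pkgs` and `demo_page_layout` are hypothetical, and only fstab entries that name /dev/mapper/<crypttab name> directly are matched (LVM stacked on LUKS is not resolved).

```shell
#!/bin/sh
# Rule from the thread: cryptsetup-initramfs for encrypted /, /usr and swap
# (or crypttab entries carrying the "initramfs" option); systemd-cryptsetup
# for every other encrypted volume.
# Assumption: fstab refers to the mapping as /dev/mapper/<crypttab name>.

needed_crypt_pkgs() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blanks
        FILENAME == ARGV[1] {                       # first file: fstab
            if ($1 ~ /^\/dev\/mapper\//) {
                name = substr($1, 13)               # strip "/dev/mapper/"
                mnt[name] = $2; typ[name] = $3
            }
            next
        }
        {                                           # second file: crypttab
            early = 0
            if (mnt[$1] == "/" || mnt[$1] == "/usr" || typ[$1] == "swap")
                early = 1
            if (("," $4 ",") ~ /,initramfs,/)       # exact option token only
                early = 1
            if (early) initramfs = 1; else late = 1
        }
        END {
            if (initramfs) print "cryptsetup-initramfs"
            if (late) print "systemd-cryptsetup"
        }
    ' "$1" "$2"
}

# Sample input: the fstab and crypttab quoted in the message above.
demo_page_layout() {
    d=$(mktemp -d) || return 1
    cat > "$d/fstab" <<'EOF'
UUID=e88e70ed-524f-484e-9b26-b8768b7ca641 / ext4 errors=remount-ro 0 1
/dev/mapper/vda2_crypt /home ext4 defaults 0 2
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
EOF
    cat > "$d/crypttab" <<'EOF'
vda2_crypt UUID=258de875-138e-4c10-8438-d36e287aa880 none luks,discard,x-initrd.attach
EOF
    needed_crypt_pkgs "$d/fstab" "$d/crypttab"
    rm -rf "$d"
}

demo_page_layout
```

On an installed system the same function can be pointed at /etc/fstab and /etc/crypttab and its output compared with the packages actually present.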