[pkg-cryptsetup-devel] Bug#1140141: cryptsetup: Failure to boot fresh install via cryptroot-unlock with an encrypted home partition
Alez
alez at mailbox.org
Tue Jun 16 16:38:29 BST 2026
Hmm. As far as the installer goes, having the debian-installer mark the
device with `x-initrd.attach` which appears to have similar
functionality (systemd format) but not `initramfs` seems like an
oversight or a bug in itself. The installer should leave the computer in
a bootable state. I suppose the installer should either also add the
`initramfs` option, or else the `x-initrd.attach` flag it already adds
should produce similar behaviour for the purposes of determining drives
required at initramfs time.
On Tue, 16 Jun 2026 16:07:46 +0200 Guilhem Moulin <guilhem at debian.org>
wrote:
> Hi,
>
> On Tue, 16 Jun 2026 at 08:02:47 -0500, Alex wrote:
> > I created a fresh install of Debian Trixie with the installation
> > media. During the installation, I created a separate partition for
> > /home in a LUKS encrypted device.
> > Upon booting for the first time, I could unlock these devices and
> > boot normally by interacting directly with the physical computer,
> > but when attempting to log in remotely via dropbear and unlock with
> > cryptroot-unlock, I was unable to do so successfully (I was not
> > prompted to unlock the /home device).
> >
> > I tested with only an encrypted /root separate from /boot. Using
> > the same procedure, I was able to successfully boot using dropbear
> > and cryptroot-unlock in this case.
> >
> > It appears that cryptroot-unlock does not properly prompt for all
> > required boot devices even when booting can take place correctly via
> > the normal terminal when interacting directly with the physical
> > computer.
>
> cryptroot-unlock processes only devices that are configured for
> unlocking at initramfs stage there. Either because they are required
> (the device is holding the root file system, /usr, or the resume
> device), or because they have been manually configured with the
> `initramfs` crypttab(5) option.
>
> It appears your device is not configured to be unlocked at initramfs
> stage. When at the computer (not remotely), the unlocking happens by
> systemd later in the boot process. Use the `initramfs` crypttab(5)
> option and rebuild the initramfs if you want to unlock it at initramfs
> stage instead.
>
> --
> Guilhem.
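
Added example, not part of either message in this thread: a small audit that applies the rule described in the quoted reply to a crypttab and reports which mappings would be handled at initramfs stage and which are left for later in boot. The crypttab and fstab contents are constructed samples, the function names are hypothetical, and the mapping from `/dev/mapper/<name>` to a mount point is a simplifying assumption (no LVM layer, resume device not modelled).

```python
# Added example: classify crypttab entries by the boot stage that unlocks them.
# Sample files are constructed for illustration, not taken from the thread.
CRYPTTAB = """\
# <name>      <source device>   <key file>  <options>
root_crypt    UUID=aaaa-1111    none        luks,discard,x-initrd.attach
home_crypt    UUID=bbbb-2222    none        luks,discard,x-initrd.attach
data_crypt    UUID=cccc-3333    none        luks,initramfs
"""
FSTAB = """\
/dev/mapper/root_crypt  /      ext4  errors=remount-ro  0 1
/dev/mapper/home_crypt  /home  ext4  defaults           0 2
/dev/mapper/data_crypt  /srv   ext4  defaults           0 2
"""
# File systems the reply lists as required early (resume device not modelled).
EARLY_MOUNTS = {"/", "/usr"}

def rows(text):
    """Yield whitespace-split fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def classify(crypttab, fstab):
    """Return {mapping name: stage description} for every crypttab entry."""
    mounts = {}
    for f in rows(fstab):
        if len(f) >= 2 and f[0].startswith("/dev/mapper/"):
            mounts[f[0][len("/dev/mapper/"):]] = f[1]
    result = {}
    for f in rows(crypttab):
        name = f[0]
        opts = set(f[3].split(",")) if len(f) > 3 else set()
        if mounts.get(name) in EARLY_MOUNTS:
            result[name] = "initramfs (required)"
        elif "initramfs" in opts:
            result[name] = "initramfs (option)"
        elif "x-initrd.attach" in opts:
            result[name] = "late boot; x-initrd.attach set, initramfs missing"
        else:
            result[name] = "late boot"
    return result

if __name__ == "__main__":
    for name, stage in classify(CRYPTTAB, FSTAB).items():
        print(f"{name:12} {stage}")
```

On the sample data, `home_crypt` is the only entry reported as left for late boot, which matches the situation described in the report.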