Bug#927165: debian-installer: improve support for LUKS

Guilhem Moulin guilhem at debian.org
Mon Jun 10 16:01:48 BST 2019


Hi there,

On Mon, 15 Apr 2019 at 23:24:19 +0200, Cyril Brulebois wrote:
>>> One could argue that cryptodisk support has never been supported by
>>> d-i anyway,
>>
>> Yup, and I suppose that's why I overlooked this in my mail to
>> debian-boot :-P  Jonathan Carter had a similar report last week
>>
>> https://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/2019-April/008196.html
>
> While I'm usually fine to dismiss some bug reports as “it's unsupported,
> sorry”, making users' life harder doesn't seem really reasonable… :/

During last week's gathering at MiniDebConf Hamburg we (cryptsetup package
maintainer + KiBi) talked and came up with the following guide/notes:

    https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html

I believe it covers the easiest way to set up GRUB unlocking, i.e., starting
from d-i's "encrypted LVM" partitioning method.  Tested with Debian
Installer Buster RC1, but should™ be relevant with:

  - Any d-i supporting the "encrypted LVM" partitioning method where
    encrypted volumes have LUKS headers.  (Since Lenny?  Or perhaps even Etch,
    don't remember if Etch had support for LUKS already, or only plain
    dm-crypt and loop-AES.)
  - Any GRUB2 ≥2.00-1, so very early in Jessie's release cycle.
  - Any cryptsetup version, whether the default LUKS format version is 1
    (pre-Buster) or 2 (since 2:2.1.0-1, now in Buster).

The aim of our document is to describe how to set up GRUB unlocking from an
existing “standard” installation (thus subject to partman-partitioning's
limitations).  We aim to follow future d-i versions; should native support
for encrypted /boot (which — as of GRUB 2.02 — requires the underlying
device to be formatted as LUKS1) be implemented at some point, that'll be
documented there.

We also propose to add a link to this document from the release notes:
https://salsa.debian.org/ddp-team/release-notes/merge_requests/29 .

Cheers,
-- 
Guilhem.

PS. I've used GRUB unlocking on several devices (sometimes bypassing
    partman, sometimes not) since before Wheezy was released, and should
    have written that guide & shipped it to the cryptsetup package years ago
    (the closest form that comes to mind is my talk at DebConf18 which was
    not so detailed)… apologies for not doing so earlier.  I'm also a bit
    sad to have missed https://lists.debian.org/debian-boot/2019/01/msg00035.html .
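A pre-flight check for the LUKS1 requirement mentioned above, added here as an example and not part of this thread or of the cryptsetup-team guide: it reads the format version straight from the on-disk LUKS header (magic "LUKS\xba\xbe", then a big-endian 16-bit version at byte offset 6) and reports whether GRUB 2.02's cryptodisk support can unlock the device before GRUB_ENABLE_CRYPTODISK is turned on. The device path in the usage line and the `cryptsetup convert` hint are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the encrypted-boot guide).
# GRUB 2.02 can only unlock LUKS1 headers, while cryptsetup 2:2.1.0-1 and
# later format LUKS2 by default, so check the header before relying on
# GRUB_ENABLE_CRYPTODISK for an encrypted /boot.

# Print the LUKS header version (1 or 2) of a block device or image file.
# Returns 1 if the first six bytes are not the LUKS magic.
luks_header_version() {
    dev="$1"
    magic=$(dd if="$dev" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ] || return 1
    # Bytes 6-7: big-endian uint16 format version.
    dd if="$dev" bs=1 skip=6 count=2 2>/dev/null | od -An -tu1 \
        | awk '{ print $1 * 256 + $2 }'
}

# Succeeds only for a LUKS1 header, the sole format GRUB 2.02 unlocks.
# Returns 2 when the device carries no LUKS header at all.
grub_can_unlock() {
    ver=$(luks_header_version "$1") || return 2
    [ "$ver" = "1" ]
}

# Human-readable verdict for the device backing /boot.
check_boot_luks() {
    if grub_can_unlock "$1"; then
        echo "$1: LUKS1 header, GRUB 2.02 cryptodisk can unlock it"
        return 0
    fi
    echo "$1: no LUKS1 header; GRUB 2.02 cannot unlock it." >&2
    echo "  (a convertible LUKS2 header can be downgraded with" >&2
    echo "   'cryptsetup convert --type luks1 <device>')" >&2
    return 1
}

# Usage (device path is an assumption):  check_boot_luks /dev/sda5
```

Run it as root against the LUKS device holding /boot (or an image of its header); a non-zero exit means GRUB will not be able to unlock it as-is.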