Bug#1108047: grub-common: GRUB_ENABLE_CRYPTODISK=y silently dropped
Anonymous
sterlingdrake094 at gmail.com
Thu Jun 19 18:26:56 BST 2025
Package: grub-common
Version: 2.12-8
Severity: important
Dear Maintainers,
The upgrade to GRUB 2.12-8 on my system (UEFI + Secure Boot enabled, full disk encryption including /boot inside LUKS1) silently replaced my /etc/default/grub file and removed GRUB_ENABLE_CRYPTODISK=y.
grub-install failed with the error:
grub-install: feil: du forsøkte å installere på kryptert disk uten å slå på cryptodisk først. Endre eller legg til «GRUB_ENABLE_CRYPTODISK=y» i fila «/etc/default/grub».
I was not prompted to resolve the config file conflict during the upgrade. Instead, my previous config was saved as /etc/default/grub.ucf-old, and the new version was installed silently. This behavior is unexpected and risky, as it can leave encrypted systems unbootable after upgrade.
System details:
Debian Testing (trixie)
Secure Boot enabled
LUKS1 encryption on root and swap
/boot resides inside the encrypted root
GRUB_ENABLE_CRYPTODISK was previously set
Best regards
More information about the Pkg-grub-devel
mailing list