/etc/crypttab:

lvm_crypt UUID=<luks-uuid> none luks

/etc/fstab:

/dev/vg00/lvol_devuan_swap	none	swap	sw	0	0
/dev/vg00/lvol_devuan_system	/	ext4	defaults,noatime	0	1
UUID=<boot-uuid>	/boot	ext4	defaults,noatime0	2

I had to update-initramfs -u -k all and update-grub.

Now it works without any problems! I can also hibernate and resume from the encrypted swap partition.

Thank you guys for all your help!

Does hibernate work with a swap partition inside an LVM?

It does on my PC (AMD5600G, Chimaera, emulated legacy boot, no encryption, kernel 5.18.0-0.deb11.4-amd64. RAID1).

I'm still finding hibernation a bit flaky - sometimes it attempt a reboot and I have to kill it with the power button (but then still resumes OK subsequently).

If you were to try to hibernate to a swapfile one obvious, bur solvable, problem is that you would have to make it significantly larger than 256Mb as it has to have space for what's in your RAM).

Any installer will do, there is nothing special to be done to make grub boot an encrypted root. I am using FDE with unencrypted /boot and an LVM in an encrypted partition for / and /swap for many years now, no issues. Legacy Bios or efi, mbr or gpt do not matter, all combinations work.

Does hibernate work with a swap partition inside an LVM?

refractainstaller does the following, where bs=1024 and count=1048576:

        dd if=/dev/zero of=/target/swapfile bs="$swapfile_blocksize" count="$swapfile_count" ; check_exit 
        mkswap /target/swapfile ; check_exit 
        chmod 600 /target/swapfile

The values for bs and count are in /etc/refractainstaller in case anyone wants to change the size of the swapfile. Currently it's set to 256mb. And then you have to edit the swap entry in /etc/fstab. Mine looks like this:

/swapfile	none	swap	sw	0	0

Should I create / and swap partitions inside an LVM as rolfie has suggested or is it possible to create a swap file on the encrypted file system?

I don't know the details of how it works, but grub has modules for crypto and for luks. Look under /boot/grub/.

Yeah, I almost warned you about the double password entry. It's very slow, too. I should have said that I recommend it if that's what you really want. Another way to make /boot secure is to remove it from the hard disk and put it on a usb stick. Then you can't boot without the stick. (also inconvenient.)

I think having /boot unencrypted is not really an issue for me, because it does not contain any personal data anyway. Sorry if the title was misleading.

How does the kernel know where to find the system-uuid? It is inside the LUKS partition. To see the UUID of the encrypted partition it would have to decrypt the LUKS partition first. How does it work?

Have a look at /etc/crypttab. The contents of this file is one of the inputs for grub and the initramfs.

Which partitioning software is it in this documentation?

These are pictures taken from the standard installer in normal mode.

Yeah, I almost warned you about the double password entry. It's very slow, too. I should have said that I recommend it if that's what you really want. Another way to make /boot secure is to remove it from the hard disk and put it on a usb stick. Then you can't boot without the stick. (also inconvenient.)

menuentry 'Devuan GNU/Linux' --class devuan --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-<system-uuid>' {
	load_video
	insmod gzio
	if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
	insmod part_msdos
	insmod ext2
	set root='hd0,msdos2'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2  <boot-uuid>
	else
	  search --no-floppy --fs-uuid --set=root <boot-uuid>
	fi
	echo	'Loading Linux 5.18.0-0.bpo.1-amd64 ...'
	linux	/vmlinuz-5.18.0-0.bpo.1-amd64 root=UUID=<system-uuid> ro  text iomem=relaxed
	echo	'Loading initial ramdisk ...'
	initrd	/initrd.img-5.18.0-0.bpo.1-amd64
}

How does the kernel know where to find the system-uuid? It is inside the LUKS partition. To see the UUID of the encrypted partition it would have to decrypt the LUKS partition first. How does it work?

First I tried without a separate /boot partition, but then I had to enter the disk password twice during boot: Once to start GRUB and then to boot Devuan. GRUB takes 17 seconds to decrypt which was very annoying.

Then I tried a different configuration with a separate /boot partition (also with refractainstaller), and it worked perfectly! GRUB starts without a password and I only have to enter the password to boot Devuan.

There is a guide for guided setup at: https://www.devuan.org/os/documentation … encryption which is much easier.

Which partitioning software is it in this documentation?