Yes!!!! Success!!! Thank you fsmithred!!
Your hint about keyfiles, I couldn't find an exact post. This one https://dev1galaxy.org/viewtopic.php?id=597 has an unencrypted boot, encrypted root. But searching, found https://cryptsetup-team.pages.debian.ne … -boot.html
Root at install is LUKS1 encrypted. So only section 4 is needed. Boot is already on the root partition. So I only needed to follow the steps in section
4 Avoiding the extra password prompt
Reboot and success!
golinux: Found why the code buttons didn't work previously. Plugins. The posts today were on mobile without them. Added exception rules for the site.
face palm
It uses square brackets not < > . Thanks for that. How'd I miss the buttons!
Is there an option to make the forums more mobile friendly?
Secure boot: In the BIOS is an option to use it, or use legacy. Also an option to try different combinations.
I don't think it's the problem. As I get the boot is happening. I think some config setting that's not getting the right volume for root_fs.
Grub unlocks root_fs to load the kernel from. So it's unlocked initially.
Secure boot turned on or off makes no difference to this.
The system boots. I just need to enter the crypt password twice.
I want to stop that.
I used the code tags, but preview of the post didn't show any change. The help showed indenting at least 2 spaces was the alternative.
But, that doesn't help the readability either.
Edit: Looked into secure boot more. Secure boot is turned on in the BIOS, but secure boot is NOT being used.
mokutil --sb-state
SecureBoot disabled
Platform is in Setup Mode
Found https://wiki.debian.org/SecureBoot but decided not to test it.
Chimaera desktop-live used.
Lenovo x230
Booted desktop-live and installed to /dev/sda2, chose encrypted root. No separate boot partition. /dev/sda1 is the EFI partition. Installed boot loader. No errors during the install. On reboot the boot failed. HD not recognised as a bootable device. Booted from the desktop-live usb again. Decrypted /dev/sda2, chroot'ed into the install and ran
grub-install --uefi-secure-boot --target=x86_64-efi /dev/sda
Installing for x86_64-efi platform.
Installation finished. No error reported.
Reboot:
Attempting to decrypt master key...
Enter passphrase for hd0,gpt2 (94454ab59343fd43c99):
I enter the sda2 crypt password and the screen changes to graphical options, and I pick:
Booting 'Devuan GNU/Linux'
Loading Linux 5.10.0-19-amd64 ...
Loading initial ramdisk ...
But then it drops back to console:
[ 0.190978] x86/cpu: VDX (outside TXT) disabled by BIOS
[ 2.425227] integrity: Couldn't parse dbx signatures: -74
Please unlock disk root_fs: _
If I enter the crypt password again, the boot continues and I can log in.
VDX (outside TXT) disabled by BIOS
I have these options turned off in the BIOS. Turning them on makes no difference to the boot. Adds a few more error messages if they are on. I don't know why I have them off atm.
Turning secure boot on/off in the BIOS doesn't matter
I think it's a configuration issue with grub? sda2 is decrypted by grub to show the menu, and to be able to start loading the ramdisk. After much troubleshooting editing files, gave up. Ran the installer again.
Only option I picked from the installer was encrypted root. I also chose to install the bootloader. The install completed without problems. Reboot and the problem of two password prompts persists. I unlock grub, get the GUI boot option menu, select and ramdisk starts to load before dropping back to the console for password. After which the system boots.
How can I fix this so I don't need to enter the disk encryption password twice?
Here are the current files:
cat /etc/crypttab
# <target name> <source device> <key file> <options>
root_fs UUID=68355f0d-4b1f-428f-85e0-7bdc0fc63f2c none luks
cat /etc/fstab
/dev/mapper/root_fs / ext4 defaults,noatime 0 1
/swapfile none swap sw 0 0
UUID=10D7-FB08 /boot/efi vfat umask=0077 0 1
cat /etc/default/grub
# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
# info -f grub -n 'Simple configuration'
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""
# Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
#GRUB_GFXMODE=640x480
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true
# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_RECOVERY="true"
# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"
GRUB_THEME=/usr/share/desktop-base/grub-themes/desktop-grub-theme/theme.txt
GRUB_ENABLE_CRYPTODISK=y
sudo fdisk -l
Disk /dev/sda: 119.24 GiB, 128035676160 bytes, 250069680 sectors
Disk model: SAMSUNG MZ7PA128
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 65F1E106-FA8A-47F1-BB09-4CF534271C34
Device Start End Sectors Size Type
/dev/sda1 2048 616447 614400 300M EFI System
/dev/sda2 616448 250068991 249452544 118.9G Linux filesystem
Disk /dev/mapper/root_fs: 118.95 GiB, 127717605376 bytes, 249448448 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
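Added example, not part of the original posts: a small check that reads the two files shown above and reports whether a second passphrase prompt is expected. GRUB unlocks the volume only for itself, so the initramfs asks again whenever the key file field in crypttab is `none`. The function name `classify_unlock`, the sample files and the key file path `/etc/keys/root.key` are assumptions made for illustration.

```shell
#!/bin/sh
# Classify how one crypttab target gets unlocked at boot.
# Prints: double-prompt | keyfile | no-grub-cryptodisk | missing-target
classify_unlock() {
    crypttab=$1; grubdefault=$2; target=$3

    # Field 3 of crypttab is the key file; "none", "-" or an empty
    # field means the initramfs asks for a passphrase.
    keyfield=$(awk -v t="$target" \
        '$1 == t { print ($3 == "" ? "none" : $3); exit }' "$crypttab")
    [ -n "$keyfield" ] || { echo missing-target; return; }

    # GRUB only opens LUKS volumes itself when this setting is enabled.
    if ! grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK="?y"?[[:space:]]*$' \
            "$grubdefault"; then
        echo no-grub-cryptodisk; return
    fi

    case $keyfield in
        none|-) echo double-prompt ;;  # GRUB prompts, then initramfs prompts
        *)      echo keyfile ;;        # initramfs can unlock without asking
    esac
}

# Constructed sample files modelled on the ones posted above.
tmp=$(mktemp -d)
printf '%s\n' '# <target name> <source device> <key file> <options>' \
    'root_fs UUID=68355f0d-4b1f-428f-85e0-7bdc0fc63f2c none luks' \
    > "$tmp/crypttab"
# Same entry with a key file set (hypothetical path, assumption).
printf '%s\n' \
    'root_fs UUID=68355f0d-4b1f-428f-85e0-7bdc0fc63f2c /etc/keys/root.key luks' \
    > "$tmp/crypttab.keyfile"
printf '%s\n' 'GRUB_TIMEOUT=5' 'GRUB_ENABLE_CRYPTODISK=y' > "$tmp/grub"
printf '%s\n' 'GRUB_TIMEOUT=5' > "$tmp/grub.plain"

echo "as posted:    $(classify_unlock "$tmp/crypttab" "$tmp/grub" root_fs)"
echo "with keyfile: $(classify_unlock "$tmp/crypttab.keyfile" "$tmp/grub" root_fs)"
```

On a real system the same function can be pointed at `/etc/crypttab` and `/etc/default/grub`. A key file that ends up inside the initramfs should be readable by root only, since anyone who can read the initramfs can read the key.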