how can I install a boot for my encrypted root partition?


From what I know, you do not need to set GRUB_CMDLINE_LINUX to your crypto block device. Instead, make sure the following is OK:

  1. Installing grub: Make sure grub is installed on your /boot partition. If it still complains about ext2, then format your /boot to ext3 or ext4 (I am assuming you have no valuable data whatsoever on your /boot partition).

I recommend the following clean way (from a liveUSB or your rescue disk):

    sudo -i
    cryptsetup open /dev/sda5 my_encrypted_device
    mount /dev/mapper/my_encrypted_device /mnt
    mount --bind /dev/ /mnt/dev && mount --bind /dev/pts /mnt/dev/pts && mount --bind /proc /mnt/proc && mount --bind /sys /mnt/sys
    mount /dev/<YOUR_BOOT_PARTITION> /mnt/boot
    chroot /mnt
    apt purge --auto-remove grub-pc

Hit Enter to confirm the removal.

    apt install grub-pc

Inside the terminal, use the spacebar to select where to install grub, then press Tab, then Enter.

  2. /etc/crypttab: Your entry should be in the form:

    TARGET SOURCE_DEVICE KEY_FILE OPTIONS

(e.g. my_encrypted_device /dev/sda5 none luks)

Remember that the key file parameter none requests the key file to be given interactively by the user.

  3. /etc/fstab: The first field of your / entry should contain the same device mapping name (i.e. my_encrypted_device)
  4. update-initramfs: DO NOT FORGET TO UPDATE YOUR RAM FILESYSTEM! update-initramfs -u -k all

You should have a working boot-up now.

Note: GRUB could be installed on your encrypted device as you said.
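The answer's four steps, as one added shell script (not code from the original answer): a check that the first field of the / entry in /etc/fstab and the TARGET in /etc/crypttab agree (a mismatch there means the initramfs never sets up the mapping the root filesystem is on), and the rescue-disk chroot sequence that runs that check against the mounted system before reinstalling grub-pc and rebuilding the initramfs. The device names /dev/sda, /dev/sda1 (unencrypted /boot) and /dev/sda5 (LUKS root) and the mapping name my_encrypted_device are assumptions carried over from the answer. On Ubuntu, initramfs-tools takes the mapping from /etc/crypttab rather than from a cryptdevice= kernel parameter, which is why the check looks only at those two files.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumptions taken from the
# answer: /dev/sda is the BIOS boot disk, /dev/sda1 the unencrypted /boot,
# /dev/sda5 the LUKS container, my_encrypted_device the mapping name.

# check_root_mapping CRYPTTAB FSTAB
# Succeeds when fstab's "/" entry is /dev/mapper/<target> and <target> is a
# crypttab target. Comment and blank lines in either file are skipped.
check_root_mapping() {
    crypttab="$1"
    fstab="$2"
    rootdev=$(awk '$0 !~ /^[[:space:]]*#/ && NF >= 2 && $2 == "/" { print $1; exit }' "$fstab")
    if [ -z "$rootdev" ]; then
        echo "check: no / entry in $fstab" >&2
        return 1
    fi
    case "$rootdev" in
        /dev/mapper/*) target="${rootdev#/dev/mapper/}" ;;
        *) echo "check: / is on $rootdev, not a /dev/mapper device" >&2; return 1 ;;
    esac
    if awk -v t="$target" \
         '$0 !~ /^[[:space:]]*#/ && NF >= 2 && $1 == t { found = 1 } END { exit found ? 0 : 1 }' \
         "$crypttab"; then
        echo "check: / on $rootdev is unlocked by crypttab target $target"
        return 0
    fi
    echo "check: fstab expects mapping $target but $crypttab defines no such target" >&2
    return 1
}

# Offline demonstration on constructed files: a consistent pair built from the
# answer's example, then a constructed mismatched pair in which fstab names the
# mapping cryptroot (as on the kernel command line in the question) while the
# crypttab target is sda5_crypt. Returns 0 when the check behaves as intended.
demo_check() {
    tmp=$(mktemp -d) || return 1
    printf 'my_encrypted_device /dev/sda5 none luks\n' > "$tmp/crypttab"
    printf '/dev/mapper/my_encrypted_device / ext4 errors=remount-ro 0 1\n/dev/sda1 /boot ext4 defaults 0 2\n' > "$tmp/fstab"
    check_root_mapping "$tmp/crypttab" "$tmp/fstab" && good=0 || good=1
    printf 'sda5_crypt UUID=8711af09-1c70-414a-af43-e859ddabf09f none luks,discard\n' > "$tmp/crypttab"
    printf '/dev/mapper/cryptroot / ext4 errors=remount-ro 0 1\n' > "$tmp/fstab"
    check_root_mapping "$tmp/crypttab" "$tmp/fstab" 2>/dev/null && bad=0 || bad=1
    rm -rf "$tmp"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

# The answer's rescue procedure, to be run as root from a live USB on a BIOS
# (i386-pc) machine. The check runs against the target system before anything
# is reinstalled; grub-pc is then installed to the whole disk (/dev/sda, not a
# partition, which is what the "embedding is not possible" error complains
# about) and the initramfs is rebuilt last so it reflects the current crypttab.
rescue_reinstall_grub() {
    set -e
    cryptsetup open /dev/sda5 my_encrypted_device
    mount /dev/mapper/my_encrypted_device /mnt
    mount /dev/sda1 /mnt/boot
    for d in dev dev/pts proc sys; do
        mount --bind "/$d" "/mnt/$d"
    done
    check_root_mapping /mnt/etc/crypttab /mnt/etc/fstab
    chroot /mnt /bin/sh -e <<'EOF'
export DEBIAN_FRONTEND=noninteractive
apt purge --auto-remove -y grub-pc
apt install -y grub-pc
grub-install /dev/sda
update-grub
update-initramfs -u -k all
EOF
}

# "sh script.sh demo" runs only the offline check; rescue_reinstall_grub is
# invoked by hand, as root, once the device names have been verified.
if [ "${1:-}" = demo ]; then
    demo_check && echo "demo: check behaved as expected"
fi
```

The check is deliberately run before apt touches anything: once the mapping name in fstab and the crypttab target match, the rebuilt initramfs will prompt for the passphrase and unlock the right device, which is the point at which the boot in the question was stalling.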


Author: nic ferrier

Updated on September 18, 2022

Comments

  • nic ferrier over 1 year

    I dist upgraded and lost the kernel on my boot partition somehow.

    I've managed to restore most of it (by booting an old 14, mounting the encrypted partition and chrooting into it - hence the /mnt below) but I still can't boot. It never asks for my root partition password and gets stuck inside an initramfs shell.

    I've tried adding this to /etc/default/grub

    GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-uuid/8711af09-1c70-414a-af43-e859ddabf09f:cryptroot root=/dev/mapper/cryptroot"
    

    where that UUID is in my /etc/crypttab:

    sda5_crypt UUID=8711af09-1c70-414a-af43-e859ddabf09f none luks,discard
    

    but when I do that and run grub-install like so:

    grub-install --boot-directory=/mnt/boot /dev/sda1
    

    I get this:

    Installing for i386-pc platform.
    grub-install: error: attempt to install to encrypted disk without cryptodisk enabled. Set `GRUB_ENABLE_CRYPTODISK=1' in file `/etc/default/grub'..
    

    From what I can find GRUB_ENABLE_CRYPTODISK is only for when you're encrypting your whole disk - I'm not. I've got a separate EXT2 boot partition mounted on /boot (or /mnt/boot on the USB booted machine).

    When I do turn on that option:

    GRUB_ENABLE_CRYPTODISK=y
    

    and run the grub-install, I get:

    Installing for i386-pc platform.
    grub-install: warning: Filesystem `ext2' doesn't support embedding.
    grub-install: error: embedding is not possible, but this is required for RAID and LVM install.
    

    All the examples I can find seem to be for whole disc installs, no one seems to be talking about this case.

    Please help!

    • oldfred over 7 years
      You have to mount both / which is your encrypted partition, so unencrypt it also. And also mount /boot. Then grub install should work. May be easier to use Boot-Repair, but you have to help Boot-Repair by unencrypting your / (root) and checking that you have a separate /boot (it usually knows). help.ubuntu.com/community/Boot-Repair If embedding is mentioned you are installing to a partition like sda1, when you should install to sda. Or you have gpt and do not have a bios_grub partition.