How to get grub to boot from a newly encrypted partition
After looking through a bunch of different tutorials, guides, and docs, I solved it. I believe these were the necessary steps to fix:
I started Ubuntu from a Live USB stick, unlocked and mounted sda7, then inside it added an entry in /etc/crypttab for the encrypted partition:
sda7_crypt UUID=8fa9b089-… none luks
Modified my /etc/fstab entry to use the new mapped name instead of the UUID of the drive:
/dev/mapper/sda7_crypt / ext4 errors=remount-ro 0 1
And finally, modified the /etc/default/grub file to add:
GRUB_CMDLINE_LINUX="rd.luks.name=8fa9b089-…=sda7_crypt"
Then I installed grub-customizer on the Live USB and started it. It gave me an error message and a button to "change environment"; I selected the unlocked sda7 partition and clicked the checkboxes to mount /boot and /boot/efi.
Then "Save" in grub-customizer, and reboot. Magic!
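A consistency check for the three files edited in the answer above, as an added example that is not part of the original post: it confirms that the root entry in fstab uses a /dev/mapper name, that crypttab defines that name with a UUID, and that GRUB_CMDLINE_LINUX carries the same UUID and name. The function names and the sample UUID are constructed for illustration.

```bash
# Added example (not from the original post): cross-check the three files the
# answer edits. Returns 0 when they agree, 1 (with a message) when they do not.
check_luks_boot_config() {
    local crypttab="$1" fstab="$2" grubdef="$3" root_dev name uuid cmdline

    # fstab: device of the non-comment entry mounted at "/"
    root_dev=$(awk '$1 !~ /^#/ && $2 == "/" {print $1; exit}' "$fstab")
    case $root_dev in
        /dev/mapper/*) name=${root_dev#/dev/mapper/} ;;
        *) echo "fstab: root is '$root_dev', not a /dev/mapper/ name"; return 1 ;;
    esac

    # crypttab: <name> UUID=<LUKS container UUID> <keyfile> <options>
    uuid=$(awk -v n="$name" '$1 == n && $2 ~ /^UUID=/ {print substr($2, 6); exit}' "$crypttab")
    if [ -z "$uuid" ]; then
        echo "crypttab: no UUID= entry named '$name'"; return 1
    fi

    # /etc/default/grub: the last GRUB_CMDLINE_LINUX assignment wins
    cmdline=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$grubdef" | tail -n 1)
    case " $cmdline " in
        *" rd.luks.name=$uuid=$name "*) return 0 ;;
    esac
    echo "grub: GRUB_CMDLINE_LINUX lacks rd.luks.name=$uuid=$name"; return 1
}

# Constructed sample files. The UUIDs are placeholders: $2 stands for the LUKS
# container (what blkid reports for the raw partition), $3 for the value put in
# GRUB_CMDLINE_LINUX.
write_sample_config() {
    mkdir -p "$1"
    printf '%s\n' "sda7_crypt UUID=$2 none luks" > "$1/crypttab"
    printf '%s\n' '/dev/mapper/sda7_crypt / ext4 errors=remount-ro 0 1' > "$1/fstab"
    printf '%s\n' "GRUB_CMDLINE_LINUX=\"rd.luks.name=$3=sda7_crypt\"" > "$1/grub"
}

demo() {
    local d luks=11111111-1111-1111-1111-111111111111
    d=$(mktemp -d) || return 1
    write_sample_config "$d" "$luks" "$luks"
    check_luks_boot_config "$d/crypttab" "$d/fstab" "$d/grub" && echo "consistent"
    rm -rf "$d"
}
demo
```

From the live USB, point it at the files under the mounted root, for example /mnt/etc/crypttab, /mnt/etc/fstab and /mnt/etc/default/grub (the /mnt mount point is an assumption).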
Comments
-
Daniel over 1 year
I recently encrypted my root partition (sda7) with luksipc. It worked well, I can unlock the partition and mount it when running from a live USB, but the OS doesn't load anymore.
My system has 4 relevant partitions:
/dev/sda1 - EFI
/dev/sda5 - boot
/dev/sda7 - root (now encrypted with LUKS)
/dev/sda8 - swap
I only modified sda7, and I haven't modified my /etc/fstab, /etc/crypttab, and /etc/grub.d/ files because I didn't know what to put in them. This is what I need help with!
My /etc/fstab contains:
UUID=211bd0c8-… / ext4 errors=remount-ro 0 1
(221bd0c8-… being the UUID of the unlocked sda7)
My /etc/crypttab contains an entry for the swap partition (sda8) but nothing for the encrypted sda7 (UUID=8fa9b089-…)
My /boot/grub/grub.cfg has:
linux /vmlinuz-4.15.0-36-generic root=UUID=221bd0c8-… ro quiet splash $vt_handoff
initrd /initrd.img-4.15.0-36-generic
I'm not sure how this file is generated, but I used to use grub-customizer to edit my boot menu before :)
How can I get my laptop back? (without restoring a backup that is)
-
Tiberiu Golaes about 3 years
Thanks for your efforts. So your final setup doesn't have /boot partition encrypted, right? I was trying to set up a whole disk encryption with a single LUKS partition recently (which is mapped into /boot /root /home /var, all encrypted). Last time I did it several years ago I found it non-trivial and gave up (left /boot unencrypted). Now checking again.
-
Daniel about 3 years
@DmitrySomov you're right, my /boot isn't encrypted. I didn't even know that's possible with a simple grub setup!