johndoe31415 / luksipc

Official master repository of the LUKS in-place-conversion utility (luksipc)
GNU General Public License v3.0

document how to update GRUB after conversion #12

Closed jkldgoefgkljefogeg closed 7 years ago

jkldgoefgkljefogeg commented 8 years ago

I followed the documentation and encrypted the root partition (Ubuntu 16.04 with a separate /boot partition, unencrypted). After rebooting it is stuck in the GRUB terminal. I added cryptdevice directives to GRUB_CMDLINE_LINUX but it did not help.

johndoe31415 commented 8 years ago

When you re-encrypt your root partition, you need to take several additional steps (which have nothing to do with luksipc, really):

  1. Create an updated /etc/crypttab
  2. update-initramfs
  3. Edit /etc/fstab to mount /dev/mapper/XYZ instead of UUID=112233-44-556677
  4. update-grub to have kernel command line.

I suggest you boot into a rescue Linux and do these steps and see if they work -- without additional help, I fear that I cannot remotely diagnose what is going on on your system. Which of these points have you already done?

jkldgoefgkljefogeg commented 8 years ago

I made a typo. It's not re-encrypting, it's encrypting an ext4 root partition that was previously unencrypted. I did update crypttab and fstab, and also added cryptdevice directives to GRUB_CMDLINE_LINUX. In crypttab I had root UUID=xxxx none luks, but update-initramfs failed with unable to find root

johndoe31415 commented 8 years ago

It's very difficult for me to follow what is going on. Please be as verbose as possible and post copy and paste of the error messages you saw. It appears superficially that you tried to run update-initramfs when you didn't have the LUKS mapping active and mounted, can that be? You need to mount your whole crypto-root device as you want it in the final configuration (including the device mapper name you specify in /etc/crypttab), bind-mount /dev, /proc and /sys, chroot into your new crypto-root system and execute update-initramfs from there. Did you do this?

johndoe31415 commented 8 years ago

Side note: I'm not sure what the "cryptdevice" directive for the kernel command line is supposed to do, but I'm very sure it's not needed. I've several crypto-root systems running and have never used that cmdline switch.

jkldgoefgkljefogeg commented 8 years ago

cryptdevice is mentioned on archlinux wiki dm-crypt/System configuration Dm-crypt and dm-crypt/Device encryption

Ubuntu 16.04 LTS

/boot (EFI) and / in ext4 no separate /home partition, no LVM

Boot with Ubuntu Live CD, shrink root partition 100M at the end

./luksipc -d /dev/loop0 successfully finished

added key 1 and disabled key 0, verified with cryptsetup luksDump /dev/loop0

cryptsetup luksOpen /dev/loop0 newcryptofs success

resize2fs /dev/mapper/newcryptofs asked to fsck, successfully resized after fsck

reboot, stuck in grub terminal

boot Ubuntu Live CD, cryptsetup luksOpen /dev/loop0 newcryptofs, mount /dev/mapper/newcryptofs, /dev, /proc, unencrypted /boot (the partition on harddrive) partition to /mnt

chroot to /mnt

edit etc/defaults/grub GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-uuid/227d9a84-cb82-4864-84cf-94cd1369c7c2:root:allow-discards"

update-grub success

edit etc/crypttab root UUID=13c21bf6-4d92-42a7-877a-87cc31b1aa19 none luks

edit etc/fstab commented previous root /dev/mapper/root, options the same as previous root

update-initramfs failed device-mapper: table ioctl on failed: No such device root

reboot, still stuck in grub terminal

Basically I can mount the luks partition with live CD, but GRUB does not even try to mount it (no password asked)

johndoe31415 commented 8 years ago

update-initramfs tries to find the mapping /dev/mapper/root, but you have opened the mapping temporarily as /dev/mapper/newcryptofs. Can you try mounting the mapping under the name that it'll also have at runtime ("root") and try again? I.e. luksOpen the device with dm name "root" instead of "newcryptofs".

johndoe31415 commented 7 years ago

I'm assuming this fixed your issue and close this report.
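
The mismatch diagnosed in this thread (crypttab and fstab refer to the mapping "root", but the device was opened as "newcryptofs") can be caught before running update-initramfs. The following is an added example, not part of the original thread and not luksipc code; the function names and the optional mapper-directory argument are hypothetical, chosen so the check can be tried on copies of the files.

```shell
#!/bin/sh
# Pre-flight check to run inside the chroot before update-initramfs.
# Hypothetical helper; paths are arguments so it can be tried on copies.
# Usage: check_root_mapping /etc/crypttab /etc/fstab

# Print the source device that fstab mounts on "/" (comment lines skipped).
fstab_root_source() {
    awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }' "$1"
}

# Succeed if crypttab ($1) defines a mapping called $2.
crypttab_has_name() {
    awk -v n="$2" '$1 !~ /^#/ && $1 == n { found = 1 } END { exit !found }' "$1"
}

# check_root_mapping CRYPTTAB FSTAB [MAPPER_DIR]
# Returns 0 when everything lines up, otherwise:
#   1 = fstab root is not a /dev/mapper/ device
#   2 = crypttab has no entry with that mapping name
#   3 = the mapping is not currently open under that name
check_root_mapping() {
    crypttab=$1 fstab=$2 mapper_dir=${3:-/dev/mapper}
    src=$(fstab_root_source "$fstab")
    case $src in
        /dev/mapper/*) name=${src#/dev/mapper/} ;;
        *) echo "fstab root is '$src', not /dev/mapper/NAME" >&2; return 1 ;;
    esac
    if ! crypttab_has_name "$crypttab" "$name"; then
        echo "crypttab has no mapping named '$name'" >&2
        return 2
    fi
    if [ ! -e "$mapper_dir/$name" ]; then
        echo "'$name' is not open; luksOpen the device as '$name' first" >&2
        return 3
    fi
    echo "ok: root mapping '$name' is consistent and open"
}
```

Return code 3 corresponds to the situation reported above, where the files agree on the name but the mapping is open under a different one.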