I am trying to do what I think is a pretty standard setup of an encrypted / partition and an unencrypted /boot using the Debian installer (for Stretch-rc1). I created /boot by selecting the option EFI System Partition, as this is a UEFI system. I then created an encrypted LUKS volume and put the root file system there. Although all this was done with the installer, the GPT and the unformatted partitions were first created with fdisk.
When I try to finish writing the changes to disk, I get an error:
Encryption configuration failure
You have selected the root file system to be stored on an encrypted partition. This feature requires a separate /boot partition on which the kernel and initrd can be stored. You should go back and setup a /boot partition.
I am confused because I did this earlier without the encryption and everything worked fine. Looking at the ESP /boot partition shows the bootable flag is on. Perhaps I have a fundamental misunderstanding of what Debian wants to do with the ESP? I welcome any suggestions to get this working.
Best Answer
I ended up getting this fixed.

Basically, I needed three partitions rather than two:

ESP (FAT, unencrypted)
/boot (ext, unencrypted)
/ (any valid Linux file system, encrypted)

The unencrypted EFI system partition (ESP) only contains the bootloader (e.g. GRUB), not the kernel or its initrd/initramfs (initial ramdisk image containing the kernel). The bootloader by itself cannot decrypt and access the root file system to get to initrd. So initrd needs to live on its own unencrypted /boot partition, formatted as an ext file system (e.g. ext4), which can be unpacked by the bootloader. Once the kernel has been unpacked, it will be able to take over the remaining boot process to decrypt and mount the root file system.
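As an added illustration (not part of the original answer), here is a small Python check that applies the answer's three-partition rule to `lsblk -rno NAME,TYPE,FSTYPE,MOUNTPOINT` output and reports the same shortfall the installer complained about. The sample layouts are constructed, and the ESP is assumed to be mounted at /boot/efi.

```python
"""Validate an ESP + unencrypted /boot + LUKS-root layout from lsblk output.
Added example, not code from the original Q&A."""

# Constructed samples in the shape of `lsblk -rno NAME,TYPE,FSTYPE,MOUNTPOINT`
# (four space-separated columns, trailing empty columns omitted); not real captures.
WORKING_LAYOUT = """\
nvme0n1 disk
nvme0n1p1 part vfat /boot/efi
nvme0n1p2 part ext4 /boot
nvme0n1p3 part crypto_LUKS
nvme0n1p3_crypt crypt ext4 /
"""

# The asker's original two-partition attempt: the ESP itself serving as /boot.
ASKER_LAYOUT = """\
nvme0n1 disk
nvme0n1p1 part vfat /boot
nvme0n1p2 part crypto_LUKS
nvme0n1p2_crypt crypt ext4 /
"""


def parse_lsblk(raw: str) -> dict:
    """Map mountpoint -> (name, type, fstype) for every mounted entry."""
    mounts = {}
    for line in raw.splitlines():
        cols = line.split(" ")
        cols += [""] * (4 - len(cols))  # pad missing trailing columns
        name, dev_type, fstype, mountpoint = cols[:4]
        if mountpoint:
            mounts[mountpoint] = (name, dev_type, fstype)
    return mounts


def check_layout(raw: str) -> list:
    """Return the problems that would stop the installer/GRUB; [] when the layout is fine."""
    mounts = parse_lsblk(raw)
    root = mounts.get("/")
    if root is None:
        return ["no root file system mounted at /"]
    if root[1] != "crypt":
        return []  # unencrypted root: the bootloader can read the kernel from / directly
    problems = []
    esp = mounts.get("/boot/efi")
    boot = mounts.get("/boot")
    if esp is None or esp[2] != "vfat":
        problems.append("no FAT-formatted ESP mounted at /boot/efi")
    if boot is None or boot[1] == "crypt" or not boot[2].startswith("ext"):
        problems.append("encrypted root needs a separate unencrypted ext* /boot partition "
                        "holding the kernel and initrd")
    return problems
```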