cryptsetup is responsible for unlocking dm-crypt devices. The cryptsetup Debian packages provide a whole slew of helper scripts that integrate cryptsetup into the Debian operating system. The most important ones are the cryptdisks init script and the cryptroot initramfs scripts, both implementing support for the /etc/crypttab configuration file and for automatic unlocking of encrypted devices during the boot process.
This page collects information on debugging different features of the Debian cryptsetup packages in case of problems.
cryptroot initramfs scripts
Debug cryptroot initramfs script
In order to debug the cryptroot initramfs script during initramfs stage, the following steps are required:
Boot into the initramfs rescue shell by adding break=premount as kernel option during boot.
In grub, this can be done interactively from the grub boot menu: <E> to edit, and <Ctrl>+<X> to boot once you've edited the kernel line.
Append -x to the shebang (first line) of cryptroot initramfs script:
sed -i -e '1s,^#!/bin/sh,& -x,' /scripts/local-top/cryptroot
- Run the cryptroot initramfs script manually, redirecting output to a log file:
/scripts/local-top/cryptroot 2>&1 | tee /run/initramfs/cryptroot.debug
Please note: if the boot process is broken, you might need to mount an external storage device (e.g. a USB flash drive) inside the initramfs and redirect the output to a log files on this external device.
Continue the boot process (by pressing <Ctrl>+<D>) and save a copy of the debug log file at /run/initramfs/cryptroot.debug. The content of /run/ will be lost after reboot.
Sometimes, debugging the initramfs directly, can be helpful as well. See InitramfsDebug#Saving_debug_information for details.
Gather debugging information in the initramfs rescue shell
Useful commands to gather information from initramfs rescue shell:
- Check for device-mapper support (these directories/symlinks exist only if kernel has device-mapper support):
ls -l /sys/class/misc/device-mapper /sys/devices/virtual/misc/device-mapperCheck, whether dm-crypt kernel module is loaded:
lsmod | grep dm-crypt
- Display cryptroot configuration and list loaded kernel modules:
- Gather information about the available block devices:
blkid ls -l /dev/disk/by-*/