The "rescue mode" of the Debian Installer currently does not support systems that use encrypted LVM as set up by Guided partitioning. The procedure below documents the manual steps to follow to get a chroot shell on such a system.
- Boot the installer in rescue mode.
- Proceed until you get the dialog asking which device to use as root file system.
Switch to VT 2 (using Alt-F2) and enable the shell.
Enter the following commands to enable LUKS crypto support:
# anna-install crypto-modules cryptsetup-udeb
# depmod -a
# modprobe aes
Use fdisk to check the partition layout of your hard disk. If you used guided partitioning, the default layout will be (using sda as an example):
/dev/sda1 : boot partition
/dev/sda2 : extended partition
/dev/sda5 : encrypted partition containing the physical LVM volume
If fdisk is not available, try anna-install fdisk-udeb to load it.
Enable the encrypted partition; make sure you use the correct device name as the first part of the last parameter:
# cryptsetup luksOpen /dev/sda5 sda5_crypt
After entering this command you should be prompted for your LUKS passphrase, and if all is well you should get a confirmation saying:
key slot 0 unlocked.
Command successful.
You can now use lvdisplay to view which logical volumes your system has. The second part of the device name will vary and is normally the same as the hostname you selected during the installation.
For example:
# lvdisplay | grep "LV Name"
LV Name /dev/myhost/root
LV Name /dev/myhost/home
LV Name /dev/myhost/swap_1
The number of logical volumes can vary, depending on the partitioning scheme you selected.
Enable the logical volumes (using the correct last parameter):
# vgchange -a y myhost
3 logical volume(s) in volume group "myhost" now active
You can now mount your partitions, including the boot partition:
# mkdir /target
# mount /dev/myhost/root /target
# mount /dev/myhost/home /target/home
# mount /dev/sda1 /target/boot
And it is advisable to also mount proc and sysfs for the chroot:
# mount proc /target/proc -t proc
# mount sysfs /target/sys -t sysfs
At this point it is advisable to check that the crypto device listed in /target/etc/crypttab matches the device you specified in the luksOpen command earlier in this procedure (in this example: sda5_crypt). If it does not, this could cause errors, for example when running update-initramfs.
If the name does not match, you can correct it using:
# dmsetup rename <current_name> <name_according_to_crypttab>
Finally, chroot into your system:
# chroot /target
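The crypttab check from the procedure above can be scripted. The following is an added example, not part of the original procedure; the function names `crypttab_targets` and `check_mapping` are assumptions made for this example, and the sample crypttab is constructed.

```sh
#!/bin/sh
# Added example: compare the name given to "cryptsetup luksOpen" with the
# target names in crypttab. Function names are hypothetical.

# crypttab_targets FILE: print the first field (target name) of every
# entry, skipping blank lines and comments.
crypttab_targets() {
    while read -r target _rest || [ -n "$target" ]; do
        case $target in ''|'#'*) continue ;; esac
        echo "$target"
    done < "$1"
}

# check_mapping FILE NAME: return 0 if NAME is a crypttab target.
# Otherwise return 1 and, when FILE has exactly one entry, print the
# dmsetup rename command that would bring the open mapping in line.
check_mapping() {
    file=$1
    name=$2
    targets=$(crypttab_targets "$file")
    for t in $targets; do
        if [ "$t" = "$name" ]; then
            echo "OK: $name is listed in $file"
            return 0
        fi
    done
    set -- $targets
    if [ $# -eq 1 ]; then
        echo "dmsetup rename $name $1"
    else
        echo "MISMATCH: $name not found; targets:" $targets
    fi
    return 1
}

# Constructed sample crypttab using the example device names from above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <target name> <source device> <key file> <options>
sda5_crypt /dev/sda5 none luks
EOF
check_mapping "$sample" sda5_crypt
check_mapping "$sample" cryptroot || true
rm -f "$sample"
```

On the rescue system, the call would be `check_mapping /target/etc/crypttab sda5_crypt`, run once the root volume is mounted on /target.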
Comments
- LUKS stands for "Linux Unified Key Setup".
The following command can be used to check if a partition is a LUKS-encrypted device:
# cryptsetup isLuks /dev/sda5 && echo OK
If you set up encrypted partitions manually and used loop-AES encryption (possibly using random keys), you should also load support for that using:
# anna-install partman-crypto-loop