• Re: Bug#1103457: Unable to boot LUKS-encrypted system

    From Uwe Kleine-König@21:1/5 to Aaron Rainbolt on Thu Jul 31 15:20:01 2025
    Hello,

    On Thu, Apr 17, 2025 at 02:04:18PM -0500, Aaron Rainbolt wrote:
    Package: dracut
    Version: 106-5
    Severity: critical
    X-Debbugs-Cc: [email protected], [email protected]

    Unsure if the chosen severity is appropriate, but this bug renders
    affected systems unbootable and the recovery procedure is a serious
    headache, so I think this counts as "breaking the whole system".

    Steps to reproduce:

    * Install Debian Trixie with LUKS full disk encryption. The encryption
    + LVM setup created by D-I works, as does an encrypted root +
    unencrypted /boot setup made using Calamares with a live Debian
    Trixie ISO.
    * Boot into the installed system.
    * Install `dracut` with `sudo apt install dracut`.
    * Reboot.

    Expected result: The system should present a passphrase prompt for you
    to unlock the disk, upon providing the passphrase the disk should be
    unlocked and the system should boot.

    Actual result: The system hangs on the Plymouth screen for about 360
    seconds. If you attempt to boot with `rd.debug` set, you will see it's
    unable to find the root filesystem.

    What's happening here, based on my research, is that dracut does not
    install the info needed to find the LUKS volume into the initramfs
    unless `hostonly=yes` is set. As a result, the initramfs isn't able to
    find the encrypted disk, and then of course the system fails to boot.

    If you end up with an unbootable system, the recovery procedure
    requires booting the system from a live USB, manually decrypting the
    LUKS volume with the right name, mounting it, mounting in the boot
    directory, bind-mounting in critical other directories, then
    chrooting in and regenerating the initramfs that way. It's doable,
    yes, but it's not easy, and I believe if you don't specify the right
    name when decrypting the disk, you'll probably end up with a broken
    initramfs when you regenerate it.

    I ran into that problem, too. An easier recovery procedure for me was
    passing "rd.auto" on the kernel command line.

    Also note that dracut 107-1 and later default to host-only operation.

    Best regards
    Uwe

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
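
The condition discussed in this thread, as an added example that is not part of either message: a shell check that reads dracut configuration files and reports whether an initramfs built by the given dracut version would lack host-only data. The function names, the `10-hostonly.conf` file name and the simplification that files are passed in the order dracut reads them are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pre-reboot check for dracut on LUKS.
# Assumption: config files are passed in the order dracut reads them.

# Print the last value assigned to hostonly in the given files, or "unset".
effective_hostonly() {
    val=unset
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Accept hostonly=yes, hostonly="yes", trailing comments, leading spaces.
        v=$(sed -n 's/^[[:space:]]*hostonly=\([^#[:space:]]*\).*/\1/p' "$f" |
            tail -n 1 | tr -d "\"'")
        if [ -n "$v" ]; then val=$v; fi
    done
    printf '%s\n' "$val"
}

# True if version $1 >= $2. dpkg gives Debian ordering; sort -V is a fallback.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# Return 0 (at risk) when the initramfs would be built without host-only data.
# $1 = installed dracut version, remaining arguments = config files.
luks_boot_at_risk() {
    ver=$1; shift
    case $(effective_hostonly "$@") in
        yes) return 1 ;;
        no)  return 0 ;;
        *)   if version_ge "$ver" 107-1; then return 1; else return 0; fi ;;
    esac
}

# Constructed sample: version from the report, hypothetical drop-in file.
demo=$(mktemp -d)
printf 'hostonly="yes"\n' > "$demo/10-hostonly.conf"
if luks_boot_at_risk 106-5 "$demo/10-hostonly.conf"; then
    echo "at risk: set hostonly=yes and regenerate the initramfs before rebooting"
else
    echo "ok: host-only mode is in effect"
fi
rm -rf "$demo"
```

On an installed system the arguments would be the version reported by the package manager followed by `/etc/dracut.conf` and the files in `/etc/dracut.conf.d/`.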