grub2 - Finding an encrypted Debian

Question

I have a Triple-Boot-System, with Windows 7, Ubuntu 12.10 and Crunchbang (a Debian derivative - unstable Debian at that).

I am trying to get all encrypted: Windows with TrueCrypt FDE, chaining grub on an extra boot partition with the Windows Bootloader on MBR. Since Ubuntu cut out the encryption option (none in ubiquity and no alternate install), Ubuntu is not encrypted. Crunchbang though is.

My Partition map looks thus as follows:

sda1: Win7
sda2: win7-boot junk (installed it by default - what is that anyway?!)
sda3: /boot
sda4: ubuntu
sda5: encrypted -> sda8(?): crunchbang
sda6: encrypted -> sda9(?): swap
sda7: another ext4

Thing is, after installation, I could boot Windows and Crunchbang fine. update-grub however printed out that he found Ubuntu, no Crunchbang but after reboot he just gave me Crunchbang.

Reinstalled Ubuntu, including grub on sda3. Now he only finds Ubuntu.

The latter I think is quite obvious, how should grub find an encrypted os? But could someone explain to me how I can Dual-Boot two (in theory encrypted) Linux's with grub2?

score 1 · Answer 1 · answered Nov 18 '18 at 10:41

I had the same problem, when in my dual boot Debian box, the "not encrypted Debian instllation", updated grub and left out the "encrypted LVM" one.

This article helped me a lot, and I performed the following steps to activate the LVM volumes that are installed on /dev/sdg before calling update-grub.

$ sudo apt-get install cryptsetup
$ sudo apt-get install lvm2
$ sudo lsblk -f /dev/sdg  # Identify encrypted device
$ sudo file -s /dev/sdg5   
$ sudo cryptsetup luksOpen /dev/sdg5 encrypted_device  # Open the encrypted container
$ sudo vgdisplay --short  # Identify volume group
$ sudo lvs -o lv_name,lv_size -S vg_name=enc-vg  # List logical volumes
$ sudo lvchange -ay enc-vg  # Activate every logical volume
$ sudo update-grub
$ sudo lvchange -an enc-vg  # Deactivate active volumes
$ sudo cryptsetup luksClose encrypted_device  # Close the opened container

score 1 · Accepted Answer · answered Nov 21 '12 at 18:30

1

When you do an update-grub, it scans all the partitions it can see for OSs that it knows what to do with. If your encrypted partition is not mounted when it scans, it will not find the OSs that are encrypted.

So your first step is to decrypt the encrypted partitions and mount them to a block device. You can do this with cryptsetup:

cryptsetup luksOpen <device> <name>

So if your encrypted device is /dev/sda5 (your partition structure isn't clear), use something like

cryptsetup luksOpen /dev/sda5 crunch

to decrypt /dev/sda5 and mount the decrypted block device (not the filesystem!) on /dev/mapper/crunch. Then you can go ahead and mount /dev/mapper/crunch <some mountpoint> as normal.

answered Nov 21 '12 at 18:30

thirtythreeforty

1,212
7
19

Hm. After mounting the partition, running update-grub only finds Windows - so neither Crunchbang nor Ubuntu. But on reboot, grub shows Ubuntu (but not Crunchbang). – alex Nov 21 '12 at 19:17
Although I ended up doing stuff a bit differently (I am now using two different boot partitions for either OS), this answer was definitely the correct answer for the question and also helped me a lot. – alex Nov 24 '12 at 16:20

grub2 - Finding an encrypted Debian

2 Answers2