On Mon 22 Oct 2018 at 00:05:45 (+0000), Matthew Crews wrote:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Sunday, October 21, 2018 10:29 AM, Roberto C. Sánchez <robe...@debian.org> wrote:
>
> > On Sun, Oct 21, 2018 at 01:25:09PM +0000, D&P Dimov wrote:
> >
> > > I did a new install of latest Debian 9.5 stable on a new Dell laptop.
> > > Debian is the only OS there now. If I encrypt /, home, and swap, it won't
> > > boot after install. If I leave them unencrypted, it boots fine. What am I
> > > missing?
> > > Thanks!
> >
> > It will be much easier to help you if you could post the complete output
> > of the boot sequence up to the failure. If that is not possible, then
> > perhaps the last screenful or last few lines. Or even a photograph of
> > the screen showing where the boot sequence is stuck.
>
> To satisfy my curiosity, I fired up a VM and in the VM used the Debian
> installer to automatically partition for an encrypted install, with separate
> /, /home, and /swap. It made a 1MB blank partition, 512MiB /boot/efi
> partition flagged as bootable, 244MiB /boot partition, and allocated the rest
> of the disk to the LUKS container. The LUKS container contained /, /home,
> and /swap. See the attached picture.

It needs to be pointed out that the 1MB FREE SPACE at the start of the disk
(and the one at the end) is not a blank partition: it is free space.

> After installation was complete, here is the output of lsblk.
>
> NAME                        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
> sda                           8:0    0   20G  0 disk
> ├─sda1                        8:1    0  512M  0 part  /boot/efi
> ├─sda2                        8:2    0  244M  0 part  /boot
> └─sda3                        8:3    0 19.3G  0 part
>   └─sda3_crypt              254:0    0 19.3G  0 crypt
>     ├─debian--vm--vg-root   254:1    0  6.4G  0 lvm   /
>     ├─debian--vm--vg-swap_1 254:2    0    2G  0 lvm   [SWAP]
>     └─debian--vm--vg-home   254:3    0 10.9G  0 lvm   /home
> sr0                          11:0    1 55.3M  0 rom
>
>
> It seems the best practice is:
> 1MB blank partition at the beginning of the drive

Noted above. This is to give you partition alignment of 1MiB for efficiency.
For GPT disks like this, I also add a 3MiB partition (giving me 4MiB
alignment) set to "BIOS boot" which, like it says, allows it to be booted
in legacy mode if ever required.

> 512MB EFI partition (or larger) mounted at /boot/efi, flagged as bootable
> 256MB /boot partition (or larger as desired), NOT flagged as bootable.
> Then the rest of the drive partitioned as desired (ie a LUKS container)
>
> If all of these conditions are met, then encrypted boot with EFI *should*
> work correctly.
>
> So I'm at a loss, D&P Dimov, as to why you had difficulty. You said it was a
> config in your BIOS that you needed to change?

Cheers,
David.
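
The layout discussed in this thread can be checked mechanically from lsblk output: /boot/efi and /boot outside the LUKS container, and /, /home and swap inside it. The following is an added example, not part of the original messages; the function names and the column spacing of the sample are assumptions, and the parser expects the default lsblk columns shown in the thread.

```python
import re

# lsblk output for the layout in the thread (column spacing reconstructed).
SAMPLE = """\
NAME                        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sda                           8:0    0   20G  0 disk
├─sda1                        8:1    0  512M  0 part  /boot/efi
├─sda2                        8:2    0  244M  0 part  /boot
└─sda3                        8:3    0 19.3G  0 part
  └─sda3_crypt              254:0    0 19.3G  0 crypt
    ├─debian--vm--vg-root   254:1    0  6.4G  0 lvm   /
    ├─debian--vm--vg-swap_1 254:2    0    2G  0 lvm   [SWAP]
    └─debian--vm--vg-home   254:3    0 10.9G  0 lvm   /home
sr0                          11:0    1 55.3M  0 rom
"""

MUST_BE_PLAIN = {"/boot/efi", "/boot"}       # in this layout, read before LUKS is unlocked
MUST_BE_ENCRYPTED = {"/", "/home", "[SWAP]"}

def parse_lsblk(text):
    """Yield (mountpoint, encrypted) for each mounted device in lsblk tree output."""
    types = []  # types[d] holds the TYPE of the current ancestor at depth d
    for line in text.splitlines()[1:]:
        m = re.search(r"\w", line)       # first character of the device name
        if not m:
            continue
        depth = m.start() // 2           # each tree level is drawn two columns wide
        fields = line[m.start():].split()
        del types[depth:]                # drop siblings and deeper nodes
        types.append(fields[5])          # TYPE column: disk, part, crypt, lvm, rom
        if len(fields) > 6:              # MOUNTPOINT column is present
            yield fields[6], "crypt" in types

def check_layout(text):
    """Return a list of findings; an empty list means the layout matches."""
    seen = dict(parse_lsblk(text))
    findings = []
    for mp in sorted(MUST_BE_PLAIN | MUST_BE_ENCRYPTED):
        if mp not in seen:
            findings.append(f"{mp}: not mounted")
        elif mp in MUST_BE_PLAIN and seen[mp]:
            findings.append(f"{mp}: inside the encrypted container")
        elif mp in MUST_BE_ENCRYPTED and not seen[mp]:
            findings.append(f"{mp}: not encrypted")
    return findings

if __name__ == "__main__":
    print(check_layout(SAMPLE) or "layout OK")
```

To check a live system, pass the text printed by plain `lsblk` to `check_layout`.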