Full disk encryption with luks and LVM

a_random_user

Nov 14, 2023
I'm wanting to do full disk encryption using luks.

I have a single nvme module with three partitions for system efi, boot and an encrypted partition containing an LVM PV for a VG that has LVs for root and swap (and eventually VMs). I started with a Debian Bookworm install, got the partition layout and encryption sorted and working. I enter my passphrase on boot, all works well. I have used Debian on desktops and laptops with this partition scheme using luks encryption over the years without issue.

I followed these instructions: https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_12_Bookworm. Following the first reboot the system won't prompt for my passphrase, it won't move on from 'Loading initramfs image...' (paraphrased).

I have repeated the installation with the same partition layout, starting with a Debian 12 install, but without the encryption, the LVM PV is directly on the third partition and the system boots properly, and I'm able to complete the installation steps and end up with a working PVE installation.

From what I've read, this is supposed to work, albeit unsupported. What am I missing?

Thanks
 
Hello,

You don't seem to be missing anything.

I did the same install as you intend to a couple weeks ago, it works fine:

Code:
[ 08:51 ] gdelanoy@laptop-GD ~
└─-~^~--> $ lsblk
NAME                        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1                     259:0    0 476,9G  0 disk
├─nvme0n1p1                 259:1    0   512M  0 part  /boot/efi
├─nvme0n1p2                 259:2    0   488M  0 part  /boot
└─nvme0n1p3                 259:3    0   476G  0 part
  └─nvme0n1p3_crypt         253:0    0 475,9G  0 crypt
    ├─laptop--GD--vg-root   253:1    0 474,9G  0 lvm   /
    └─laptop--GD--vg-swap_1 253:2    0   976M  0 lvm   [SWAP]
[ 08:51 ] gdelanoy@laptop-GD ~
└─-~^~--> $ pveversion
pve-manager/8.0.4/d258a813cfa6b390 (running kernel: 6.2.16-15-pve)
[ 08:51 ] gdelanoy@laptop-GD ~
└─-~^~--> $


I just did a regular Debian Bookworm installation, requiring encrypted LVM.
Installed PVE afterwards.

Have you tried running 'update-initramfs -u' after upgrading the kernel?


Best regards,


--
G. Delanoy
 
The initramfs was updated as part of the pve-kernel installation as per below, however I tried as you suggested and ran it manually, but no change.

Code:
$ sudo apt install  pve-kernel-6.2
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  proxmox-kernel-6.2 proxmox-kernel-6.2.16-19-pve pve-firmware
Suggested packages:
  linux-image
The following packages will be REMOVED:
  firmware-linux-free firmware-misc-nonfree
The following NEW packages will be installed:
  proxmox-kernel-6.2 proxmox-kernel-6.2.16-19-pve pve-firmware pve-kernel-6.2
0 upgraded, 4 newly installed, 2 to remove and 0 not upgraded.
Need to get 178 MB of archives.
After this operation, 763 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://download.proxmox.com/debian/pve bookworm/pve-no-subscription amd64 pve-firmware all 3.8-3 [76.7 MB]
Get:2 http://download.proxmox.com/debian/pve bookworm/pve-no-subscription amd64 proxmox-kernel-6.2.16-19-pve amd64 6.2.16-19 [101 MB]
Get:3 http://download.proxmox.com/debian/pve bookworm/pve-no-subscription amd64 proxmox-kernel-6.2 all 6.2.16-19 [8,772 B]
Get:4 http://download.proxmox.com/debian/pve bookworm/pve-no-subscription amd64 pve-kernel-6.2 all 8.0.5 [4,516 B]                                            
Fetched 178 MB in 1min 18s (2,297 kB/s)                                                                                                                       
(Reading database ... 29753 files and directories currently installed.)
Removing firmware-linux-free (20200122-1) ...
Removing firmware-misc-nonfree (20230210-5) ...
Selecting previously unselected package pve-firmware.
(Reading database ... 28908 files and directories currently installed.)
Preparing to unpack .../pve-firmware_3.8-3_all.deb ...
Unpacking pve-firmware (3.8-3) ...
Selecting previously unselected package proxmox-kernel-6.2.16-19-pve.
Preparing to unpack .../proxmox-kernel-6.2.16-19-pve_6.2.16-19_amd64.deb ...
Unpacking proxmox-kernel-6.2.16-19-pve (6.2.16-19) ...
Selecting previously unselected package proxmox-kernel-6.2.
Preparing to unpack .../proxmox-kernel-6.2_6.2.16-19_all.deb ...
Unpacking proxmox-kernel-6.2 (6.2.16-19) ...
Selecting previously unselected package pve-kernel-6.2.
Preparing to unpack .../pve-kernel-6.2_8.0.5_all.deb ...
Unpacking pve-kernel-6.2 (8.0.5) ...
Setting up pve-firmware (3.8-3) ...
Setting up proxmox-kernel-6.2.16-19-pve (6.2.16-19) ...
Examining /etc/kernel/postinst.d.
run-parts: executing /etc/kernel/postinst.d/initramfs-tools 6.2.16-19-pve /boot/vmlinuz-6.2.16-19-pve
update-initramfs: Generating /boot/initrd.img-6.2.16-19-pve
run-parts: executing /etc/kernel/postinst.d/zz-update-grub 6.2.16-19-pve /boot/vmlinuz-6.2.16-19-pve
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-6.2.16-19-pve
Found initrd image: /boot/initrd.img-6.2.16-19-pve
Found linux image: /boot/vmlinuz-6.1.0-13-amd64
Found initrd image: /boot/initrd.img-6.1.0-13-amd64
Warning: os-prober will not be executed to detect other bootable partitions.
Systems on them will not be added to the GRUB boot configuration.
Check GRUB_DISABLE_OS_PROBER documentation entry.
Adding boot menu entry for UEFI Firmware Settings ...
done
Setting up proxmox-kernel-6.2 (6.2.16-19) ...
Setting up pve-kernel-6.2 (8.0.5) ...

I can still boot the system using the Debian kernel and initramfs, but not with the pve kernel.
 
Have you tried just entering your LUKS password and pressing enter even though there is no prompt? My PVE setup is similar - I never see the prompt but when I enter the password the boot process continues OK.
 
Ha!

The thought had crossed my mind, but I decided not to bother trying because the cursor wasn't blinking. However, it does indeed work. Confirmed, I can type the passphrase and the system will boot normally. Thanks for your help.
 
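Added example, not part of the thread: a way to tell "the PVE initrd cannot unlock LUKS" apart from "the prompt is just not displayed", by checking the `lsinitramfs` listing of an image for the unlock components. The function names and the sample listings are constructed for illustration, and the expected paths are an assumption about the Debian 12 cryptsetup-initramfs layout (dm-crypt built as a module).

```shell
#!/bin/sh
# Reads an `lsinitramfs <image>` listing on stdin, prints each missing
# LUKS unlock component (one per line), returns 0 only if none is missing.
initrd_luks_missing() {
    listing=$(cat)
    missing=0
    # Each line: component name = extended regex matched against listed paths.
    # Paths are assumed from a Debian 12 cryptsetup-initramfs layout.
    while IFS='=' read -r name pattern; do
        if ! printf '%s\n' "$listing" | grep -Eq -- "$pattern"; then
            echo "$name"
            missing=1
        fi
    done <<'EOF'
cryptsetup binary=(^|/)sbin/cryptsetup$
embedded crypttab=^cryptroot/crypttab$
cryptroot unlock script=^scripts/local-top/cryptroot$
dm-crypt module=/dm-crypt\.ko(\.(xz|zst|gz))?$
EOF
    return "$missing"
}

# Human-readable wrapper: $1 is a label, the listing arrives on stdin.
report() {
    if out=$(initrd_luks_missing); then
        echo "$1: LUKS unlock components present"
    else
        echo "$1: missing components:"
        printf '%s\n' "$out" | sed 's/^/  - /'
    fi
}

# Constructed sample listings (not captured from a real system).
SAMPLE_OK='usr/sbin/cryptsetup
cryptroot/crypttab
scripts/local-top/cryptroot
usr/lib/modules/6.2.16-19-pve/kernel/drivers/md/dm-crypt.ko'
SAMPLE_BAD='usr/sbin/lvm
usr/lib/modules/6.2.16-19-pve/kernel/drivers/md/dm-mod.ko'

printf '%s\n' "$SAMPLE_OK"  | report "constructed complete listing"
printf '%s\n' "$SAMPLE_BAD" | report "constructed incomplete listing"

# On a real host, feed it the image named in the apt output above:
#   lsinitramfs /boot/initrd.img-6.2.16-19-pve | report pve
```

If the PVE image reports every component present and the boot still stops at the initramfs message, the unlock code is most likely waiting for input without drawing a prompt, which matches what the thread found.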
