Article 5J649 "systemd[1]: Failed to mount /run/systemd/cryptsetup/keydev-crypt5" <= boot error after Bullseye (Debian 11) debootstrap installation

by
libCognition
from LinuxQuestions.org on (#5J649)
After performing a debootstrap installation of Debian Bullseye and booting for the first time, I get the GRUB menu & select the 1st option, then:
Code:
Please unlock disk crypt4:
cryptsetup: crypt4: set up successfully
[17.934028] systemd[1]: Failed to mount /run/systemd/cryptsetup/keydev-crypt5

[FAILED] Failed to mount /run/systemd/cryptsetup/keydev-crypt5.
[DEPEND] Dependency failed for Cryptography Setup for crypt5.
[DEPEND] Dependency failed for Local Encrypted Volumes.
[17.945201] systemd[1]: Failed to mount /run/systemd/cryptsetup/keydev-crypt6

[FAILED] Failed to mount /run/systemd/cryptsetup/keydev-crypt6.
[DEPEND] Dependency failed for Cryptography Setup for crypt6.
[20.142061] platform regulatory.0: firmware: failed to load regulatory.db (-2)
[20.142122] firmware_class: See https://wiki.debian.org/Firmware for information about missing firmware
<> Please enter passphrase for disk home: (press TAB for no echo) _

All steps taken to perform a Bullseye debootstrap installation, which led to the above errors with dm-crypt:

Code:
$ sudo sgdisk --clear -a 1 \
    --new=1:34:2047 -c 1:"BIOS boot" --typecode=1:$(sgdisk --list-types | sed -ne 's/.*\(....\).bios.*/\1/gip') \
    -a 2048 \
    --new=2:0:+12582912 -c 2:"swap" --typecode=2:$(sgdisk --list-types | sed -ne 's/.*\(....\).Linux.swap.*/\1/gip') \
    --new=3:0:+327680 -c 3:"boot" --typecode=3:$(sgdisk --list-types | sed -ne 's/.*\(....\).Linux.file.*/\1/gip') \
    --new=4:0:+222298112 -c 4:"top" --typecode=4:$(sgdisk --list-types | sed -ne 's/.*\(....\).Linux.x86.64.root.*/\1/gip') \
    --new=5:0:+293601280 -c 5:"home" --typecode=5:$(sgdisk --list-types | sed -ne 's/.*\(....\).Linux..home.*/\1/gip') \
    --new=6:0:0 -c 6:"var" --typecode=6:$(sgdisk --list-types | sed -ne 's/.*\(....\).Linux.file.*/\1/gip') \
    /dev/sdb

The partition table looks like this:

Code:
$ sgdisk -p /dev/sdb

First usable sector is 34, last usable sector is (redacted)
Partitions will be aligned on 8-sector boundaries
Total free space is 0 sectors (0 bytes)

Number  Start (sector)  End (sector)  Size        Code  Name
     1              34          2047  1007.0 KiB  EF02  BIOS boot
     2            2048      12584959  6.0 GiB     8200  swap
     3        12584960      12912639  160.0 MiB   8300  boot
     4        12912640           ...  ...         8304  root
     5             ...           ...  ...         8302  home
     6             ...           ...  ...         8300  var

The BIOS boot partition is there because this is a GPT-BIOS situation. The grub-install command must write data to the BIOS boot that directs it to boot the UUID of the /boot partition.

Code:
$ mkswap --label swap /dev/sdb2
$ sync
$ swapon /dev/sdb2
$ cryptsetup -v -y luksFormat /dev/sdb4
$ cryptsetup luksOpen /dev/sdb4 crypt4
$ mkfs.ext4 -L top /dev/mapper/crypt4
$ mkfs.ext4 -L boot /dev/sdb3
$ mkdir /mnt/debian_target
$ mount /dev/mapper/crypt4 !$

To avoid entering 3 passwords for 3 encrypted volumes, the /home & /var partitions use a key file instead of a pw, which is then stored on the "/" partition.

Code:
$ dd if=/dev/urandom of=/mnt/debian_target/etc/luks_p5.key bs=4k count=1
$ dd if=/dev/urandom of=/mnt/debian_target/etc/luks_p6.key bs=4k count=1
$ cryptsetup -v -y luksFormat /dev/sdb5 /mnt/debian_target/etc/luks_p5.key
$ cryptsetup -v -y luksFormat /dev/sdb6 /mnt/debian_target/etc/luks_p6.key
$ cryptsetup luksOpen --key-file /mnt/debian_target/etc/luks_p5.key /dev/sdb5 crypt5
$ cryptsetup luksOpen --key-file /mnt/debian_target/etc/luks_p6.key /dev/sdb6 crypt6
$ mkfs.ext4 -L home /dev/mapper/crypt5
$ mkfs.ext4 -L var /dev/mapper/crypt6
$ for mp in /boot /home /var; do mkdir /mnt/debian_target$mp; done
$ mount /dev/sdb3 /mnt/debian_target/boot
$ mount /dev/mapper/crypt5 /mnt/debian_target/home
$ mount /dev/mapper/crypt6 /mnt/debian_target/var
$ mkdir -p /media/cdrom
$ mount -o loop /images/debian-edu-bullseye-DI-rc1-amd64-BD-1.iso /media/cdrom

The Release.gpg files are missing from the ISO image, but since the hash and sigs of the whole ISO check out, there is no cause for concern. The --no-check-gpg option was needed, & it's safe in this case:

Code:
$ torsocks /usr/sbin/debootstrap --arch amd64 --no-check-gpg bullseye /mnt/debian_target file:///media/cdrom
$ mount --rbind /dev /mnt/debian_target/dev
$ cp /previous_drive/etc/fstab /mnt/debian_target/etc/
$ cp /previous_drive/etc/crypttab /mnt/debian_target/etc/
$ blkid
$ emacs /mnt/debian_target/etc/*tab; #edit fstab & crypttab to reference new UUIDs from the blkid command
$ cp /previous_drive/etc/adjtime /mnt/debian_target/etc/
$ cat /previous_drive/etc/network/interfaces >> /mnt/debian_target/etc/network/interfaces
$ emacs /mnt/debian_target/etc/network/interfaces; # ensure it's all proper
$ cp /previous_drive/etc/hosts /mnt/debian_target/etc/
$ cp /previous_drive/etc/modules /mnt/debian_target/etc/
$ emacs /mnt/debian_target/etc/modules; #comment out modules not installed yet
$ sed -e 's/stretch/bullseye/gi' /previous_drive/etc/apt/sources.list > /mnt/debian_target/etc/sources.list
$ find /previous_drive/etc/apt/sources.list.d -type f ! -iname \*~ -exec bash -c 'for fn; do sed -e "s/stretch/bullseye/gi" "$fn" > /mnt/debian_target"$fn"; done' _ {} +
$ rsync -va --progress /images/debian-edu-bullseye-DI-rc1-amd64-BD-1.iso /mnt/debian_target/images/
$ mkdir /mnt/debian_target/media/debian_install_bd
$ mount -o loop /mnt/debian_target/images/debian-edu-bullseye-DI-rc1-amd64-BD-1.iso /mnt/debian_target/media/debian_install_bd
$ printf '\n\n%s\n' '/images/debian-edu-bullseye-DI-rc1-amd64-BD-1.iso /media/debian_install_bd udf,iso9660 loop,ro,user,noauto 0 0' >> /mnt/debian_target/etc/fstab
$ chroot /mnt/debian_target apt-cdrom -m -d=/media/debian_install_bd add

Normally `apt update` would work at this point, but it failed. I had to comment out "deb cdrom:..." from sources.list and treat the ISO image less like a CD and more like local files, as follows:

Code:
$ printf '\n\n%s\n' 'deb [trusted=yes check-valid-until=no] file:/media/debian_install_bd/ bullseye main contrib' >> /mnt/debian_target/etc/apt/sources.list
$ chroot /mnt/debian_target apt update
$ chroot /mnt/debian_target apt install linux-image-amd64 bash-completion grub-pc cryptsetup locales
$ chroot /mnt/debian_target dpkg-reconfigure locales
$ chroot /mnt/debian_target adduser blee

At this point I had to remove all drives that the target should not try to boot. The grub-install command creates a boot hook for all installations it finds even if unmounted. Cables of irrelevant drives must physically be detached before the next step.

Code:
$ chroot /mnt/debian_target grub-install /dev/sdb
$ chroot /mnt/debian_target update-initramfs -u -t -k all
$ chroot /mnt/debian_target update-grub
$ mount --make-rslave /mnt/debian_target
$ umount -R /mnt/debian_target

If I understand correctly, the initrd has served its purpose after using the first password to mount "/". Mounting /home (crypt5) and /var (crypt6) is the job of the kernel, correct?

/mnt/debian_target/etc/crypttab:
Code:
crypt4 UUID="abc-dead-beef" none luks,discard
crypt5 UUID="xyz-dead-beef" /etc/luks_p5.key luks,discard,noearly
crypt6 UUID="123-dead-beef" /etc/luks_p6.key luks,discard,noearly

I added "noearly" hoping that delaying the mounting would help, but it made no difference. This is cryptroot/crypttab from within the initrd-*.img:

Code:
crypt4 UUID=abc-dead-beef none luks,discard

Apparently that implies crypt5 & crypt6 are not mounted as part of the initrd process. And notice that the text asking for a password to crypt5 is phrased differently than crypt4.
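
An added example, not part of the original post: a shell check that compares the initramfs copy of crypttab with the full /etc/crypttab, lists which volumes are left to be unlocked after the root filesystem is mounted, and flags key files that group or other can read. The function names, temporary paths and file modes are assumptions; the sample entries are constructed from the crypttab lines quoted above.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print "target stage keyfile" per entry of the full crypttab ($2). stage is
# "initramfs" when the target is also in the initramfs copy ($1), else "late".
crypttab_stages() {
    awk '
        /^[ \t]*(#|$)/      { next }                  # comments, blank lines
        FILENAME == ARGV[1] { early[$1] = 1; next }   # initramfs crypttab
        { print $1, (($1 in early) ? "initramfs" : "late"), $3 }
    ' "$1" "$2"
}

# Return 0 only if the file exists and has no group/other permission bits.
keyfile_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2   # GNU stat
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# For each late entry with a key file, resolve it under root prefix $3 and
# report "ok" or "CHECK" (missing, or readable beyond its owner).
audit_late_keyfiles() {
    crypttab_stages "$1" "$2" | while read -r target stage key; do
        [ "$stage" = late ] || continue
        case "$key" in none|-|"") continue ;; esac
        if keyfile_private "$3$key"; then echo "$target ok $key"
        else echo "$target CHECK $key"; fi
    done
}

# Constructed sample: the crypttab entries quoted in the post, plus empty
# stand-in key files whose modes are assumptions (0644 is what dd leaves
# under a typical 022 umask).
demo() {
    root=$(mktemp -d) && mkdir -p "$root/etc"
    echo 'crypt4 UUID=abc-dead-beef none luks,discard' > "$root/initramfs.tab"
    printf '%s\n' \
        'crypt4 UUID="abc-dead-beef" none luks,discard' \
        'crypt5 UUID="xyz-dead-beef" /etc/luks_p5.key luks,discard,noearly' \
        'crypt6 UUID="123-dead-beef" /etc/luks_p6.key luks,discard,noearly' \
        > "$root/crypttab"
    : > "$root/etc/luks_p5.key"; chmod 0644 "$root/etc/luks_p5.key"
    : > "$root/etc/luks_p6.key"; chmod 0400 "$root/etc/luks_p6.key"
    audit_late_keyfiles "$root/initramfs.tab" "$root/crypttab" "$root"
    rm -rf "$root"
}
demo
```

On an installed system the inputs would be the cryptroot/crypttab extracted from the initrd image and /etc/crypttab, with an empty root prefix.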