I spent some time trying to figure out why reinstalling GRUB always led me to "Waiting for encrypted source device" and ultimately dropped me into a cryptsetup shell where I didn’t have any mapped device nor any /dev/sdaX. Here is a list of steps to make sure everything is in place.


Basic reinstall

Suppose you have to install/restore GRUB on a partition table like this one:

$ lsblk

NAME                     MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                        8:0    0 178.9G  0 disk  
├─sda1                     8:1    0   243M  0 part  /boot
├─sda2                     8:2    0     1K  0 part  
└─sda5                     8:5    0 178.6G  0 part  
  └─cryptroot            254:0    0 178.6G  0 crypt 
    ├─israfel--vg-swap_1 254:1    0  11.5G  0 lvm   [SWAP]
    └─israfel--vg-root   254:2    0 167.1G  0 lvm   /

Here, LVM sits on top of the encrypted partition: the LVM is set up inside one big encrypted block device.

First, boot a live Linux environment and open up a shell.

Open the LUKS container:

sudo cryptsetup luksOpen /dev/sda5 cryptroot 

Activate the LVM volumes:

sudo vgscan
sudo vgchange -ay

Now, mount the root filesystem (/) and /boot. Make sure you mount the “mapped” devices that are now available.

sudo mount /dev/mapper/israfel--vg-root /mnt
sudo mount /dev/sda1 /mnt/boot

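Now, bind-mount the live system's /dev, /proc, /sys and /run into the target so that grub-install and the initramfs tools can see the block devices, then chroot back into the system:

for d in dev dev/pts proc sys run; do sudo mount --bind /$d /mnt/$d; done
sudo chroot /mnt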

Make sure you have a valid kernel installed. You can also clean up all the installed kernels and reinstall one.

Install GRUB with:

# Legacy
grub-install /dev/sda
# UEFI
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=debian

Now, make sure /etc/fstab contains the correct UUIDs for the partitions. You can get this information with blkid and lsblk.

# <file system> <mount point>   <type>  <options>       <dump>  <pass>

UUID=49d7e311-4abb-46c0-989b-74291d8e675a  /       btrfs    defaults    0   1

# Boot partition (ext2, can be ext4 for better support)
UUID=0d43542b-b836-4967-a758-916d72feaff8  /boot   ext2     defaults    0   2

# Swap volume (LVM swap)
UUID=ea7d397e-5779-44b5-ad83-f9d4e4d7c957  none    swap     sw          0   0

Also check /etc/crypttab:

cryptroot UUID=7d2b7fdc-481d-4106-b31b-a5486c13e8a6 none luks,discard

This entry should contain the UUID of the LUKS superblock, that is, of the encrypted partition itself (/dev/sda5 above), not of what’s inside it.
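One way to check both files at once, as an added example that is not part of the original post: the script below compares the UUIDs in crypttab and fstab with saved `blkid` output. The function names are hypothetical, and the sample blkid lines are constructed around the UUIDs shown above.

```shell
#!/bin/sh
# Added example: cross-check crypttab and fstab UUIDs against saved `blkid` output.
# Real use (as root, in the chroot): blkid > /tmp/blkid.txt, then run this script
# with the arguments /etc/crypttab /etc/fstab /tmp/blkid.txt

# Print the TYPE blkid reports for UUID $1 in file $2 (empty if the UUID is unknown).
uuid_type() {
    grep -F " UUID=\"$1\"" "$2" | sed -n 's/.* TYPE="\([^"]*\)".*/\1/p' | head -n 1
}

check_boot_uuids() {  # $1 = crypttab, $2 = fstab, $3 = saved blkid output
    rc=0
    # crypttab source must be the LUKS container, not the LVM PV or filesystem inside.
    while read -r name src rest; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$src" in UUID=*) ;; *) continue ;; esac
        t=$(uuid_type "${src#UUID=}" "$3")
        [ "$t" = "crypto_LUKS" ] && continue
        echo "crypttab: $name uses $src, type '${t:-not found}', expected crypto_LUKS"
        rc=1
    done < "$1"
    # fstab sources must exist and must be what is inside the container.
    while read -r src mnt rest; do
        case "$src" in UUID=*) ;; *) continue ;; esac
        t=$(uuid_type "${src#UUID=}" "$3")
        [ -n "$t" ] && [ "$t" != "crypto_LUKS" ] && continue
        echo "fstab: $mnt uses $src, type '${t:-not found}', expected a filesystem or swap"
        rc=1
    done < "$2"
    return "$rc"
}

# Constructed sample data: UUIDs from the article, blkid lines made up to match.
write_sample() {  # $1 = directory to write blkid.txt, crypttab and fstab into
    cat > "$1/blkid.txt" <<'EOF'
/dev/sda1: UUID="0d43542b-b836-4967-a758-916d72feaff8" BLOCK_SIZE="1024" TYPE="ext2" PARTUUID="00000000-01"
/dev/sda5: UUID="7d2b7fdc-481d-4106-b31b-a5486c13e8a6" TYPE="crypto_LUKS" PARTUUID="00000000-05"
/dev/mapper/israfel--vg-root: UUID="49d7e311-4abb-46c0-989b-74291d8e675a" UUID_SUB="00000000-0000-0000-0000-000000000000" TYPE="btrfs"
/dev/mapper/israfel--vg-swap_1: UUID="ea7d397e-5779-44b5-ad83-f9d4e4d7c957" TYPE="swap"
EOF
    echo 'cryptroot UUID=7d2b7fdc-481d-4106-b31b-a5486c13e8a6 none luks,discard' > "$1/crypttab"
    cat > "$1/fstab" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=49d7e311-4abb-46c0-989b-74291d8e675a / btrfs defaults 0 1
UUID=0d43542b-b836-4967-a758-916d72feaff8 /boot ext2 defaults 0 2
UUID=ea7d397e-5779-44b5-ad83-f9d4e4d7c957 none swap sw 0 0
EOF
}
if [ "$#" -eq 3 ]; then check_boot_uuids "$@"; fi
```

A non-zero exit status means at least one entry points at the wrong layer or at a UUID that blkid does not report.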

At this point, a simple

update-initramfs -c -k all

and update-grub should suffice. Try to restart and see if everything is in order.


Further troubleshooting

In my case, this was not enough and I couldn’t manage to have the passphrase prompt come up. The boot was simply continuing until cryptsetup gave up waiting for an encrypted device. After countless reboots into the live environment to check /etc/fstab and /etc/crypttab, I gave up and replaced initramfs-tools with dracut:

apt install dracut

Note

DNS resolution may not work inside the chroot. From outside the chroot, run:

sudo cp /etc/resolv.conf /mnt/etc/resolv.conf

Then, to be sure, add these lines to /etc/dracut.conf:

add_dracutmodules+=" crypt lvm btrfs "
hostonly="yes"
kernel_cmdline+=" rd.luks=1 rd.lvm=1 rd.btrfs=1 "

Also make sure that the linux line in the GRUB configuration (/boot/grub/grub.cfg) looks like this:

linux	/vmlinuz-6.12.22-amd64 root=/dev/mapper/israfel--vg-root ro cryptdevice=UUID=7d2b7fdc-481d-4106-b31b-a5486c13e8a6:cryptroot root=/dev/mapper/israfel--vg-root quiet

Now, let’s regenerate the initramfs with dracut:

dracut --regenerate-all --force

Finally, it worked.
