On 17/12/2018 00:41, Alessandro Selli wrote:
> On 16/12/18 at 13:28, KatolaZ wrote:
>> automagic disk encryption,
>
>
> Well, if you cannot install on an encrypted root, encrypting it later
> is a real PITA.
>
> The present impossibility of installing ASCII on an encrypted root is
> a show-stopper to my laptop installs

The most taxing step in my case was getting the partitioner to do what I wanted.
I could not skip that step and manually partition, as I could find no easy way of
then defining the mount points (tips please, if anyone has any).

I then had to generate the key

    /etc/keys/luks-key_for_sdX_crypt

and edit

/etc/default/grub:
    GRUB_ENABLE_CRYPTODISK=y

/etc/crypttab:
    sdX_crypt UUID=1223456.... /etc/keys/luks-key_for_sdX_crypt luks,initramfs

/etc/cryptsetup-initramfs/conf-hook:
    KEYFILE_PATTERN=/etc/keys/luks-*

modify /usr/share/initramfs-tools/hooks/cryptroot:

    # A WARNING is not an ERROR, give me back my FOC
    if printf '%s' "$OPTIONS" | grep -Eq '^(.*,)?rootdev(,.*)?$'; then
        #echo "cryptsetup: WARNING: root target $target uses a key file, skipped" >&2
        #return 1
        echo "cryptsetup: WARNING: root target $target uses a key file" >&2
    # test whether a) key file is not on root fs
    #           or b) root fs is not encrypted
    elif [ "$(stat -c %m -- "$key" 2>/dev/null)" != / ] || ! node_or_pv_is_in_crypttab $rootdevs; then
        #echo "cryptsetup: WARNING: $target's key file $key is not on an encrypted root FS, skipped" >&2
        #return 1
        echo "cryptsetup: WARNING: $target's key file $key is not on an encrypted root FS" >&2
    fi

then reinstall grub and remake the initrd.

To fix delays during boot/shutdown I had to totally remove /etc/init.d/cryptdisks and all references to it.
Having both cryptdisks-early and cryptdisks caused conflicts due to duplicated actions.
Simply disabling cryptdisks left K0cryptdisks references (BUG) that are then invoked on reboot/shutdown.
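
A read-only check of the files named in the message above, added here as an example and not part of the original post or of any Debian/Devuan package. The function names `audit_keyfile_setup` and `make_sample_root` are hypothetical, the sample UUID is constructed, and the UMASK=0077 and 400/600 mode checks are assumptions about how a key file embedded in the initrd should be protected.

```shell
#!/bin/sh
# Prints one line per finding under ROOT (default: live system); returns 0 when clean.
audit_keyfile_setup() {
    root=${1:-} findings=0
    note() { echo "FINDING: $*"; findings=$((findings + 1)); }
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$root/etc/default/grub" 2>/dev/null ||
        note "GRUB_ENABLE_CRYPTODISK=y not set in /etc/default/grub"
    pattern=$(sed -n 's/^KEYFILE_PATTERN=//p' \
        "$root/etc/cryptsetup-initramfs/conf-hook" 2>/dev/null | tr -d "\"'")
    [ -n "$pattern" ] || note "KEYFILE_PATTERN not set in conf-hook"
    # Assumption (not from the post): the initrd now embeds the key, so it
    # should be built unreadable to other users via UMASK in initramfs.conf.
    grep -q '^UMASK=0077' "$root/etc/initramfs-tools/initramfs.conf" 2>/dev/null ||
        note "UMASK=0077 not set in /etc/initramfs-tools/initramfs.conf"
    [ -r "$root/etc/crypttab" ] || { note "no readable /etc/crypttab"; return 1; }
    # crypttab fields: target, source device, key file, options
    while read -r target _src key _opts; do
        case $target in ''|'#'*) continue ;; esac
        case $key in /*) ;; *) continue ;; esac    # "none": passphrase entry
        # $pattern is deliberately unquoted so it is matched as a glob
        case $key in $pattern) ;; *) note "$target: $key not matched by KEYFILE_PATTERN" ;; esac
        if [ ! -f "$root$key" ]; then
            note "$target: key file $key is missing"; continue
        fi
        mode=$(stat -c %a "$root$key")             # GNU stat
        case $mode in 400|600) ;; *) note "$target: $key has mode $mode, want 400 or 600" ;; esac
    done < "$root/etc/crypttab"
    [ "$findings" -eq 0 ]
}

# Constructed sample tree mirroring the files named in the post (UUID is made up).
make_sample_root() {
    d=$(mktemp -d) && mkdir -p "$d/etc/default" "$d/etc/keys" \
        "$d/etc/cryptsetup-initramfs" "$d/etc/initramfs-tools"
    echo 'GRUB_ENABLE_CRYPTODISK=y' > "$d/etc/default/grub"
    echo 'KEYFILE_PATTERN=/etc/keys/luks-*' > "$d/etc/cryptsetup-initramfs/conf-hook"
    echo 'UMASK=0077' > "$d/etc/initramfs-tools/initramfs.conf"
    echo 'sdX_crypt UUID=00000000-0000-0000-0000-000000000000 /etc/keys/luks-key_for_sdX_crypt luks,initramfs' > "$d/etc/crypttab"
    : > "$d/etc/keys/luks-key_for_sdX_crypt"
    chmod 600 "$d/etc/keys/luks-key_for_sdX_crypt"
    echo "$d"
}
```

Run `audit_keyfile_setup "$(make_sample_root)"` to try it on the sample tree, or `audit_keyfile_setup` as root with no argument to check the installed system.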