#451535 debian-installer: allow to 'reuse' encrypted volumes

#451535#5
Date:
2007-11-16 17:50:05 UTC
From:
To:
I had first installed an i386 system with encrypted /home and swap. Then I
decided to also install an amd64 build -- reusing both encrypted
partitions. Although I checked something like 'delete data' in the
encryption setup menu, which I treated as 'preserve/don't touch', it
did reinitialize them and I had to recreate filesystems on top.

So I think 'Delete data' must be named 'Wipe out data', and another item
in the menu should be 'Reuse' or 'Keep existing encrypted volume'.

Thanks in advance!

#451535#10
Date:
2007-11-19 12:35:43 UTC
From:
To:
reassign 451535 partman-crypto
severity 451535 wishlist
thanks
the procedure documented on [1] just before starting the partitioner.

Well, almost.
I did have one strange issue with that procedure though: after crypto and
LVM had been activated, partman did not recognize the existing file systems
on the logical volumes even though they could be mounted. And even though
the partman log _does_ indicate that the partition was recognized.

However, I completely agree that it should be possible to do this in a
simpler way. Reassigning your suggestion to the appropriate component.

Maybe we should have a general option "Detect existing encrypted and/or
logical volumes" on the partman main screen.

Cheers,
FJP

[1] http://wiki.debian.org/DebianInstaller/Rescue/Crypto

#451535#19
Date:
2007-11-19 14:59:19 UTC
From:
To:
clone 451535 -1
reassign -1 partman-lvm
severity -1 normal
thanks

This seems to be an issue in init.d/50lvm from partman-lvm. That script will
basically always create a new loop label on a logical volume and create a
single partition. This is not really necessary if the LV already has a
partition and prevents existing partitions from being detected.

Cloning to partman-lvm for this issue.

#451535#30
Date:
2011-04-03 10:05:54 UTC
From:
To:
package:partman-lvm
version: 70
This also affects Ubuntu 10.10 with partman-lvm version 70.

#451535#37
Date:
2011-09-07 14:59:16 UTC
From:
To:
Here's a first pass at this.  What do people think?

The one thing I don't think I've got right yet is writing out
/etc/crypttab at the end of installation.  This needs a bit more work to
write out the correct files in the partman device directory without
causing partman to reinitialise the encrypted volume.

  * Add an "Activate existing encrypted volumes" option to the
    partman-crypto main menu.  If selected, this searches for existing
    volumes, and for each one prompts for its passphrase and attempts to
    open it; it then returns directly to the partitioning menu
    (closes: #529343, LP: #420080).

=== modified file 'choose_partition/crypto/do_option'
--- choose_partition/crypto/do_option	2009-11-10 14:20:25 +0000
+++ choose_partition/crypto/do_option	2011-09-07 14:18:17 +0000
@@ -12,6 +12,113 @@

 . /lib/partman/lib/crypto-base.sh

+find_encrypted_partitions () {
+	local ret dev num id size type fs path name
+
+	ret=1
+	for dev in $DEVICES/*; do
+		[ -d "$dev" ] || continue
+		cd "$dev"
+
+		open_dialog PARTITIONS
+		while { read_line num id size type fs path name; [ "$id" ]; }; do
+			[ "$ret" = 1 ] || continue
+			[ "$fs" != free ] || continue
+			if cryptsetup isLuks "$path" 2>/dev/null; then
+				ret=0
+			fi
+		done
+		close_dialog
+
+		if [ "$ret" = 0 ]; then
+			return 0
+		fi
+	done
+
+	return 1
+}
+
+get_passphrase () {
+	db_set partman-crypto/passphrase-existing ""
+	db_fset partman-crypto/passphrase-existing seen false
+	db_subst partman-crypto/passphrase-existing DEVICE "$1"
+	db_input critical partman-crypto/passphrase-existing
+
+	db_go || return 1
+
+	db_get partman-crypto/passphrase-existing || RET=''
+	echo -n "$RET"
+}
+
+do_cryptsetup () {
+	local id path cryptdev pass
+
+	id="$1"
+	path="$2"
+	cipher="$(cryptsetup luksDump "$path" |
+		  sed -n '/^Cipher name:/s/.*[[:space:]]//p')"
+	if [ "$cipher" ]; then
+		crypto_load_modules dm-crypt "$cipher"
+	fi
+
+	cryptdev="${path##*/}_crypt"
+	if ! cryptsetup status "$cryptdev" >/dev/null 2>&1; then
+		while :; do
+			pass="$(get_passphrase "$path")" || return 1
+			if [ -z "$pass" ]; then
+				return 1
+			fi
+			echo -n "$pass" | log-output -t partman-crypto \
+				cryptsetup -d - luksOpen "$path" "$cryptdev" \
+				&& break
+		done
+
+		echo "$cryptdev" >"$id/crypt_active"
+		db_subst partman-crypto/text/in_use DEV "${cryptdev##*/}"
+		db_metaget partman-crypto/text/in_use description
+		partman_lock_unit "$(mapdevfs "$path")" "$RET"
+	fi
+}
+
+do_activate () {
+	local dev partitions num id size type fs path name part
+
+	for dev in $DEVICES/*; do
+		[ -d "$dev" ] || continue
+		cd "$dev"
+
+		partitions=
+		open_dialog PARTITIONS
+		while { read_line num id size type fs path name; [ "$id" ]; }; do
+			[ "$fs" != free ] || continue
+			partitions="$partitions $id,$path"
+		done
+		close_dialog
+
+		for part in $partitions; do
+			id="${part%%,*}"
+			path="${part#*,}"
+
+			if cryptsetup isLuks "$path" 2>/dev/null; then
+				do_cryptsetup "$id" "$path" || continue
+			fi
+		done
+	done
+
+	# Encrypted devices as configured by d-i usually contain LVM PVs
+	export LVM_SUPPRESS_FD_WARNINGS=1
+	log-output -t partman-crypto pvscan
+	log-output -t partman-crypto vgscan
+	log-output -t partman-crypto vgchange -a y
+
+	# Tell partman to detect filesystems again.
+	rm -f /var/lib/partman/filesystems_detected
+
+	stop_parted_server
+	restart_partman
+	exit 0
+}
+
 do_create () {
 	local parts line pv output vg pathmap
 	parts=""
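Review bot: in `do_cryptsetup` the variable `cipher` is assigned but is missing from the `local id path cryptdev pass` declaration, so it leaks into the caller's scope and into the main-menu loop; add it to the `local` list (the later revision of this function in #42 does declare it). Also, when `cryptsetup luksOpen` rejects the passphrase, the `while :` loop simply redisplays the prompt with no indication that the previous attempt failed; showing an error template before re-prompting would keep users from assuming the installer hung.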
@@ -89,10 +196,25 @@ confirm_changes partman-crypto || exit 0
 commit_changes partman-crypto/commit_failed || exit $?

 while :; do
+	CHOICES=
+	DESCRIPTIONS=
+	add_choice () {
+		CHOICES="${CHOICES:+$CHOICES, }$1"
+		db_metaget "partman-crypto/mainmenu/$1" description
+		DESCRIPTIONS="${DESCRIPTIONS:+$DESCRIPTIONS, }$RET"
+	}
+	if find_encrypted_partitions; then
+		add_choice activate
+	fi
+	add_choice create
+	add_choice finish
+	db_subst partman-crypto/mainmenu CHOICES "$CHOICES"
+	db_subst partman-crypto/mainmenu DESCRIPTIONS "$DESCRIPTIONS"
 	db_input critical partman-crypto/mainmenu
 	db_go || exit 10
 	db_get partman-crypto/mainmenu
 	case $RET in
+	    activate)	do_activate ;; # does not return
 	    create)	do_create ;;
 	    finish)	break ;;
 	    *)
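Review bot: `add_choice` is (re)defined on every pass through the `while :` loop; hoist the function definition above the loop and leave only the `CHOICES=`/`DESCRIPTIONS=` resets and the `add_choice` calls inside it. The `# does not return` comment on the `activate)` arm is correct only because `do_activate` ends in `exit 0`; it needs to stay in sync if that function ever gains an early `return`.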

=== modified file 'debian/partman-crypto.templates'
--- debian/partman-crypto.templates	2009-12-05 22:29:36 +0000
+++ debian/partman-crypto.templates	2011-09-06 23:21:59 +0000
@@ -364,6 +364,14 @@ _Description: Use weak passphrase?
  You entered a passphrase that consists of less than ${MINIMUM} characters,
  which is considered too weak. You should choose a stronger passphrase.

+Template: partman-crypto/passphrase-existing
+Type: password
+# :sl3:
+_Description: Passphrase for ${DEVICE}:
+ Please enter the passphrase for the encrypted volume ${DEVICE}.
+ .
+ If you don't enter anything, the volume will not be activated.
+
 Template: partman-crypto/entropy
 Type: entropy
 # :sl3:
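Review bot: `get_passphrase` clears `partman-crypto/passphrase-existing` with `db_set ... ""` before each prompt but never after the value has been read, so the last passphrase entered stays in the cdebconf database for the rest of the install (and in any debconf dump taken afterwards). Clear it again right after the `db_get` in `get_passphrase`.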
@@ -430,15 +438,35 @@ _Description: Proceed to install crypto

 Template: partman-crypto/mainmenu
 Type: select
-Choices-C: create, finish
+Choices-C: ${CHOICES}
+Choices: ${DESCRIPTIONS}
+# :sl3:
+_Description: Encryption configuration actions
+ This menu allows you to configure encrypted volumes.
+
+Template: partman-crypto/mainmenu/activate
+Type: text
 # Note to translators : Please keep your translations of the choices
 # below a 65 columns limit (which means 65 characters
 # in single-byte languages)
 # :sl3:
-__Choices: Create encrypted volumes, Finish
+_Description: Activate existing encrypted volumes
+
+Template: partman-crypto/mainmenu/create
+Type: text
+# Note to translators : Please keep your translations of the choices
+# below a 65 columns limit (which means 65 characters
+# in single-byte languages)
 # :sl3:
-_Description: Encryption configuration actions
- This menu allows you to configure encrypted volumes.
+_Description: Create encrypted volumes
+
+Template: partman-crypto/mainmenu/finish
+Type: text
+# Note to translators : Please keep your translations of the choices
+# below a 65 columns limit (which means 65 characters
+# in single-byte languages)
+# :sl3:
+_Description: Finish

 Template: partman-crypto/create/partitions
 Type: multiselect
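Review bot: the "keep your translations ... below a 65 columns limit" translator note is now copied verbatim into three `Type: text` templates; since each of these is a single short string rather than a comma-separated choices list, keep the note once or drop it. Otherwise the split into per-item templates assembled with `db_metaget` is the normal way to build a dynamic `Choices-C`/`Choices` pair.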

#451535#42
Date:
2011-09-09 13:13:36 UTC
From:
To:
I meant to send my previous version to the first of the merged bug set,
#451535.  I'll send further mails only there rather than to #529343 as
well.

Well.  Yes.  That turned out to be the second 90% of the work!  After
trying a few alternatives, I ended up with a new 'crypto_keep' method
and then tried to let init.d/crypto do as much of the work as possible,
while still being careful to avoid reinitialising the contents of
encrypted volumes.

In the process, I also decided that it was better to always have the
Activate option present, without trying to detect existing volumes
first.  That way, we can actively warn people that this method only
works with LUKS where we have a useful encrypted volume header and that
they should back up their data before attempting an installation, rather
than having them get confused into destroying their data as before.

I'm fairly happy with this now, and am inclined to commit it if there
are no objections.  The one problem I've found is that the check for an
unencrypted /boot doesn't work properly when activating existing
LVM-on-crypto volumes, but I think that's actually a pre-existing bug so
I'm not going to let that block this change.

  * Add an "Activate existing encrypted volumes" option to the
    partman-crypto main menu.  If selected, this searches for existing
    volumes, and for each one prompts for its passphrase and attempts to
    open it; it then returns directly to the partitioning menu (closes:
    #451535, LP: #420080).

=== modified file 'check.d/crypto_check_mountpoints'
--- check.d/crypto_check_mountpoints	2008-03-14 19:25:59 +0000
+++ check.d/crypto_check_mountpoints	2011-09-08 19:20:22 +0000
@@ -43,7 +43,7 @@ for dev in $DEVICES/*; do
 		[ -f $realdevdir/method ] || continue
 		method=$(cat $realdevdir/method)
 		type=$(cat $realdevdir/crypto_type)
-		[ $method = crypto ] || continue
+		[ $method = crypto ] || [ $method = crypto_keep ] || continue

 		# Check 1 - Is cryptoroot possible?
 		if [ "$mnt" = / ]; then
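Review bot: the two-method test `[ $method = crypto ] || [ $method = crypto_keep ] || continue` is repeated across this patch in check.d/crypto_check_mountpoints, finish.d/crypto_aptinstall, init.d/crypto and (negated) twice in lib/crypto-base.sh; a small helper in crypto-base.sh built around `case "$method" in crypto|crypto_keep)` would keep the next method addition from missing one of them. While touching the line, quote `$method`: with an empty `method` file the unquoted test expands to `[ = crypto ]` and errors out instead of skipping the device.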

=== modified file 'choose_partition/crypto/do_option'
--- choose_partition/crypto/do_option	2009-11-10 14:20:25 +0000
+++ choose_partition/crypto/do_option	2011-09-09 11:30:35 +0000
@@ -12,6 +12,118 @@

 . /lib/partman/lib/crypto-base.sh

+get_passphrase () {
+	db_set partman-crypto/activate/passphrase-existing ""
+	db_fset partman-crypto/activate/passphrase-existing seen false
+	db_subst partman-crypto/activate/passphrase-existing DEVICE "$1"
+	db_input critical partman-crypto/activate/passphrase-existing
+
+	db_go || return 1
+
+	db_get partman-crypto/activate/passphrase-existing || RET=''
+	echo -n "$RET"
+}
+
+do_cryptsetup () {
+	local dev num id size path
+	local dump cipher keysize ivalgorithm keytype keyhash
+	local cryptdev pass
+
+	dev=$1
+	num=$2
+	id=$3
+	size=$4
+	path=$5
+
+	dump="$(cryptsetup luksDump "$path")"
+	cipher="$(echo "$dump" | sed -n '/^Cipher name:/s/.*[[:space:]]//p')"
+	if [ "$cipher" ]; then
+		crypto_load_udebs "cdebconf-$DEBIAN_FRONTEND-entropy" \
+				  partman-crypto-dm
+		crypto_check_required_tools dm-crypt
+		crypto_load_modules dm-crypt "$cipher"
+	fi
+	keysize="$(echo "$dump" | sed -n '/^MK bits:/s/.*[[:space:]]//p')"
+	ivalgorithm="$(echo "$dump" | sed -n '/^Cipher mode:/s/.*[[:space:]]//p')"
+	keytype=passphrase
+	keyhash="$(echo "$dump" | sed -n '/^Hash spec:/s/.*[[:space:]]//p')"
+
+	cryptdev="${path##*/}_crypt"
+	if ! cryptsetup status "$cryptdev" >/dev/null 2>&1; then
+		while :; do
+			pass="$(get_passphrase "$path")" || return 1
+			if [ -z "$pass" ]; then
+				return 1
+			fi
+			echo -n "$pass" | log-output -t partman-crypto \
+				cryptsetup -d - luksOpen "$path" "$cryptdev" \
+				&& break
+		done
+
+		cryptdev="/dev/mapper/$cryptdev"
+		echo dm-crypt > $id/crypto_type
+		echo "$keysize" > $id/keysize
+		echo "$ivalgorithm" > $id/ivalgorithm
+		echo "$keytype" > $id/keytype
+		echo "$keyhash" > $id/keyhash
+		echo cipher > $id/cipher
+		echo crypto_keep > $id/method
+		echo "$cryptdev" > $id/crypt_active
+
+		db_subst partman-crypto/text/in_use DEV "${cryptdev##*/}"
+		db_metaget partman-crypto/text/in_use description
+		partman_lock_unit "$(mapdevfs "$path")" "$RET"
+	fi
+}
+
+do_activate () {
+	local found_luks dev partitions num id size type fs path name part
+
+	found_luks=0
+	for dev in $DEVICES/*; do
+		[ -d "$dev" ] || continue
+		cd "$dev"
+
+		partitions=
+		open_dialog PARTITIONS
+		while { read_line num id size type fs path name; [ "$id" ]; }; do
+			[ "$fs" != free ] || continue
+			partitions="$partitions $id,$path"
+		done
+		close_dialog
+
+		for part in $partitions; do
+			id="${part%%,*}"
+			path="${part#*,}"
+
+			if cryptsetup isLuks "$path" 2>/dev/null; then
+				found_luks=1
+				do_cryptsetup "$dev" "$num" "$id" "$size" \
+					"$path" || continue
+			fi
+		done
+	done
+
+	if [ "$found_luks" = 0 ]; then
+		db_input critical partman-crypto/activate/no_luks
+		db_go || true
+		return
+	fi
+
+	# Encrypted devices as configured by d-i usually contain LVM PVs
+	export LVM_SUPPRESS_FD_WARNINGS=1
+	log-output -t partman-crypto pvscan
+	log-output -t partman-crypto vgscan
+	log-output -t partman-crypto vgchange -a y
+
+	# Tell partman to detect filesystems again.
+	rm -f /var/lib/partman/filesystems_detected
+
+	stop_parted_server
+	restart_partman
+	exit 0
+}
+
 do_create () {
 	local parts line pv output vg pathmap
 	parts=""
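Review bot: `echo cipher > $id/cipher` writes the literal word `cipher` rather than the value parsed from luksDump; it should be `echo "$cipher" > $id/cipher`, otherwise init.d/crypto's `cipher=$(cat $id/cipher)` feeds the string "cipher" into the cryptdev_description template and into anything else that reads that file. Also, `do_activate` passes `$num` and `$size` to `do_cryptsetup`, but those still hold whatever the last `read_line` in the PARTITIONS loop left behind, not the values for the partition being opened; since `do_cryptsetup` never uses them, drop the two parameters or store them alongside `$id,$path` in `$partitions`.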
@@ -93,6 +231,7 @@ while :; do
 	db_go || exit 10
 	db_get partman-crypto/mainmenu
 	case $RET in
+	    activate)	do_activate ;; # exits if any volumes were activated
 	    create)	do_create ;;
 	    finish)	break ;;
 	    *)
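Review bot: the `# exits if any volumes were activated` comment overstates what `do_activate` checks: `found_luks` is set to 1 as soon as `cryptsetup isLuks` succeeds, before the passphrase prompt, so the function still runs pvscan/vgscan/vgchange, restarts partman and `exit 0`s when every prompt was cancelled or left empty and nothing was opened. Count successful `luksOpen`s separately and only take the restart path when that count is non-zero.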

=== modified file 'debian/control'
--- debian/control	2011-05-03 16:05:09 +0000
+++ debian/control	2011-09-09 12:06:37 +0000
@@ -12,7 +12,7 @@ Vcs-Bzr: http://bazaar.launchpad.net/~ub
 Package: partman-crypto
 XC-Package-Type: udeb
 Architecture: any
-Depends: partman-base (>= 134), cdebconf-udeb (>= 0.133), di-utils (>= 1.68), ${shlibs:Depends}, ${misc:Depends}
+Depends: partman-base (>= 134), partman-lvm (>= 62), cdebconf-udeb (>= 0.133), di-utils (>= 1.68), ${shlibs:Depends}, ${misc:Depends}
 Description: Add to partman support for block device encryption

 Package: partman-crypto-dm
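Review bot: the new hard `partman-lvm (>= 62)` dependency is what lets init.d/crypto source /lib/partman/lib/lvm-base.sh and call `pv_get_vg`/`vg_lock_pvs`, but the changelog entry quoted in this mail doesn't mention it; add a line so the reason for the version floor is recorded, and confirm 62 is the first partman-lvm that provides both helpers.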

=== modified file 'debian/partman-crypto.templates'
--- debian/partman-crypto.templates	2009-12-05 22:29:36 +0000
+++ debian/partman-crypto.templates	2011-09-08 11:16:40 +0000
@@ -430,12 +430,12 @@ _Description: Proceed to install crypto

 Template: partman-crypto/mainmenu
 Type: select
-Choices-C: create, finish
+Choices-C: activate, create, finish
 # Note to translators : Please keep your translations of the choices
 # below a 65 columns limit (which means 65 characters
 # in single-byte languages)
 # :sl3:
-__Choices: Create encrypted volumes, Finish
+__Choices: Activate existing encrypted volumes, Create encrypted volumes, Finish
 # :sl3:
 _Description: Encryption configuration actions
  This menu allows you to configure encrypted volumes.
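Review bot: with `activate` now unconditionally in `Choices-C`, the earlier `find_encrypted_partitions` pre-check is gone, which matches the rationale in the mail; note that `__Choices` keeps each comma-separated item separately translatable, so the item count and order must stay identical to `Choices-C` in every translation.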
@@ -454,3 +454,20 @@ Type: error
 # :sl3:
 _Description: No devices selected
  No devices were selected for encryption.
+
+Template: partman-crypto/activate/no_luks
+Type: error
+# :sl3:
+_Description: No LUKS devices found
+ This partitioning program can only activate existing encrypted volumes that
+ use the LUKS format (dm-crypt with a passphrase). No such volumes were
+ found. If you have encrypted volumes using other formats, you may need to
+ back up your data before continuing with installation.
+
+Template: partman-crypto/activate/passphrase-existing
+Type: password
+# :sl3:
+_Description: Passphrase for ${DEVICE}:
+ Please enter the passphrase for the encrypted volume ${DEVICE}.
+ .
+ If you don't enter anything, the volume will not be activated.
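Review bot: the no_luks text promises activation for "dm-crypt with a passphrase", yet the detection is only `cryptsetup isLuks`, so a LUKS volume protected by a keyfile is found (no error shown), then prompted for a passphrase that cannot succeed, while `do_cryptsetup` hardcodes `keytype=passphrase`. Either extend the error text to say keyfile-protected LUKS volumes aren't supported, or explain it on the passphrase prompt's cancel path. The "you may need to back up your data" sentence is also the only place the backup warning from the mail surfaces; consider showing it on the activate path itself, before any `luksOpen`.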

=== modified file 'finish.d/crypto_aptinstall'
--- finish.d/crypto_aptinstall	2008-03-20 21:06:33 +0000
+++ finish.d/crypto_aptinstall	2011-09-07 22:17:00 +0000
@@ -39,7 +39,7 @@ for dev in $DEVICES/*; do
 		[ -f $id/crypto_type ] || continue

 		method=$(cat $id/method)
-		[ $method = crypto ] || continue
+		[ $method = crypto ] || [ $method = crypto_keep ] || continue

 		type=$(cat $id/crypto_type)
 		case $type in

=== modified file 'init.d/crypto'
--- init.d/crypto	2010-05-27 09:44:55 +0000
+++ init.d/crypto	2011-09-09 12:36:17 +0000
@@ -4,6 +4,17 @@
 # setup in choose_partition/crypto/do_option.

 . /lib/partman/lib/base.sh
+. /lib/partman/lib/lvm-base.sh
+
+# Avoid warnings from lvm2 tools about open file descriptors
+export LVM_SUPPRESS_FD_WARNINGS=1
+
+if [ -x /sbin/vgdisplay ]; then
+	vgroups=$(/sbin/vgdisplay 2>/dev/null | grep '^[ ]*VG Name' | \
+		sed -e 's/.*[[:space:]]\(.*\)$/\1/' | sort)
+else
+	vgroups=''
+fi

 dev_to_devdir () {
 	echo $DEVICES/$(echo $1 | tr / =)
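Review bot: `vgroups` is computed with `/sbin/vgdisplay | grep | sed` at every partman init, whether or not any `crypto_keep` device exists, and the `-x /sbin/vgdisplay` test hardcodes a path where `type vgdisplay` would follow the udeb's layout; since lvm-base.sh is now sourced anyway, reuse its VG listing if it provides one instead of carrying a second parser here. The global `export LVM_SUPPRESS_FD_WARNINGS=1` duplicates the one in do_option's `do_activate`; acceptable, but worth keeping in one place.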
@@ -72,7 +83,7 @@ create_partition () {
 }

 create_cryptdisk () {
-	local dev id num size path cryptdev cipher
+	local dev id num size path cryptdev cipher file vg vgs
 	dev=$1
 	id=$2
 	num=$3
@@ -81,6 +92,7 @@ create_cryptdisk () {

 	cipher=$(cat $id/cipher)
 	keytype=$(cat $id/keytype)
+	method=$(cat $id/method)

 	templ="partman-crypto/text/cryptdev_description"
 	db_subst $templ CIPHER $cipher
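Review bot: `method=$(cat $id/method)` is a new assignment inside `create_cryptdisk`, but `method` is not in the `local dev id num size path cryptdev cipher file vg vgs` list the previous hunk just extended; add it there, since the main loop at the bottom of this file reads its own `method` variable right before calling `create_cryptdisk` and would otherwise have it overwritten.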
@@ -128,17 +140,47 @@ create_cryptdisk () {
 	case $filesystem in
 		linux-swap)
 			echo swap > $cryptpart/method
-			>$cryptpart/format
+			if [ "$method" = crypto ]; then
+				>$cryptpart/format
+			else
+				rm -f $cryptpart/format
+			fi
 			;;

 		$default_fs)
-			echo format > $cryptpart/method
-			>$cryptpart/format
-			>$cryptpart/use_filesystem
-			echo $filesystem > $cryptpart/filesystem
+			if [ "$method" = crypto ]; then
+				echo format > $cryptpart/method
+				>$cryptpart/format
+				>$cryptpart/use_filesystem
+				echo $filesystem > $cryptpart/filesystem
+			else
+				echo keep > $cryptpart/method
+				rm -f $cryptpart/format
+			fi
 			;;
 	esac

+	# To avoid ordering problems between init.d/crypto and init.d/lvm,
+	# we need to duplicate a bit of the latter here, in case an existing
+	# crypto device contains an LVM PV.
+	if [ "$method" = crypto_keep ]; then
+		if pvdisplay "$cryptdev" >/dev/null 2>&1; then
+			for file in acting_filesystem filesystem format \
+				    formatable use_filesystem; do
+				rm -f $cryptpart/$file
+			done
+			echo lvm > $cryptpart/method
+			if [ ! -e $cryptpart/locked ]; then
+				vg="$(pv_get_vg "$cryptdev")"
+				for vgs in $vgroups; do
+					if [ "$vg" = "$vgs" ]; then
+						vg_lock_pvs "$vg" "$cryptdev"
+					fi
+				done
+			fi
+		fi
+	fi
+
 	update_partition $cryptdir $cryptid

 	echo $path:$num:$dev/$id > $cryptdir/crypt_realdev
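Review bot: the `case $filesystem in` block only has the `linux-swap` and `$default_fs` arms, which was fine when every crypto device was created by d-i with the default filesystem, but for `crypto_keep` the filesystem is whatever the user left there (xfs, a non-default ext variant); such a device falls through both arms and gets no `method`, `format` or `use_filesystem` handling at all. Add a `*)` arm for the keep case that writes `keep` and removes `format`, mirroring the `$default_fs` else-branch. The PV branch looks right: it clears the filesystem files, sets `lvm` and locks the PV only when the VG is already known from `vgroups`.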
@@ -174,7 +216,7 @@ for dev in /var/lib/partman/devices/*; d
 		[ -f $id/crypt_active ] || continue

 		method=$(cat $id/method)
-		[ $method = crypto ] || continue
+		[ $method = crypto ] || [ $method = crypto_keep ] || continue

 		if ! create_cryptdisk $dev $id $num $size $path; then
 			db_fset partman-crypto/init_failed seen false

=== modified file 'lib/crypto-base.sh'
--- lib/crypto-base.sh	2011-08-26 12:20:00 +0000
+++ lib/crypto-base.sh	2011-09-07 22:27:14 +0000
@@ -82,7 +82,7 @@ crypto_prepare () {
 	if [ "$method" = swap ]; then
 		disable_swap "$dev" "$id"
 	fi
-	if [ "$method" != crypto ]; then
+	if [ "$method" != crypto ] && [ "$method" != crypto_keep ]; then
 		crypto_prepare_method "$id" dm-crypt || return 1
 		rm -f "$id/use_filesystem"
 		rm -f "$id/format"
@@ -820,7 +820,8 @@ crypto_check_setup() {
 			[ -f $id/crypto_type ] || continue

 			method=$(cat $id/method)
-			if [ $method != crypto ]; then
+			if [ $method != crypto ] && \
+			   [ $method != crypto_keep ]; then
 				continue
 			fi
 			type=$(cat $id/crypto_type)

=== modified file 'update.d/crypto_visuals'
--- update.d/crypto_visuals	2007-12-05 20:18:24 +0000
+++ update.d/crypto_visuals	2011-09-07 22:16:23 +0000
@@ -37,8 +37,9 @@ cryptdev_shortname ()
 	esac
 }
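Review bot: this hunk is truncated in the copy as posted: the header `@@ -37,8 +37,9 @@` announces nine new lines, but only three unchanged context lines follow and no `+` line, so whatever `cryptdev_shortname` gains for `crypto_keep` cannot be reviewed here. Please resend the update.d/crypto_visuals part.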

#451535#49
Date:
2011-10-29 23:31:04 UTC
From:
To:
This bug just ate my LVM2 volume group.

Thanks for nothing.

What a stupidly named set of options.

Whoever wrote that code needs to be shot.

Thank christ I took a backup of the most important data (including my
kids' first words) or I'd be really buggered now.

Also of note:  "Undo changes to partition tables" does NOT restore the
disks to their previous unmolested states.

This is NOT intuitive OR sane behaviour.

#451535#56
Date:
2012-09-13 10:02:26 UTC
From:
To:
Hi,

I tried yesterday and today 5 or more times to install wheezy on my
laptop with crypted lvm full disk: I could just not boot the system,
which hangs on: passphrase never recognised.

This laptop runs "squeeze lvm crypted" without problem as my other laptops
do (amd64 on this, and i386 on the others).

I tried different flavors of install disks:

net install, iso-1, daily etc ... amd64 and i386 :(:(

I never got past the passphrase asking (and yes, I checked carefully my
passphrase).

There is also something strange with the firmware (network recognition):
I had to answer "no", but the firmwares were on a separate usb-stick:
with "no" as an answer, everything went OK.

best regards

Eric

#451535#61
Date:
2012-09-13 10:18:58 UTC
From:
To:
Streit Eric <Ericounet26200@gmail.com> (13/09/2012):

Keymap issues? Try typing it as if you had a qwerty keyboard?

Mraw,
KiBi.

#451535#66
Date:
2015-07-18 13:35:54 UTC
From:
To:
This bug still reproduces in Jessie. Any plans to fix it?

#451535#71
Date:
2015-08-02 04:31:04 UTC
From:
To:
I totally empathise with Ian's frustration. I myself spent eight hours
trying to circumvent this 'bug', to put it mildly. I tried to follow a
half-dozen contradictory, inaccurate and incomplete walkthroughs with
no success, so I'm giving up and starting from scratch.

The walkthrough at
http://wiki.debian.org/DebianInstaller/Rescue/Crypto does not exist.

As this bug hasn't been addressed in 8 years, it may be worth giving
up on it. If so, there should at least be bold warnings to anybody
tempted to set up encrypted volumes that they will not be reusable if
one needs to reinstall Debian unless they have highly advanced
knowledge of hand-writing configuration files from rescue CDs. This
would, at least, stop hundreds of aggregate human hours from being
wasted.

#451535#76
Date:
2015-10-07 01:20:48 UTC
From:
To:
Bump. This is a most annoying bug and it's been around for way too long.

Colin Watson suggested around 2011/09/09 that he had a workable fix.
Is it still true? Why wasn't it committed in the end? How can we move
forward with this?

Cheers,
Quentin

#451535#85
Date:
2017-04-12 20:45:42 UTC
From:
To:
BUMP again. This is a really annoying bug which disallows installing Debian
on pre-formatted disks/partitions. Any progress? Was Colin Watson's
proposed patch accepted? Or what is the current state of it?

#451535#90
Date:
2017-05-15 20:20:00 UTC
From:
To:
severity: critical

I would like to say this bug still persists on Debian Stretch.

I suggest this bug be marked as 'critical', since this could lead to
data loss.

The debian installer doesn't recognize a previous encrypted volume (tested
with netinstall.iso). The critical part is that even with the workaround to
recognize the partitions on the encrypted volume, the installer only advances on
formatting these partitions, causing data loss.

This is a long-time bug and I think this could be fixed in time for the Stretch
release. I don't know if the Ubuntu installer is the same, but this bug
doesn't exist on Ubuntu.

How to achieve the bug:

Step 1:
On "Partition disk" go to "Configure encrypted volumes"
https://www.dropbox.com/s/xvsa2d6l4k925oz/step1.png

Step 2:
Select "Create encrypted volume". This will make anna install the necessary
packages to work with encryption.
P.s.: on Ubuntu, this step shows an option to setup an existing encrypted
volume.
https://www.dropbox.com/s/hii5g0uvewb3djq/step2.png

Step 3:
Go back.
https://www.dropbox.com/s/ckzb2r4pgirufum/step3.png

Step 4:
Do NOT save changes to disk.
https://www.dropbox.com/s/1s5r2h8x1rfi419/step4.png

Step 5:
Go back. Open a shell. Open luks volume. Activate volume group. Exit.
https://www.dropbox.com/s/658k4bqe5vzdpf1/step5.png

Step 6:
Detect disks. LVM partitions are now seen.
https://www.dropbox.com/s/6fdxpoqmef4htz6/step6.png

Step 7 (This is the critical bug):
Choosing any LVM partition and selecting to use as the previous format
system leads to "re-format" the partition. This step should ask if you want
to keep the existing file system. This could lead to /home data loss.
On Ubuntu you can choose to not format the partition at this stage.
https://www.dropbox.com/s/qmjiuv1enicg49b/step7.png

I hope this helps to solve this annoying problem. Today it's impossible to
install Debian on an already encrypted system without data loss.

Cheers,

Kolmar Kafran.

#451535#95
Date:
2017-05-15 20:26:28 UTC
From:
To:
[...]

It is in the nature of an installer that it is capable of overwriting
existing data.  Based on your instructions, I think the installer
already makes it quite clear what's going to happen.

Ben.

#451535#100
Date:
2017-05-15 20:37:25 UTC
From:
To:
The documentation defines that:

Since it is not possible to advance with the installation without
formatting the partition, based on the severity levels definition, I
think this should be marked as critical.

Att,

Kolmar Kafran.

#451535#105
Date:
2017-05-15 21:59:11 UTC
From:
To:
You always have the option to do nothing.

Ben.

#451535#110
Date:
2019-09-07 10:48:52 UTC
From:
To:
Dear Maintainer,

   * What led up to the situation?

Trying to do a fresh Buster installation using "Expert install" on an
old computer with encrypted LVM volumes, with the aim of not
formatting the volumes. I was using ISO image
debian-10.0.0-amd64-DVD-1.iso on a MicroSD card.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

The encrypted partition was not recognized initially at all, however,
the embedded LVM volumes were recognised after manually opening the LUKS
wrapper (along the lines in Message #90).

NB. A boot into Rescue mode recognizes and opens the encrypted volume
correctly.

   * What was the outcome of this action?

The installer does not recognize the existing filesystems on LVM
volumes (unlike the Rescue mode). Proceeding with installation results
in formatting of the selected volumes and data loss.

This may be mitigated by selecting only a root volume at installation
stage and manually reconfiguring the other filesystems later.

   * What outcome did you expect instead?

The existing filesystems should be recognized and formatting should be
optional, just as it is with pre-existing native disk volumes.
[Does this work with unencrypted LVM?]

This bug has persisted for a long time and it bites long-term Debian
users who are upgrading their systems, causing loss of time and
data. This makes an upgrade a challenge and encourages keeping obsolete
systems in operation.

#451535#115
Date:
2019-09-07 18:25:18 UTC
From:
To:
On Sat, 2019-09-07 at 13:48 +0300, M Santala wrote:
[...]

What makes you think the installer is intended to be used for upgrades?

Ben.

#451535#120
Date:
2019-09-14 11:49:35 UTC
From:
To:
Not for upgrading an existing OS installation but it should be usable
for a fresh OS install while preserving user data. That is an important
goal in having a separate /home partition.

I do realise that in such a scenario the configuration files in user's
home directories may need some manual attention.

#451535#125
Date:
2019-11-21 00:18:32 UTC
From:
To:
There's another use case here too, in cases where I want to use my own LUKS
parameters - that the installer doesn't expose. Perhaps I want
--type=luks1, maybe I want a different --iter-time, etc. Actually, if the
installer (in expert mode) let us pass arbitrary arguments for cryptsetup
this would close up this use case.
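Message #125 asks for LUKS options the installer doesn't expose (for instance --type=luks1), and the activation patch in #42 pulls cipher, mode, hash and key size out of `cryptsetup luksDump` with sed patterns written for the LUKS1 text layout. The POSIX sh below is an added example, not code from the bug report or from partman-crypto: it applies the same extraction to two constructed dump samples (one in the LUKS1 layout, one in the LUKS2 layout), fails closed when the fields are absent instead of writing empty values, and stores the parsed values, not literal words, into a partman-style device directory. The function names, both sample dumps and the target directory are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the bug report or partman-crypto): parse the
# header fields that the #42 patch's do_cryptsetup reads from
# `cryptsetup luksDump` and refuse to go on when they are missing.

# Constructed sample mirroring the layout of a LUKS1 `cryptsetup luksDump`.
SAMPLE_LUKS1_DUMP='LUKS header information for /dev/sda5

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512'

# Constructed sample in the LUKS2 layout: the same facts live under
# "Data segments"/"Keyslots" with different labels, so the LUKS1-era
# patterns find nothing at all.
SAMPLE_LUKS2_DUMP='LUKS header information
Version:        2
Epoch:          3

Data segments:
  0: crypt
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        AF hash:    sha256'

# luks_field DUMP LABEL: value after "LABEL:" using the sed idiom the patch
# uses (strip everything up to the last whitespace); empty when absent.
luks_field () {
    printf '%s\n' "$1" | sed -n "/^$2:/s/.*[[:space:]]//p"
}

# luks_header_fields DUMP: prints "cipher mode hash bits" on one line and
# returns 1 if any field is missing, so a caller stops before writing
# partial metadata into a device directory.
luks_header_fields () {
    _cipher=$(luks_field "$1" 'Cipher name')
    _mode=$(luks_field "$1" 'Cipher mode')
    _hash=$(luks_field "$1" 'Hash spec')
    _bits=$(luks_field "$1" 'MK bits')
    [ -n "$_cipher" ] && [ -n "$_mode" ] && [ -n "$_hash" ] && [ -n "$_bits" ] || return 1
    printf '%s %s %s %s\n' "$_cipher" "$_mode" "$_hash" "$_bits"
}

# write_crypt_metadata DIR DUMP: creates the files the patch writes under
# $id (cipher, ivalgorithm, keyhash, keysize, keytype) in DIR, using the
# parsed values. DIR is a hypothetical writable directory. Nothing is
# written when parsing fails.
write_crypt_metadata () {
    _dir=$1
    _fields=$(luks_header_fields "$2") || return 1
    set -- $_fields
    mkdir -p "$_dir" || return 1
    printf '%s\n' "$1" > "$_dir/cipher"
    printf '%s\n' "$2" > "$_dir/ivalgorithm"
    printf '%s\n' "$3" > "$_dir/keyhash"
    printf '%s\n' "$4" > "$_dir/keysize"
    printf '%s\n' passphrase > "$_dir/keytype"
}

# Stand-alone run: fields for the LUKS1 sample, refusal for the LUKS2 one.
luks_header_fields "$SAMPLE_LUKS1_DUMP"
luks_header_fields "$SAMPLE_LUKS2_DUMP" ||
    echo "no LUKS1-style header fields found; not writing metadata"
```

The fail-closed path is the point: with the patch's patterns a LUKS2 header yields an empty `cipher`, which silently skips `crypto_load_modules` and would store empty `keysize`/`keyhash` files, so a caller should treat an incomplete parse as "unsupported volume, leave it alone" rather than continue.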

#451535#130
Date:
2026-01-11 21:34:28 UTC
From:
To:
Without knowing about this bug report and Colin's patch yet, I worked on
a different approach and just opened a draft MR:

<https://salsa.debian.org/installer-team/partman-crypto/-/merge_requests/11>

Some of the commits are mostly "cosmetic" but I believe it can improve
user experience.

Feedback and comments welcome.

#451535#135
Date:
2026-01-18 11:38:30 UTC
From:
To:
Does anyone object to merging #660191 and #907955 with #451535 and others?

<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=451535>
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=#660191>
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907955>

#451535#140
Date:
2026-01-18 20:13:12 UTC
From:
To:
Hi,

On 18 January 2026 at 12:38:30 CET, Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:

No, feel free to do so.


Holger