- Package: partman-crypto
- Source: partman-crypto
- Submitter: Yaroslav Halchenko
- Date: 2026-01-18 22:53:03 UTC
- Severity: important
I had first installed an i386 system with encrypted /home and swap. Then I decided to also install the amd64 build -- reusing both encrypted partitions. Although I checked out something like 'delete data' in the encryption setup menu, which I treated as 'preserve/don't touch', it did reinitialize them and I had to recreate filesystems on top. So I think 'Delete data' must be named 'Wipe out data', and another item in the menu should be 'Reuse' or 'Keep existing encrypted volume'. Thanks in advance!
reassign 451535 partman-crypto
severity 451535 wishlist
thanks

the procedure documented on [1] just before starting the partitioner. Well, almost. I did have one strange issue with that procedure though: after crypto and LVM had been activated, partman did not recognize the existing file systems on the logical volumes even though they could be mounted. And even though the partman log _does_ indicate that the partition was recognized. However, I completely agree that it should be possible to do this in a simpler way. Reassigning your suggestion to the appropriate component. Maybe we should have a general option "Detect existing encrypted and/or logical volumes" on the partman main screen.

Cheers, FJP

[1] http://wiki.debian.org/DebianInstaller/Rescue/Crypto
clone 451535 -1
reassign -1 partman-lvm
severity -1 normal
thanks

This seems to be an issue in init.d/50lvm from partman-lvm. That script will basically always create a new loop label on a logical volume and create a single partition. This is not really necessary if the LV already has a partition and prevents existing partitions from being detected. Cloning to partman-lvm for this issue.
package:partman-lvm version: 70 This also affects Ubuntu 10.10 with partman-lvm version 70.
Here's a first pass at this. What do people think?
The one thing I don't think I've got right yet is writing out
/etc/crypttab at the end of installation. This needs a bit more work to
write out the correct files in the partman device directory without
causing partman to reinitialise the encrypted volume.
* Add an "Activate existing encrypted volumes" option to the
partman-crypto main menu. If selected, this searches for existing
volumes, and for each one prompts for its passphrase and attempts to
open it; it then returns directly to the partitioning menu
(closes: #529343, LP: #420080).
=== modified file 'choose_partition/crypto/do_option'
--- choose_partition/crypto/do_option 2009-11-10 14:20:25 +0000
+++ choose_partition/crypto/do_option 2011-09-07 14:18:17 +0000
@@ -12,6 +12,113 @@
. /lib/partman/lib/crypto-base.sh
+find_encrypted_partitions () {
+ local ret dev num id size type fs path name
+
+ ret=1
+ for dev in $DEVICES/*; do
+ [ -d "$dev" ] || continue
+ cd "$dev"
+
+ open_dialog PARTITIONS
+ while { read_line num id size type fs path name; [ "$id" ]; }; do
+ [ "$ret" = 1 ] || continue
+ [ "$fs" != free ] || continue
+ if cryptsetup isLuks "$path" 2>/dev/null; then
+ ret=0
+ fi
+ done
+ close_dialog
+
+ if [ "$ret" = 0 ]; then
+ return 0
+ fi
+ done
+
+ return 1
+}
+
+get_passphrase () {
+ db_set partman-crypto/passphrase-existing ""
+ db_fset partman-crypto/passphrase-existing seen false
+ db_subst partman-crypto/passphrase-existing DEVICE "$1"
+ db_input critical partman-crypto/passphrase-existing
+
+ db_go || return 1
+
+ db_get partman-crypto/passphrase-existing || RET=''
+ echo -n "$RET"
+}
+
+do_cryptsetup () {
+ local id path cryptdev pass
+
+ id="$1"
+ path="$2"
+ cipher="$(cryptsetup luksDump "$path" |
+ sed -n '/^Cipher name:/s/.*[[:space:]]//p')"
+ if [ "$cipher" ]; then
+ crypto_load_modules dm-crypt "$cipher"
+ fi
+
+ cryptdev="${path##*/}_crypt"
+ if ! cryptsetup status "$cryptdev" >/dev/null 2>&1; then
+ while :; do
+ pass="$(get_passphrase "$path")" || return 1
+ if [ -z "$pass" ]; then
+ return 1
+ fi
+ echo -n "$pass" | log-output -t partman-crypto \
+ cryptsetup -d - luksOpen "$path" "$cryptdev" \
+ && break
+ done
+
+ echo "$cryptdev" >"$id/crypt_active"
+ db_subst partman-crypto/text/in_use DEV "${cryptdev##*/}"
+ db_metaget partman-crypto/text/in_use description
+ partman_lock_unit "$(mapdevfs "$path")" "$RET"
+ fi
+}
+
+do_activate () {
+ local dev partitions num id size type fs path name part
+
+ for dev in $DEVICES/*; do
+ [ -d "$dev" ] || continue
+ cd "$dev"
+
+ partitions=
+ open_dialog PARTITIONS
+ while { read_line num id size type fs path name; [ "$id" ]; }; do
+ [ "$fs" != free ] || continue
+ partitions="$partitions $id,$path"
+ done
+ close_dialog
+
+ for part in $partitions; do
+ id="${part%%,*}"
+ path="${part#*,}"
+
+ if cryptsetup isLuks "$path" 2>/dev/null; then
+ do_cryptsetup "$id" "$path" || continue
+ fi
+ done
+ done
+
+ # Encrypted devices as configured by d-i usually contain LVM PVs
+ export LVM_SUPPRESS_FD_WARNINGS=1
+ log-output -t partman-crypto pvscan
+ log-output -t partman-crypto vgscan
+ log-output -t partman-crypto vgchange -a y
+
+ # Tell partman to detect filesystems again.
+ rm -f /var/lib/partman/filesystems_detected
+
+ stop_parted_server
+ restart_partman
+ exit 0
+}
+
do_create () {
local parts line pv output vg pathmap
parts=""
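Review bot: In get_passphrase, the passphrase stays in the debconf database after `db_get`: the question is only blanked at the start of the next call, so the last value entered is never cleared. Save `$RET` to a local variable and then `db_set partman-crypto/passphrase-existing ""` before echoing it. Also in this hunk, do_cryptsetup assigns `cipher` without listing it in `local id path cryptdev pass`, and the luksOpen retry loop re-prompts after a wrong passphrase without telling the user that the previous attempt failed.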
@@ -89,10 +196,25 @@ confirm_changes partman-crypto || exit 0
commit_changes partman-crypto/commit_failed || exit $?
while :; do
+ CHOICES=
+ DESCRIPTIONS=
+ add_choice () {
+ CHOICES="${CHOICES:+$CHOICES, }$1"
+ db_metaget "partman-crypto/mainmenu/$1" description
+ DESCRIPTIONS="${DESCRIPTIONS:+$DESCRIPTIONS, }$RET"
+ }
+ if find_encrypted_partitions; then
+ add_choice activate
+ fi
+ add_choice create
+ add_choice finish
+ db_subst partman-crypto/mainmenu CHOICES "$CHOICES"
+ db_subst partman-crypto/mainmenu DESCRIPTIONS "$DESCRIPTIONS"
db_input critical partman-crypto/mainmenu
db_go || exit 10
db_get partman-crypto/mainmenu
case $RET in
+ activate) do_activate ;; # does not return
create) do_create ;;
finish) break ;;
*)
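Review bot: DESCRIPTIONS is built in add_choice by joining the `db_metaget` results with ", ", so a translated description that contains a comma would be split into two menu entries and stop lining up with CHOICES; escape commas in `$RET` before appending. add_choice is also redefined, and find_encrypted_partitions (one `cryptsetup isLuks` probe per partition) re-run, on every pass through the `while :` loop; define the function once above the loop and cache the probe result.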
=== modified file 'debian/partman-crypto.templates'
--- debian/partman-crypto.templates 2009-12-05 22:29:36 +0000
+++ debian/partman-crypto.templates 2011-09-06 23:21:59 +0000
@@ -364,6 +364,14 @@ _Description: Use weak passphrase?
You entered a passphrase that consists of less than ${MINIMUM} characters,
which is considered too weak. You should choose a stronger passphrase.
+Template: partman-crypto/passphrase-existing
+Type: password
+# :sl3:
+_Description: Passphrase for ${DEVICE}:
+ Please enter the passphrase for the encrypted volume ${DEVICE}.
+ .
+ If you don't enter anything, the volume will not be activated.
+
Template: partman-crypto/entropy
Type: entropy
# :sl3:
@@ -430,15 +438,35 @@ _Description: Proceed to install crypto
Template: partman-crypto/mainmenu
Type: select
-Choices-C: create, finish
+Choices-C: ${CHOICES}
+Choices: ${DESCRIPTIONS}
+# :sl3:
+_Description: Encryption configuration actions
+ This menu allows you to configure encrypted volumes.
+
+Template: partman-crypto/mainmenu/activate
+Type: text
# Note to translators : Please keep your translations of the choices
# below a 65 columns limit (which means 65 characters
# in single-byte languages)
# :sl3:
-__Choices: Create encrypted volumes, Finish
+_Description: Activate existing encrypted volumes
+
+Template: partman-crypto/mainmenu/create
+Type: text
+# Note to translators : Please keep your translations of the choices
+# below a 65 columns limit (which means 65 characters
+# in single-byte languages)
# :sl3:
-_Description: Encryption configuration actions
- This menu allows you to configure encrypted volumes.
+_Description: Create encrypted volumes
+
+Template: partman-crypto/mainmenu/finish
+Type: text
+# Note to translators : Please keep your translations of the choices
+# below a 65 columns limit (which means 65 characters
+# in single-byte languages)
+# :sl3:
+_Description: Finish
Template: partman-crypto/create/partitions
Type: multiselect
I meant to send my previous version to the first of the merged bug set,
#451535. I'll send further mails only there rather than to #529343 as
well.
Well. Yes. That turned out to be the second 90% of the work! After
trying a few alternatives, I ended up with a new 'crypto_keep' method
and then tried to let init.d/crypto do as much of the work as possible,
while still being careful to avoid reinitialising the contents of
encrypted volumes.
In the process, I also decided that it was better to always have the
Activate option present, without trying to detect existing volumes
first. That way, we can actively warn people that this method only
works with LUKS where we have a useful encrypted volume header and that
they should back up their data before attempting an installation, rather
than having them get confused into destroying their data as before.
I'm fairly happy with this now, and am inclined to commit it if there
are no objections. The one problem I've found is that the check for an
unencrypted /boot doesn't work properly when activating existing
LVM-on-crypto volumes, but I think that's actually a pre-existing bug so
I'm not going to let that block this change.
* Add an "Activate existing encrypted volumes" option to the
partman-crypto main menu. If selected, this searches for existing
volumes, and for each one prompts for its passphrase and attempts to
open it; it then returns directly to the partitioning menu (closes:
#451535, LP: #420080).
=== modified file 'check.d/crypto_check_mountpoints'
--- check.d/crypto_check_mountpoints 2008-03-14 19:25:59 +0000
+++ check.d/crypto_check_mountpoints 2011-09-08 19:20:22 +0000
@@ -43,7 +43,7 @@ for dev in $DEVICES/*; do
[ -f $realdevdir/method ] || continue
method=$(cat $realdevdir/method)
type=$(cat $realdevdir/crypto_type)
- [ $method = crypto ] || continue
+ [ $method = crypto ] || [ $method = crypto_keep ] || continue
# Check 1 - Is cryptoroot possible?
if [ "$mnt" = / ]; then
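Review bot: `$method` is unquoted in the new test, so an empty `$realdevdir/method` produces a `[` syntax error on stderr instead of a clean non-match; quote it, as crypto_prepare in lib/crypto-base.sh does in this same patch. The `crypto` or `crypto_keep` test is also repeated five times across check.d, finish.d, init.d and lib/crypto-base.sh; a small helper in crypto-base.sh would keep the copies from drifting.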
=== modified file 'choose_partition/crypto/do_option'
--- choose_partition/crypto/do_option 2009-11-10 14:20:25 +0000
+++ choose_partition/crypto/do_option 2011-09-09 11:30:35 +0000
@@ -12,6 +12,118 @@
. /lib/partman/lib/crypto-base.sh
+get_passphrase () {
+ db_set partman-crypto/activate/passphrase-existing ""
+ db_fset partman-crypto/activate/passphrase-existing seen false
+ db_subst partman-crypto/activate/passphrase-existing DEVICE "$1"
+ db_input critical partman-crypto/activate/passphrase-existing
+
+ db_go || return 1
+
+ db_get partman-crypto/activate/passphrase-existing || RET=''
+ echo -n "$RET"
+}
+
+do_cryptsetup () {
+ local dev num id size path
+ local dump cipher keysize ivalgorithm keytype keyhash
+ local cryptdev pass
+
+ dev=$1
+ num=$2
+ id=$3
+ size=$4
+ path=$5
+
+ dump="$(cryptsetup luksDump "$path")"
+ cipher="$(echo "$dump" | sed -n '/^Cipher name:/s/.*[[:space:]]//p')"
+ if [ "$cipher" ]; then
+ crypto_load_udebs "cdebconf-$DEBIAN_FRONTEND-entropy" \
+ partman-crypto-dm
+ crypto_check_required_tools dm-crypt
+ crypto_load_modules dm-crypt "$cipher"
+ fi
+ keysize="$(echo "$dump" | sed -n '/^MK bits:/s/.*[[:space:]]//p')"
+ ivalgorithm="$(echo "$dump" | sed -n '/^Cipher mode:/s/.*[[:space:]]//p')"
+ keytype=passphrase
+ keyhash="$(echo "$dump" | sed -n '/^Hash spec:/s/.*[[:space:]]//p')"
+
+ cryptdev="${path##*/}_crypt"
+ if ! cryptsetup status "$cryptdev" >/dev/null 2>&1; then
+ while :; do
+ pass="$(get_passphrase "$path")" || return 1
+ if [ -z "$pass" ]; then
+ return 1
+ fi
+ echo -n "$pass" | log-output -t partman-crypto \
+ cryptsetup -d - luksOpen "$path" "$cryptdev" \
+ && break
+ done
+
+ cryptdev="/dev/mapper/$cryptdev"
+ echo dm-crypt > $id/crypto_type
+ echo "$keysize" > $id/keysize
+ echo "$ivalgorithm" > $id/ivalgorithm
+ echo "$keytype" > $id/keytype
+ echo "$keyhash" > $id/keyhash
+ echo cipher > $id/cipher
+ echo crypto_keep > $id/method
+ echo "$cryptdev" > $id/crypt_active
+
+ db_subst partman-crypto/text/in_use DEV "${cryptdev##*/}"
+ db_metaget partman-crypto/text/in_use description
+ partman_lock_unit "$(mapdevfs "$path")" "$RET"
+ fi
+}
+
+do_activate () {
+ local found_luks dev partitions num id size type fs path name part
+
+ found_luks=0
+ for dev in $DEVICES/*; do
+ [ -d "$dev" ] || continue
+ cd "$dev"
+
+ partitions=
+ open_dialog PARTITIONS
+ while { read_line num id size type fs path name; [ "$id" ]; }; do
+ [ "$fs" != free ] || continue
+ partitions="$partitions $id,$path"
+ done
+ close_dialog
+
+ for part in $partitions; do
+ id="${part%%,*}"
+ path="${part#*,}"
+
+ if cryptsetup isLuks "$path" 2>/dev/null; then
+ found_luks=1
+ do_cryptsetup "$dev" "$num" "$id" "$size" \
+ "$path" || continue
+ fi
+ done
+ done
+
+ if [ "$found_luks" = 0 ]; then
+ db_input critical partman-crypto/activate/no_luks
+ db_go || true
+ return
+ fi
+
+ # Encrypted devices as configured by d-i usually contain LVM PVs
+ export LVM_SUPPRESS_FD_WARNINGS=1
+ log-output -t partman-crypto pvscan
+ log-output -t partman-crypto vgscan
+ log-output -t partman-crypto vgchange -a y
+
+ # Tell partman to detect filesystems again.
+ rm -f /var/lib/partman/filesystems_detected
+
+ stop_parted_server
+ restart_partman
+ exit 0
+}
+
do_create () {
local parts line pv output vg pathmap
parts=""
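Review bot: `echo cipher > $id/cipher` in do_cryptsetup writes the literal word "cipher" rather than the value parsed from luksDump; it should be `echo "$cipher" > $id/cipher`, since init.d/crypto reads the file back with `cipher=$(cat $id/cipher)`. In do_activate, the `$num` and `$size` passed to do_cryptsetup are whatever the read_line loop left behind, because only `$id,$path` are saved in `partitions`; either carry them in the list or drop the two parameters, which do_cryptsetup never uses. As in the first version, get_passphrase leaves the entered passphrase in the debconf database after `db_get`.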
@@ -93,6 +231,7 @@ while :; do
db_go || exit 10
db_get partman-crypto/mainmenu
case $RET in
+ activate) do_activate ;; # exits if any volumes were activated
create) do_create ;;
finish) break ;;
*)
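Review bot: The comment on the `activate)` arm says do_activate exits if any volumes were activated, but the function reaches `restart_partman` and `exit 0` whenever a LUKS header was found, including when every passphrase prompt was cancelled (`do_cryptsetup ... || continue`). Track a successful luksOpen separately from `found_luks`, or reword the comment to match.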
=== modified file 'debian/control'
--- debian/control 2011-05-03 16:05:09 +0000
+++ debian/control 2011-09-09 12:06:37 +0000
@@ -12,7 +12,7 @@ Vcs-Bzr: http://bazaar.launchpad.net/~ub
Package: partman-crypto
XC-Package-Type: udeb
Architecture: any
-Depends: partman-base (>= 134), cdebconf-udeb (>= 0.133), di-utils (>= 1.68), ${shlibs:Depends}, ${misc:Depends}
+Depends: partman-base (>= 134), partman-lvm (>= 62), cdebconf-udeb (>= 0.133), di-utils (>= 1.68), ${shlibs:Depends}, ${misc:Depends}
Description: Add to partman support for block device encryption
Package: partman-crypto-dm
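Review bot: The new `partman-lvm (>= 62)` dependency is not mentioned in the changelog entry, and nothing says why 62 is the minimum. A changelog line noting that init.d/crypto now sources /lib/partman/lib/lvm-base.sh and calls pv_get_vg and vg_lock_pvs would document it.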
=== modified file 'debian/partman-crypto.templates'
--- debian/partman-crypto.templates 2009-12-05 22:29:36 +0000
+++ debian/partman-crypto.templates 2011-09-08 11:16:40 +0000
@@ -430,12 +430,12 @@ _Description: Proceed to install crypto
Template: partman-crypto/mainmenu
Type: select
-Choices-C: create, finish
+Choices-C: activate, create, finish
# Note to translators : Please keep your translations of the choices
# below a 65 columns limit (which means 65 characters
# in single-byte languages)
# :sl3:
-__Choices: Create encrypted volumes, Finish
+__Choices: Activate existing encrypted volumes, Create encrypted volumes, Finish
# :sl3:
_Description: Encryption configuration actions
This menu allows you to configure encrypted volumes.
@@ -454,3 +454,20 @@ Type: error
# :sl3:
_Description: No devices selected
No devices were selected for encryption.
+
+Template: partman-crypto/activate/no_luks
+Type: error
+# :sl3:
+_Description: No LUKS devices found
+ This partitioning program can only activate existing encrypted volumes that
+ use the LUKS format (dm-crypt with a passphrase). No such volumes were
+ found. If you have encrypted volumes using other formats, you may need to
+ back up your data before continuing with installation.
+
+Template: partman-crypto/activate/passphrase-existing
+Type: password
+# :sl3:
+_Description: Passphrase for ${DEVICE}:
+ Please enter the passphrase for the encrypted volume ${DEVICE}.
+ .
+ If you don't enter anything, the volume will not be activated.
=== modified file 'finish.d/crypto_aptinstall'
--- finish.d/crypto_aptinstall 2008-03-20 21:06:33 +0000
+++ finish.d/crypto_aptinstall 2011-09-07 22:17:00 +0000
@@ -39,7 +39,7 @@ for dev in $DEVICES/*; do
[ -f $id/crypto_type ] || continue
method=$(cat $id/method)
- [ $method = crypto ] || continue
+ [ $method = crypto ] || [ $method = crypto_keep ] || continue
type=$(cat $id/crypto_type)
case $type in
=== modified file 'init.d/crypto'
--- init.d/crypto 2010-05-27 09:44:55 +0000
+++ init.d/crypto 2011-09-09 12:36:17 +0000
@@ -4,6 +4,17 @@
# setup in choose_partition/crypto/do_option.
. /lib/partman/lib/base.sh
+. /lib/partman/lib/lvm-base.sh
+
+# Avoid warnings from lvm2 tools about open file descriptors
+export LVM_SUPPRESS_FD_WARNINGS=1
+
+if [ -x /sbin/vgdisplay ]; then
+ vgroups=$(/sbin/vgdisplay 2>/dev/null | grep '^[ ]*VG Name' | \
+ sed -e 's/.*[[:space:]]\(.*\)$/\1/' | sort)
+else
+ vgroups=''
+fi
dev_to_devdir () {
echo $DEVICES/$(echo $1 | tr / =)
@@ -72,7 +83,7 @@ create_partition () {
}
create_cryptdisk () {
- local dev id num size path cryptdev cipher
+ local dev id num size path cryptdev cipher file vg vgs
dev=$1
id=$2
num=$3
@@ -81,6 +92,7 @@ create_cryptdisk () {
cipher=$(cat $id/cipher)
keytype=$(cat $id/keytype)
+ method=$(cat $id/method)
templ="partman-crypto/text/cryptdev_description"
db_subst $templ CIPHER $cipher
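Review bot: `method` is assigned here but is missing from the `local` list that the previous hunk extends with `file vg vgs`, so create_cryptdisk overwrites the global `method` that the main loop at the bottom of the script also sets. Add it to the `local` line.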
@@ -128,17 +140,47 @@ create_cryptdisk () {
case $filesystem in
linux-swap)
echo swap > $cryptpart/method
- >$cryptpart/format
+ if [ "$method" = crypto ]; then
+ >$cryptpart/format
+ else
+ rm -f $cryptpart/format
+ fi
;;
$default_fs)
- echo format > $cryptpart/method
- >$cryptpart/format
- >$cryptpart/use_filesystem
- echo $filesystem > $cryptpart/filesystem
+ if [ "$method" = crypto ]; then
+ echo format > $cryptpart/method
+ >$cryptpart/format
+ >$cryptpart/use_filesystem
+ echo $filesystem > $cryptpart/filesystem
+ else
+ echo keep > $cryptpart/method
+ rm -f $cryptpart/format
+ fi
;;
esac
+ # To avoid ordering problems between init.d/crypto and init.d/lvm,
+ # we need to duplicate a bit of the latter here, in case an existing
+ # crypto device contains an LVM PV.
+ if [ "$method" = crypto_keep ]; then
+ if pvdisplay "$cryptdev" >/dev/null 2>&1; then
+ for file in acting_filesystem filesystem format \
+ formatable use_filesystem; do
+ rm -f $cryptpart/$file
+ done
+ echo lvm > $cryptpart/method
+ if [ ! -e $cryptpart/locked ]; then
+ vg="$(pv_get_vg "$cryptdev")"
+ for vgs in $vgroups; do
+ if [ "$vg" = "$vgs" ]; then
+ vg_lock_pvs "$vg" "$cryptdev"
+ fi
+ done
+ fi
+ fi
+ fi
+
update_partition $cryptdir $cryptid
echo $path:$num:$dev/$id > $cryptdir/crypt_realdev
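Review bot: The `case $filesystem` block only has `linux-swap` and `$default_fs` arms, so if `$filesystem` can hold anything else for a `crypto_keep` volume, that volume gets no `keep` method written and its `format` flag is left as it was. Since the point of the change is not to reinitialise existing data, add a default arm for `crypto_keep` that writes `keep` and removes `$cryptpart/format`. The LVM block could also be folded into one `if [ "$method" = crypto_keep ] && pvdisplay ...` to lose a nesting level.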
@@ -174,7 +216,7 @@ for dev in /var/lib/partman/devices/*; d
[ -f $id/crypt_active ] || continue
method=$(cat $id/method)
- [ $method = crypto ] || continue
+ [ $method = crypto ] || [ $method = crypto_keep ] || continue
if ! create_cryptdisk $dev $id $num $size $path; then
db_fset partman-crypto/init_failed seen false
=== modified file 'lib/crypto-base.sh'
--- lib/crypto-base.sh 2011-08-26 12:20:00 +0000
+++ lib/crypto-base.sh 2011-09-07 22:27:14 +0000
@@ -82,7 +82,7 @@ crypto_prepare () {
if [ "$method" = swap ]; then
disable_swap "$dev" "$id"
fi
- if [ "$method" != crypto ]; then
+ if [ "$method" != crypto ] && [ "$method" != crypto_keep ]; then
crypto_prepare_method "$id" dm-crypt || return 1
rm -f "$id/use_filesystem"
rm -f "$id/format"
@@ -820,7 +820,8 @@ crypto_check_setup() {
[ -f $id/crypto_type ] || continue
method=$(cat $id/method)
- if [ $method != crypto ]; then
+ if [ $method != crypto ] && \
+ [ $method != crypto_keep ]; then
continue
fi
type=$(cat $id/crypto_type)
=== modified file 'update.d/crypto_visuals'
--- update.d/crypto_visuals 2007-12-05 20:18:24 +0000
+++ update.d/crypto_visuals 2011-09-07 22:16:23 +0000
@@ -37,8 +37,9 @@ cryptdev_shortname ()
esac
}
This bug just ate my LVM2 volume group. Thanks for nothing. What a stupidly named set of options. Whoever wrote that code needs to be shot. Thank christ I took a backup of the most important data (including my kids' first words) or I'd be really buggered now. Also of note: "Undo changes to partition tables" does NOT restore the disks to their previous unmolested states. This is NOT intuitive OR sane behaviour.
Hi, I tried yesterday and today 5 or more times to install wheezy on my laptop with crypted lvm full disk: I could just not boot the system, which hangs on: passphrase never recognised. This laptop runs "squeeze lvm crypted" without problem as my other laptops do (amd64 on this, and i386 on the others). I tried different flavors of install disks: net install, iso-1, daily etc ... amd64 and i386 :(:( I never got past the passphrase prompt (and yes, I checked my passphrase carefully). There is also something strange with the firmware (network recognition): I had to answer "no", but the firmwares were on a separate usb-stick: with no as an answer, everything went ok. best regards Eric
Streit Eric <Ericounet26200@gmail.com> (13/09/2012): Keymap issues? Try typing it as if you had a qwerty keyboard? Mraw, KiBi.
This bug still reproduces in Jessie. Any plans to fix it?
I totally empathise with Ian's frustration. I myself spent eight hours trying to circumvent this 'bug', to put it mildly. I tried to follow a half-dozen contradictory, inaccurate and incomplete walkthroughs with no success, so I'm giving up and starting from scratch. The walkthrough at http://wiki.debian.org/DebianInstaller/Rescue/Crypto does not exist. As this bug hasn't been addressed in 8 years, it may be worth giving up on it. If so, there should at least be bold warnings to anybody tempted to set up encrypted volumes that they will not be reusable if one needs to reinstall Debian unless they have highly advanced knowledge of hand-writing configuration files from rescue CDs. This would, at least, stop hundreds of aggregate human hours from being wasted.
Bump. This is a most annoying bug and it's been around for way too long. Colin Watson suggested around 2011/09/09 that he had a workable fix. Is it still true? Why wasn't it committed in the end? How can we move forward with this? Cheers, Quentin
BUMP again. This is a really annoying bug which disallows installing Debian on pre-formatted disks/partitions. Any progress? Was Colin Watson's proposed patch accepted? Or what is the current state of it?
severity: critical

I would like to say this bug still persists on Debian Stretch. I suggest this bug be marked as 'critical', since this could lead to data loss. The Debian installer doesn't recognize a previous encrypted volume (tested with netinstall.iso). The critical part is that even with a workaround to recognize the partitions on the encrypted volume, the installer only advances on formatting these partitions, causing data loss. This is a long-time bug and I think this could be fixed in time for the Stretch release. I don't know if the Ubuntu installer is the same but this bug doesn't exist on Ubuntu.

How to achieve the bug:

Step 1: On "Partition disk" go to "Configure encrypted volumes" https://www.dropbox.com/s/xvsa2d6l4k925oz/step1.png

Step 2: Select "Create encrypted volume". This will make anna install the necessary packages to work with encryption. P.s.: on Ubuntu, this step shows an option to set up an existing encrypted volume. https://www.dropbox.com/s/hii5g0uvewb3djq/step2.png

Step 3: Go back. https://www.dropbox.com/s/ckzb2r4pgirufum/step3.png

Step 4: Do NOT save changes to disk. https://www.dropbox.com/s/1s5r2h8x1rfi419/step4.png

Step 5: Go back. Open a shell. Open luks volume. Activate volume group. Exit. https://www.dropbox.com/s/658k4bqe5vzdpf1/step5.png

Step 6: Detect disks. LVM partitions are now seen. https://www.dropbox.com/s/6fdxpoqmef4htz6/step6.png

Step 7 (This is the critical bug): Choosing any LVM partition and selecting to use it as the previous format system leads to "re-format" of the partition. This step should ask if you want to keep the existing file system. This could lead to /home data loss. On Ubuntu you can choose to not format the partition at this stage. https://www.dropbox.com/s/qmjiuv1enicg49b/step7.png

I hope this helps to solve this annoying problem. Today it's impossible to install Debian on an already encrypted system without data loss.

Cheers, Kolmar Kafran.
Kolmar Kafran http://kafran.net http://twitter.com/doutorchefe
[...] It is in the nature of an installer that it is capable of overwriting existing data. Based on your instructions, I think the installer already makes it quite clear what's going to happen. Ben.
The documentation defines that: Since it is not possible to advance with the installation without formatting the partition, based on the severity levels definition, I think this should be marked as critical. Att, Kolmar Kafran.
You always have the option to do nothing. Ben.
Dear Maintainer,
* What led up to the situation?
Trying to do a fresh Buster installation using "Expert install" on an
old computer with encrypted LVM volumes, with the aim of not
formatting the volumes. I was using ISO image
debian-10.0.0-amd64-DVD-1.iso on a MicroSD card.
* What exactly did you do (or not do) that was effective (or
ineffective)?
The encrypted partition was not recognized initially at all, however,
the embedded LVM volumes were recognised after manually opening the LUKS
wrapper (along the lines in Message #90).
NB. A boot into Rescue mode recognizes and opens the encrypted volume
correctly.
* What was the outcome of this action?
The installer does not recognize the existing filesystems on LVM
volumes (unlike the Rescue mode). Proceeding with installation results
in formatting of the selected volumes and data loss.
This may be mitigated by selecting only a root volume at installation
stage and manually reconfiguring the other filesystems later.
* What outcome did you expect instead?
The existing filesystems should be recognized and formatting should be
optional, just as it is with pre-existing native disk volumes.
[Does this work with unencrypted LVM?]
This bug has persisted for a long time and it bites long-term Debian
users who are upgrading their systems, causing loss of time and
data. This makes upgrading a challenge and encourages keeping obsolete
systems in operation.
On Sat, 2019-09-07 at 13:48 +0300, M Santala wrote: [...] What makes you think the installer is intended to be used for upgrades? Ben.
Not for upgrading an existing OS installation but it should be usable for a fresh OS install while preserving user data. That is an important goal in having a separate /home partition. I do realise that in such a scenario the configuration files in users' home directories may need some manual attention.
There's another use case here too, in cases where I want to use my own LUKS parameters - that the installer doesn't expose. Perhaps I want --type=luks1, maybe I want a different --iter-time, etc. Actually, if the installer (in expert mode) let us pass arbitrary arguments for cryptsetup this would close up this use case.
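What the `sed` expressions in `do_cryptsetup` (Colin Watson's patch earlier in this report) read from `cryptsetup luksDump`, and what they yield on a LUKS2 header, shown as an added example that is not part of any message or of partman-crypto. `luks_field` and `describe_luks` are hypothetical helper names, both dumps are constructed samples, and the LUKS2 branch goes beyond the 2011 patch.

```shell
#!/bin/sh
# Added example, not partman-crypto code. Both dumps are constructed samples
# laid out like `cryptsetup luksDump` output (real output pads with tabs).

LUKS1_DUMP='LUKS header information for /dev/sda5

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512'

LUKS2_DUMP='LUKS header information
Version:        2
Epoch:          3
UUID:           00000000-0000-0000-0000-000000000000

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]'

# luks_field DUMP LABEL
# Last whitespace-separated word of the first line starting with "LABEL:".
# Same sed idiom as the patch: /^Cipher name:/s/.*[[:space:]]//p
luks_field () {
    printf '%s\n' "$1" | sed -n "/^$2:/s/.*[[:space:]]//p" | head -n 1
}

# describe_luks DUMP
# Prints "luks<version> <cipher> <mode> <keybits> <hash>" ("-" where the
# field is not read), or returns 1 if the dump cannot be interpreted.
describe_luks () {
    local dump version cipher mode bits hash spec
    dump=$1
    bits=
    hash=
    version=$(luks_field "$dump" Version)
    case $version in
    1)
        # LUKS1: the four header fields the patch stores in the partman
        # state files (cipher, ivalgorithm, keysize, keyhash).
        cipher=$(luks_field "$dump" 'Cipher name')
        mode=$(luks_field "$dump" 'Cipher mode')
        bits=$(luks_field "$dump" 'MK bits')
        hash=$(luks_field "$dump" 'Hash spec')
        ;;
    2)
        # LUKS2 has no "Cipher name:" line; the data segment carries a
        # combined "cipher: <name>-<mode>" value instead.
        spec=$(printf '%s\n' "$dump" |
            sed -n 's/^[[:space:]]*cipher:[[:space:]]*//p' | head -n 1)
        cipher=${spec%%-*}
        mode=${spec#*-}
        ;;
    *)
        return 1
        ;;
    esac
    [ -n "$cipher" ] || return 1
    echo "luks$version $cipher $mode ${bits:--} ${hash:--}"
}

describe_luks "$LUKS1_DUMP"
describe_luks "$LUKS2_DUMP"
```

On the LUKS2 sample the patch's own `Cipher name:` lookup returns an empty string, so code that writes the parsed values to state files without checking them would record blanks.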
Without knowing about this bug report and Colin's patch yet, I worked on a different approach and just opened a draft MR: <https://salsa.debian.org/installer-team/partman-crypto/-/merge_requests/11> Some of the commits are mostly "cosmetic" but I believe it can improve user experience. Feedback and comments welcome.
Does anyone object to merging #660191 and #907955 with #451535 and others? <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=451535> <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=#660191> <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907955>
Hi, On 18 January 2026 at 12:38:30 CET, Pascal Hambourg <pascal@plouf.fr.eu.org> wrote: No, feel free to do so. Holger