dt.iki.fi
19.2.2026 linux, debian

Initramfs: mount encrypted partitions non-interactively

Scenario

During installation of Debian stable I opted to encrypt everything.

This includes GRUB asking for a password to unlock itself & the / partition during early boot.

Then I get asked again to unlock that same / partition (Debian simply does it this way), and also the encrypted swap partition.

I want to enter only one password in the beginning.

Preliminaries

This is a specific example with the following preconditions:

  • A Debian system using the default initramfs-tools for building the initramfs.
  • Encrypted swap is already working, with a keyfile specified in /etc/crypttab.
  • Encrypted root (/) is already working, with none as the key file field in /etc/crypttab, i.e. interactive passphrase entry.
  • Whenever you run update-initramfs -u you see a warning: swap uses a key file.

Solution

Putting key material into the initramfs is acceptable here only because the initramfs itself lives on the encrypted / partition that GRUB unlocks with the passphrase, so the keys never sit unencrypted on disk.

I moved all my keyfiles to a central location, e.g. /keys.
I created a new one, e.g. with dd if=/dev/random bs=64 count=64 of=/keys/root.key.
I added that keyfile to the crypto_LUKS partition containing the root filesystem (find it with blkid): cryptsetup luksAddKey /dev/sdXY /keys/root.key.
I edited /etc/crypttab to reflect the changes, e.g.:

root    UUID=nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn   /keys/root.key     luks,initramfs
swap    UUID=nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn   /keys/swap.key     luks,initramfs

Lastly I edited /etc/cryptsetup-initramfs/conf-hook to contain an (uncommented) line like this; the pattern must match the key file paths given in /etc/crypttab, otherwise nothing is copied into the image and the prompts stay:

#
# KEYFILE_PATTERN: ...
#
# The value of this variable is interpreted as a shell pattern.
# Matching key files from the crypttab(5) are included in the initramfs
# image.  The associated devices can then be unlocked without manual
# intervention.  (For instance if /etc/crypttab lists two key files
# /etc/keys/{root,swap}.key, you can set KEYFILE_PATTERN="/etc/keys/*.key"
# to add them to the initrd.)
#
# If KEYFILE_PATTERN is null or unset (default) then no key file is
# copied to the initramfs image.
#
# Note that the glob(7) is not expanded for crypttab(5) entries with a
# 'keyscript=' option.  In that case, the field is not treated as a file
# name but given as argument to the keyscript.
#
# WARNING:
# * If the initramfs image is to include private key material, you'll
#   want to create it with a restrictive umask in order to keep
#   non-privileged users at bay.  For instance, set UMASK=0077 in
#   /etc/initramfs-tools/initramfs.conf
# * If you use cryptsetup-suspend, private key material inside the
#   initramfs will be in memory during suspend period, defeating the
#   purpose of cryptsetup-suspend.
#

KEYFILE_PATTERN="/keys/*.key"

And rebuild your initramfs (with UMASK=0077 set in /etc/initramfs-tools/initramfs.conf, as the warning above says, so the image that now carries the keys is not readable by unprivileged users):

update-initramfs -u
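The checks I would run before that rebuild, as an added example that is my own and not part of the original post: the script parses a crypttab and a conf-hook, verifies that every key file crypttab references is matched by KEYFILE_PATTERN (the failure mode being a pattern rooted in the wrong directory, after which the device still prompts at boot), and checks that the key files and initramfs.conf have the restrictive permissions the hook's warning asks for. File paths are parameters; the sample files built in demo() are constructed copies of the entries above, so it runs offline, and keyfile_mode_ok assumes GNU stat as shipped by Debian.

```sh
#!/bin/sh
# Added example, not from the original post: sanity checks to run before
# `update-initramfs -u` so that the key files listed in /etc/crypttab really
# end up in the initramfs and are not world-readable on the way there.
# On a real system pass /etc/crypttab, /etc/cryptsetup-initramfs/conf-hook
# and /etc/initramfs-tools/initramfs.conf; demo() uses constructed copies.

# crypttab_keyfiles CRYPTTAB
# Print the key file path of every entry that actually names a file.
# Comments, blank lines, 'none' (interactive passphrase) and entries with a
# keyscript= option are skipped: for the latter the third field is an
# argument to the keyscript, not a file name, and the hook does not glob it.
crypttab_keyfiles() {
    while read -r name device keyfile options; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$keyfile" in ''|none) continue ;; esac
        case ",$options," in *,keyscript=*) continue ;; esac
        printf '%s\n' "$keyfile"
    done < "$1"
}

# conf_hook_pattern CONF_HOOK
# Print the value of the last active KEYFILE_PATTERN= line (quotes stripped);
# prints nothing if the variable is unset or only present in comments.
conf_hook_pattern() {
    sed -n 's/^[[:space:]]*KEYFILE_PATTERN=//p' "$1" | tail -n 1 \
        | sed 's/^"\(.*\)"$/\1/'
}

# keyfile_matches_pattern KEYFILE PATTERN
# 0 if KEYFILE matches the shell glob PATTERN, which is how the hook decides
# whether a key file is copied into the image.
keyfile_matches_pattern() {
    case "$1" in $2) return 0 ;; esac
    return 1
}

# check_keyfile_pattern CRYPTTAB CONF_HOOK
# Report every key file that KEYFILE_PATTERN would leave out of the initramfs;
# returns 1 if any is left out (that device would still prompt at boot).
check_keyfile_pattern() {
    pattern=$(conf_hook_pattern "$2")
    rc=0
    for kf in $(crypttab_keyfiles "$1"); do
        if [ -n "$pattern" ] && keyfile_matches_pattern "$kf" "$pattern"; then
            printf 'ok       %s\n' "$kf"
        else
            printf 'MISSING  %s (KEYFILE_PATTERN="%s")\n' "$kf" "$pattern"
            rc=1
        fi
    done
    return $rc
}

# keyfile_mode_ok FILE
# 0 if FILE is readable by its owner only (mode 0600 or 0400).
# Assumes GNU stat (Debian coreutils).
keyfile_mode_ok() {
    case "$(stat -c %a "$1")" in 600|400) return 0 ;; esac
    return 1
}

# initramfs_umask_ok INITRAMFS_CONF
# 0 if initramfs.conf sets UMASK=0077, so the image that now carries the key
# material is created unreadable for unprivileged users.
initramfs_umask_ok() {
    grep -q '^UMASK=0077$' "$1"
}

# demo: run the checks against constructed copies of the files from the post.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        '# <target> <source> <key file> <options>' \
        'root UUID=nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn /keys/root.key luks,initramfs' \
        'swap UUID=nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn /keys/swap.key luks,initramfs' \
        > "$d/crypttab"
    # A pattern rooted in the wrong directory: nothing is copied, prompts remain.
    printf '%s\n' '# KEYFILE_PATTERN: ...' 'KEYFILE_PATTERN="/root/keys/*.key"' \
        > "$d/conf-hook.bad"
    printf '%s\n' 'KEYFILE_PATTERN="/keys/*.key"' > "$d/conf-hook.good"
    printf 'UMASK=0077\n' > "$d/initramfs.conf"

    check_keyfile_pattern "$d/crypttab" "$d/conf-hook.bad" || echo "bad hook: fix the pattern"
    check_keyfile_pattern "$d/crypttab" "$d/conf-hook.good" && echo "good hook: all keys included"
    initramfs_umask_ok "$d/initramfs.conf" && echo "UMASK is restrictive"
    rm -rf "$d"
}

demo
```

After a real rebuild, lsinitramfs on the new image is the final confirmation that the key files are inside it and that the image file itself is mode 0600.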