# Kernel panic after moving from initramfs to grub cryptodisk.

## sedros

Hi,

My problem started a few days ago when I decided to update my kernel to 4.9.5. When I tried to update grub it informed me that I need to enable GRUB_ENABLE_CRYPTODISK=y to make it decrypt my encrypted drive so I decided that disabling initramfs would simplify my configuration and decided to go for it. I did some tests on VirtualBox and it worked well so I continued with my physical box. When I boot my PC using kernel without initramfs I get kernel panic (not syncing (0,0) type). Funny thing is that if I use exactly the same kernel only with old initramfs enabled it boots normally - I do that using grub command line to boot the system.

I use an SSD drive with gpt and a bios_grub partition as sda1, old /boot as /dev/sda2 (unencrypted), and rootfs as /dev/sda3 (this one is encrypted and now I want to use this as a boot partition).

Did you have a similar issue and would be able to help me with this?

----------

## Roman_Gruber

> disabling initramfs

nope

-- 

think as a computer, step by step.

AFAIK luks needs an initramfs. there may be some fancy features of your bootloader, but I stick to the easiest way, and proven way.

You do not need to recreate the initramfs, you can just reuse it. My initramfs is as old as my purchase of this notebook. My installation was moved to this hardware (this gentoo installation is very very old). My kernel is up to date. My microcode is the previous release (I do not think that really matters!)

--

> Funny thing is that if I use exactly the same kernel only with old initramfs enabled it boots normally

does what it should do.

I do the same for a long time period

--

> and rootfs as /dev/sda3 (this one is encrypted and no I want to use this as a boot partition).

I recommend that you start reading about how a box boots, how luks works, about init, about kernel mechanics, about bootloaders. That should give you enough insights.

----------

## frostschutz

If you allow grub to decrypt your luks partition, that merely means giving grub access to encrypted boot partition with encrypted bootloader config, kernels, and initramfs.

It does not mean the device will magically appear unencrypted to the kernel. Once grub loaded the kernel, grub is gone and all it knew about decryption is gone with it as well... 

The same is true for filesystems, just because grub can load stuff from an XFS partition, does not mean your kernel will magically be able too if you do not enable the appropriate kernel option.

Thus you still need initramfs, cryptsetup, to give the kernel some means to get the passphrase. If the initramfs is encrypted anyway you could bake the key directly into it so you won't have to enter it twice.

IMHO there is not much point to encrypting /boot - by itself it does not improve security, unless you can also prevent tampering with the bootloader. Which secure boot doesn't really do.
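The handover described above (grub's cryptodisk state disappears once the kernel runs, so the kernel still needs an initramfs with cryptsetup and the dm-crypt options) can be checked mechanically. The script below is an added example written for this thread, not code from any poster; it assumes a kernel `.config`, an `/etc/default/grub` and a kernel command line as inputs, constructs sample versions of each inline, and assumes the usual LUKS defaults (aes-xts-plain64, sha256) when listing required kernel options.

```python
import re

# Kernel options a LUKS root needs after grub hands over control.
# Assumed typical LUKS defaults (aes-xts-plain64, sha256); adjust for your volume.
REQUIRED_KERNEL_OPTIONS = {
    "CONFIG_BLK_DEV_INITRD": "initramfs support (the only place cryptsetup can run before / is mounted)",
    "CONFIG_DM_CRYPT": "dm-crypt target that exposes the decrypted device",
    "CONFIG_CRYPTO_AES": "AES cipher for the default aes-xts-plain64",
    "CONFIG_CRYPTO_XTS": "XTS mode for the default aes-xts-plain64",
    "CONFIG_CRYPTO_SHA256": "hash used by the default LUKS key derivation",
}


def parse_kconfig(text):
    """Return {option: 'y'|'m'} for options enabled in a kernel .config."""
    enabled = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=([ym])$", line.strip())
        if m:
            enabled[m.group(1)] = m.group(2)
    return enabled


def parse_default_grub(text):
    """Return KEY -> value for an /etc/default/grub style file (quotes stripped)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def parse_cmdline(cmdline):
    """Split a kernel command line into {key: value}; bare flags map to True."""
    params = {}
    for tok in cmdline.split():
        key, sep, value = tok.partition("=")
        params[key] = value if sep else True
    return params


def audit(kconfig_text, default_grub_text, cmdline, has_initrd, boot_on_luks):
    """Return a list of findings; an empty list means the grub -> kernel
    handover is coherent for a LUKS-encrypted root."""
    findings = []
    kconf = parse_kconfig(kconfig_text)
    grub = parse_default_grub(default_grub_text)
    params = parse_cmdline(cmdline)

    # grub side: cryptodisk is only needed when the files grub reads live inside LUKS.
    if boot_on_luks and grub.get("GRUB_ENABLE_CRYPTODISK") != "y":
        findings.append("GRUB_ENABLE_CRYPTODISK=y is required when /boot is inside LUKS")

    # kernel side: a /dev/mapper/* root only exists once something ran cryptsetup,
    # and without an initramfs nothing can do that before the root mount.
    root = params.get("root", "")
    if isinstance(root, str) and root.startswith("/dev/mapper/") and not has_initrd:
        findings.append(
            "root=%s needs cryptsetup in an initramfs; with no initrd line the kernel "
            "panics with 'VFS: Unable to mount root fs on unknown-block(0,0)'" % root
        )

    for opt, why in REQUIRED_KERNEL_OPTIONS.items():
        state = kconf.get(opt)
        if state is None:
            findings.append("%s is not set: %s" % (opt, why))
        elif state == "m" and not has_initrd:
            findings.append("%s is a module but no initramfs exists to load it before root is mounted" % opt)
    return findings


# Constructed sample inputs modelled on the setup in this thread (not real files).
SAMPLE_KCONFIG = """\
CONFIG_BLK_DEV_INITRD=y
CONFIG_DM_CRYPT=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_SHA256=y
# CONFIG_XFS_FS is not set
"""
SAMPLE_DEFAULT_GRUB = """\
GRUB_DISTRIBUTOR="Gentoo"
GRUB_ENABLE_CRYPTODISK=y
"""
SAMPLE_CMDLINE = "root=/dev/mapper/root ro"

if __name__ == "__main__":
    for has_initrd in (False, True):
        print("initrd line present:", has_initrd)
        for finding in audit(SAMPLE_KCONFIG, SAMPLE_DEFAULT_GRUB, SAMPLE_CMDLINE, has_initrd, True):
            print("  -", finding)
```

Run against the constructed inputs, the script reports exactly the situation from the first post: with grub cryptodisk enabled but no initrd line, the only finding is the missing initramfs; once the initrd line is back, the audit is clean. Options built as modules are flagged too, since a module cannot be loaded before the root filesystem that contains it is mounted unless it ships in the initramfs.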

----------

## sedros

Thank you for help, guys. It seems that I had wrong flags on my partitions so grub asked me to enable GRUB_ENABLE_CRYPTODISK=y before issuing grub-install /dev/sda. That led me to a wrong conclusion that initramfs is no longer required. Thanks!

----------

## Roman_Gruber

You do not need to update your bootloader. I still use my bootloader from sysrescuecd, an earlier beta version.

You may need to reinstall grub when you swap discs, but that's a UEFI limitation (I have to deal with that regularly).

You do not need to update your initramfs usually ...

I manipulate the boot entries by hand. I handle the boot partition myself also, e.g. removing older files, updating newer files and such.

----------

