Long time Debian user just upgraded a system (Thinkpad X230 with Coreboot) to Debian 10 and have a question about full-disk encryption (FDE).

In past Debian versions, up to 9.9, the prompt to decrypt the disk would appear after selecting a kernel at GRUB. Now, I get a prompt seemingly still in BIOS that looks totally different:

> Attempting to decrypt master key

> Enter passphrase for hd0,msdos1

After providing the correct passphrase, the kernel loads and system boots as expected. If not, I get dropped to a `grub rescue` prompt which is not very useful (“help” is not a valid command, neither is “reboot”). Just curious what changed or I may have done to invoke this different FDE prompt. Thanks!

  • You didn’t setup an unencrypted boot partition, so GRUB is the one doing the prompting (to load its files) rather than the kernel. Or at least that’s what I suspect is happening.