Fix/Setup grub + LUKS (fix grub/bootloader)

Did you just accidentally trash grub or manually install Debian using debootstrap? If so, this is how to get your system booting again by getting it to the stage where grub can be set up so you can rescue the system/finish the install.

Boot environment to set up grub (adjust as needed)

These instructions start from a cold boot. If you already have the target system mounted you can skip steps, but double-check that the same settings are used. This applies especially if you have been playing with gparted or trying to fix/reinstall Windows, as this can cause partitions to be renumbered. Confirm with blkid.

Prepare chroot

Boot from the Debian 12 Live USB, connect to the Internet, open a terminal:

sudo -s

# required for grub
modprobe efivarfs

# MUST match /etc/crypttab
cryptsetup luksOpen /dev/sda5 rootfs
export ROOTFS=/target
mkdir $ROOTFS

# adjust as needed /dev/vg/root is lv="root" inside vg="vg"
mount /dev/vg/root $ROOTFS

# /dev/sda4 is a small unencrypted boot partition
mount /dev/sda4 $ROOTFS/boot

# mount EFI partition from existing install
mount /dev/sda1 ${ROOTFS}/boot/efi

# mount partitions for chroot
mount --bind /dev ${ROOTFS}/dev
mount -t devpts /dev/pts ${ROOTFS}/dev/pts
mount -t proc proc ${ROOTFS}/proc
mount -t sysfs sysfs ${ROOTFS}/sys
mount -t tmpfs tmpfs ${ROOTFS}/tmp
mount --bind /sys/firmware/efi/efivars ${ROOTFS}/sys/firmware/efi/efivars

Enter chroot

Now we can make the grub changes we need along with any other wanted OS changes:

chroot ${ROOTFS} /bin/bash

General grub settings

vi /etc/default/grub

Some choice settings. See the info page noted in this file for explanations:

  • Support for Windows dual boot and Linux automatic menu entries
    • Uncomment GRUB_DISABLE_OS_PROBER=false
  • Disable graphical terminal/boot text mode for lots of debug messages (this still boots to a framebuffer terminal, if anyone knows how to use a pure text console please comment)
    • Uncomment GRUB_TERMINAL=console
  • Tell grub which LUKS disk to pass through to Linux kernel
    • uuid:label - obtain from blkid
    • GRUB_CMDLINE_LINUX="cryptdevice=UUID=deadbeef-dead-beef-dead-beefdeadbeef:rootfs root=/dev/vg/root ro"
  • Show the grub menu on boot
  • Options that are not needed. These might have been required in the past, but if you're not getting a LUKS prompt or LVM isn't detected, you probably need to install the required packages, rebuild initramfs and remove these (harmless but confusing) settings:
    • GRUB_PRELOAD_MODULES="luks cryptodisk lvm ext2"


Make sure /etc/crypttab is present and correct. You have to make/edit this file by hand if it's not already there or needs updating. It should look something like:

rootfs UUID=deadbeef-dead-beef-dead-beefdeadbeef none luks,discard

The label (rootfs in this example) MUST match the label in GRUB_CMDLINE_LINUX AND must match what you used with cryptsetup luksOpen for grub to install properly.
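The three-way match described above can be checked from inside the chroot before installing grub. This is an added example, not part of the original guide: the function names and the sample files are constructed for illustration, and it only handles crypttab entries that use a UUID= source.

```shell
#!/bin/sh
# Cross-check the LUKS mapper name and UUID between /etc/default/grub and /etc/crypttab.

# Print "<uuid> <name>" from cryptdevice=UUID=<uuid>:<name> in GRUB_CMDLINE_LINUX.
grub_cryptdevice() {
    sed -n 's/^GRUB_CMDLINE_LINUX=.*cryptdevice=UUID=\([^: "]*\):\([^ "]*\).*/\1 \2/p' "$1"
}

# Print "<uuid> <name>" for each non-comment crypttab line with a UUID= source.
crypttab_entries() {
    awk '$1 !~ /^#/ && $2 ~ /^UUID=/ { sub(/^UUID=/, "", $2); print $2, $1 }' "$1"
}

# check_luks_names GRUB_FILE CRYPTTAB [NAME_USED_WITH_LUKSOPEN]
# Prints a one-line verdict; returns 0 when everything agrees, 1 otherwise.
check_luks_names() {
    grub=$(grub_cryptdevice "$1")
    [ -n "$grub" ] || { echo "FAIL: no cryptdevice=UUID=<uuid>:<name> in $1"; return 1; }
    g_uuid=${grub% *}
    g_name=${grub#* }
    c_name=$(crypttab_entries "$2" | awk -v u="$g_uuid" '$1 == u { print $2 }')
    [ -n "$c_name" ] || { echo "FAIL: UUID $g_uuid has no entry in $2"; return 1; }
    [ "$c_name" = "$g_name" ] || {
        echo "FAIL: grub says '$g_name' but crypttab says '$c_name'"; return 1; }
    opened=${3:-$g_name}
    [ "$opened" = "$g_name" ] || {
        echo "FAIL: volume opened as '$opened', expected '$g_name'"; return 1; }
    echo "OK: $g_name (UUID $g_uuid)"
}

# Constructed sample files so the check runs offline; the UUID is the
# placeholder used in this guide, not a real one.
demo=$(mktemp -d)
cat > "$demo/grub" <<'EOF'
#GRUB_DISABLE_OS_PROBER=false
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="cryptdevice=UUID=deadbeef-dead-beef-dead-beefdeadbeef:rootfs root=/dev/vg/root ro"
EOF
cat > "$demo/crypttab" <<'EOF'
# <name> <source> <keyfile> <options>
rootfs UUID=deadbeef-dead-beef-dead-beefdeadbeef none luks,discard
EOF
check_luks_names "$demo/grub" "$demo/crypttab" rootfs
check_luks_names "$demo/grub" "$demo/crypttab" cryptroot || true
rm -rf "$demo"
```

On the real system, call check_luks_names /etc/default/grub /etc/crypttab with the name you passed to cryptsetup luksOpen as the third argument.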

Enable Secure Boot

Follow the instructions from this command carefully and see the notes on the Debian Wiki:

mokutil --enable-validation

LUKS password/LVM on boot

You must install the packages:

# VITAL! this is what makes LINUX via initramfs (NOT GRUB!!!) ask the password for LUKS
apt install -y cryptsetup-initramfs lvm2

Rebuild initramfs

If you have added/changed kernel modules/important packages or want to rebuild initramfs because you feel like it:

update-initramfs -u


Make sure os-prober is installed if configured in /etc/default/grub:

apt install os-prober


Ensure filesystems still align with what blkid and lvscan/lvdisplay say to use:

vi /etc/fstab


Nvidia drivers on Debian/Ubuntu, then return to this guide.

Install grub

Finally, you can munge the grub settings into /boot and install the bootloader into EFI:


This should output something like:

Installing for x86_64-efi platform.
Installation finished. No error reported.

If you see errors, don't reboot yet. Google the errors/warnings and see what's going on to avoid having to do the steps in this guide again.

Smoke test

Reboot the system through the Live USB power menu, remove the media and reboot. If you're lucky you should see the familiar grub menu screen in glorious text mode followed by Linux kernel boot messages. This should lead to a text prompt to unlock the LUKS volume. Sometimes this message can be obscured by fresh kernel messages, so try just typing the password carefully and hitting return.

From here, the system should boot all the way through to the OS and you should be able to login!

Fixing Windows Bootloader if EFI was wiped

If you wiped EFI and still want to be able to boot Windows, you will need to reinstall the Windows Bootloader after Debian 12 is booting OK using a Windows install USB.

Something along these lines should do it:

After fixing Windows, you will need to return to these instructions to fix grub.
