0009675: Installer cannot prepare encrypted separate partitions if includes /home - Kali Linux Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0009675	Kali Linux	Kali Package Bug	public	2026-05-10 17:23	2026-05-10 18:33

Reporter	chirrindulari	Assigned To
Priority	normal	Severity	minor	Reproducibility	have not tried
Status	new	Resolution	open

Summary	0009675: Installer cannot prepare encrypted separate partitions if includes /home
Description	Kali version 2023.1 Kernel 6.18.12+kali-amd64 Installer from USB live Hardware: MSI Prestige The disk is a 1TB nvme recognized as nvme0n1 Lets start with the setup that works fine: Part, Len, Name, Used_as, Mount point 1, 500M, efi., EFI, - 2, 1G, boot, ext, /boot 3, 700G, home, ext4, /home 4, 64G, swap, physical for encr, swap 5, rest, syst, physical for encr, ext4, / This setup works as expected. If I try to encrypt /home afterwards, the command "update-initramfs -u -k all" does not make a new partition to be created inside initrd.img-6... in crypttab #unmkinitramfs /boot/initrd.img-$(uname -r) /tmp/initrd-check2 #cat /tmp/initrd-check2/cryptroot/crypttab #only shows two partitions, not three But maybe, I'm doing something wrong. Now, the setup that FAILS. Part, Len, Name, Used_as, Mount point 1, 500M, efi., EFI, - 2, 1G, boot, ext, /boot 3, 700G, home, physical for encr, ext4, / #Note this time /home is encrypted as well 4, 64G, swap, physical for encr, swap 5, rest, syst, physical for encr, ext4, / On the first boot after installing KALI asks for the passphare of the 5th partition ( / ) Then asks for the 4th (swap). Says ..."set up successfully" Then nobody asks for the 3rd passphrase and an emergency console is opened. As several times that happened, I set up the root password just at the end of the installation (chroot /target, passwd, exit), but if no password have been assigned to root, you cannot use the console. Some verifications I've done... 1) /etc/crypttab has the three encrypted partitions. The UUID's are consistent with blkid. 2) blkid has the five partitions as /dev/nvme0n1p1...5 of type crypto_LUKS 3) blkid only shows /dev/mapper/nvme0n1pX, where X is 4 and 5. X=3 does not appear here. -> We don't have /home in the system 4) I've inspected crypttab INSIDE /boot/initrd.img-6.18.12+kali-amd64 and there are ONLY TWO partitions(0000004 and 0000005) #mkdir /tmp/initrd-extract #unmkinitramfs /boot/initrd.img-6.18.12+kali-amd64 /tmp/initrd-extract #cat /tmp/initrd-extract/cryptroot/crypttab #ONLY TWO partitions inside, not #3 5) If I try to rebuild initrd with this command #update-initramfs -v -u -k all \| tee /tmp/update-initramfs.log The test 4) shows that, although /etc/crypttab has 3 entries, only 2 are populated inside initrd. This seems to demonstrate that something causes initrd to ignore the entry for /home coming from /etc/crypttab If someone tells me how to manually fix /tmp/initrd-extract/cryptroot/crypttab and rebuild the initrd file, I can check if it's the root cause.

chirrindulari 2026-05-10 18:33 reporter ~0021657	I've added "initramfs" to the options of the /home partition in /etc/crypttab and now the crypttab INSIDE initrd is RIGHT. It has all the encrypted partitions. One of the changes to be made to the KALI installer is to add "initramfs" to the option for the /home partition. This is due to the fact /usr/share/initramfs-tools/hooks/cryptroot calls the function "generate_initrd_crypttab" and this funciones ignores the partitions not " / ", not swap, not " /usr " or not marked as "initramfs" This is the resume made by claude, which helped me finding the solution: Root cause: The Kali installer creates the /etc/crypttab entry for the encrypted /home partition without the initramfs option. The generate_initrd_crypttab() function in /usr/share/initramfs-tools/hooks/cryptroot deliberately only includes entries for /, /usr, swap, or entries explicitly marked with initramfs. So /home is silently dropped from the initrd's crypttab. Symptom: On first boot, passphrase is requested for / and swap, but never for /home → emergency console opens. Fix (one line): In /etc/crypttab, change the options for the home entry from luks to luks,initramfs, then run: #update-initramfs -u -k all Where the bug truly lies: The Kali installer should automatically add the initramfs option to any encrypted partition that needs to be unlocked at boot time — not just / and swap. /home encrypted separately is a perfectly valid and common setup.

Date Modified	Username	Field	Change
2026-05-10 17:23	chirrindulari	New Issue
2026-05-10 18:33	chirrindulari	Note Added: 0021657