Full confession: I don't know if this is an issue with my rEFInd settings or an issue with Fedora. But here goes.
I have an encrypted partition (two actually) that I use for my daily driver install of Fedora. This partition, when decrypted, houses the root (/) directory. The /boot directory is on a separate, smaller unencrypted partition on the same hard drive. Same is true for the EFI partition.
For a few years now, I have used one encrypted partition combo (root/boot) for Fedora and the second combo for when I want to restore a backup. I basically switch between them to ensure I always have a good one to play with.
The process for restoring a tar'd backup of encrypted partition I to encrypted partition II is a little complex because of the separate root partition and the different UUIDs for the boot partition, the root partitions (encrypted wrapper and logical partition inside the wrapper), and the EFI partition. All of these need to be "changed" on the untar location to be correct for the destination partitions. In short:
On the /root partition: ensure that /etc/crypttab has the correct UUID for the encrypted partition wrapper on the destination partition.
On the /root partition: ensure that /etc/fstab has the correct UUIDs for the /boot, /boot/efi, and / partitions. In my setup, these are each a separate partition. And the / partition is the UUID of the logical partition inside the encrypted partition.
On the /boot partition: ensure that the boot stanzas in refind_linux.conf have the UUID for the / partition (i.e., the logical partition inside the encrypted partition). For example:
"Boot with standard option Encrypted" "root=UUID=276b8eb5-7106-4227-8f68-bc29b273b49a ro rhgb quiet LANG=en_US.UTF-8 acpi_backlight=vendor radeon.dpm=0"
"Boot to single-user mode" "root=UUID=276b8eb5-7106-4227-8f68-bc29b273b49a ro rhgb quiet LANG=en_US.UTF-8 single acpi_backlight=vendor radeon.dpm=0"
This has worked for at least a year or so. However, recently, I have not been able to properly restore the backup. Everything appears correct and matches the working partition, but on boot it does not direct to the encryption splash screen and request a password. Instead, it attempts to boot from the logical partition and says it can't be found (likely because it is inside the encrypted partition).
Any ideas what I am doing wrong?
Last edit: H Roark 2019-03-28
I don't know what changed, or if this is the best way to accomplish the goal technically, but here is what worked:
"Boot with LUKS Denoted" "root=UUID=276b8eb5-7106-4227-8f68-bc29b273b49a boot=/dev/sda1 rd.luks.uuid=6425ac88-544a-4fc2-b43a-3a2de4be2a02 rd.luks.allow-discards ro rd.lvm=0 rd.md=0 rd.dm=0 LANG=en_US.UTF-8 ro rhgb quiet radeon.dpm=0 acpi_backlight=vendor"
The key "new" part is the rd.luks.uuid=..... I believe that directs the initramfs to the encrypted partition. At least for Fedora (which appears to be the only distro it works on), this pointer does not appear to require a regeneration of the initramfs using dracut.
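As an added example (not part of the thread, and not rEFInd or Fedora code), the following Python script runs the three checks from the original post over the contents of the restored files and also flags a boot stanza that lacks rd.luks.uuid, the option the reply found necessary. The function names, the /boot and EFI UUIDs and the shortened stanzas are constructed for illustration; in practice the destination UUIDs would be read from blkid output for the target partitions.

```python
import shlex

def _fields(text):
    """Yield whitespace-split fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def _uuid(value):
    """Return the UUID from 'UUID=...'; None for device paths or labels."""
    return value[5:].lower() if value.upper().startswith("UUID=") else None

def check_restore(crypttab, fstab, refind_conf, dest):
    """Compare restored config text with dest = {'luks','root','boot','efi'} UUIDs."""
    want, problems = {k: v.lower() for k, v in dest.items()}, []
    # /etc/crypttab: <name> <device> [keyfile] [options]
    if want["luks"] not in {_uuid(f[1]) for f in _fields(crypttab) if len(f) > 1}:
        problems.append("crypttab: no entry for the destination LUKS container")
    # /etc/fstab: <device> <mount point> ...
    mounts = {f[1]: _uuid(f[0]) for f in _fields(fstab) if len(f) > 1}
    for mnt, key in (("/", "root"), ("/boot", "boot"), ("/boot/efi", "efi")):
        if mounts.get(mnt) != want[key]:
            problems.append(f"fstab: {mnt} is {mounts.get(mnt)}, expected {want[key]}")
    # refind_linux.conf: "menu label" "kernel options"
    stanzas = (shlex.split(ln, comments=True) for ln in refind_conf.splitlines())
    for label, optstr in (s[:2] for s in stanzas if len(s) > 1):
        opts = [o.partition("=")[::2] for o in optstr.split()]
        if want["root"] not in [_uuid(v) for k, v in opts if k == "root"]:
            problems.append(f"refind '{label}': root= is not the destination root")
        # Requiring rd.luks.uuid follows the thread's fix; dracut ignores a leading "luks-"
        luks = [v.lower().replace("luks-", "", 1) for k, v in opts if k == "rd.luks.uuid"]
        if want["luks"] not in luks:
            problems.append(f"refind '{label}': rd.luks.uuid missing or wrong")
    return problems

# Constructed sample input: root/LUKS UUIDs as quoted in the thread, others placeholders.
DEST = {"luks": "6425ac88-544a-4fc2-b43a-3a2de4be2a02",
        "root": "276b8eb5-7106-4227-8f68-bc29b273b49a",
        "boot": "00000000-0000-0000-0000-00000000b007", "efi": "0000-EF10"}
CRYPTTAB = f"luks-{DEST['luks']} UUID={DEST['luks']} none discard\n"
FSTAB = (f"UUID={DEST['root']} / ext4 defaults 1 1\n"
         f"UUID={DEST['boot']} /boot ext4 defaults 1 2\n"
         f"UUID={DEST['efi']} /boot/efi vfat umask=0077 0 2\n")
OLD = f'"Boot with standard option Encrypted" "root=UUID={DEST["root"]} ro rhgb quiet"\n'
NEW = f'"Boot with LUKS Denoted" "root=UUID={DEST["root"]} rd.luks.uuid={DEST["luks"]} ro"\n'

if __name__ == "__main__":
    print([check_restore(CRYPTTAB, FSTAB, c, DEST) for c in (OLD, NEW)])
```

An empty list means every UUID in the restored files points at the destination partitions; each string in a non-empty list names the file and entry to correct.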