- On another Ubuntu machine, use "Startup Disk Creator" to create a bootable Ubuntu 18.04 USB drive
- Plug this USB drive into a USB port of the computer that boots to BusyBox
When the live USB Ubuntu is ready, connect to the Internet (WiFi or wired)
Open a terminal
ubuntu@ubuntu:~$ sudo su
Find the encrypted block device.
root@ubuntu:~# blkid|grep LUKS
/dev/nvme0n1p3: UUID="4b206e76-1531-48ae-95be-ae0ed7a244c1" TYPE="crypto_LUKS" PARTUUID="21db499d-b87b-41c6-864f-04d1531cb083"
Decrypt the device
root@ubuntu:~# cryptsetup open UUID="4b206e76-1531-48ae-95be-ae0ed7a244c1" nvme0n1p3_crypt
Enter passphrase for /dev/disk/by-uuid/4b206e76-1531-48ae-95be-ae0ed7a244c1:
List mapped devices. control is a file used to send commands to the device mapper. nvme0n1p3_crypt is the decrypted device. ubuntu--vg-root is an LVM logical volume in the LVM ubuntu-vg volume group.
root@ubuntu:~# ls /dev/mapper/*
/dev/mapper/control /dev/mapper/ubuntu--vg-root /dev/mapper/nvme0n1p3_crypt
Create mount point. This is where we will mount the / of our system that won't boot.
root@ubuntu:~# mkdir -p /mnt/ubuntu-root
Mount root logical volume
root@ubuntu:~# mount /dev/mapper/ubuntu--vg-root /mnt/ubuntu-root/
Mount pseudo file systems
root@ubuntu:~# mount -o bind /sys /mnt/ubuntu-root/sys
root@ubuntu:~# mount -o bind /proc /mnt/ubuntu-root/proc
root@ubuntu:~# mount -o bind /dev /mnt/ubuntu-root/dev
Copy DNS information
root@ubuntu:~# cp /etc/resolv.conf /mnt/ubuntu-root/etc/
Change root
root@ubuntu:~# chroot /mnt/ubuntu-root/
Mount /boot, which contains the initramfs file. This partition is unencrypted.
root@ubuntu:/# mount /boot/
Install binwalk (to see the content of the init ram file system)
root@ubuntu:~# apt update
root@ubuntu:~# apt install binwalk
Find offset of gzipped initramfs content
root@ubuntu:~# binwalk /boot/initrd.img-4.15.0-36-generic | grep gzip
1605632 0x188000 gzip compressed data, from Unix, last modified: 2018-10-18 13:00:32
The problem is that the initramfs file system does not contain cryptsetup.
So, that is why there is no LUKS password prompt.
root@ubuntu:/# cd /root/
root@ubuntu:~# mkdir initramfs-4.15.0-36-generic
root@ubuntu:~# cd initramfs-4.15.0-36-generic
root@ubuntu:~/initramfs-4.15.0-36-generic# dd if=/boot/initrd.img-4.15.0-36-generic bs=1605632 skip=1 | gunzip | cpio -i
root@ubuntu:~/initramfs-4.15.0-36-generic# ls sbin/cryptsetup
ls: cannot access 'sbin/cryptsetup': No such file or directory
To decrypt root at boot, the initramfs needs to contain:
sbin/cryptsetup
lib/modules/4.15.0-36-generic/kernel/drivers/md/dm-crypt.ko
Add the initramfs option in /etc/crypttab
root@ubuntu:/# cat /etc/crypttab
nvme0n1p3_crypt UUID=4b206e76-1531-48ae-95be-ae0ed7a244c1 none luks,discard,initramfs
Add CRYPTSETUP=y in /etc/cryptsetup-initramfs/conf-hook
Run update-initramfs:
root@ubuntu:~# update-initramfs -k 4.15.0-36-generic -c -v &> update-initramfs-4.15.0-36-generic.cryptsetup.log
Now, we have cryptsetup in initramfs and the Linux kernel module dm-crypt.ko too:
root@ubuntu:~# grep /sbin/cryptsetup update-initramfs-4.15.0-36-generic.cryptsetup.log
Adding binary /sbin/cryptsetup
root@ubuntu:~# grep dm-crypt.ko update-initramfs-4.15.0-36-generic.cryptsetup.log
Adding module /lib/modules/4.15.0-36-generic/kernel/drivers/md/dm-crypt.ko
Now, run update-initramfs, without -c (new) and without -v (verbose):
root@ubuntu:~# update-initramfs -k 4.15.0-36-generic -u
Verify that the initramfs is actually correct
root@ubuntu:~# binwalk /boot/initrd.img-4.15.0-36-generic | grep gzip
1605632 0x188000 gzip compressed data, from Unix, last modified: 2018-10-18 14:26:29
root@ubuntu:~# dd if=/boot/initrd.img-4.15.0-36-generic bs=1605632 skip=1 2> /dev/null | gunzip | cpio -t 2> /dev/null |grep sbin/crypt
sbin/cryptsetup
root@ubuntu:~# dd if=/boot/initrd.img-4.15.0-36-generic bs=1605632 skip=1 2> /dev/null | gunzip | cpio -t 2> /dev/null |grep dm-crypt.ko
lib/modules/4.15.0-36-generic/kernel/drivers/md/dm-crypt.ko
Now, reboot.
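An added example, not part of the original post: the post finds the gzip segment with binwalk and a hard-coded dd offset, while the Python below walks the initramfs segments itself (uncompressed microcode cpio, zero padding, gzip-compressed newc cpio) and reports which of the two required items are missing. The function names are this example's own, the sample images are constructed in memory, and only gzip compression is handled; anything else raises an error.

```python
import gzip
import zlib

MAGIC = (b"070701", b"070702")                 # cpio "newc" and "crc" header magic
REQUIRED = ("sbin/cryptsetup", "dm-crypt.ko")  # the two items the post greps for

def cpio_names(buf, pos, names):
    """Append member names of the newc archive at pos; return the offset after it."""
    while buf.startswith(MAGIC, pos):
        f = [int(buf[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        name = buf[pos + 110:pos + 110 + f[11] - 1].decode(errors="replace")
        pos = (pos + 110 + f[11] + 3) & ~3     # f[11] = namesize; padded to 4 bytes
        pos = (pos + f[6] + 3) & ~3            # f[6] = filesize; padded to 4 bytes
        if name == "TRAILER!!!":
            break
        names.append(name)
    return pos

def initramfs_names(buf):
    """List members of every segment: plain cpio (microcode) and gzip'd cpio."""
    names, pos = [], 0
    while pos < len(buf):
        if buf[pos] == 0:                      # zero padding between segments
            pos += 1
        elif buf.startswith(MAGIC, pos):
            pos = cpio_names(buf, pos, names)
        elif buf.startswith(b"\x1f\x8b", pos):  # gzip, as binwalk reported
            d = zlib.decompressobj(31)
            names += initramfs_names(d.decompress(buf[pos:]))
            pos = len(buf) - len(d.unused_data)
        else:
            raise ValueError(f"unsupported compression at offset {pos}")
    return names

def missing(buf):
    """Return the REQUIRED items that no member path ends with."""
    names = initramfs_names(buf)
    return [r for r in REQUIRED if not any(n.endswith(r) for n in names)]

def newc(entries):  # builds a constructed archive for the demo, not a real initrd
    pad, out = (lambda b: b + b"\0" * (-len(b) % 4)), b""
    for name, data in entries + [("TRAILER!!!", b"")]:
        fields = (0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name) + 1, 0)
        out = pad(pad(out + b"070701" + b"%08X" * 13 % fields + name.encode() + b"\0") + data)
    return out

EARLY = newc([("kernel/x86/microcode/GenuineIntel.bin", b"ucode")]).ljust(512, b"\0")
BROKEN = EARLY + gzip.compress(newc([("sbin/modprobe", b"x")]))
FIXED = EARLY + gzip.compress(newc([("sbin/cryptsetup", b"x"),
    ("lib/modules/4.15.0-36-generic/kernel/drivers/md/dm-crypt.ko", b"x")]))
```

Against a real image, pass the file's bytes, for example `missing(open("/boot/initrd.img-4.15.0-36-generic", "rb").read())`; an empty list means both items are present.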
Best Answer
Boot from a live USB stick or DVD and run:
Important! --> replace /dev/sda1 with your Ubuntu partition. You can locate the correct partition with the command lsblk, which will provide you with output similar to what you see below; your Ubuntu partition is the one shown at mountpoint /: