I do the same thing; however, I'm afraid my answer won't be satisfactory, as for various reasons I went with a completely custom Initramfs.
Instead of GnuPG, which is an extra binary that has to be included in the Initramfs (and in the case of GnuPG-2, a rather complex one), I simply used what's already there. And that's obviously dm-crypt/LUKS.
So suppose you have a keyfile, preferably one with random data.
# dd if=/dev/urandom of=keyfile count=1
1+0 records in
1+0 records out
512 bytes (512 B) copied, 0.000189802 s, 2.7 MB/s
Add encryption for it with LUKS (feel free to add your cipher settings of choice).
# truncate -s 2M keyfile.luks
# cryptsetup luksFormat keyfile --header keyfile.luks
WARNING!
========
This will overwrite data on keyfile.luks irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase: bananas
Verify passphrase: bananas
Now you have a keyfile (512 bytes) and a keyfile.luks (2MB, which cryptsetup for some reason needs to write the 192k LUKS header). Since the Initramfs will be compressed anyway, that is not too bad (still smaller than GnuPG).
Now you can decrypt the keyfile:
# cryptsetup luksOpen keyfile --header keyfile.luks lukskey
Enter passphrase for keyfile: bananas
And you have 512 bytes of random data in /dev/mapper/lukskey. (You may write to it if you want to change it, so we could have initialized the file with zeroes earlier.)
# blockdev --getsize64 /dev/mapper/lukskey
512
In the Initramfs init you could then proceed to open the real LUKS volume with it (assuming you added the key first).
cryptsetup --key-file=/dev/mapper/lukskey luksOpen /dev/yourdisk luksyourdisk
cryptsetup luksClose lukskey # clean up
This approach makes GnuPG entirely superfluous, plus you get all LUKS advantages, such as multiple passphrases for the key, cipher of your choice, et cetera. Not to mention a nice (mostly regular) password prompt with multiple retries.
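The init-time side of the procedure above (open the LUKS-wrapped keyfile, use it once, tear the plaintext mapping down), as an added example that is not part of the original answer; the file paths, the mapping names and the retry count are assumptions, and /dev/yourdisk is a placeholder as in the answer.

```shell
#!/bin/sh
# Added example: unlock the root LUKS volume with a keyfile that is itself
# LUKS-encrypted (detached header keyfile.luks). Assumed initramfs locations:
KEYFILE=/etc/keys/keyfile          # 512 bytes of ciphertext (the "keyfile")
KEYHDR=/etc/keys/keyfile.luks      # detached LUKS header for it
KEYMAP=lukskey                     # dm name of the decrypted key
ROOTDEV=/dev/yourdisk              # real encrypted root (placeholder)
ROOTMAP=luksyourdisk

# Sanity check before prompting: does the file start with the LUKS magic
# ("LUKS" 0xBA 0xBE)? Returns 0 if so, 1 otherwise (unreadable file included).
is_luks_header() {
    [ -r "$1" ] || return 1
    [ "$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')" = "4c554b53babe" ]
}

# Open the encrypted keyfile, allowing up to $1 passphrase attempts
# (cryptsetup itself only asks once here, so the loop gives the retries).
open_keyfile() {
    tries=${1:-3}
    while [ "$tries" -gt 0 ]; do
        if cryptsetup luksOpen "$KEYFILE" --header "$KEYHDR" "$KEYMAP"; then
            return 0
        fi
        tries=$((tries - 1))
    done
    return 1
}

unlock_root() {
    is_luks_header "$KEYHDR" || { echo "bad key header: $KEYHDR" >&2; return 1; }
    open_keyfile 3 || return 1
    # Whatever the result, the plaintext key mapping is closed afterwards so
    # the decrypted key does not stay exposed under /dev/mapper.
    cryptsetup --key-file="/dev/mapper/$KEYMAP" luksOpen "$ROOTDEV" "$ROOTMAP"
    rc=$?
    cryptsetup luksClose "$KEYMAP"
    return $rc
}
```

Call unlock_root from init and only continue to mount the root filesystem when it returns 0.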
Best Answer
Here are some suggestions.
When you wait a few minutes, you should be shown the initramfs/BusyBox console screen. Using the command-line, you should check the syntax of your kernel arguments by typing the following command:
Especially check (as suggested by BusyBox):
- root, whether it points to the right device.
- rootdelay is set; maybe you need to increase the system wait?
If the above won't help, consider the following commands:
- cryptsetup --debug luksOpen /dev/XXX mapper-name to decrypt manually (see this how-to).
  Note: To make sure you're using the right device, run dumpe2fs /dev/XXX (e.g. sda1 or nvme0n1p3) in the initramfs/BusyBox console, then make sure it reports as crypto_LUKS.
  Note: If luksOpen fails, try the older syntax: cryptsetup --debug luksOpen /dev/XXX ubuntu.
- cryptsetup --debug luksDump /dev/XXX to dump LUKS header information from the device.
  Note: In case of corruption of on-disk metadata, use the cryptsetup repair <device> command.
- On the "Please unlock disk XXX_crypt" screen, note your device name and, using the above luksDump method, confirm that Ubuntu asks you to decrypt the right device, as the order (disk number) potentially can change (BIOS boot changes?). In that case, Ubuntu likely will use the last known device (cached, /etc/lvm/[backup|archive]/?) location when it won't be able to connect to the lvmetad service. For example, I was asked to type a passphrase for nvme1n1p3_crypt (Windows NTFS partition) instead of nvme0n1p3 (crypto_LUKS partition).
Further suggested commands:
- Run lvm lvs or lvm vgscan and check for any errors (it identifies each disk with a UUID). See also: Ubuntu won't boot because of lvmetad & Failed to connect to lvmetad - Stuck on boot.
- cat /proc/modules to check for missing modules (load them with modprobe).
- When finished, type reboot to restart.
If you did an upgrade recently, test your previous kernel (hold Shift during boot, and select Advanced options), and select the version which you'd like to test.
Other related resources:
- lvm2 bug in Ubuntu 18.04: lvm2-activation-generator crashed with SIGSEGV. Similar older bug: error unlocking / decrypting LUKS volume at boot.
- UEFI Introduction & How do I install Ubuntu alongside a pre-installed Windows with UEFI?