Ubuntu – Ubuntu 18.04 – cryptsetup fails to recognize passphrase, unlocking from Live USB works


I recently bought a Ubuntu Edition Dell XPS 13 9370. The machine comes without full disk encryption enabled out of the box, but offers to create a recovery USB drive, when booted from that Ubuntu can be installed with LUKS encryption.

However, after installing my passphrase is never recognized, I always get "cryptsetup failed, bad password or options?"

  • The culprit can't be keyboard layouts, the passphrase abcd does not work either.
  • The encryption itself seems to be configured correctly – when I boot from the live USB system and launch the "Disks" utility I can successfully unlock the drive with my chosen password (again, I tried abcd, so it can't be a layout problem)

Did anybody else see this problem? Any suggestions how to fix it? Thanks!

Best Answer

Here are some suggestions.

  • Switch to the command-line by hitting F1 or Alt-Tab, type the password again, and check for any errors. If you find the error, try searching for it.
  • When you wait few minutes, you should be shown initramfs/BusyBox console screen. Using the command-line, you should check the syntax of your kernel arguments by typing the following command:

    cat /proc/cmdline

    Especially check (as suggested by BusyBox):

    • The value of root, whether it points to the right device.
    • If rootdelay is set, maybe you need to increase the system wait?

If above won't help, consider the following commands:

  • cryptsetup --debug luksOpen /dev/XXX mapper-name to decrypt manually (see this how-to).

    Note: To make sure you're using the right device, run dumpe2fs /dev/XXX (e.g. sda1 or nvme0n1p3) in initramfs/BusyBox console, then make sure it reports as crypto_LUKS.

    Note: If luksOpen fails, try the older syntax: cryptsetup --debug luksOpen /dev/XXX ubuntu.

  • cryptsetup --debug luksDump /dev/XXX to dump LUKS header information from the device.

    Note: In case of corruption of on-disk metadata, use cryptsetup repair <device> command.

  • On Please unlock disk XXX_crypt screen, note your device name and using above luksDump method, confirm that Ubuntu asks you to decrypt the right device as the order (disk number) potentially can change (BIOS boot changes?). In that case, Ubuntu likely will use the last known device (cached, /etc/lvm/[backup|archive]/?) location when it won't be able to connect to lvmetad service.

    For example, I was asked to type a passphrase for nvme1n1p3_crypt (Windows NTFS partition) instead of nvme0n1p3 (crypto_LUKS partition).

Further suggested commands:

When finish, type reboot to restart.

If you did an upgrade recently, test your previous kernel (hold Shift during boot, and select Advanced options), and select the version which you'd like to test.

Other related resources: