/boot is not encrypted (the BIOS would have no way to decrypt it...). It could be ext4, but there really isn't any need for it to be. It usually doesn't get written to. The BIOS reads GRUB from the MBR, then GRUB reads the rest of itself, the kernel, and the initramfs from /boot. The initramfs prompts you for the passphrase. (Presumably, it's using cryptsetup and LUKS headers.)
The encryption is performed at a layer below the filesystem. You're using something called dm-crypt (that's the low-level in-kernel backend that cryptsetup uses), where "dm" means "Device Mapper". You appear to also be using LVM, which is also implemented by the kernel Device Mapper layer. Basically, you have a storage stack that looks something like this:
1. /dev/sda2 (guessing it's 2, could be any partition other than 1)
2. /dev/mapper/sda2_crypt (dm-crypt layer; used as a PV for VG archon)
3. LVM (volume group archon)
4. /dev/mapper/archon-root (logical volume in group archon)
5. ext4
You can find all this out with the dmsetup command. E.g., dmsetup ls will list the Device Mapper devices, dmsetup info will give some details, and dmsetup table will give technical details of the translation the mapping layer is doing.
The way it works is that the dm-crypt layer (#2, above) "maps" the data by performing crypto. So anything written to /dev/mapper/sda2_crypt is encrypted before being passed to /dev/sda2 (the actual hard disk). Anything coming from /dev/sda2 is decrypted before being passed out of /dev/mapper/sda2_crypt.
So any upper layers use that encryption, transparently. The upper layer you have using it first is LVM. You're using LVM to carve up the disk into multiple logical volumes. You've got (at least) one, called root, used for the root filesystem. It's a plain block device, so you can use it just like any other—you can put any filesystem you'd like there, or even raw data. The data gets passed down, so it will be encrypted.
Things to learn about (check manpages, etc.):
- /etc/crypttab
- LVM (some important commands: lvs, pvs, lvcreate, lvextend)
- cryptsetup
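As an added example (not code from either answer), a small Python helper that rebuilds the layered view above from the output of dmsetup ls and dmsetup table; both inputs are constructed samples, and the archon-data volume and the 8:3 partition in them are hypothetical. It goes one step beyond the answer by flagging a logical volume with a segment on an unencrypted physical volume, which LVM happily allows once a plain partition is added to the volume group.

```python
"""Rebuild the dm-crypt + LVM stack from `dmsetup ls` and `dmsetup table` output.
Hypothetical helper; both inputs below are constructed sample text."""
import re

# Constructed `dmsetup ls` sample: dm device name and its major:minor.
DMSETUP_LS = "sda2_crypt\t(253:0)\narchon-root\t(253:1)\narchon-data\t(253:2)\n"
# Constructed `dmsetup table` sample ("name: start length target args"); key column masked.
# crypt args: <cipher> <key> <iv_offset> <device> <offset>; linear args: <device> <offset>.
# archon-data's second segment sits on 8:3, a plain partition added to the volume group.
DMSETUP_TABLE = """\
sda2_crypt: 0 1953520000 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:2 4096
archon-root: 0 62914560 linear 253:0 2048
archon-data: 0 8388608 linear 253:0 62916608
archon-data: 8388608 8388608 linear 8:3 2048
"""

def parse_ls(text):
    """Map 'major:minor' -> dm device name (accepts both '(253:0)' and '(253, 0)' spellings)."""
    hits = (re.match(r"(\S+)\s+\((\d+)[:,]\s*(\d+)\)", line) for line in text.splitlines())
    return {f"{m[2]}:{m[3]}": m[1] for m in hits if m}

def parse_table(text):
    """Map dm device name -> list of (target, args) segments in table order."""
    tables = {}
    for line in text.splitlines():
        name, _, rest = line.partition(": ")
        _start, _length, target, *args = rest.split()
        tables.setdefault(name, []).append((target, args))
    return tables

def backing_device(target, args):
    """Device a segment reads from: crypt keeps it in args[3], linear in args[0]."""
    return args[3] if target == "crypt" else args[0] if target == "linear" else None

def chain(name, tables, devnums, seg=0):
    """Follow one segment of `name` down to the disk; hops are (device, target, cipher)."""
    hops = []
    while name in tables:
        target, args = tables[name][seg]
        hops.append((name, target, args[0] if target == "crypt" else None))
        dev = backing_device(target, args)
        name, seg = devnums.get(dev, dev), 0   # 253:0 -> sda2_crypt; 8:2 is the real disk
    hops.append((name, "disk", None))
    return hops

def fully_encrypted(name, tables, devnums):
    """True only when every segment of the device passes through a crypt target."""
    return all(any(t == "crypt" for _, t, _ in chain(name, tables, devnums, s))
               for s in range(len(tables[name])))
```

Run the two dmsetup commands as root and feed their output to parse_ls and parse_table to check a real machine; a logical volume reported as not fully encrypted has data bypassing dm-crypt entirely.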
After days of trying and testing, the solution (or the problem) is very simple: be sure to have your / mount point inside your encrypted volumes - if not, the init-bottom script is called right after the init-premount scripts (because the / doesn't need to be decrypted).
Best Answer
Full disk encryption is usually done using the dm-crypt Device Mapper target, with a nested LVM (Logical Volume Manager) inside. So to reset your password you'll have to open the encrypted device and activate the logical volumes inside it; cryptsetup and vgchange are used for this.

Usually you won't need to care about this. Just let the initrd provided by your distribution do the job but tell it not to start /sbin/init but something else — a shell would be good. Simply append init=/bin/sh to your kernel's command line in your boot loader (with GRUB you could press E with the appropriate boot entry selected to edit the entry). Then your kernel should boot up normally, booting into the initrd which should ask for your passphrase and set up your file-systems but instead of booting the system up drop you into a shell. There you'll have to:
1. Remount / read-write: mount -o rw,remount /
2. passwd <user> (since you're root you won't get prompted for the old one)
3. Remount / read-only: mount -o ro,remount / (skipping this might confuse your init scripts)
4. exec /sbin/init (or simply reboot -f).

If this does not work, you'll have to take the approach with greater effort and do it from "outside", a.k.a. booting a Live CD. Usually this should be possible by using the Debian install CD — the tools should be installed, since the installer somehow has to set up encryption which uses the same schema:
1. Boot a Live CD.
2. Open the encrypted partition by issuing cryptsetup, where <partition> should be your encrypted partition's name (sda2, probably) and some_name is just… some name. This will prompt you for the disk's encryption passphrase and create a block device called /dev/mapper/some_name.
3. Activate the logical volumes. This should usually work by issuing vgchange. This will create block device files for every logical volume found in the LVM in /dev/mapper/.
4. Mount the volume containing your / file system, where <vgname> and <lvname> are the names of the volume group and the logical volume. This depends on the way distributions set it up, but just have a look into /dev/mapper/; normally the names are self-explanatory.
5. Change your password with passwd <user> accordingly.