How to reset password on an encrypted fs

encryptionfilesystemslivecdpassword

I've got a laptop which I haven't used since the last summer vacation: I did put Debian 7 on it and used Debian's feature to fully encrypt the disk, besides a tiny bootloader (or a tiny partition) I guess (not too sure which encryption this is nor how to find out).

I do know the password of the encrypted filesystem so the system boots, but I'm stuck the login prompt: I did forgot my password(s).

Seen that I know the password of the encrypted filesystem, I take it I can boot from a Live CD (or even maybe from the Debian install CD?) and somehow "mount" the encrypted partition.

If that's the case, can someone explain me how to do this? (knowing that I've never mounted an encrypted partition / filesystem manually)

Best Answer

Full disk encryption is usually done using the dm-crypt Device Mapper target, with a nested LVM (Logical Volume Manager) inside. So to reset your password you'll have to

Unlock/open the crypto container; this is done using cryptsetup
Activate the logical volumes; vgchange is used for this.

Usually you won't need to care about this. Just let the initrd provided by your distribution do the job but tell it not to start /sbin/init but something else — a shell would be good. Simply append init=/bin/sh to your kernel's command line in your boot loader (with GRUB you could press E with the appropriate boot entry selected to edit the entry).

Then your kernel should boot up normally, booting into the initrd which should ask for your passphrase and set up your file-systems but instead of booting the system up drop you into a shell. There you'll have to

remount / read-write: mount -o rw,remount /
reset your password using passwd <user> (since you're root you won't get prompted for the old one)
remount / read-only: mount -o ro,remount / (skipping this might confuse your init scripts)
Start the regular init with exec /sbin/init (or simply reboot -f).

If this does not work, you'll have to take the approach with greater effort and do it from "outside", a.k.a. booting a Live CD. Usually this should be possible by using the Debian install CD — the tools should be installed, since the installer somehow has to set up encryption which uses the same schema:

Boot a Live CD
Open the encrypted partition by issueing
```
# cryptsetup luksOpen /dev/<partition> some_name
```
where <partition> should be your encrypted partitions name (sda2, probably). some_name is just… some name. This will prompt you for the disk's encryption passphrase and create a block device called /dev/mapper/some_name.
Activate the logical volumes. This should usually work by issueing
```
# vgscan
# vgchange -ay
```
This will create block device files for every logical volume found in the LVM in /dev/mapper/.
Mount the volume containing your / file system:
```
# mount /dev/mapper/<vgname>-<lvname> /mnt
```
where <vgname> and <lvname> are the names of the volume group and the logical volume. This depends on the way distributions set it up, but just have a look into /dev/mapper/, normally names are self-explanatory.
Change your password with passwd <user> accordingly.

Related Solutions

Encrypted disk filesystem compatibilities

/boot is not encrypted (the BIOS would have no way to decrypt it...). It could be ext4, but there really isn't any need for it to be. It usually doesn't get written to. The BIOS reads GRUB from the MBR, then GRUB reads the rest of itself, the kernel, and the initramfs from /boot. The initramfs prompts you for the passphrase. (Assumably, its using cryptsetup and LUKS headers.).

The encryption is performed at a layer below the filesystem. You're using something called dm-crypt (that's the low-level in-kernel backend that cryptsetup uses), where "dm" means "Device Mapper". You appear to also be using LVM, which is also implemented by the kernel Device Mapper layer. Basically, you have a storage stack that looks something like this:

1. /dev/sda2              (guessing it's 2, could be any partition other than 1)
2. /dev/mapper/sda2_crypt (dm-crypt layer; used as a PV for VG archon)
3. LVM (volume group archon)
4. /dev/mapper/archon-root (logical volume in group archon)
5. ext4

You can find all this out with the dmsetup command. E.g., dmsetup ls will tell you the Device Mapper devices in list. dmsetup info will give some details, and dmsetup table will give technical details of the translation the mapping layer is doing.

The way it works is that the dm-crypt layer (#2, above) "maps" the data by performing crypto. So anything written to /dev/mapper/sda2_crypt is encrypted before being passed to /dev/sda2 (the actual hard disk). Anything coming from /dev/sda2 is decrypted before being passed out of /dev/mapper/sda2_crypt.

So any upper layers use that encryption, transparently. The upper layer you have using it first is LVM. You're using LVM to carve up the disk into multiple logical volumes. You've got (at least) one, called root, used for the root filesystem. It's a plain block device, so you can use it just like any other—you can put any filesystem you'd like there, or even raw data. The data gets passed down, so it will be encrypted.

Things to learn about (check manpages, etc.):

/etc/crypttab
LVM (some important commands: lvs, pvs, lvcreate, lvextend)
cryptsetup

Debian – Dropbear terminates before LUKS password prompt on Debian Jessie

After days of trying and testing, the solution (or the problem) is very simple: be sure to have your / mount point inside your encrypted volumes - if not, the init-bottom script is called right after the init-premount scripts (because the / doesn't need to be decrypted).

Best Answer

Related Solutions

Encrypted disk filesystem compatibilities

Debian – Dropbear terminates before LUKS password prompt on Debian Jessie

Related Question