Can't access luks-encrypted system partition anymore

**slabo** · July 24th, 2008

Newbie-Alert: Please point out any mistakes i'm making.

On booting, the system doesn't accept my password for unlocking the encrypted system partition anymore.

Setup: Ubuntu Hardy Heron, set up on 07/16, last updated (working) via synaptic on 07/20 (?). /dev/sda3 is an encrypted partition, which hosts a logical volume, which in turn hosts volume groups for / and swap. /boot is unencrypted. I encrypted via the alternate installer CD. This setup had worked fine until yesterday.

What happened? I'm not sure. I can't access the partition since last evening. At noon, i updated via synaptic, i think it concerned gvfs. (One problem is that i'm not certain that this update ran through.) The update-process seems to have left /boot untouched.

All in all, the system acts like my password is wrong, but i'm confident it is correct. I'm trying to access with the help of a Xubuntu-live-CD (7.10).

Output of sudo cryptsetup luksDump /dev/sda3: http://pastebin.com/m2be5ccf Looks okay to me.

Only thread i've found so far that looks similar. (Link) Does anybody have an idea why that suddenly just worked again?

- How can i find out, what was installed in yesterdays update via synaptic?
- If /boot was unaltered and the partition header of the encrypted partition looks okay, what in the world could be causing trouble?
- Any hints/ideas for further diagnosis?

**hyper_ch** · July 24th, 2008

can you manually unlock it from the Desktop CD?

On a side note, why did you encrypt a logical volume and not the partitions within it individually?

**slabo** · July 24th, 2008

I tried to unlock it with sudo cryptsetup luksOpen /dev/sda5 cryptdisc. It prompts me for my password, but doesn't accept it. Mount outputs: "mount: unknown filesystem type 'crypto_LUKS'"

I encrypted / and swap together so that i only have to enter one password. I found some howtos which suggested that.

**hyper_ch** · July 24th, 2008

up there you said it's /dev/sda3 which is encrypted then you say it's /dev/sda5....

**slabo** · July 24th, 2008

Oops, sorry. It is /dev/sda3. /dev/sda5 is my /boot. (But actually trying to open that with luksOpen also prompts me for a password, i just found out. Anyway, luksDump recognises sda3 as a luks-partition.)

**tact** · July 24th, 2008

Hi slabo

- First up - boot from desktop liveCD and make sure you have an internet connection.
- Now you have to install some stuff thats not there in the liveCD. Pull up a terminal (Applications>Accessories>Terminal)
- type "sudo su"
- type "apt-get install lvm2 cryptsetup
- type "mkdir /media/test"
- type "modprobe dm-crypt"
- type "cryptsetup luksOpen /dev/sda5 test"
(enter password... are you set up on sda3 or sda5? change as needed)
(you should get a command successful message... continue

- type "vgchange -ay"
(this will reveal your volume group name)
- type "mount /dev/("volume group name")/home /media/test
- type "nautilus /media/test"
(and now your encrypted /home should open in a window.)

If all that works... manually mounting the partition... then its not the encrypted header or partition thats got a problem. So close it all up...
- close nautilus
- type "umount /media/test"
- type "cryptsetup luksClose /dev/sda5

Unmount it all and

**John Wiersba** · February 3rd, 2009

Hyper_ch, I use an encrypted lvm on my laptop because I only need to manage one passphrase -- once I've decrypted my lvm partition, I can have everything open automatically. I get no advantage from separately encrypting each partition within the lvm.

**F W Adams** · February 21st, 2009

tact, your post #6, slabo, any help, totally confused.

I set up a completely new encrypted system ( except for boot ). It works booting from the hard drive, just enter the password and off we go.

Then I wanted to boot from the desktop CD so I could make some changes. This is what I get. The encrypted partition is sda2, sdb is not in use yet.

Code:

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

ubuntu@ubuntu:~$ sudo su
root@ubuntu:/home/ubuntu# fdisk -l

Disk /dev/sda: 80.0 GB, 80026361856 bytes
255 heads, 63 sectors/track, 9729 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x4c3674ee

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          18      144553+  83  Linux
/dev/sda2              19        9729    78003607+  83  Linux

Disk /dev/sdb: 300.0 GB, 300090728448 bytes
255 heads, 63 sectors/track, 36483 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x78ec3f2d

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1          24      192748+  83  Linux
/dev/sdb2              25        2456    19535040   83  Linux
/dev/sdb3            2457        3672     9767520   83  Linux
/dev/sdb4            3673       15830    97659135   83  Linux
root@ubuntu:/home/ubuntu# apt-get install lvm2 cryptsetup
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  cryptsetup lvm2
0 upgraded, 2 newly installed, 0 to remove and 1 not upgraded.
Need to get 414kB of archives.
After this operation, 1331kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com hardy/main cryptsetup 2:1.0.5-2ubuntu12 [88.7kB]
Get:2 http://archive.ubuntu.com hardy/main lvm2 2.02.26-1ubuntu9 [325kB]
Fetched 414kB in 3s (118kB/s)
Selecting previously deselected package cryptsetup.
(Reading database ... 98542 files and directories currently installed.)
Unpacking cryptsetup (from .../cryptsetup_2%3a1.0.5-2ubuntu12_i386.deb) ...
Selecting previously deselected package lvm2.
Unpacking lvm2 (from .../lvm2_2.02.26-1ubuntu9_i386.deb) ...
Setting up cryptsetup (2:1.0.5-2ubuntu12) ...
update-initramfs is disabled since running on a live CD

Setting up lvm2 (2.02.26-1ubuntu9) ...
Backing up any LVM2 metadata that may exist...done.
update-initramfs is disabled since running on a live CD

root@ubuntu:/home/ubuntu# mkdir /media/test
root@ubuntu:/home/ubuntu# modprobe dm-crypt
root@ubuntu:/home/ubuntu# cryptsetup luksOpen /dev/sda2 test
Enter LUKS passphrase: 
Enter LUKS passphrase: 
Enter LUKS passphrase: 
Command failed: No key available with this passphrase.

root@ubuntu:/home/ubuntu#

I've tried this several times, if I do a normal boot, not from the CD, then the above code works. My fingers are well used to keying in the password so I don't think it's finger trouble.

Any suggestions?

**John Wiersba** · February 23rd, 2009

Have you tried sudo modprobe dm-mod ?

Here's my cheatsheet for off-the-live-cd LUKS/LVM decryption:

# RESCUE ENCRYPTED PARTITION

# download and copy cryptsetup and lvm2 .deb files to /boot/rescue
# apt-get -d install cryptsetup lvm2
# see package files in /var/cache/apt/archives

# /dev/sda1 is my /boot. /dev/sda2 is my crypto partition, containing
# volume group vg1 with logical partitions lvswap, lvroot, lvdata

# need packages cryptsetup (encrypted partition tools) and lvm2 (logical
# volume manager); install from internet (apt-get) or from local .deb files

# either use direct package installation (I pre-downloaded into /boot/rescue)...
sudo mkdir /media/boot
sudo mount /dev/sda1 /media/boot
sudo dpkg -i /media/boot/rescue/cryptsetup*.deb /media/boot/rescue/lvm2*.deb

# or use network-based package download/installation
sudo apt-get install cryptsetup lvm2

# insert kernel modules that we will need
sudo modprobe dm-crypt
sudo modprobe dm-mod

# unlock the sda2 partition and call it MYTAG
sudo cryptsetup luksOpen /dev/sda2 MYTAG
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

# now that we have unlocked the encryption, deal with the lvm

sudo vgscan # scan for all volume groups
Reading all physical volumes. This may take a while...
Found volume group "vg1" using metadata type lvm2

# make the vg1 volume group active; if you don't give it a volume group as
# an argument it'll make them all active
sudo vgchange -ay [vg1]

sudo lvscan # list logical volumes and their /dev path
ACTIVE '/dev/vg1/lvswap' [2.00 GB] inherit
ACTIVE '/dev/vg1/lvroot' [10.00 GB] inherit
ACTIVE '/dev/vg1/lvdata' [60.00 GB] inherit

# mount a logical volume; don't do this if you need to run fsck on it
sudo mkdir /media/root
sudo mount /dev/vg1/lvroot /media/root

# to reverse the process and unmount everything, do the following

sudo umount /media/root

# the following command will issue a somewhat confusing message
sudo vgchange -an [vg1]
0 logical volume(s) in volume group "vg1" now active

sudo cryptsetup luksClose MYTAG

**F W Adams** · February 23rd, 2009

Hi John,

I solved my #30 problem. As expected I felt a bit ridiculous.

Symtoms:
Boot up as normal, enter the password and get in.
Boot up from CD, not able to get access.

Solution:
There was an "@" sign in the password, and I am in the UK. These two things together caused the problem. It seems that on the main system this was fine, I'm not sure at what stage the kb was set up as a uk one. Anyway it was never a problem.

Booting from the CD at no stage is the kb changed to uk ( of course ). When I typed the @ it came out as ", I couldn't see it on the screen so didn't realise. This means I was always entering the wrong password even when hitting the right keys. Big relief now, I can get to change things from the CD now.

Your list looks useful, I'll take a copy, thanks.