
LUKS full disk encryption fails from boot but live-CD is able to unlock partition - Kubuntu 22.04.1 LTS


When trying to boot with Kubuntu I can't get the root to decrypt. That is an old installation that worked for months. I can't remember what was updated before it stopped working. I've verified that it is not due to keyboard layout, because from initramfs using `echo -n "test1" | cryptsetup open /dev/nvme0n1p3 nvme0n1p3_crypt` it is also not working. Using that command from Live-CD or Dolphin works, so there it decrypts.

After trying different things like chroot and creating a new initramfs and grub-update, apt update and reinstalling things like cryptsetup and others I gave up.

I ordered a new nvme drive which I put into the PC. After installing Kubuntu 22.04.1 LTS with encrypted harddrive on the newly installed device I get the same error message as before when trying to unlock the newly installed Kubuntu after the first reboot.

I'm at a loss. Could it be hardware-specific? I use an AMD Ryzen 5 5600X and MSI B550-A PRO.

Edit: additional info from the cryptsetup command run under initramfs:

# cryptsetup 2.4.3 processing "cryptsetup open /dev/nvme0n1p3 nvme0n1p3_crypt --debug --verbose"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/nvme0n1p3.
# Trying to open and read device /dev/nvme0n1p3 with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device /dev/nvme0n1p3.
# Crypto backend (OpenSSL 3.0.2 15 Mar 2022 [default]) initialized in cryptsetup library version 2.4.3.
# Detected kernel Linux 5.15.0-43-generic x86_64.
# Loading LUKS2 header (repair disabled).
# Acquiring read lock for device /dev/nvme0n1p3.
# Opening lock resource file /run/cryptsetup/L_259:3
# Verifying lock handle for /dev/nvme0n1p3.
# Device /dev/nvme0n1p3 READ lock taken.
# Trying to read primary LUKS2 header at offset 0x0.
# Opening locked device /dev/nvme0n1p3
# Verifying locked device handle (bdev)
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:6369a9195ce5cecf8565547247efdee1d348591e7fda341591d1e67d8bdc24f9 (on-disk)
# Checksum:6369a9195ce5cecf8565547247efdee1d348591e7fda341591d1e67d8bdc24f9 (in-memory)
# Trying to read secondary LUKS2 header at offset 0x4000.
# Reusing open ro fd on device /dev/nvme0n1p3
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:a0619dc4d56b8426ba9a3ad7da84b62cf99295b7c0d88a40eba1f9c588c14731 (on-disk)
# Checksum:a0619dc4d56b8426ba9a3ad7da84b62cf99295b7c0d88a40eba1f9c588c14731 (in-memory)
# Device size 997874204672, offset 16777216.
# Device /dev/nvme0n1p3 READ lock released.
# PBKDF argon2id, time_ms 2000 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
# Activating volume nvme0n1p3_crypt using token (any type) -1.
# dm version   [ opencount flush ]   [16384] (*1)
# dm versions   [ opencount flush ]   [16384] (*1)
# Detected dm-ioctl version 4.45.0.
# Detected dm-crypt version 1.23.0.
# Device-mapper backend running with UDEV support enabled.
# dm status nvme0n1p3_crypt  [ opencount noflush ]   [16384] (*1)
No usable token is available.
# Interactive passphrase entry requested.
# Activating volume nvme0n1p3_crypt [keyslot -1] using passphrase.
# dm versions   [ opencount flush ]   [16384] (*1)
# dm status nvme0n1p3_crypt  [ opencount noflush ]   [16384] (*1)
# Keyslot 0 priority 1 != 2 (required), skipped.
# Keyslot 1 priority 1 != 2 (required), skipped.
# Trying to open LUKS2 keyslot 0.
# Running keyslot key derivation.
# Reading keyslot area [0x8000].
# Acquiring read lock for device /dev/nvme0n1p3.
# Opening lock resource file /run/cryptsetup/L_259:3
# Verifying lock handle for /dev/nvme0n1p3.
# Device /dev/nvme0n1p3 READ lock taken.
# Reusing open ro fd on device /dev/nvme0n1p3
# Device /dev/nvme0n1p3 READ lock released.
# Verifying key from keyslot 0, digest 0.
# Digest 0 (pbkdf2) verify failed with -1.
# Trying to open LUKS2 keyslot 1.
# Running keyslot key derivation.
# Reading keyslot area [0x47000].
# Acquiring read lock for device /dev/nvme0n1p3.
# Opening lock resource file /run/cryptsetup/L_259:3
# Verifying lock handle for /dev/nvme0n1p3.
# Device /dev/nvme0n1p3 READ lock taken.
# Reusing open ro fd on device /dev/nvme0n1p3
# Device /dev/nvme0n1p3 READ lock released.
# Verifying key from keyslot 1, digest 0.
# Digest 0 (pbkdf2) verify failed with -1.
# Interactive passphrase entry requested.
# Activating volume nvme0n1p3_crypt [keyslot -1] using passphrase.
# dm versions   [ opencount flush ]   [16384] (*1)
# dm status nvme0n1p3_crypt  [ opencount noflush ]   [16384] (*1)
# Keyslot 0 priority 1 != 2 (required), skipped.
# Keyslot 1 priority 1 != 2 (required), skipped.
# Trying to open LUKS2 keyslot 0.
# Running keyslot key derivation.
# Reading keyslot area [0x8000].
# Acquiring read lock for device /dev/nvme0n1p3.
# Opening lock resource file /run/cryptsetup/L_259:3
# Verifying lock handle for /dev/nvme0n1p3.
# Device /dev/nvme0n1p3 READ lock taken.
# Reusing open ro fd on device /dev/nvme0n1p3
# Device /dev/nvme0n1p3 READ lock released.
# Verifying key from keyslot 0, digest 0.
# Digest 0 (pbkdf2) verify failed with -1.
# Trying to open LUKS2 keyslot 1.
# Running keyslot key derivation.
# Reading keyslot area [0x47000].
# Acquiring read lock for device /dev/nvme0n1p3.
# Opening lock resource file /run/cryptsetup/L_259:3
# Verifying lock handle for /dev/nvme0n1p3.
# Device /dev/nvme0n1p3 READ lock taken.
# Reusing open ro fd on device /dev/nvme0n1p3
# Device /dev/nvme0n1p3 READ lock released.
# Verifying key from keyslot 1, digest 0.
# Digest 0 (pbkdf2) verify failed with -1.
# Interactive passphrase entry requested.
# Activating volume nvme0n1p3_crypt [keyslot -1] using passphrase.
# dm versions   [ opencount flush ]   [16384] (*1)
# dm status nvme0n1p3_crypt  [ opencount noflush ]   [16384] (*1)
# Keyslot 0 priority 1 != 2 (required), skipped.
# Keyslot 1 priority 1 != 2 (required), skipped.
# Trying to open LUKS2 keyslot 0.
# Running keyslot key derivation.
# Reading keyslot area [0x8000].
# Acquiring read lock for device /dev/nvme0n1p3.
# Opening lock resource file /run/cryptsetup/L_259:3
# Verifying lock handle for /dev/nvme0n1p3.
# Device /dev/nvme0n1p3 READ lock taken.
# Reusing open ro fd on device /dev/nvme0n1p3
# Device /dev/nvme0n1p3 READ lock released.
# Verifying key from keyslot 0, digest 0.
# Digest 0 (pbkdf2) verify failed with -1.
# Trying to open LUKS2 keyslot 1.
# Running keyslot key derivation.
# Reading keyslot area [0x47000].
# Acquiring read lock for device /dev/nvme0n1p3.
# Opening lock resource file /run/cryptsetup/L_259:3
# Verifying lock handle for /dev/nvme0n1p3.
# Device /dev/nvme0n1p3 READ lock taken.
# Reusing open ro fd on device /dev/nvme0n1p3
# Device /dev/nvme0n1p3 READ lock released.
# Verifying key from keyslot 1, digest 0.
# Digest 0 (pbkdf2) verify failed with -1.
# Releasing crypt device /dev/nvme0n1p3 context.
# Releasing device-mapper backend.
# Closing read only fd for /dev/nvme0n1p3.
# Unlocking memory.
Command failed with code -2 (no permission or bad passphrase).

Output from `cat /proc/modules`:

nls_iso8859_1 16384 1 - Live 0xffffffffc0146000
uas 28672 0 - Live 0xffffffffc018e000
usb_storage 77824 2 uas, Live 0xffffffffc01b6000
dm_crypt 53248 0 - Live 0xffffffffc01a8000
hid_generic 16384 0 - Live 0xffffffffc0210000
iommu_v2 24576 0 - Live 0xffffffffc03ab000
gpu_sched 45056 0 - Live 0xffffffffc02b3000
i2c_algo_bit 16384 0 - Live 0xffffffffc0297000
drm_ttm_helper 16384 0 - Live 0xffffffffc0292000
ttm 86016 1 drm_ttm_helper, Live 0xffffffffc027c000
usbhid 65536 0 - Live 0xffffffffc0197000
drm_kms_helper 307200 0 - Live 0xffffffffc0478000
hid 147456 2 hid_generic,usbhid, Live 0xffffffffc0169000
syscopyarea 16384 1 drm_kms_helper, Live 0xffffffffc0162000
sysfillrect 20480 1 drm_kms_helper, Live 0xffffffffc015a000
sysimgblt 16384 1 drm_kms_helper, Live 0xffffffffc0153000
fb_sys_fops 16384 1 drm_kms_helper, Live 0xffffffffc014c000
cec 61440 1 drm_kms_helper, Live 0xffffffffc0136000
crct10dif_pclmul 16384 1 - Live 0xffffffffc020b000
crc32_pclmul 16384 0 - Live 0xffffffffc026d000
ghash_clmulni_intel 16384 0 - Live 0xffffffffc012e000
rc_core 65536 1 cec, Live 0xffffffffc08cb000
aesni_intel 376832 0 - Live 0xffffffffc040d000
crypto_simd 16384 1 aesni_intel, Live 0xffffffffc0206000
cryptd 24576 2 ghash_clmulni_intel,crypto_simd, Live 0xffffffffc0275000
r8169 98304 0 - Live 0xffffffffc03e3000
drm 606208 4 gpu_sched,drm_ttm_helper,ttm,drm_kms_helper, Live 0xffffffffc02f4000
nvme 45056 0 - Live 0xffffffffc02e1000
i2c_piix4 28672 0 - Live 0xffffffffc02d5000
ahci 45056 0 - Live 0xffffffffc02c1000
gpio_amdpt 20480 0 - Live 0xffffffffc02ad000
xhci_pci 24576 0 - Live 0xffffffffc02a2000
nvme_core 126976 1 nvme, Live 0xffffffffc0248000
realtek 32768 0 - Live 0xffffffffc023b000
libahci 45056 1 ahci, Live 0xffffffffc022a000
xhci_pci_renesas 20480 1 xhci_pci, Live 0xffffffffc0222000
wmi 32768 0 - Live 0xffffffffc01f8000
gpio_generic 20480 1 gpio_amdpt, Live 0xffffffffc0128000
The fact that you can open the LUKS partition from a Live USB tells me it is not hardware (the SSD or the CPU) specific. What is the exact error you get? [Add the information to your question](https://askubuntu.com/posts/1454265/edit). Can you try booting from the previous kernel?
blueSTAR
You are right. It must be the difference between the "normal environment" after boot and the one during startup. So I added the output from cryptsetup and the modules to my question. But what still puzzles me is that this happens with a fresh install, aren't there more people affected if it is not some weird hardware-dependent combination for me?
blueSTAR
And yes, the addition to my question was made while trying an older kernel. It did not work, as seen in the output.
blueSTAR
Found a bug report, this is maybe my problem too: https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1986623
blueSTAR
Unfortunately the older kernel does not work. My test from above (see output) was with the kernel 5.15.0-43 mentioned by the bug comment you linked to. He mentioned that this kernel worked for him. That makes me think it is not the kernel that is causing the bug.
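
As an added example (not part of the original post or of cryptsetup), this Python helper condenses a `cryptsetup --debug` log like the one in the question into header-checksum state and per-keyslot results. The sample log is constructed in the same line format, and the function names and verdict wording are this example's own.

```python
import re

# Constructed sample in the format of the `cryptsetup --debug` output quoted
# in the question; checksums are shortened placeholders, not real values.
SAMPLE_LOG = """\
# Checksum:aaaa (on-disk)
# Checksum:aaaa (in-memory)
# Checksum:bbbb (on-disk)
# Checksum:bbbb (in-memory)
# Interactive passphrase entry requested.
# Trying to open LUKS2 keyslot 0.
# Digest 0 (pbkdf2) verify failed with -1.
# Trying to open LUKS2 keyslot 1.
# Digest 0 (pbkdf2) verify failed with -1.
Command failed with code -2 (no permission or bad passphrase).
"""

def summarize(log):
    """Condense a cryptsetup debug log into header state and keyslot results."""
    on_disk = re.findall(r"Checksum:(\w+) \(on-disk\)", log)
    in_mem = re.findall(r"Checksum:(\w+) \(in-memory\)", log)
    attempts, slot = [], None
    for line in log.splitlines():
        if "Interactive passphrase entry requested" in line:
            attempts.append({})  # one dict per passphrase prompt
            slot = None
        elif m := re.search(r"Trying to open LUKS2 keyslot (\d+)", line):
            slot = int(m.group(1))
            attempts = attempts or [{}]
            attempts[-1][slot] = "no result logged"
        elif "verify failed" in line and slot is not None:
            attempts[-1][slot] = "digest mismatch"  # candidate volume key rejected
    code = re.search(r"Command failed with code (-?\d+)", log)
    return {
        "headers_intact": bool(on_disk) and on_disk == in_mem,
        "attempts": attempts,
        "exit_code": int(code.group(1)) if code else None,
    }

def verdict(summary):
    """Map the summary to the next thing worth checking."""
    results = [r for a in summary["attempts"] for r in a.values()]
    if not summary["headers_intact"]:
        return "header checksum mismatch: inspect or restore the LUKS2 header"
    if results and all(r == "digest mismatch" for r in results):
        return ("header intact, every keyslot rejected: compare passphrase "
                "bytes and KDF environment with the system that unlocks")
    return "inconclusive: rerun with --debug and capture the full output"
```

Running `verdict(summarize(text))` on logs saved from both the initramfs shell and the live session makes it easy to see whether the two environments diverge at the header or at the keyslot stage.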