Ubuntu 18.04 on kernel 4.15.0-34-generic boots to BusyBox
The problem is that /sbin/cryptsetup
is not in initramfs file /boot/initrd.img-4.15.0-36-generic
.
You need to add CRYPTSETUP=y
in /etc/cryptsetup-initramfs/conf-hook
.
You also need to add the initramfs
option in /etc/crypttab
.
Then, you have to run update-initramfs
, which solves this problem.
Detailed solution:
- In an other Ubuntu machine, use "Startup Disk Creator" to create a bootable Ubuntu 18.04 USB drive
- Plug in this USB drive in a USB port of the computer that boots to BusyBox
When the live USB Ubuntu is ready, connect to Internet (WiFi or wired)
-
Open a terminal
ubuntu@ubuntu:~$ sudo su
-
Find the encrypted block device.
root@ubuntu:~# blkid|grep LUKS /dev/nvme0n1p3: UUID="4b206e76-1531-48ae-95be-ae0ed7a244c1" TYPE="crypto_LUKS" PARTUUID="21db499d-b87b-41c6-864f-04d1531cb083"
-
Decrypt the device
root@ubuntu:~# cryptsetup open UUID="4b206e76-1531-48ae-95be-ae0ed7a244c1" nvme0n1p3_crypt Enter passphrase for /dev/disk/by-uuid/4b206e76-1531-48ae-95be-ae0ed7a244c1:
-
List mapped devices.
control
is a file used to send command to the device mapper.nvme0n1p3_crypt
is the decrypted device.ubuntu--vg-root
is a LVM logical volume in the LVMubuntu-vg
volume group.root@ubuntu:~# ls /dev/mapper/* /dev/mapper/control /dev/mapper/ubuntu--vg-root /dev/mapper/nvme0n1p3_crypt
-
Create mount point. This is where we will mount the / of our system that won't boot.
root@ubuntu:~# mkdir -p /mnt/ubuntu-root
-
Mount root logical volume
root@ubuntu:~# mount /dev/mapper/ubuntu--vg-root /mnt/ubuntu-root/
-
Mount pseudo file systems
root@ubuntu:~# mount -o bind /sys /mnt/ubuntu-root/sys root@ubuntu:~# mount -o bind /proc /mnt/ubuntu-root/proc root@ubuntu:~# mount -o bind /dev /mnt/ubuntu-root/dev
-
Copy DNS information
root@ubuntu:~# cp /etc/resolv.conf /mnt/ubuntu-root/etc/
-
Change root
root@ubuntu:~# chroot /mnt/ubuntu-root/
-
Mount
/boot
, which contains the initramfs file. This partition is unencrypted.root@ubuntu:/# mount /boot/
-
Install binwalk (to see the content of the init ram file system)
root@ubuntu:~# apt update root@ubuntu:~# apt install binwalk
-
Find offset of gzipped initramfs content
root@ubuntu:~# binwalk /boot/initrd.img-4.15.0-36-generic | grep gzip 1605632 0x188000 gzip compressed data, from Unix, last modified: 2018-10-18 13:00:32
-
The problem is that the initramfs file system does not contain cryptsetup. So, that is why there is no LUKS password prompt.
root@ubuntu:/# cd /root/ root@ubuntu:~# mkdir initramfs-4.15.0-36-generic root@ubuntu:~# cd initramfs-4.15.0-36-generic root@ubuntu:~/initramfs-4.15.0-36-generic# dd if=/boot/initrd.img-4.15.0-36-generic bs=1605632 skip=1 | gunzip | cpio -i root@ubuntu:~/initramfs-4.15.0-36-generic# ls sbin/cryptsetup ls: cannot access 'sbin/cryptsetup': No such file or directory
-
To decrypt root at boot, the initramfs needs to contain:
sbin/cryptsetup lib/modules/4.15.0-36-generic/kernel/drivers/md/dm-crypt.ko
-
Add the
initramfs
option in/etc/crypttab
root@ubuntu:/# cat /etc/crypttab nvme0n1p3_crypt UUID=4b206e76-1531-48ae-95be-ae0ed7a244c1 none luks,discard,initramfs
Add
CRYPTSETUP=y
in/etc/cryptsetup-initramfs/conf-hook
-
Run
update-initramfs
:root@ubuntu:~# update-initramfs -k 4.15.0-36-generic -c -v &> update-initramfs-4.15.0-36-generic.cryptsetup.log
-
Now, we have
cryptsetup
in initramfs and the Linux kernel moduledm-crypt.ko
too:root@ubuntu:~# grep /sbin/cryptsetup update-initramfs-4.15.0-36-generic.cryptsetup.log Adding binary /sbin/cryptsetup root@ubuntu:~# grep dm-crypt.ko update-initramfs-4.15.0-36-generic.cryptsetup.log Adding module /lib/modules/4.15.0-36-generic/kernel/drivers/md/dm-crypt.ko
-
Now, run update-initramfs, without -c (new) and without -v (verbose):
root@ubuntu:~# update-initramfs -k 4.15.0-36-generic -u
-
Verify that the initramfs is actually correct
root@ubuntu:~# binwalk /boot/initrd.img-4.15.0-36-generic | grep gzip 1605632 0x188000 gzip compressed data, from Unix, last modified: 2018-10-18 14:26:29 root@ubuntu:~# dd if=/boot/initrd.img-4.15.0-36-generic bs=1605632 skip=1 2> /dev/null | gunzip | cpio -t 2> /dev/null |grep sbin/crypt sbin/cryptsetup root@ubuntu:~# dd if=/boot/initrd.img-4.15.0-36-generic bs=1605632 skip=1 2> /dev/null | gunzip | cpio -t 2> /dev/null |grep dm-crypt.ko lib/modules/4.15.0-36-generic/kernel/drivers/md/dm-crypt.ko
Now, reboot.