Ubuntu 18.04 - cryptsetup fails to recognize passphrase, unlocking from Live USB works


Here are some suggestions.

  • Switch to the command-line by hitting F1 or Alt-Tab, type the password again, and check for any errors. If you find the error, try searching for it.
  • When you wait few minutes, you should be shown initramfs/BusyBox console screen. Using the command-line, you should check the syntax of your kernel arguments by typing the following command:

    cat /proc/cmdline
    

    Especially check (as suggested by BusyBox):

    • The value of root, whether it points to the right device.
    • If rootdelay is set, maybe you need to increase the system wait?

If above won't help, consider the following commands:

  • cryptsetup --debug luksOpen /dev/XXX mapper-name to decrypt manually (see this how-to).

    Note: To make sure you're using the right device, run dumpe2fs /dev/XXX (e.g. sda1 or nvme0n1p3) in initramfs/BusyBox console, then make sure it reports as crypto_LUKS.

    Note: If luksOpen fails, try the older syntax: cryptsetup --debug luksOpen /dev/XXX ubuntu.

  • cryptsetup --debug luksDump /dev/XXX to dump LUKS header information from the device.

    Note: In case of corruption of on-disk metadata, use cryptsetup repair <device> command.

  • On Please unlock disk XXX_crypt screen, note your device name and using above luksDump method, confirm that Ubuntu asks you to decrypt the right device as the order (disk number) potentially can change (BIOS boot changes?). In that case, Ubuntu likely will use the last known device (cached, /etc/lvm/[backup|archive]/?) location when it won't be able to connect to lvmetad service.

    For example, I was asked to type a passphrase for nvme1n1p3_crypt (Windows NTFS partition) instead of nvme0n1p3 (crypto_LUKS partition).

Further suggested commands:

  • Run lvm lvs or lvm vgscan and check for any errors (it identifies each disk with a UUID).

    See also: Ubuntu won't boot because of lvmetad & Failed to connect to lvmetad - Stuck on boot.

  • cat /proc/modules to check for missing modules (load it by modprobe).

When finish, type reboot to restart.


If you did an upgrade recently, test your previous kernel (hold Shift during boot, and select Advanced options), and select the version which you'd like to test.


Other related resources:

  • How can one unlock a fully encrypted Ubuntu 11.10 system over SSH at boot?
  • Ephemeral error message: "cryptsetup: unknown fstype, bad password or options?"
  • lvm2 bug in Ubuntu 18.04: lvm2-activation-generator crashed with SIGSEGV.

    Similar older bug: error unlocking / decrypting LUKS volume at boot.

  • UEFI Introduction & How do I install Ubuntu alongside a pre-installed Windows with UEFI?