Auto-decrypt disk on startup? (retrieving password remotely?) [duplicate]

filesystem encryption luks

I recently installed Ubuntu 12.10 and it requires a passphrase to boot up (I installed it with an encrypted file system).

Do I have to reinstall to change to a standard unencrypted file system?


Solution 1:

If Ubuntu asks for an encryption passphrase during boot (i.e. on the text console before the login screen is displayed), this indicates that a full disk encryption method was used. (There's more than one way to do this, but I'll keep the answer general.) The encryption is handled by an extra software layer between the file system and the physical hard drive, not the file system itself.

There is no simple method or tool to undo this. With some knowledge about how Linux systems work, it can be done. You'd have to move the whole file system (or all files) to another partition (with enough free space) or external HDD. Then, remove the encrypted container, and recreate the file system without encryption. Finally, make sure that the new file system is properly recognized by the boot loader and mount -a before rebooting.

If possible, it's best to avoid this time consuming and error-prone procedure. Just do a fresh install. For a new users, this is the quickest and safest option.

PS: Chances are that you can change the encryption passphrase, possibly to an empty string. Then decrypting only requires to press Enter. Maybe you can go further and supress to (now useless) passphrase prompt. However, this does not disable the encryption. The data would still be encrypted although the encryption would be useless since the key can be trivially guessed.

Solution 2:

Below it's my solution that worked. Bear in mind that I am not Linux specialist, so it may be not the best solution. Could not find better one anyway.

Migrating FDE installation to unencrypted partition

NOTE: Whenever I say, I mean

/dev/sda1 - boot partition
/dev/sda5 - encrypted partition
/dev/sda3 - clean non-encrypted EXT4 partition
/dev/sda2 - my newly created swap partition

Copying data from encrypted root filesystem

Boot from a live CD. I've used Ubuntu 13.10 32bit desktop ISO.

Mount your partition:

sudo cryptsetup luksOpen /dev/sda5 crypt1

Copy your source data to destination partition and save dd PID to pid variable:

sudo dd if=/dev/ubuntu-vg/root of=/dev/sda3 bs=1M & pid=$!

This will ping each second dd process with USR1 signal and dd results status:

while sudo kill -USR $pid; do sleep 1; done

Alternative to monitoring DD

If you don't like above 'while method', you can use watch. Open different terminal window and get the PID:

pgrep -l '^dd$' | awk '{ print $1 }'

Replace with your process ID:

watch kill -USR1 <pid>

You should see output in your dd terminal each 2s.

Configuring the new root filesystem and partitions

When it's done you can mount your non-encrpyted partition to see if it's OK:

sudo mount /dev/sda3 /mnt

After that unmount your partition:

sudo umount /dev/sda3

Release crypt partition:

sudo cryptsetup luksClose /dev/sda5

Run gparted. Delete your LUKS partition (both extended and logical). Resize your /dev/sda3 and move left. Create swap partition.

Note: Moving your /dev/sda3 left may take long. For me it took 30min on 120GB partition and SSD drive. If you have 500GB+ HDD be prepared for few hours waiting. You may want to create swap before your partition instead of moving your /dev/sda3.

Create a new swap filesystem on your swap partition:

sudo mkswap /dev/sda2

and store somewhere the UUID.

Get your root partition UUID:

sudo blkid /dev/sda3

Edit fstab:

sudo nano /etc/fstab

Delete or comment out overlayfs and tmpfs lines.

Add line replacing with blkid result:

UUID=<uuid_root> /  ext4 errors=remount-ro 0 1
UUID=<uuid_swap> none swap sw 0 0

Remove file:

rm /etc/crypttab

Update your initramfs to avoid errors like "cryptsetup: evms_activate is not available":

sudo -i
mount /dev/sda3 /mnt
mount -t proc none /mnt/proc
mount -o bind /sys /mnt/sys
mount -o bind /dev /mnt/dev
mount /dev/sda1 /mnt/boot
chroot /mnt /bin/bash
apt-get remove --purge cryptsetup
update-initramfs -u -k all

Final notes and troubleshooting

It worked for me, however there is chance that doing above step by step may not work for you. Before I've figured out the update-initramfs method I was reinstalling kernel few times also was modifying grub. However it should not be a case for you. Remember that above instructions may delete your data, so be careful and make BACKUP, BEFORE proceeding that.

Just in case you have kernel troubles (chrooted and /boot mounted): 

uname -r
sudo apt-get install --reinstall linux-image-3.X.Y-ZZ-generic

Of course replace linux-image-3.X.Y-ZZ with your kernel date from uname.

or GRUB (outside chroot):

sudo add-apt-repository ppa:yannubuntu/boot-repair && sudo apt-get update
sudo apt-get install -y boot-repair && (boot-repair &)

More details: https://help.ubuntu.com/community/Boot-Repair

Good luck

Solution 3:

In case it is OK to keep the encryption, but to switch off the passphrase prompt, a much simpler approach is to just set a trivial password like "password" and then save that trivial password in the initramfs in cleartext. Disable the LUKS encryption password.

Essentially, add a hook script which in turn adds a "keyscript" to the initramfs. Usually these scripts are used to get the password via Bletooth, from a USB stick etc., but in this case, just make it print the trivial password.

Solution 4:

It is actually possible to decrypt the partition in place without much effort. For example, see the instructions here, which are generally just as valid for Ubuntu as for Arch. In my case, I had a LUKS1 device, which apparently makes things easier. All I had to do was this:

  1. Boot into a live environment using a USB stick. I used Ubuntu 18.04.
  2. Run sudo cryptsetup-reencrypt --decrypt <device_path>.

That was it. For a 250 GB SSD, it took 20 minutes. I didn't have to do anything special to /etc/fstab, grub, or initramfs. I commented out the relevant (only) line in /etc/crypttab, but I don't even think that was necessary.

That said, I had a second machine with a 500 GB SSD, and after about 3 hours, it still claimed it was going to be another 90 minutes and the rate was only getting slower, so I gave up and just reflashed the drive.

Before doing anything, though, I recommend backing up the (decrypted) partition. Using dd as described in another answer is great. I did it while the partition was mounted before I rebooted into the live USB environment. This came in handy for the partition I ended up reflashing, as I was able to remount the backup and copy over anything I cared strongly about.

Related

Acceptable Hashes by shadow
How to make my newly created secondary partition accessible?
How can I install the package iftop?
Changing default index page with .htaccess
Atho 10 WiFi not working properly
You can modify user data with chfn (e.g. phone, room) but how can you just display that organisational data?
ubuntu gnome Fails to install grub-efi to /target/
Unable to install Internet Explorer 11
Run custom shell scripts on key press
How can I change my password? [closed]
software center crashes all the time [duplicate]
Rename multiple files sequentially and starting by the same prefix