Auto-decrypt disk on startup? (retrieving password remotely?) [duplicate]
I recently installed Ubuntu 12.10 and it requires a passphrase to boot up (I installed it with an encrypted file system).
Do I have to reinstall to change to a standard unencrypted file system?
Solution 1:
If Ubuntu asks for an encryption passphrase during boot (i.e. on the text console before the login screen is displayed), this indicates that a full disk encryption method was used. (There's more than one way to do this, but I'll keep the answer general.) The encryption is handled by an extra software layer between the file system and the physical hard drive, not the file system itself.
There is no simple method or tool to undo this. With some knowledge about how Linux systems work, it can be done. You'd have to move the whole file system (or all files) to another partition (with enough free space) or external HDD. Then, remove the encrypted container, and recreate the file system without encryption. Finally, make sure that the new file system is properly recognized by the boot loader and mount -a
before rebooting.
If possible, it's best to avoid this time consuming and error-prone procedure. Just do a fresh install. For a new users, this is the quickest and safest option.
PS: Chances are that you can change the encryption passphrase, possibly to an empty string. Then decrypting only requires to press Enter. Maybe you can go further and supress to (now useless) passphrase prompt. However, this does not disable the encryption. The data would still be encrypted although the encryption would be useless since the key can be trivially guessed.
Solution 2:
Below it's my solution that worked. Bear in mind that I am not Linux specialist, so it may be not the best solution. Could not find better one anyway.
Migrating FDE installation to unencrypted partition
NOTE: Whenever I say, I mean
/dev/sda1 - boot partition
/dev/sda5 - encrypted partition
/dev/sda3 - clean non-encrypted EXT4 partition
/dev/sda2 - my newly created swap partition
Copying data from encrypted root filesystem
Boot from a live CD. I've used Ubuntu 13.10 32bit desktop ISO.
Mount your partition:
sudo cryptsetup luksOpen /dev/sda5 crypt1
Copy your source data to destination partition and save dd PID to pid variable:
sudo dd if=/dev/ubuntu-vg/root of=/dev/sda3 bs=1M & pid=$!
This will ping each second dd process with USR1 signal and dd results status:
while sudo kill -USR $pid; do sleep 1; done
Alternative to monitoring DD
If you don't like above 'while method', you can use watch. Open different terminal window and get the PID:
pgrep -l '^dd$' | awk '{ print $1 }'
Replace with your process ID:
watch kill -USR1 <pid>
You should see output in your dd terminal each 2s.
Configuring the new root filesystem and partitions
When it's done you can mount your non-encrpyted partition to see if it's OK:
sudo mount /dev/sda3 /mnt
After that unmount your partition:
sudo umount /dev/sda3
Release crypt partition:
sudo cryptsetup luksClose /dev/sda5
Run gparted. Delete your LUKS partition (both extended and logical). Resize your /dev/sda3 and move left. Create swap partition.
Note: Moving your /dev/sda3 left may take long. For me it took 30min on 120GB partition and SSD drive. If you have 500GB+ HDD be prepared for few hours waiting. You may want to create swap before your partition instead of moving your /dev/sda3.
Create a new swap filesystem on your swap partition:
sudo mkswap /dev/sda2
and store somewhere the UUID.
Get your root partition UUID:
sudo blkid /dev/sda3
Edit fstab:
sudo nano /etc/fstab
Delete or comment out overlayfs and tmpfs lines.
Add line replacing with blkid result:
UUID=<uuid_root> / ext4 errors=remount-ro 0 1
UUID=<uuid_swap> none swap sw 0 0
Remove file:
rm /etc/crypttab
Update your initramfs to avoid errors like "cryptsetup: evms_activate is not available":
sudo -i
mount /dev/sda3 /mnt
mount -t proc none /mnt/proc
mount -o bind /sys /mnt/sys
mount -o bind /dev /mnt/dev
mount /dev/sda1 /mnt/boot
chroot /mnt /bin/bash
apt-get remove --purge cryptsetup
update-initramfs -u -k all
Final notes and troubleshooting
It worked for me, however there is chance that doing above step by step may not work for you. Before I've figured out the update-initramfs method I was reinstalling kernel few times also was modifying grub. However it should not be a case for you. Remember that above instructions may delete your data, so be careful and make BACKUP, BEFORE proceeding that.
Just in case you have kernel troubles (chrooted and /boot mounted):
uname -r
sudo apt-get install --reinstall linux-image-3.X.Y-ZZ-generic
Of course replace linux-image-3.X.Y-ZZ with your kernel date from uname.
or GRUB (outside chroot):
sudo add-apt-repository ppa:yannubuntu/boot-repair && sudo apt-get update
sudo apt-get install -y boot-repair && (boot-repair &)
More details: https://help.ubuntu.com/community/Boot-Repair
Good luck
Solution 3:
In case it is OK to keep the encryption, but to switch off the passphrase prompt, a much simpler approach is to just set a trivial password like "password" and then save that trivial password in the initramfs in cleartext. Disable the LUKS encryption password.
Essentially, add a hook script which in turn adds a "keyscript" to the initramfs. Usually these scripts are used to get the password via Bletooth, from a USB stick etc., but in this case, just make it print the trivial password.
Solution 4:
It is actually possible to decrypt the partition in place without much effort. For example, see the instructions here, which are generally just as valid for Ubuntu as for Arch. In my case, I had a LUKS1 device, which apparently makes things easier. All I had to do was this:
- Boot into a live environment using a USB stick. I used Ubuntu 18.04.
- Run
sudo cryptsetup-reencrypt --decrypt <device_path>
.
That was it. For a 250 GB SSD, it took 20 minutes. I didn't have to do anything special to /etc/fstab
, grub, or initramfs. I commented out the relevant (only) line in /etc/crypttab
, but I don't even think that was necessary.
That said, I had a second machine with a 500 GB SSD, and after about 3 hours, it still claimed it was going to be another 90 minutes and the rate was only getting slower, so I gave up and just reflashed the drive.
Before doing anything, though, I recommend backing up the (decrypted) partition. Using dd as described in another answer is great. I did it while the partition was mounted before I rebooted into the live USB environment. This came in handy for the partition I ended up reflashing, as I was able to remount the backup and copy over anything I cared strongly about.