Cannot boot after recovering from crypto_keyfile.bin

Hi,

First of all, I’m sorry, I’m a KDE Neon user, not a Manjaro Linux user. A lot of Google search results pointed me to this forum. I have read and learned a lot here over the last 3 days! I’m 99% sure my problem is applicable to Manjaro Linux or any Linux distribution. I hope somebody can help me.

I’m sorry again, but it seems I cannot get permission. I’ll try to explain as best I can.

After a fresh installation of KDE neon with the default installer (calamares), with full disk encryption, I made a mistake: I removed the LUKS key slot used by crypto_keyfile.bin.

Partition setup in calamares:

After install, the system asks me for the passphrase at boot:

All works well:

I can boot and log in.

Here is the initial dump of my disk at this point:

# dump after fresh install:
# cryptsetup luksDump /dev/sda1
LUKS header information for /dev/sda1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
MK digest:      6d 3c 68 a4 da 55 1e 26 78 be 2b 8b d1 72 94 a5 b6 94 be 8f
MK salt:        58 19 79 77 e7 3a 81 0e fb 6a a7 c0 d8 ae 62 44
                79 4f 7f aa 59 70 ca 29 e9 b9 23 89 88 af 29 a0
MK iterations:  55258
UUID:           c13ff99a-57b7-4da0-bc1d-15aecce10660

Key Slot 0: ENABLED
        Iterations:             1008246
        Salt:                   a3 28 10 f5 49 38 3b bd 74 29 48 28 6c bd 2e 5e
                                42 e5 41 c2 31 ad f8 30 36 04 49 6f 31 9e ad 43
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             881156
        Salt:                   3b d3 2b a0 c4 93 75 4e fd 54 ca f8 12 23 15 3f
                                cf ce 99 1f a8 1e ab 6c d8 81 86 33 70 51 16 9c
        Key material offset:    512
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

some relevant info:

# cat /etc/crypttab
# /etc/crypttab: mappings for encrypted partitions.
# <name>               <device>                         <password> <options>
luks-c13ff99a-57b7-4da0-bc1d-15aecce10660 UUID=c13ff99a-57b7-4da0-bc1d-15aecce10660     /crypto_keyfile.bin luks,discard



# cat /etc/cryptsetup-initramfs/conf-hook
KEYFILE_PATTERN=/crypto_keyfile.bin



# grub.cfg
menuentry 'Neon GNU/Linux' --class neon --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-db38bf32-cd67-433b-8098-0720751466dd' {
        recordfail
        load_video
        gfxmode $linux_gfx_mode
        insmod gzio
        if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
        insmod part_msdos
        insmod cryptodisk
        insmod luks
        insmod gcry_rijndael
        insmod gcry_rijndael
        insmod gcry_sha256
        insmod ext2
        cryptomount -u c13ff99a57b74da0bc1d15aecce10660
        set root='cryptouuid/c13ff99a57b74da0bc1d15aecce10660'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint='cryptouuid/c13ff99a57b74da0bc1d15aecce10660'  db38bf32-cd67-433b-8098-0720751466dd
        else
          search --no-floppy --fs-uuid --set=root db38bf32-cd67-433b-8098-0720751466dd
        fi
        linux   /boot/vmlinuz-5.15.0-58-generic root=UUID=db38bf32-cd67-433b-8098-0720751466dd ro  quiet splash $vt_handoff
        initrd  /boot/initrd.img-5.15.0-58-generic
}

And now, my mistake: I tried to change the key of slot 1 instead of slot 0 (I wanted to change the iter-time).

# cryptsetup luksChangeKey /dev/sda1 -S 1 -i 30
Enter passphrase to be changed:
No key available with this passphrase.

# cryptsetup luksKillSlot /dev/sda1 1
Enter any remaining passphrase:

# cryptsetup luksAddKey /dev/sda1 -S 1 -i 30
Enter any existing passphrase:
Enter new passphrase for key slot: # nothing entered, just enter
Verify passphrase: # nothing entered, just enter

dumps taken during the last steps …

# dump after kill slot 1
# cryptsetup luksDump /dev/sda1
LUKS header information for /dev/sda1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
MK digest:      6d 3c 68 a4 da 55 1e 26 78 be 2b 8b d1 72 94 a5 b6 94 be 8f
MK salt:        58 19 79 77 e7 3a 81 0e fb 6a a7 c0 d8 ae 62 44
                79 4f 7f aa 59 70 ca 29 e9 b9 23 89 88 af 29 a0
MK iterations:  55258
UUID:           c13ff99a-57b7-4da0-bc1d-15aecce10660

Key Slot 0: ENABLED
        Iterations:             1008246
        Salt:                   a3 28 10 f5 49 38 3b bd 74 29 48 28 6c bd 2e 5e
                                42 e5 41 c2 31 ad f8 30 36 04 49 6f 31 9e ad 43
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED


# dump after add key
# cryptsetup luksDump /dev/sda1
LUKS header information for /dev/sda1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
MK digest:      6d 3c 68 a4 da 55 1e 26 78 be 2b 8b d1 72 94 a5 b6 94 be 8f
MK salt:        58 19 79 77 e7 3a 81 0e fb 6a a7 c0 d8 ae 62 44
                79 4f 7f aa 59 70 ca 29 e9 b9 23 89 88 af 29 a0
MK iterations:  55258
UUID:           c13ff99a-57b7-4da0-bc1d-15aecce10660

Key Slot 0: ENABLED
        Iterations:             1008246
        Salt:                   a3 28 10 f5 49 38 3b bd 74 29 48 28 6c bd 2e 5e
                                42 e5 41 c2 31 ad f8 30 36 04 49 6f 31 9e ad 43
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             16115
        Salt:                   98 d6 c6 d2 c0 59 41 6b 64 cf d8 c4 d6 93 ef 85
                                f5 97 f7 29 f2 4f f7 03 c0 7c 16 d9 a5 54 27 99
        Key material offset:    512
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

After reboot, I can see this error:

Now I’m in busybox and I tried to restore it this way:

cryptsetup luksOpen /dev/sda1 try1
mount /dev/mapper/try1 /try1
cryptsetup luksChangeKey /dev/sda1 --key-slot 1 /try/crypto_file.bin


A new luksDump:

After reboot, the system does not boot (cannot edit entries, boot, nothing):

What am I missing? What have I misunderstood? Where is my error?

Thanks in advance!

What is the keyfile needed for?
What does it decrypt?

How did you get these outputs?
From a live system?

With real complete full disk encryption, Grub does the decryption.
The password you give to it must be one that matches / can open any one of the keyslots.

from what I see:
you changed the passphrase for slot 1 - which supposedly is the slot the keyfile opened
Now it just has got a password - or no password. Can’t see that from your post.
Then you killed slot 1 completely
and set it up again and added a password to it.

I guess we need to know the disk layout
lsblk -f
and
/etc/fstab

I don’t even know whether KDE Neon is similar to Arch/Manjaro.

… what is the key file’s function?



I just checked the website - KDE Neon is based upon Ubuntu LTS.

Perhaps it is better to ask for support in Ubuntu fora.

But I’ll try as long as the thread stays open here.

… I guess /etc/crypttab could also be interesting, to see which partitions are decrypted by keyfile. ATTENTION: if you post /etc/crypttab make sure to mask passwords if there were any saved in it.

In my setup / can be opened by passphrase through grub and /home gets decrypted via keyfile through /etc/crypttab. Perhaps @mserra’s setup looks the same.

it’s there - but this is Ubuntu LTS (KDE Neon is packaged on top of it)
The structure of what does what and what is where is a bit different in Ubuntu.

Oh … dammit, I overlooked it.

Thanks to all for your replies.

I’m not sure. I’m a novice in the LUKS world. Perhaps this topic on this forum can help? /t/why-does-the-installer-add-a-paswordless-key-to-luks-encrypted-partition/76551/21 (it is one of the many topics I have read in the last few days)

I got these outputs from busybox, before trying luksChangeKey. After luksChangeKey the system becomes unusable, unbootable.

Now I booted from a live USB to give you the lsblk and fstab information.

I agree. That is why I can’t understand what’s happening.

Here is where I’m getting lost

here is the disk layout (really simple):

# lsblk -f
sda
└─sda1  crypto  1  c13ff99a-57b7-4da0-bc1d-15aecce10660
# cat /etc/fstab
# <file system>             <mount point>  <type>  <options>  <dump>  <pass>
/dev/mapper/luks-c13ff99a-57b7-4da0-bc1d-15aecce10660 /              ext4    defaults,noatime 0 1

I’m not sure.

If I could upload images or links I could make the question more consistent.

You seem to be trying to unlock an encrypted partition using a keyfile that exists inside said locked partition. Obviously that won’t work.

I’d say:
the keyfile isn’t even needed. red herring, so to say …
you just need to have a password set to be able to open the container

use an easy one - one that you can type on an english layout keyboard
no z or y or any other non english characters


Yes, yes, I can open the disk from a Live System (Desktop folder is on my encrypted and unbootable disk)…

# mkdir /try1
# cryptsetup -v luksOpen /dev/sda1 try1
Enter passphrase for /dev/sda1: 
Key slot 0 unlocked.
Command successful.
# mount /dev/mapper/try1 /try1/
# ls /try1/home/marc/
Desktop

My password is really easy (4 numbers). I’m just testing/learning. I’m 100% sure it is not a password error.

# cryptsetup -v luksDump /dev/sda1 
LUKS header information for /dev/sda1
 
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
MK digest:      6d 3c 68 a4 da 55 1e 26 78 be 2b 8b d1 72 94 a5 b6 94 be 8f 
MK salt:        58 19 79 77 e7 3a 81 0e fb 6a a7 c0 d8 ae 62 44 
                79 4f 7f aa 59 70 ca 29 e9 b9 23 89 88 af 29 a0 
MK iterations:  55258
UUID:           c13ff99a-57b7-4da0-bc1d-15aecce10660
 
Key Slot 0: ENABLED
        Iterations:             1008246
        Salt:                   a3 28 10 f5 49 38 3b bd 74 29 48 28 6c bd 2e 5e 
                                42 e5 41 c2 31 ad f8 30 36 04 49 6f 31 9e ad 43 
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             1010188
        Salt:                   93 9d 71 1d ad fd 9b 75 6b 69 24 66 7d 69 ce fc 
                                8e dc 39 66 25 42 63 76 71 93 68 91 81 c8 ba b0 
        Key material offset:    512
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Command successful.

I’m not sure about that. But if I clear the slot 1 (with luksKillSlot) and only have slot 0 with a correct password, the behavior is the same: cannot boot

Because you’ve configured it to use the keyfile. The crypttab configuration is wrong.

I think this should do it, but I’m not sure, it’s been a while since I messed with this stuff and all my encrypted partitions use a keyfile.

luks-c13ff99a-57b7-4da0-bc1d-15aecce10660 UUID=c13ff99a-57b7-4da0-bc1d-15aecce10660 - luks,discard

or better yet

# crypttab
root UUID=c13ff99a-57b7-4da0-bc1d-15aecce10660 - luks,discard

# fstab
/dev/mapper/root / ext4 defaults,noatime 0 1

https://wiki.archlinux.org/title/Dm-crypt/System_configuration#crypttab
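The slot change the thread is about and the crypttab fix proposed just above, as an added example that is not part of the original posts or of cryptsetup itself. It parses the `cryptsetup luksDump` text posted earlier (condensed here to the lines that matter), diffs the key slots between the two dumps, flags a crypttab entry whose keyfile path sits on the root filesystem that very entry unlocks, and prints the order of cryptsetup commands I would use to change the iteration time without ever leaving the header without a working slot. The header-backup file name and the step order are my assumptions; `--iter-time`, `--key-slot` and `open --test-passphrase` are real cryptsetup options. The plan is only printed, never executed; running it still needs root and a passphrase that opens an existing slot.

```python
"""Added example (not from the post): offline checks for the LUKS1 re-keying
mistake in this thread.  Parses `cryptsetup luksDump` text, diffs key slots,
flags a crypttab keyfile that lives inside the root container, and plans a
safe iteration-time change that never leaves the header without a working slot.
"""
import re
from typing import Dict, List, Optional

# Condensed copies of the luksDump output and crypttab/fstab quoted in the post.
DUMP_BEFORE = """\
Version:        1
UUID:           c13ff99a-57b7-4da0-bc1d-15aecce10660
Key Slot 0: ENABLED
        Iterations:             1008246
Key Slot 1: ENABLED
        Iterations:             881156
Key Slot 2: DISABLED
Key Slot 3: DISABLED
"""
DUMP_AFTER = """\
Version:        1
UUID:           c13ff99a-57b7-4da0-bc1d-15aecce10660
Key Slot 0: ENABLED
        Iterations:             1008246
Key Slot 1: ENABLED
        Iterations:             16115
Key Slot 2: DISABLED
Key Slot 3: DISABLED
"""
CRYPTTAB_BROKEN = "luks-c13ff99a-57b7-4da0-bc1d-15aecce10660 UUID=c13ff99a-57b7-4da0-bc1d-15aecce10660 /crypto_keyfile.bin luks,discard\n"
CRYPTTAB_FIXED = "luks-c13ff99a-57b7-4da0-bc1d-15aecce10660 UUID=c13ff99a-57b7-4da0-bc1d-15aecce10660 - luks,discard\n"
FSTAB = "/dev/mapper/luks-c13ff99a-57b7-4da0-bc1d-15aecce10660 / ext4 defaults,noatime 0 1\n"

SLOT_RE = re.compile(r"^Key Slot (\d+): (ENABLED|DISABLED)")
ITER_RE = re.compile(r"^\s+Iterations:\s+(\d+)")


def parse_luks1_dump(text: str) -> dict:
    """Return header fields plus {slot: {'enabled', 'iterations'}} from luksDump text."""
    info: dict = {"slots": {}}
    current: Optional[int] = None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            current = int(m.group(1))
            info["slots"][current] = {"enabled": m.group(2) == "ENABLED", "iterations": None}
            continue
        m = ITER_RE.match(line)
        if m and current is not None:
            info["slots"][current]["iterations"] = int(m.group(1))
        elif ":" in line and not line.startswith(" "):
            key, _, value = line.partition(":")
            info[key.strip().lower()] = value.strip()  # e.g. info["uuid"], info["version"]
    return info


def diff_slots(before: dict, after: dict) -> Dict[int, tuple]:
    """Slots whose enabled state or iteration count changed: {slot: (before, after)}."""
    changed = {}
    for n in sorted(set(before["slots"]) | set(after["slots"])):
        b = before["slots"].get(n, {"enabled": False, "iterations": None})
        a = after["slots"].get(n, {"enabled": False, "iterations": None})
        if b != a:
            changed[n] = (b["iterations"], a["iterations"])
    return changed


def check_crypttab(crypttab: str, fstab: str) -> List[str]:
    """Warn when the entry whose mapping is mounted at / names a keyfile path
    (third field not '-'/'none'): that file can only live inside the filesystem
    being unlocked, so it is usable only if the initramfs hook carried a copy."""
    root_mapper = None
    for line in fstab.splitlines():
        f = line.split()
        if len(f) >= 2 and not f[0].startswith("#") and f[1] == "/":
            root_mapper = f[0]
    findings = []
    for line in crypttab.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        if len(f) < 3:
            findings.append(f"malformed crypttab line: {line!r}")
            continue
        name, _device, keyspec = f[:3]
        if keyspec not in ("-", "none") and root_mapper == f"/dev/mapper/{name}":
            findings.append(f"{name}: keyfile {keyspec} is on the root filesystem this entry "
                            "unlocks; it works only if the initramfs hook copied it into the "
                            "initrd and it still matches an enabled slot. Use '-' to be prompted.")
    return findings


def plan_rekey(dump: dict, device: str, old_slot: int, iter_time_ms: int) -> List[List[str]]:
    """Ordered cryptsetup commands to replace old_slot with one using a new
    --iter-time: back up the header, add the new slot first, prove it opens,
    and only then kill the old one.  Refuses if there is no free slot."""
    slots = dump["slots"]
    if not slots.get(old_slot, {}).get("enabled"):
        raise ValueError(f"slot {old_slot} is not enabled")
    free = [n for n, s in sorted(slots.items()) if not s["enabled"]]
    if not free:
        raise ValueError("no free key slot; remove an unused one first")
    new = str(free[0])
    return [  # backup file name is an assumption of this example
        ["cryptsetup", "luksHeaderBackup", device, "--header-backup-file", "luks-header.bak"],
        ["cryptsetup", "luksAddKey", device, "--key-slot", new, "--iter-time", str(iter_time_ms)],
        ["cryptsetup", "open", "--test-passphrase", "--key-slot", new, device],
        ["cryptsetup", "luksKillSlot", device, str(old_slot)],
    ]


if __name__ == "__main__":
    before, after = parse_luks1_dump(DUMP_BEFORE), parse_luks1_dump(DUMP_AFTER)
    print("changed slots:", diff_slots(before, after))
    print("crypttab findings:", check_crypttab(CRYPTTAB_BROKEN, FSTAB))
    for cmd in plan_rekey(before, "/dev/sda1", 1, 30):
        print(" ".join(cmd))
```

Run on the two dumps from the post, `diff_slots` reports only slot 1 (881156 to 16115 iterations), which is the slot that held the keyfile. The crypttab check fires on the original `/crypto_keyfile.bin` entry and is silent on the `-` variant, and `plan_rekey` picks slot 2 as the free slot so slot 1 is only killed after the replacement has been proven to open the container.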

Thanks for the answer, but no luck! The system crashes again.

Here are fstab and crypttab …

/dev/mapper/luks-c13ff99a-57b7-4da0-bc1d-15aecce10660 /              ext4    defaults,noatime 0 1
 
luks-c13ff99a-57b7-4da0-bc1d-15aecce10660 UUID=c13ff99a-57b7-4da0-bc1d-15aecce10660     - luks,discard

Try providing us with some information.

Did you get a password prompt?
Was there an error message?
What was the error message?

cat /etc/default/grub

You may need to update-grub.

I just installed KDE Neon in a VM
encrypted - as yours
I intentionally chose a password that would be producing the wrong output if not typed on an english keyboard.
I have german layout - and the password was: qwertz
but when I type that at the grub prompt, it gets rejected
… because the z and the y characters are interchanged
I have to type: qwerty
to have grub to see: qwertz

anyway - I have it now installed - and can kind of see what you might see - and perhaps assist you that way …



You wanted to change … what?
the amount of iterations in the decryption process (I guess)
to make Grub decrypting and opening the container faster - and thus improving boot time.
correct?
… but thereby weakening the security - but you know that …



the Grub boot loader only knows the english keyboard layout
you will struggle when you have another - to type the password that you chose

Did you get a password prompt?

No.

Was there an error message?

No error message displayed. It simply gets stuck on the grub menu.

# cat /etc/default/grub
# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
#   info -f grub -n 'Simple configuration'
 
GRUB_DEFAULT=0
GRUB_TIMEOUT_STYLE=hidden
GRUB_TIMEOUT=0
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX=""
 
# Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
 
# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console
 
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
#GRUB_GFXMODE=640x480
 
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true
 
# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_RECOVERY="true"
 
# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"

anyway - I have it now installed - and can kind of see what you might see - and perhaps assist you that way …

Oh, great! Danke!

You wanted to change … what?
the amount of iterations in the decryption process (I guess)
to make Grub decrypting and opening the container faster - and thus improving boot time.
correct?

Yes, exactly!

… but thereby weakening the security - but you know that …

Yes, I understand. No problem on that. Just testing/learning.

the Grub boot loader only knows the english keyboard layout
you will struggle when you have another - to type the password that you chose

No problem, I’m using spanish keyboard (I’m from Barcelona) and the password is only numbers (1234 by now!), and I’m sure it’s ok.

Give me a few minutes and I’ll record a video of the whole process after a fresh install on a virtual machine.

here you can find the video (8 minutes)

before I invest the time to watch what you did:

I’m quite sure, but please confirm:
you wanted to lower the strength of the encryption - so that the encryption through Grub would be faster
right?

as far as I can see now:
the key file is indeed irrelevant

there is just one encrypted container, containing the / filesystem and swap

but this is Ubuntu - and the swap is not in your /etc/fstab
not sure what actually happens here

Yes, and I know how to do that correctly now.

But I want to understand how to recover the system in the case of my mistake.