Recover/change encryption password

Backup and Restore Decrypted Partitions: Warning, this is a bit technical

I'm putting together some scripts that will automate most of this, but if you'd rather not wait, I've tested the steps below. Just be sure you know what you're doing. Don't blindly follow the commands I've written. Some of them may require substitutions specific to your system configuration. Once I've finished the scripts, I'll upload them to GitHub and edit this answer.

Unfortunately, you're not going to be able to recover or change the encryption password. You won't be able to create any new ones either without having one of the existing keys or passphrases. However, since you're logged into the system, you are in luck! Here's an option that technically doesn't require a full reinstallation. You say you're using whole-drive encryption, so I'm going to assume that you have two main partitions on your drive, a boot partition and a LUKS partition (if you're using EFI, you probably have a third partition for that). Then your decrypted LUKS partition is probably using LVM for any and all other decrypted partitions.
Your lsblk output probably looks something like this:

NAME                    MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sr0                      11:0    1 1024M  0 rom   
sda                       8:0    0   16G  0 disk  
├─sda2                    8:2    0  488M  0 part  /boot
├─sda3                    8:3    0   15G  0 part  
│ └─sda3_crypt          253:0    0   15G  0 crypt 
│   ├─ubuntu--vg-root   253:1    0 11.8G  0 lvm   /
│   └─ubuntu--vg-swap_1 253:2    0  3.3G  0 lvm   [SWAP]
└─sda1                    8:1    0  512M  0 part  /boot/efi

The only part of interest here is the sda disk.


How to make it happen, in general

Basically, the bit of the system that is encrypted is sda3, and it's encrypted with LUKS. The LUKS partition, when unlocked, contains an LVM physical volume, sda3_crypt, that hosts a single volume group named ubuntu--vg. This volume group then contains two LVM logical volumes, ubuntu--vg-root and ubuntu--vg-swap_1. If we can back up the LVM physical volume, sda3_crypt, then we can blow away the old LUKS partition on sda3, create a new one, and dump the LVM physical volume back on the new LUKS partition. There is one catch, though! All of the boot files in your boot partition, sda2, still reference the old LUKS partition that you destroyed. You need to update your /etc/crypttab file to point to the new LUKS partition that you created and rebuild your initram disks. Only after that is finished should you reboot your system.

Continue reading the next section for the actual steps to make this happen.


The Actual Step-by-Step Process

  1. You're going to need a drive that you can afford to wipe, or at least a drive that has a partition of equal or greater size to that of sda3. The contents of said drive or partition will be completely wiped in this process. I'm going to do this example using the whole drive.
  2. Run lsusb with your drive attached, and locate your external disk, sdb in my case.
    sdb                       8:16   0   16G  0 disk  
    └─sdb1                    8:17   0   16G  0 part  /media/test/external-drive
    sr0                      11:0    1 1024M  0 rom   
    sda                       8:0    0   16G  0 disk  
    ├─sda2                    8:2    0  488M  0 part  /boot
    ├─sda3                    8:3    0   15G  0 part  
    │ └─sda3_crypt          253:0    0   15G  0 crypt 
    │   ├─ubuntu--vg-root   253:1    0 11.8G  0 lvm   /
    │   └─ubuntu--vg-swap_1 253:2    0  3.3G  0 lvm   [SWAP]
    └─sda1                    8:1    0  512M  0 part  /boot/efi
    
  3. Unmount your external drive because we're going to be overwriting the content that's there. Replace /media/test/external-drive with the actual path to your drive in the following command.
    sudo umount /media/test/external-drive
  4. You need to clone the existing, decrypted LVM physical volume to your external device. In the following command, replace sdX with the device of your external hard drive. In my case, I would write ... of=/dev/sdb.... Also replace sda3_crypt with the name of your LUKS partition. This is going to take a good long while. It took me 35 mins in a test with just a 16GB LUKS partition.
    sudo dd if=/dev/mapper/sda3_crypt of=/dev/sdX bs=4M status=progress
  5. From here on out, be aware that any changes you make on your system may not be present when you restore. In fact, it's probably better that you don't use your computer while it does its backup.
  6. Once the backup has finished, reboot the computer using a live Ubuntu USB and select the option to try Ubuntu without installing.
  7. Once the system is up, open a terminal and drop to root.
    sudo -i
  8. In this terminal, create a new LUKS partition over the old one. In my example the LUKS partition is on sda3. Substitute the correct number from your system in place of sdaN in the command below.
    cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sdaN
  9. Follow the prompts and enter a passphrase that you hope never to forget.
  10. Once that's done, you need to unlock the LUKS partition. Change the number to match your system in the next command, replacing the numeral 3 with the appropriate number for your device.
    cryptsetup luksOpen /dev/sda3 sda3_crypt
  11. Now your decrypted LUKS partition is open and ready for dumping the LVM physical volume back on (next command). Replace the X in sdX with the device of your external drive. Replace the 3 in sda3_crypt with the appropriate number of your partition.
    dd if=/dev/sdX of=/dev/mapper/sda3_crypt
  12. Again, you're going to have to wait for a really long time while everything is restored. Go find something else to do while you wait.
  13. When restoration is finished, go ahead and remove the external drive and reboot. We want to make sure there are no LVM conflicts when we bring the system back up to finish updating the boot files on the internal drive. Once rebooted without the external drive, open a terminal and drop to root as in step 7.
  14. Now we need to decrypt the LUKS partition again. In the root terminal, run the following, replacing the numeral 3 with the correct number for your partition. When prompted, enter the password you created that you're never going to forget again.
    cryptsetup luksOpen /dev/sda3 sda3_crypt
  15. Next, let's set some variables to simplify commands in the following steps. Run each of the following. You won't see output because it will be saved to variables.
    • vg=$(pvscan | grep PV | tr -s ' ' | cut -f 5 -d ' ') <- save volume group name to $vg
    • export uuid=$(blkid | grep LUKS | grep -oP "\bUUID=\".*?\"" | tr -d '"' | cut -f 2 -d '=') <- save LUKS UUID to $uuid (that's all one line)
  16. There is just one thing left to do, and that is to update the boot files, and to do that we need to mount some things. Run the following commands in the root terminal to mount everything. I'm going to use that partition information from my example. Change your commands accordingly.
    • mount /dev/mapper/${vg/-/--}-root /mnt
    • mount /dev/sda2 /mnt/boot
    • mount /dev/sda1 /mnt/boot/efi <- only do this for UEFI systems
    • mount --bind /dev /mnt/dev
    • mount --bind /run/lvm /mnt/run/lvm
  17. Now we need to chroot into your actual system.
    chroot /mnt
    Make sure that the following commands are run inside this chroot'd terminal!
  18. Now that we're in your system we need to mount a couple more things before we can update the boot files.
    • mount -t proc proc /proc
    • mount -t sysfs sys /sys
    • mount -t devpts devpts /dev/pts
  19. Next we have to update the /etc/crypttab file with the UUID of the new LUKS partition.
    sed -i "s/UUID=\([0-9a-f\-]\+\)/UUID=$uuid/" /etc/crypttab
  20. Finally, we update the boot files.
    update-initramfs -k all -c
    update-grub
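Two of the steps above are where a typo quietly breaks an otherwise careful procedure: the UUID substitution into /etc/crypttab (step 19) and the assumption that the backup target is at least as large as the LUKS physical volume (step 1). The helper below is an added example, not part of the answer or the author's scripts; it assumes a Linux system with GNU sed, stat and blockdev, and takes file paths as arguments so the same functions can be exercised on ordinary files before they are pointed at a real crypttab or block device. It only rewrites the UUID of the one crypttab entry whose mapper name you pass, refuses a value that does not look like a UUID, and keeps a .bak copy of the file.

```shell
#!/bin/sh
# Added helper (not from the original answer). Assumes GNU sed/stat and
# blockdev; all paths are parameters so it can be tried on test files.

# Return 0 if $1 has the 8-4-4-4-12 lowercase hex form that blkid prints.
is_uuid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# update_crypttab_uuid FILE NAME NEW_UUID
# Rewrite the UUID= source of the crypttab entry whose mapper name is NAME.
# Other entries are left untouched and FILE.bak is written first.
update_crypttab_uuid() {
  file=$1; name=$2; new=$3
  is_uuid "$new" || { echo "refusing: '$new' is not a UUID" >&2; return 1; }
  grep -Eq "^${name}[[:space:]]+UUID=" "$file" \
    || { echo "refusing: no UUID= entry for $name in $file" >&2; return 1; }
  cp "$file" "$file.bak"
  sed -i -E "s/^(${name}[[:space:]]+)UUID=[0-9a-fA-F-]+/\1UUID=${new}/" "$file"
}

# Size in bytes of a block device (blockdev) or a regular file (stat).
size_bytes() {
  if [ -b "$1" ]; then blockdev --getsize64 "$1"; else stat -c %s "$1"; fi
}

# fits SOURCE TARGET: 0 if TARGET can hold every byte of SOURCE, 1 otherwise.
# Run this before dd so a too-small destination fails here, not mid-copy.
fits() {
  [ "$(size_bytes "$2")" -ge "$(size_bytes "$1")" ]
}
```

On the real system you would call `fits /dev/mapper/sda3_crypt /dev/sdX` before step 4 and `update_crypttab_uuid /etc/crypttab sda3_crypt "$uuid"` in place of the bare sed of step 19; the mapper name argument means an entry for a second encrypted volume (swap, a data disk) is never rewritten by accident.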

Julie K

Updated on September 18, 2022

Comments

  • Julie K
    Julie K over 1 year

    I foolishly changed my whole-drive encryption password last week because I was apparently incapable of reliably typing in the previous password. Unfortunately, my computer has been on since then and I didn't write the new password down anywhere so I have since forgotten it. Not my proudest moment, but I am extremely thankful I realized before it came time to enter the password. I am still logged into the computer so I have access to all my files but as soon as I shut the computer down I will be out of luck. I would like to avoid having to re-install everything if I can.

    So my question is, is there any way to recover/change my encryption password while I am still logged in as admin?

    • b_laoshi
      b_laoshi about 6 years
      @Arronical, adding a new key requires that you enter an existing key or passphrase, so that's probably not going to work.
    • sudodus
      sudodus about 6 years
      Please backup (save to another drive without encryption) everything that you cannot afford to lose.
    • b_laoshi
      b_laoshi about 6 years
      I have an answer that I've tested and works, but it's long and involved. I am attempting to shorten it and make it simpler to implement. If you could add the output of the following commands to your question, it would help: lsblk, sudo pvscan
  • b_laoshi
    b_laoshi about 6 years
    Blowing the contents of the entire backup disk away is completely unnecessary. You should be able to backup to an image file instead with dd. My scripts that I'm putting together will take this approach instead.