Recover/change encryption password
Backup and Restore Decrypted Partitions: Warning, this is a bit technical
I'm putting together some scripts that will automate most of this, but if you'd rather not wait, I've tested the steps below. Just be sure you know what you're doing. Don't blindly follow the commands I've written; some of them may require substitutions specific to your system configuration. Once I've finished the scripts, I'll upload them to GitHub and edit this answer.
Unfortunately, you're not going to be able to recover or change the encryption password. You won't be able to create any new ones either without having one of the existing keys or passphrases. However, since you're logged into the system, you are in luck! Here's an option that technically doesn't require a full reinstallation. You say you're using whole-drive encryption, so I'm going to assume that you have two main partitions on your drive, a boot partition and a LUKS partition (if you're using EFI, you probably have a third partition for that). Then your decrypted LUKS partition is probably using LVM for any and all other decrypted partitions.
Your lsblk output probably looks something like this:
NAME                    MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sr0                      11:0    1 1024M  0 rom
sda                       8:0    0   16G  0 disk
├─sda2                    8:2    0  488M  0 part  /boot
├─sda3                    8:3    0   15G  0 part
│ └─sda3_crypt          253:0    0   15G  0 crypt
│   ├─ubuntu--vg-root   253:1    0 11.8G  0 lvm   /
│   └─ubuntu--vg-swap_1 253:2    0  3.3G  0 lvm   [SWAP]
└─sda1                    8:1    0  512M  0 part  /boot/efi
The only part of interest here is the sda disk.
How to make it happen, in general
Basically, the bit of the system that is encrypted is sda3, and it's encrypted with LUKS. The LUKS partition when unlocked contains an LVM physical volume, sda3_crypt, that hosts a single volume group named ubuntu--vg. This volume group then contains two LVM logical volumes, ubuntu--vg-root and ubuntu--vg-swap_1. If we can back up the LVM physical volume, sda3_crypt, then we can blow away the old LUKS partition on sda3, create a new one, and dump the LVM physical volume back on the new LUKS partition. There is one catch, though! All of the boot files in your boot partition, sda2, still reference the old LUKS partition that you destroyed. You need to update your /etc/crypttab file to point to the new LUKS partition that you created and rebuild your initramfs images. Only after that is finished should you reboot your system.
Continue reading the next section for the actual steps to make this happen.
The Actual Step-by-Step Process
- You're going to need a drive that you can afford to wipe, or at least a drive that has a partition of equal or greater size to that of sda3. The contents of said drive or partition will be completely wiped in this process. I'm going to do this example using the whole drive.
- Run lsblk with your drive attached, and locate your external disk, sdb in my case.
sdb                       8:16   0   16G  0 disk
└─sdb1                    8:17   0   16G  0 part  /media/test/external-drive
sr0                      11:0    1 1024M  0 rom
sda                       8:0    0   16G  0 disk
├─sda2                    8:2    0  488M  0 part  /boot
├─sda3                    8:3    0   15G  0 part
│ └─sda3_crypt          253:0    0   15G  0 crypt
│   ├─ubuntu--vg-root   253:1    0 11.8G  0 lvm   /
│   └─ubuntu--vg-swap_1 253:2    0  3.3G  0 lvm   [SWAP]
└─sda1                    8:1    0  512M  0 part  /boot/efi
- Unmount your external drive because we're going to be overwriting the content that's there. Replace /media/test/external-drive with the actual path to your drive in the following command.
sudo umount /media/test/external-drive
- You need to clone the existing, decrypted LVM physical volume to your external device. In the following command, replace sdX with the device of your external hard drive. In my case, I would write ...of=/dev/sdb... . Also replace sda3_crypt with the name of your LUKS partition. This is going to take a good long while. It took me 35 mins in a test with just a 16GB LUKS partition.
sudo dd if=/dev/mapper/sda3_crypt of=/dev/sdX bs=4M status=progress
- From here on out, be aware that any changes you make on your system may not be present when you restore. In fact, it's probably better that you don't use your computer while it does its backup.
- Once the backup has finished, reboot the computer using a live Ubuntu USB and select the option to try Ubuntu without installing.
- Once the system is up, open a terminal and drop to root.
sudo -i
- In this terminal, create a new LUKS partition over the old one. In my example the LUKS partition is on sda3. Substitute the correct number from your system in place of sdaN in the command below.
cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sdaN
- Follow the prompts and enter a passphrase that you hope never to forget.
- Once that's done, you need to unlock the LUKS partition. Change the number to match your system in the next command, replacing the numeral 3 with the appropriate number for your device.
cryptsetup luksOpen /dev/sda3 sda3_crypt
- Now your decrypted LUKS partition is open and ready for dumping the LVM physical volume back on (next command). Replace the X in sdX with the device of your external drive. Replace the 3 in sda3_crypt with the appropriate number of your partition.
dd if=/dev/sdX of=/dev/mapper/sda3_crypt bs=4M status=progress
- Again, you're going to have to wait for a really long time while everything is restored. Go find something else to do while you wait.
- When restoration is finished, go ahead and remove the external drive and reboot. We want to make sure there are no LVM conflicts when we bring the system back up to finish updating the boot files on the internal drive. Once rebooted without the external drive, open a terminal and drop to root as in step 7.
- Now we need to unlock the LUKS partition again. In the root terminal, run the following, replacing the numeral 3 with the correct number for your partition. When prompted, enter the password you created that you're never going to forget again.
cryptsetup luksOpen /dev/sda3 sda3_crypt
- Next let's set some variables to simplify commands in the following steps. Run each of the following. You won't see output because it will be saved to variables.
vg=$(pvscan | grep PV | tr -s ' ' | cut -f 5 -d ' ')    <- save volume group name to $vg
export uuid=$(blkid | grep LUKS | grep -oP "\bUUID=\".*?\"" | tr -d '"' | cut -f 2 -d '=')    <- save LUKS UUID to $uuid (that's all one line)
- There is just one thing left to do, and that is to update the boot files, and to do that we need to mount some things. Run the following commands in the root terminal to mount everything. I'm going to use the partition information from my example. Change your commands accordingly.
mount /dev/mapper/${vg/-/--}-root /mnt
mount /dev/sda2 /mnt/boot
mount /dev/sda1 /mnt/boot/efi    <- only do this for UEFI systems
mount --bind /dev /mnt/dev
mount --bind /run/lvm /mnt/run/lvm
- Now we need to chroot into your actual system.
chroot /mnt
Make sure that the following commands are run inside this chroot'd terminal!
- Now that we're in your system we need to mount a couple more things before we can update the boot files.
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts
- Next we have to update the /etc/crypttab file with the UUID of the new LUKS partition.
sed -i "s/UUID=\([0-9a-f\-]\+\)/UUID=$uuid/" /etc/crypttab
- Finally, we update the boot files.
update-initramfs -k all -c
update-grub
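The two variable-capture commands and the crypttab sed edit above are the steps most likely to go wrong on a layout that differs from the example (extra spaces in pvscan output, a second LUKS volume such as encrypted swap, a volume group name with more than one hyphen). The following is an added dry-run script, not part of b_laoshi's answer or any Ubuntu tool: it runs the same extraction and edit logic against constructed pvscan and blkid output and a temporary crypttab, so the parsing can be verified before anything is typed against real devices. The sample output, the UUIDs and the crypttab line are all made up for the example, and it assumes the crypttab holds exactly one UUID= entry.

```shell
#!/bin/sh
# Added example, not part of the original answer: dry-run the parsing and
# crypttab-editing steps of the procedure against constructed sample output.
# Everything below is assumed/constructed: the pvscan and blkid formats, the
# UUIDs, and a crypttab with a single UUID= entry for the root container.

# Constructed `sudo pvscan` output for the layout in the answer.
SAMPLE_PVSCAN='  PV /dev/mapper/sda3_crypt   VG ubuntu-vg   lvm2 [15.00 GiB / 0    free]
  Total: 1 [15.00 GiB] / in use: 1 [15.00 GiB] / in no VG: 0 [0   ]'

# Constructed `sudo blkid` output; only one line is the LUKS container.
SAMPLE_BLKID='/dev/sda1: UUID="1A2B-3C4D" TYPE="vfat" PARTUUID="11111111-1111-1111-1111-111111111111"
/dev/sda2: UUID="4f0d9d8e-0b6e-4c1b-9a6c-3d2c1b0a9f8e" TYPE="ext4" PARTUUID="22222222-2222-2222-2222-222222222222"
/dev/sda3: UUID="7e5c2a1f-9b3d-4e6a-8c7b-0a1b2c3d4e5f" TYPE="crypto_LUKS" PARTUUID="33333333-3333-3333-3333-333333333333"'

# Volume group name: 4th whitespace-separated field of the "PV ... VG <name>"
# line.  Field-based awk does not depend on the exact number of leading
# spaces the way the tr/cut pipeline in the answer does.
vg_from_pvscan() {
    printf '%s\n' "$1" | awk '$1 == "PV" { print $4; exit }'
}

# LUKS container UUID: select the line by TYPE="crypto_LUKS" rather than by
# the word LUKS appearing anywhere, and take UUID= (not PARTUUID=) from it.
uuid_from_blkid() {
    printf '%s\n' "$1" | grep 'TYPE="crypto_LUKS"' \
        | sed -n 's/.* UUID="\([^"]*\)".*/\1/p' | head -n 1
}

# device-mapper name of an LVM logical volume: every hyphen in the VG name
# and in the LV name is doubled, then the two are joined with one hyphen
# (ubuntu-vg + root -> ubuntu--vg-root).  The answer's ${vg/-/--} doubles
# only the first hyphen, which breaks for a VG name containing two.
dm_name() {
    dm_vg=$(printf '%s' "$1" | sed 's/-/--/g')
    dm_lv=$(printf '%s' "$2" | sed 's/-/--/g')
    printf '%s-%s\n' "$dm_vg" "$dm_lv"
}

# Point the UUID= source in a crypttab file at the new container.  Refuses to
# edit unless exactly one UUID= entry is present, so a system with a second
# encrypted volume (e.g. swap) is not silently mis-edited.  A .bak copy of
# the original file is kept.
update_crypttab() {
    file=$1
    new_uuid=$2
    n=$(grep -c 'UUID=' "$file")
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one UUID= entry in $file, found $n" >&2
        return 1
    fi
    sed -i.bak "s/UUID=[0-9a-fA-F-]\{36\}/UUID=$new_uuid/" "$file"
}

# Walk the whole dry run on a temporary crypttab and print what would be used.
demo() {
    tmp=$(mktemp)
    # Constructed crypttab line in the form the Ubuntu installer writes; the
    # old UUID is made up.
    printf 'sda3_crypt UUID=0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b none luks,discard\n' > "$tmp"
    vg=$(vg_from_pvscan "$SAMPLE_PVSCAN")
    uuid=$(uuid_from_blkid "$SAMPLE_BLKID")
    update_crypttab "$tmp" "$uuid" || return 1
    echo "root LV:  /dev/mapper/$(dm_name "$vg" root)"
    echo "swap LV:  /dev/mapper/$(dm_name "$vg" swap_1)"
    echo "crypttab: $(cat "$tmp")"
    rm -f "$tmp" "$tmp.bak"
}

demo
```

Run it as-is (no root needed) to see the values the real procedure would derive; on a real system you would feed `sudo pvscan` and `sudo blkid` output to the two helpers instead of the constructed strings and run update_crypttab against /mnt/etc/crypttab from inside the chroot. If update_crypttab refuses because more than one UUID= line is present, edit the crypttab by hand rather than with a blanket sed, and make sure each entry points at the volume that actually matches it.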
Julie K, updated on September 18, 2022
Comments
- Julie K, over 1 year ago:
I foolishly changed my whole-drive encryption password last week because I was apparently incapable of reliably typing in the previous password. Unfortunately, my computer has been on since then and I didn't write the new password down anywhere so I have since forgotten it. Not my proudest moment, but I am extremely thankful I realized before it came time to enter the password. I am still logged into the computer so I have access to all my files but as soon as I shut the computer down I will be out of luck. I would like to avoid having to re-install everything if I can.
So my question is, is there any way to recover/change my encryption password while I am still logged in as admin?
- b_laoshi, about 6 years ago: @Arronical, adding a new key requires that you enter an existing key or passphrase, so that's probably not going to work.
- sudodus, about 6 years ago: Please back up (save to another drive without encryption) everything that you cannot afford to lose.
- b_laoshi, about 6 years ago: I have an answer that I've tested and works, but it's long and involved. I am attempting to shorten it and make it simpler to implement. If you could add the output of the following commands to your question, it would help: lsblk, sudo pvscan
- b_laoshi, about 6 years ago: Blowing the contents of the entire backup disk away is completely unnecessary. You should be able to back up to an image file instead with dd. My scripts that I'm putting together will take this approach instead.