[Bug 1979159] Re: Cannot unlock encrypted root after upgrading to 22.04

Benjamin Drung 1979159 at bugs.launchpad.net
Fri Jul 29 15:14:42 UTC 2022 

Output on Ubuntu 22.04 (from a Ubuntu 21.10 install and upgrade):

$ sudo cryptsetup luksDump /dev/nvme0n1p1 | grep -Ev $'^\t* *(UUID|Salt|Digest:|[ 0-9a-f]+$)' 
LUKS header information
Version:       	2
Epoch:         	3
Metadata area: 	16384 [bytes]
Keyslots area: 	16744448 [bytes]
Label:         	(no label)
Subsystem:     	(no subsystem)
Flags:       	(no flags)

Data segments:
  0: crypt
	offset: 16777216 [bytes]
	length: (whole device)
	cipher: aes-xts-plain64
	sector: 512 [bytes]

Keyslots:
  0: luks2
	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	Cipher key: 512 bits
	PBKDF:      argon2i
	Time cost:  9
	Memory:     1048576
	Threads:    4
	AF stripes: 4000
	AF hash:    sha256
	Area offset:32768 [bytes]
	Area length:258048 [bytes]
	Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
	Hash:       sha256
	Iterations: 336082

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/1979159

Title:
  Cannot unlock encrypted root after upgrading to 22.04

Status in cryptsetup package in Ubuntu:
  Confirmed
Status in cryptsetup source package in Jammy:
  Confirmed
Status in cryptsetup source package in Kinetic:
  Confirmed

Bug description:
  After upgrading to Ubuntu 22.04 with an encrypted root filesystem, the
  root drive can no longer be unlocked at the "Please unlock disk
  <diskname>" prompt on boot.

  The encrypted root disk can be unlocked fine from the liveCD, but not
  from the initramfs environment on boot.

  The issue is caused by support for various luks encryption protocols
  now being missing from the initramfs environment due to changes
  introduced in OpenSSL 3.0 and Ubuntu pre-release testing not including
  a test-case of upgrading older Ubuntu versions with an encrypted root
  to the new version.

  The issue can be worked-around by:
  1.  Booting from the 22.04 liveCD.
  2.  chrooting into the target system's root.
         See https://help.ubuntu.com/community/ManualFullSystemEncryption/Troubleshooting
  3.  Creating a file /etc/initramfs-tools/hooks/custom-add-openssl-compat.conf containing:
  ---
  . /usr/share/initramfs-tools/hook-functions
  copy_exec /usr/lib/x86_64-linux-gnu/ossl-modules/legacy.so /usr/lib/x86_64-linux-gnu/ossl-modules/
  ---
  4.  Mark the file as executable: chmod +x /etc/initramfs-tools/hooks/custom-add-openssl-compat.conf
  5.  Regenerating the initramfs.  ie. update-initramfs -k all -u

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1979159/+subscriptions

More information about the foundations-bugs mailing list