Disabling LUKS encryption without backing up and restoring the whole partition

The problem: When installing Ubuntu, Debian or another flavour of Linux you chose to encrypt the hard disk, but now you want to get rid of the password prompt while booting. How do you do this without backing up, reformatting and restoring the entire partition?

The short answer first: There is no way to completely disable LUKS encryption - for that reason, many people in forums etc. recommend to back up the data, recreate partitions (or re-install the system) and then to restore the data.

However, it is possible to disable the password prompt while keeping the encryption in place. This effectively makes the encryption useless because we store the decryption password on the machine in clear text. Still, it is a much easier route than a full backup and restore. Furthermore, you can re-enable encryption easily again at a later time. The extra overhead of de/encrypting data on the drive is negligible these days.

The approach is as follows: Add a trivial password to the LUKS password slots, then instruct the boot process to create the password by printing it from a script during boot.

This is made slightly more complex by the fact that the script with the password must be added to the initramfs, the regular filesystem is not enough. Furthermore, what I only found out after many tries and a lot of headscratching is that empty pass phrases are not allowed in LUKS. This means that specifying /dev/null as the password file (or using /bin/true as the script) does not work. Finally, the setup "helpfully" disallows reading the passphrase from a file directly, we need to write a short script to output it.

Step-by-step instructions:

  • Add a new trivial passphrase to the passwords that will unlock your partition(s). My suggestion is the old classic, "password". Using a more obscure password will not give you extra security:
    cryptsetup luksAddKey /dev/sda2
    The sda2 may be different on your system - look at /etc/crypttab to find the correct value for your machine. (If LVM is used, /etc/crypttab may list "sda2_crypt" or similar instead of just "sda2".)
  • Ensure that a file containing the passphrase will be available at boot time, by hooking into the initramfs generation. Put into /etc/initramfs-tools/hooks/local-noluksprompt the following lines:
    mkdir -p ${DESTDIR}/root/bin
    cat >${DESTDIR}/root/bin/luks-password <<END
    #!/bin/sh --
    echo -n password
    chmod +x ${DESTDIR}/root/bin/luks-password
    echo "Added cleartext password -- http://atterer.org/linux-remove-disable-luks-encryption-password-on-disk-partition-crypttab-initrd"
  • Make the file executable with
    chmod +x /etc/initramfs-tools/hooks/local-noluksprompt
  • Specify in /etc/crypttab that LUKS should get the passphrase during boot by executing the "luks-password" script. Do this by changing the last word luks into luks,keyscript=/root/bin/luks-password, so the line in crypttab will look similar to the following:
    sda2_crypt UUID=123456789 none luks,keyscript=/root/bin/luks-password
    Note: More recent versions of update-initramfs seem to be clever enough to make a copy of the script in the initramfs's /lib/cryptsetup/scripts/luks-password, so the extra hook script may not be required.
  • Finally, ensure that the initramfs filesystem of your currently running kernel is regenerated - if everything works, the "Added cleartext password" line should be output during the following command:
    update-initramfs -u -k`uname -r`
    I recommend against using the -kall option to update all initramfs-es - that way, if something goes wrong with this procedure you can still unlock the HD by booting an older kernel.

That's all! Should you want to disable this setup at a later point and go back to your previously set password, which still exists in one of the other LUKS password slots, just remove the trivial "password" entry:
cryptsetup luksRemoveKey /dev/sda2

Got this working great,

Got this working great, however, after an apt-get upgrade, the crypttab file was renamed to crypttab_ and I had to rebuild the initramfs image from a live usb in order to boot back into my system. How do you get the changes to persist through updates?


How I did it on Ubuntu 16.04.3

Add this at the end of the relevant line in r/etc/crypttab:

Create the file /root/lukspw with the content:
printf "password"

And make it executable:
chmod +x /root/lukspw

And update the initrd:
update-initramfs -u -k`uname -r`

As reported above already, no hook file necessary anymore. The keyscript from the crypttab is picked up, and the script is copied from the place mentioned into the initrd.

Better yet how do I get out

Better yet how do I get out of initramfs?

now how do i add the root

now how do i add the root password to the script?

`chmod: cannot access '/root/bin/luks-password': Permission denied`

I think the author expects

I think the author expects all the above commands to be run as sudo. I hope he updates the article making this requirement explicit.

It doesn't worked out for me

xUbuntu 14.04 in VMware VM

what does ${DESTDIR} contain,

what does ${DESTDIR} contain, as from the script it doesn't contain any thing!?

Helpppp! This caused my

Helpppp! This caused my computer to not start it boots me to an initramfs terminal type screen

Same problem. I couldn't

Same problem. I couldn't update the kernel with `update-initramfs` and now I'm stuck on the boot screen with initramfs prompt. I cannot load the logical volume any more.

Reply to comment | Richard Atterer

What's up, I want to subscribe for this web sitye to gget hottest updates, so where can i do it please help.

Did you find a solution to

Did you find a solution to your problem?

Centos + redhat

Good article buddy. I tried to search how to do it on Centos and with dracut is even easier.

Just create new file like this and update /etc/crypttab to point on your password file.

# cat /etc/dracut.conf.d/99-mypwfile.conf
install_items="/etc/ /etc/crypttab”

After force dracut to rebuild initramfs with "dracut -f".


install_items="/etc/pass /etc/crypttab”

of course

More details ?

Thanks for your comment !
I am having the same issue on CentOS6.6 and I can't reproduce your solution. Could you please give us more details about it? For instance, could you please show us the content of your /etc/crypttab file and which steps (if any) of the richard's instruction you followed before ?
Besides install_items="/etc/ /etc/crypttab” does not work for me, I had to use simple quotes...

CentOS 6.6 - don't require password on boot

Not sure if you are still looking for an answer but in case you're still interested I've got this working on CentOS 6.6 and have posted what I did on stackoverflow http://stackoverflow.com/a/30247650/3051627

Hope helpful

Almost worked

This almost worked for me, but during update-initramfs I got:

cryptsetup: WARNING: target /dev/sda5 has an invalid keyscript, skipped

What I did get to work was putting

$!/bin/sh --
echo -n password

into /lib/cryptsetup/scripts/echopassword, and then adding luks,keyscript=echopassword to the line in /etc/crypttab.

Thanks for the good start!

I got that same error then

I got that same error then realized that i failed to ./local-noluksprompt at least once before running update-initramfs -u -k`uname -r`

once I did that, it worked like a champ!

Oh, and make it executable.

Oh, and make it executable.

and use #! at the beginning

and use #! at the beginning of the script.
Thanks to the original post and this comment, it worked perfectly for Ubuntu 14.04 LTS.

Thanks works great!

Thanks works great!