Disabling LUKS encryption without backing up and restoring the whole partition
Last update by Richard on 2014-06-16
The problem: When installing Ubuntu, Debian or another flavour of Linux you chose to encrypt the hard disk, but now you want to get rid of the password prompt while booting. How do you do this without backing up, reformatting and restoring the entire partition?
The short answer first: There is no way to completely disable LUKS encryption - for that reason, many people in forums etc. recommend to back up the data, recreate partitions (or re-install the system) and then to restore the data.
However, it is possible to disable the password prompt while keeping the encryption in place. This effectively makes the encryption useless because we store the decryption password on the machine in clear text. Still, it is a much easier route than a full backup and restore. Furthermore, you can re-enable encryption easily again at a later time. The extra overhead of de/encrypting data on the drive is negligible these days.
The approach is as follows: Add a trivial password to the LUKS password slots, then instruct the boot process to create the password by printing it from a script during boot.
This is made slightly more complex by the fact that the script with the password must be added to the initramfs, the regular filesystem is not enough. Furthermore, what I only found out after many tries and a lot of headscratching is that empty pass phrases are not allowed in LUKS. This means that specifying /dev/null as the password file (or using /bin/true as the script) does not work. Finally, the setup "helpfully" disallows reading the passphrase from a file directly, we need to write a short script to output it.
Step-by-step instructions:
- Add a new trivial passphrase to the passwords that will unlock your partition(s). My suggestion is the old classic, "password". Using a more obscure password will not give you extra security:
cryptsetup luksAddKey /dev/sda2
The sda2 may be different on your system - look at /etc/crypttab to find the correct value for your machine. (If LVM is used, /etc/crypttab may list "sda2_crypt" or similar instead of just "sda2".) - Ensure that a file containing the passphrase will be available at boot time, by hooking into the initramfs generation. Put into /etc/initramfs-tools/hooks/local-noluksprompt the following lines:
mkdir -p ${DESTDIR}/root/bin
cat >${DESTDIR}/root/bin/luks-password <<END
#!/bin/sh --
echo -n password
END
chmod +x ${DESTDIR}/root/bin/luks-password
echo "Added cleartext password -- http://atterer.org/linux-remove-disable-luks-encryption-password-on-disk-partition-crypttab-initrd" - Make the file executable with
chmod +x /etc/initramfs-tools/hooks/local-noluksprompt - Specify in /etc/crypttab that LUKS should get the passphrase during boot by executing the "luks-password" script. Do this by changing the last word
luksintoluks,keyscript=/root/bin/luks-password, so the line in crypttab will look similar to the following:
sda2_crypt UUID=123456789 none luks,keyscript=/root/bin/luks-password
Note: More recent versions of update-initramfs seem to be clever enough to make a copy of the script in the initramfs's /lib/cryptsetup/scripts/luks-password, so the extra hook script may not be required. - Finally, ensure that the initramfs filesystem of your currently running kernel is regenerated - if everything works, the "Added cleartext password" line should be output during the following command:
update-initramfs -u -k`uname -r`
I recommend against using the-kalloption to update all initramfs-es - that way, if something goes wrong with this procedure you can still unlock the HD by booting an older kernel.
That's all! Should you want to disable this setup at a later point and go back to your previously set password, which still exists in one of the other LUKS password slots, just remove the trivial "password" entry:
cryptsetup luksRemoveKey /dev/sda2
initramfs prompt on bootSubmitted by initramfs (not verified) on Thu, 2021-04-15 18:21
Following this blog post didn't work for me. On boot I'd get an initramfs prompt. I didn't have any other kernel versions to recover from, so I recovered by following these steps:
1) Boot into a live USB
2) Open and mount the encrypted partition to /mnt
...a) I'm on Pop-OS so after unlocking the partition I was able to mount /dev/mapper/data-root at /mnt
3) Prepare to chroot into the now decrypted partition by mounting /proc /sys /dev and the EFI partition (if you have one) to the corresponding locations under /mnt
...a) Ref: https://bit.ly/3admAQS
4) chroot into the mount
5) Delete /etc/initramfs-tools/hooks/local-noluksprompt
6) Follow these steps instead: https://bit.ly/3ad9UJD
Restoring whole disk partitionSubmitted by Anonymous (not verified) on Tue, 2020-12-29 21:05
https://afrosongs.org/mp3-download/hypesoul-qinisela-feat-refilwe/
https://afrosongs.org/mp3-download/hypesoul-window-pain-feat-vuscare/
https://afrosongs.org/mp3-download/sp-nation-sa-treezy-matee-zazazel-ori...
https://afrosongs.org/albums-ep-zip/
https://afrosongs.org/mp3-download/
JowoSubmitted by Naijanewsgist (not verified) on Sat, 2020-12-05 01:13
Video: Davido – Jowo [Starr. Nengi & RMD] (Download Video)
Nigerian international superstar, Davido has finally released the official music video for his buzzing record, “Jowo.”
Jowo
Produced by Napji (the fingers behind FEM) and Magic Boi, “Jowo” serves as the 2nd track on Davido’s latest album, “A Beter Time.
The video was directed by the usual suspect, Dammy Twitch and it stars Nollywood legend, RMD alongside BBNaija season 5 finalist, Nengi.
https://www.naijanewsgist.com/video-davido-jowo-starr-nengi-rmd-download...
Vanguard
When an all-powerful Superintelligence chooses to study the most average person on Earth, Carol Peters, the fate of the world hangs in the balance.
As the A.I. decides to enslave, save or destroy humanity, it’s up to Carol to prove that people are worth saving.
JowoSubmitted by Naijanewsgist (not verified) on Sat, 2020-12-05 01:16
When an all-powerful Superintelligence chooses to study the most average person on Earth, Carol Peters, the fate of the world hangs in the balance.
As the A.I. decides to enslave, save or destroy humanity, it’s up to Carol to prove that people are worth saving.
Video: Davido – Jowo [Starr. Nengi & RMD] (Download Video)
Nigerian international superstar, Davido has finally released the official music video for his buzzing record, “Jowo.”
Jowo
Produced by Napji (the fingers behind FEM) and Magic Boi, “Jowo” serves as the 2nd track on Davido’s latest album, “A Beter Time.
[url=https://www.naijanewsgist.com/]Naijanewsgist[/url]
The video was directed by the usual suspect, Dammy Twitch and it stars Nollywood legend, RMD alongside BBNaija season 5 finalist, Nengi.
https://www.naijanewsgist.com/video-davido-jowo-starr-nengi-rmd-download...
Vanguard
Setting upSubmitted by Anonymous (not verified) on Thu, 2020-03-12 01:03
Thanks
https://zulupop.com
best author and well structured blogSubmitted by Latest Music & Videos Website (not verified) on Tue, 2019-12-24 10:26
Greate post. Keep writing such kind of info on your
blog. Im really impressed by it.
Hey there, You’ve performed an excellent job. I will definitely digg it and
for my part recommend to my friends. I am sure they’ll be benefited from
this site.
Good blog with amazing authourSubmitted by Latest Music & Videos Website (not verified) on Tue, 2019-12-24 10:25
I just stumbled upon your weblog and wished
to say that I’ve really enjoyed browsing your blog
great article i will searchSubmitted by Brainchyld (not verified) on Tue, 2019-12-03 23:28
great article i will search more on it .
coolSubmitted by Naija (not verified) on Fri, 2019-11-29 04:29
Great
Nice responseSubmitted by west (not verified) on Tue, 2019-11-26 11:57
Nice response this has answered my question, thanks am going to finish up my work at https://westvibez.com/
Download music mp3: Offset – Big Bank Take Lil BankSubmitted by kinmp3 (not verified) on Thu, 2019-10-17 11:54
music
How to download any music free from spotifySubmitted by Collins Bolt (not verified) on Thu, 2019-10-17 11:46
download music mp3
exploring for a little bit for any high-quality articlesSubmitted by Latest Music & Videos Website (not verified) on Tue, 2019-07-09 18:32
I’ve been exploring for a little bit for any high-quality articles or blog posts in this
sort of area . Exploring in Yahoo I ultimately stumbled upon this website.
Studying this info So i am satisfied to express that I have
a very excellent uncanny feeling I discovered just what I needed.
I most definitely will make sure to do not fail to remember this web site
and give it a glance on a relentless basis.
WRONG TITLE. This is notSubmitted by Anonymous (not verified) on Sun, 2019-05-26 07:52
WRONG TITLE.
This is not disabling LUKS, just bypassing the password prompt...
No joy on Ubuntu 18.04Submitted by Jeff G (not verified) on Tue, 2019-05-21 19:48
I followed all the steps and it seemed to work, but upon restart, it hung forever on the cryptsetup step even in recovery mode. My only recourse was to use a different kernel version and undo the attempted changes. It was a good try and with a little more diligence I could probably figure out what went wrong. Thanks anyway!
Restoring the partitionSubmitted by Hiphop based niche (not verified) on Tue, 2019-04-16 14:11
The whole idea is just so confusing to me still with the vivid explanation
Got this working great,Submitted by Anonymous (not verified) on Wed, 2018-06-06 07:12
Got this working great, however, after an apt-get upgrade, the crypttab file was renamed to crypttab_ and I had to rebuild the initramfs image from a live usb in order to boot back into my system. How do you get the changes to persist through updates?
16.04.3Submitted by Anonymous (not verified) on Tue, 2017-09-19 14:48
How I did it on Ubuntu 16.04.3
Add this at the end of the relevant line in r/etc/crypttab:
,keyscript=/root/lukspwCreate the file /root/lukspw with the content:
#!/bin/sh
printf "password"
And make it executable:
chmod +x /root/lukspwAnd update the initrd:
update-initramfs -u -k`uname -r`As reported above already, no hook file necessary anymore. The keyscript from the crypttab is picked up, and the script is copied from the place mentioned into the initrd.
Better yet how do I get outSubmitted by Tom (not verified) on Sun, 2016-12-11 19:15
Better yet how do I get out of initramfs?
now how do i add the rootSubmitted by Tom (not verified) on Sun, 2016-12-11 18:53
now how do i add the root password to the script?
`chmod: cannot access '/root/bin/luks-password': Permission denied`
I think the author expectsSubmitted by Vishwa Prakash A (not verified) on Wed, 2017-02-01 14:41
I think the author expects all the above commands to be run as sudo. I hope he updates the article making this requirement explicit.
It doesn't worked out for meSubmitted by Anonymous (not verified) on Thu, 2016-05-05 16:26
xUbuntu 14.04 in VMware VM
http://i.imgur.com/ij7RWI8.png
what does ${DESTDIR} contain,Submitted by rapg (not verified) on Fri, 2015-10-30 08:20
what does ${DESTDIR} contain, as from the script it doesn't contain any thing!?
Helpppp! This caused mySubmitted by Anonymous (not verified) on Tue, 2015-10-27 05:26
Helpppp! This caused my computer to not start it boots me to an initramfs terminal type screen
Same problem. I couldn'tSubmitted by Anonymous (not verified) on Sun, 2018-03-18 17:27
Same problem. I couldn't update the kernel with `update-initramfs` and now I'm stuck on the boot screen with initramfs prompt. I cannot load the logical volume any more.
Did you find a solution toSubmitted by Soccertrash (not verified) on Fri, 2016-06-17 13:54
Did you find a solution to your problem?
In case anyone runs into thisSubmitted by The Magic Boar (not verified) on Mon, 2019-03-25 22:04
In case anyone runs into this problem in the future, this article helped me to get everything working again.
https://feeding.cloud.geek.nz/posts/recovering-from-unbootable-ubuntu-en...
Let's try that again...Submitted by The Magic Boar (not verified) on Mon, 2019-03-25 22:06
Link didn't work for some reason.
https://bit.ly/2AQ3cqq
Centos + redhatSubmitted by xslima00 (not verified) on Fri, 2014-09-12 22:12
Good article buddy. I tried to search how to do it on Centos and with dracut is even easier.
Just create new file like this and update /etc/crypttab to point on your password file.
# cat /etc/dracut.conf.d/99-mypwfile.conf
install_items="/etc/ /etc/crypttab”
After force dracut to rebuild initramfs with "dracut -f".
updateSubmitted by xslima00 (not verified) on Fri, 2014-09-12 22:15
install_items="/etc/pass /etc/crypttab”
of course