I ran into a problem a few weeks ago with my Linux system. After performing a kernel update and rebooting, I couldn’t remember the disk encryption password. I tried for an hour or more, running through all of the passwords I could think of, including new combinations and possible miskeys, but nothing worked. Finally, I shut it off in frustration.
Last night, I figured I’d take another crack at it. After nearly 30 minutes, I finally stumbled across the right password. It was something I’d tried several times before, both last night and during the previous failure, but had apparently miskeyed a few dozen times. Success!
Until I tried to log in.
Password for my account? Wasn’t happening. Couldn’t remember what it was. Worse, I couldn’t remember the root password, either. OK, I figure. I’ll just reboot into single-user mode and reset the password.
It wasn’t quite that simple.
First tip of the post
If you’re using grub2, arrow down to find the “linux” line. Fedora doesn’t put a nice box around it as some other distros seem to (or at least it doesn’t happen on mine). Being a little less familiar with grub2 than with grub (and perhaps a bit tired), I needed a couple of tries to realize that the content has to be scrolled.
Once I figured this out, I added “1” to the end of the line, just as I have many times before in grub. It booted, I gave it the disk password, and it tried to drop to a maintenance prompt. Not quite what I was expecting, but OK. Except it wanted the root password. The same thing happened when I used “single” or “rescue” instead of “1”: I was expected to enter the root password. Whatever I tried, it wanted the password I was trying to reset.
As best I can tell from poking around, this is due to SELinux enforcing a policy. I’m not opposed to it, and in fact it made me happy (in an angering kind of way). After all, if it was going to enforce this on me, it would enforce it on anyone else. But it didn’t get me the access I needed.
Second tip of the post
Always keep the installation media around. I dug around for the DVD+RW that I use for Linux installations (no sense making permanent what might be used only 2-3 times) and found that it still had the Fedora 19 installer on it. I booted from that, chose the Rescue option, and got to see where it failed to mount the encrypted partition (maybe because I use btrfs?). But that’s where Google came in.
Resetting the password
Thanks to DigitalVectorz, I had some things to try. Here’s what I ended up doing once I booted from the DVD (some of this rests on knowing which partitions are which).
- Press <Tab> and add “rescue” to the end of the line, then press <Enter>.
- Press <Esc> to cancel the integrity check. Let the boot finish, which may take a minute or two.
- Press <Enter> to select “Continue” to get a rescue shell. Press <Enter> when warned that there are no partitions, and then press <Enter> on the next menu to get a shell.
- Type the following command to see what partitions have been mapped. In my case, only control and live-rw were listed.
- Type the following command to unlock the encrypted partition. Note that your partition may be different from sda3; if, after entering the password, you get a warning that the partition type is swap or something else unexpected, try another partition.
cryptsetup -v luksOpen /dev/sda3 myroot
- After you’ve unlocked the correct partition, use the following commands to mount the partition, confirm that it’s present, and chroot to it.
mount /dev/mapper/myroot /mnt/sysimage/
- Now you can change the password for root (or whatever other accounts may need it) or fix other configuration-related boot problems.
- Type “exit” a couple of times to reboot. Don’t forget to remove the disc.
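As an added example (not the post’s own commands), here is the unlock, mount and chroot sequence above as a checked shell script, with a filter that picks out the crypto_LUKS partition first so the wrong-partition (swap) detour from the luksOpen step is avoided. The device names and the lsblk sample are constructed; the mapper name myroot and the mount point /mnt/sysimage follow the post.

```shell
#!/bin/sh
# Added example: choose the LUKS container before running luksOpen, then run
# the unlock / mount / chroot steps with a check after each one.
# Device names and the sample lsblk output are constructed, not from the post.

# Filter "lsblk -rno NAME,FSTYPE" output down to devices formatted as LUKS
# containers, so swap, /boot or an ESP is never handed to luksOpen.
luks_candidates() {
  awk '$2 == "crypto_LUKS" { print "/dev/" $1 }'
}

# Constructed sample of what a rescue shell might list on a Fedora disk:
# a /boot partition, swap, the LUKS container and the btrfs root inside it.
SAMPLE_LSBLK='sda
sda1 ext4
sda2 swap
sda3 crypto_LUKS
luks-1234 btrfs
sr0 iso9660'

sample_candidates() {
  printf '%s\n' "$SAMPLE_LSBLK" | luks_candidates
}

# Unlock $1, mount it under $2 (default /mnt/sysimage) and change the root
# password inside a chroot. Only meaningful as root in a rescue shell; each
# step is checked so a wrong partition or a failed mount stops the script.
rescue_reset_root_password() {
  dev="$1"; target="${2:-/mnt/sysimage}"; name="myroot"
  cryptsetup -v luksOpen "$dev" "$name" || { echo "luksOpen failed for $dev" >&2; return 1; }
  mkdir -p "$target"
  mount "/dev/mapper/$name" "$target" || { echo "mount of $name failed" >&2; cryptsetup luksClose "$name"; return 1; }
  # A root filesystem carries /etc/shadow. If it is missing, this is not the
  # root tree (on btrfs the root may live in a subvolume, needing -o subvol=...),
  # so back out instead of chrooting into the wrong place.
  if [ ! -f "$target/etc/shadow" ]; then
    echo "$target does not look like a root filesystem" >&2
    umount "$target"; cryptsetup luksClose "$name"; return 1
  fi
  chroot "$target" passwd root
}

# Dry run when executed directly: show which devices would be offered.
echo "LUKS candidates in the constructed sample:"
sample_candidates
# Set RESCUE_DEV=/dev/sdXN in a real rescue shell to perform the reset.
if [ -n "${RESCUE_DEV:-}" ]; then rescue_reset_root_password "$RESCUE_DEV"; fi
```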
After this, I was able to get in. You can also, of course, use this for backing up files like, say, /etc/passwd, /etc/shadow, and all the database files.
And, of course, by “backup” I mean “copy to another location so that you do whatever you want with the data.” After all, if you have physical access to the box (and especially if you have the encryption password), you’ve already won.