Disk Encryption not working on recent neon iso's but is working on older images?

ricksanchez137c · January 11, 2024, 2:27am

Disk Encryption not working on recent neon iso’s but is working on older images?

When I installing neon using the following iso images with disk encryption I’m unable to boot into the system.
neon-user-20231221-0716.iso
neon-user-20240104-0715.iso
neon-unstable-20240107-1119.iso

I’m quite sure that I am entering the right password as I get the message slot 0 open but then I get a message stating that the password is not correct or an option is the cause. Then I get a message that the max tries has been exceeded.
Though I don’t get this issue when installing using
neon-user-20231130-0716.iso

Any ideas?

Kilian · January 17, 2024, 11:23pm

I have the exact same problem! Is there anywhere, where I can download an older KDE Neon install ISO, which is not broken as workaround?

ricksanchez137c · January 18, 2024, 6:13am

You can try Distrowatch they keep torrent files for older releases of many distros.

I did have a few have a few older iso images on my HDD as I like to keep around the last four neon iso releases. Just is case, this is the first time I’ve needed to use an older image.

W4RH4WK · January 19, 2024, 3:31pm

I can confirm that iso neon-user-20240104-0715 is broken. A fresh install with full disk encryption is not bootable.

Manually mounting the encrypted partition works, so the passphrase was correctly read and set by the installer.

Edit: I can confirm that iso neon-user-20231206-1454 works as expected.

frmdstryr · January 23, 2024, 2:07pm

For anyone wanting to still boot until this is fixed… after it drops you into the shell. Use cat /cryptroot/crypttab and take note of the luks-<uuid> partition.

Then unlock it with

cryptsetup luksOpen /dev/sda2 luks-<uuid>

and enter the password. Then run

exec run-init /root /sbin/init /root/dev/console

and the desktop should start.

lionatic · February 24, 2024, 6:14am

There’s a bug report about this here: 480856 – Fresh Neon install can't boot if encryption is used (20240201-0717 iso)

Please chime in to hopefully get the devs to pay attention

mstemle · March 4, 2024, 8:31pm

That didn’t work for me. It kept saying that the /dev/sda2 (or /dev/sda1 in my case) didn’t exist or that I lacked permissions.

John_Friedson · March 5, 2024, 9:22pm

With -0715 I’m getting FAILED Failed to start Snap Daemon
and system boot freezes…

broulik · March 13, 2024, 8:25am

So while it is fixed for new ISOs, I didn’t want to reinstall my system. Basically what I did, from the (initramfs) prompt, I booted manually

cryptSetup luksOpen /dev/nvme0n1p2 luks-<the uuid>`

Make sure to adjust the /dev partition to your drive. And more importantly: make sure the luks- you name it matches up with what your crypttab says your root drive should be! Then boot through (exec run-init or something)

Once booted up, put the Calamares config [1] neon now uses into /usr/share/initramfs-tools/hooks/

Then regenerate your initramfs sudo update-initramfs -u. Pay attention that there is no cryptsetup: WARNING: target ... is not found in /etc/crypttab. If there is, you probably mistyped your luks- above or it doesn’t match up or an encrypted partition you have wasn’t set up properly.

If there are no warnings of the sort, try rebooting. (This message is proudly presented to you by a working neon installed with three weeks old ISO image fixed just this morning)

[1] calamares/src/modules/initramfscfg/encrypt_hook at calamares · calamares/calamares · GitHub

John_Friedson · March 13, 2024, 2:07pm

The good news is, neon-user-20240312-2344 encryption works… at least for / I could not get it working with swap also encrypted, but that could be my ignorance.

Graphite · June 28, 2024, 9:14am

Encryption is still broken. Just discovered this in neon-user-20240627-0718.

dariowho · June 29, 2024, 5:47pm

I also report the same bug after a fresh install from neon-user-20240627-0744. After I am prompted for the disk passphrase the system hangs for ~1m, then the Neon splash appears, with the “cryptsetup … maximum number of retries exceeded” message, hangs for another ~1m, then drops in the (initramfs) prompt.

From there I manage to decrypt and boot Neon (cryptsetup luksOpen ... + exec run-init ... as mentioned in the thread).

However, the content of /usr/share/initramfs-tools/hooks/ already matches the Calamares conf on GitHub, regenerating the initramfs doesn’t solve (no crypttab warnings appear in the process).

Any idea how to fix the issue, or what could be its cause?

Graphite · June 30, 2024, 7:18am

I fixed mine by doing 3 things, but I think only 2 of them were necessary:

Add KEYFILE_PATTERN=/crypto_keyfile.bin in /etc/cryptsetup-initramfs/conf-hook
Edit /etc/crypttab and replace “none” after the UUID with /crypto_keyfile.bin, then in the series of comma-separated strings at the end, change it to luks,discard,key-slot=1,keyscript=/bin/cat

Rebuild initramfs:
sudo update-initramfs -c -k all

According to the crypttab documentation, the 3rd argument in the crypttab line is passed to the keyscript. That would be “none” in the crypttab the installer creates, but that means it’s simply passing “none” to /bin/cat and trying to decrypt the volume with that. That can’t work. Adding /crypto_keyfile.bin makes it pass the file to /bin/cat so it can enter the password, so to speak. Oddly, it doesn’t work fully if I remove keyscript=/bin/cat, when it should work without any keyscript. When I did that, it did decrypt, but then it just froze on a blinking cursor, never loading KDE. It’s strange because I have done this many times on Ubuntu and Debian systems. Neon seems to have a non-standard way of decrypting the volumes using /bin/cat or something.

The 3rd thing I did, which think is likely unnecessary, but if the above doesn’t work, you can try it. Add the keyfile manually to both encrypted volumes:
sudo cryptsetup luksAddKey /dev/the_partition /crypto_keyfile.bin

This will add the key file to slot 2 (0-index). You will have to change /etc/crypttab again to point to the correct slot:
luks,discard,key-slot=2,keyscript=/bin/cat

Again, rebuild initramfs.

If step 3 is required, then I suspect key slot 1 (the one generated for the key file by the installer) was created with some kind of bad data and should be removed for security purposes.

Just a note: To avoid errors/warnings while rebuilding initramfs, make sure to decrypt the root volume using the same name/id shown in /etc/crypttab. (The 1st is root, 2nd is swap.)

Edit: Leave out “discard” from crypttab if you are concerned about the security implications.

dariowho · June 30, 2024, 10:52am

Thanks, that worked! I also followed roughly the same steps yesterday based on Reddit posts [1][2], except adding the discard,key-slot=2 bit to /etc/crypttab (I confirm that it doesn’t work if keyscript=/bin/cat is omitted)

[1] https://www.reddit.com/r/kdeneon/comments/1aenouy/comment/koki816
[2] https://www.reddit.com/r/kdeneon/comments/ycpmg6/fyi_be_careful_when_upgrading_to_kde_neon_with

Graphite · June 30, 2024, 5:26pm

That’s great. Did you end up having to add /crypto_keyfile.bin to a new luks key slot? key-slot=2 shouldn’t work if you didn’t because it only defaults with 2 keys (slots 0 and 1).

Edit: I just did some testing and found out that 1) Keyslot 1 is fine and there is no need to add /crypto_keyfile.bin in a new keyslot. 2) After booting into Neon and doing some updates, I can now delete keyscript=/bin/cat and it still works. Also, I noticed during boot it no longer shows the text on the screen saying decryption of the volume was successful. It doesn’t show anything anymore, just like all the other distros I’ve used. I have a feeling something in one of the updates changed the way it works.