Lubuntu and Kubuntu 24.04 fail to decrypt on boot when installed on encrypted partition

Bug #2064909 reported by Minhaz Haque
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
calamares (Ubuntu) | Won't Fix | Undecided | Unassigned |

Bug Description

Test hardware 1 (Lubuntu 24.04 and Kubuntu 24.04):
VirtualBox, 2 CPUs, 8192 MB RAM, 128 MB VRAM, EFI disabled, Host I/O cache disabled.

Test hardware 2 (Kubuntu 24.04):
Intel Core i5 7400, 32 GB DDR4 RAM, RTX 3060 12 GB.

Language and locale: en_US.UTF-8.
Keyboard: Generic 105-key PC.

During installation, I selected manual partitioning, created an ext4 partition, checked the encrypt box, entered a passphrase, selected "/" as mount point, and proceeded with the installation. But after reboot when it asks for the encryption passphrase, and the passphrase is entered correctly, it immediately shows an error like this:

error: Invalid passphrase.
error: disk 'cryptouuid/abc123...' not found.
Entering rescue mode...
grub rescue>

This same problem occurs in both Lubuntu 24.04 and Kubuntu 24.04. But the same installation steps work just fine with Lubuntu 22.04.4. I tried different installation settings (VirtualBox/PC, MBR/GPT, BIOS/EFI, etc.) and all resulted in the same error.

This bug report is a followup of this question in Ask Ubuntu: https://askubuntu.com/questions/1512978
---
ProblemType: Bug
.etc.calamares.modules.finished.conf:
 ---
 restartNowMode: user-checked
 restartNowCommand: "systemctl -i reboot"
.etc.calamares.modules.fstab.conf:
 crypttabOptions: luks,keyscript=/bin/cat
 efiMountOptions: umask=0077
.etc.calamares.modules.shellprocess_logs.conf:
 ---
 dontChroot: true
 timeout: 30
 script:
     - calamares-logs-helper ${ROOT}
.etc.calamares.modules.unpackfs.conf:
 ---
 unpack:
     - source: "/cdrom/casper/filesystem.squashfs"
       sourcefs: "squashfs"
       destination: ""
ApportVersion: 2.28.1-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
CasperVersion: 1.498
CurrentDesktop: LXQt
DistroRelease: Ubuntu 24.04
LiveMediaBuild: Lubuntu 24.04 LTS "Noble Numbat" - Release amd64 (20240425.1)
Package: calamares 3.3.5-0ubuntu4
PackageArchitecture: amd64
ProcVersionSignature: Ubuntu 6.8.0-31.31-generic 6.8.1
RelatedPackageVersions:
 calamares-settings-ubuntu-common 1:24.04.39
 calamares-settings-lubuntu 1:24.04.39
 xfsprogs 6.6.0-1ubuntu2
 btrfs-progs 6.6.3-1.1build2
Tags: noble
Uname: Linux 6.8.0-31-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo users
_MarkForUpload: True

Chris Guiver (guiverc) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

If possible, can you boot your system (using the 24.04 media you tried to install) and try the install again? Assuming it fails again, please follow the following instructions AFTER the error has [re-]occurred.

Please execute the following command only once, as it will automatically gather debugging information, in a terminal:

apport-collect 2064909

( When reporting bugs in the future please use apport by using 'ubuntu-bug' and the name of the package affected. You can learn more about this functionality at https://wiki.ubuntu.com/ReportingBugs. )

Minhaz Haque (cluelessnoob) wrote :

Sorry, I'm new to launchpad. I'm a bit unsure about where to run the apport-collect command. The installation completes normally and asks me to reboot as usual. The problem occurs after the reboot, at which point I no longer have access to a terminal except the grub rescue shell (as the system doesn't decrypt and boot). Do I run the command from the live boot once the installation finishes?

Chris Guiver (guiverc) wrote :

Thanks for responding, AND asking for further help!

Sorry, I didn't think through my wording clearly enough... To be useful, `apport-collect` has to be run AFTER a failed install; however, to confirm it failed (by your already provided description) you need to reboot, and thus the report I want will have been lost (due to the reboot). My mistake, sorry.
-- NEW INSTRUCTIONS FOLLOW

Please boot your machine again (install media), run the install (as you've done a number of times again) and then after install completes DO NOT REBOOT when asked to.

Instead open a terminal and run

apport-collect 2064909

i.e. it'll add details from that machine, your ISO used, and the install report & other details from the currently 'it appeared to work' install... THEN YOU CAN REBOOT.

On reboot, you can confirm the INSTALL FAILED (i.e. you could NOT boot into your installed system) or INSTALL SUCCEEDED...

At this time, return to this report & please just add a comment that you followed the instructions I laid out here (comment #3) and ran `apport-collect` as requested, and please add that the install FAILED TO BOOT (as described in the bug description), or worked perfectly etc... (or whatever you feel compelled to add given you're running the install).

THANK YOU for taking time here to make our Ubuntu system better (Ubuntu includes flavors like Lubuntu/Kubuntu..)

Minhaz Haque (cluelessnoob) wrote : apport information

Attachments added:
 .etc.calamares.modules.automirror.conf.txt
 .etc.calamares.modules.before_bootloader_context.conf.txt
 .etc.calamares.modules.before_bootloader_mkdirs_context.conf.txt
 .etc.calamares.modules.bootloader.conf.txt
 .etc.calamares.modules.displaymanager.conf.txt
 .etc.calamares.modules.locale.conf.txt
 .etc.calamares.modules.machineid.conf.txt
 .etc.calamares.modules.mount.conf.txt
 .etc.calamares.modules.packages.conf.txt
 .etc.calamares.modules.partition.conf.txt
 .etc.calamares.modules.users.conf.txt
 .etc.calamares.modules.welcome.conf.txt
 .etc.calamares.settings.conf.txt
 .home.lubuntu..cache.calamares.session.log.txt
 Dependencies.txt
 ProcCpuinfoMinimal.txt
 ProcEnviron.txt

tags: added: apport-collected noble
description: updated

Minhaz Haque (cluelessnoob) wrote :

Thanks. I followed your instructions and hopefully did things right. I ran a fresh install of Lubuntu 24.04 in VirtualBox again, and at the end unchecked the reboot box and clicked done. It took me to the live desktop. I opened the terminal, ran the "apport-collect 2064909" command, authorized from Firefox (from within the live desktop), and submitted the report.

After that, I rebooted, and faced the exact same problem mentioned in the original report.

Thank you for taking the time to look into it.

Minhaz Haque (cluelessnoob) wrote :

UPDATE: I tried selecting the erase whole drive option (instead of manual partitioning) and encrypt from there, and that seems to be working. I tried both Kubuntu 24.04 and Lubuntu 24.04 in VirtualBox, and they both seem to be working as expected. So the problem might be with manual partitioning only, which worked back in 22.04 but not in 24.04.

Chris Guiver (guiverc) wrote :

Thanks for the additional testing.

The erase disk & install using encryption gets more QA (https://discourse.lubuntu.me/t/testing-checklist-noble/4809 shows six QA tests for that), and whilst there are some manual partitioning install tests, no encryption is mandated there.

Aaron Rainbolt (arraybolt3) wrote :

It looks like you don't have a separate /boot partition being created? All Ubuntu flavors use Canonical's build of GRUB (naturally), and Canonical explicitly **does not support /boot being located on an encrypted partition.** It actually creates additional security risks to do so as Canonical doesn't test the code that handles encrypted /boot.

Most likely what broke this is we changed from LUKS1 to LUKS2 in Lubuntu to increase security. I do not believe GRUB supports LUKS2. As encrypted /boot is not supported, and as there are security concerns when using LUKS1, I don't think we probably should fall back to LUKS1.

If you're *really* determined to install with /boot on an encrypted partition despite the fact that this is dangerous, try running `sudo nano /etc/calamares/modules/partition.conf`, and change `luksGeneration: luks2` to `luksGeneration: luks1`. Then try installing with one big encrypted partition again. Again, **this is dangerous**, and also it has a good chance of breaking if you use a keyboard layout other than US.

Hope this is helpful!

Changed in calamares (Ubuntu):
status: New → Won't Fix
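
A way to check from the live session, before rebooting, which LUKS generation was written and whether GRUB or the initramfs will have to unlock it, following the explanation in the comment above. This is an added example, not code from Calamares or from any commenter; the function names and verdict strings are hypothetical, and the demo input is a constructed 8-byte header stub rather than a real volume.

```sh
#!/bin/sh
# Added example (not from the bug report): inspect LUKS header version and layout.
# LUKS1 and LUKS2 headers both begin with the magic "LUKS" 0xBA 0xBE followed
# by a 2-byte big-endian version field.

luks_version() {    # $1: block device or image file -> prints 1, 2 or none
    hdr=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) echo none ;;
    esac
}

conf_luks_generation() {    # $1: Calamares partition.conf -> luks1, luks2 or unset
    gen=$(sed -n 's/^[[:space:]]*luksGeneration:[[:space:]]*"\{0,1\}\([A-Za-z0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${gen:-unset}"
}

boot_unlock_path() {    # $1: luks_version of root, $2: yes if /boot is separate and unencrypted
    case "$1:$2" in
        none:*) echo unencrypted ;;
        *:yes)  echo initramfs-unlocks-root ;;   # GRUB reads /boot in the clear
        2:*)    echo grub-must-unlock-luks2 ;;   # the layout reported in this bug
        1:*)    echo grub-must-unlock-luks1 ;;   # the unsupported workaround layout
        *)      echo unknown ;;
    esac
}

# Demo on constructed input (header stub and config line are made up for illustration).
demo=$(mktemp -d)
printf 'LUKS\272\276\000\002' > "$demo/root-luks2.img"
printf 'luksGeneration: luks2\n' > "$demo/partition.conf"
v=$(luks_version "$demo/root-luks2.img")
echo "installer setting: $(conf_luks_generation "$demo/partition.conf")"
echo "root header: LUKS$v, single encrypted /: $(boot_unlock_path "$v" no)"
rm -rf "$demo"
```

On the live session, pass the root partition's device node to `luks_version` (reading it requires root) and `/etc/calamares/modules/partition.conf` to `conf_luks_generation`.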
Minhaz Haque (cluelessnoob) wrote :

Ah, that makes sense now. I avoided the erase disk option before, because if I remember correctly, it didn't work with my multi-boot setup in 22.04. But it seems to work fine in 24.04 (OS switching with BIOS boot menu, or rEFInd). So no need for me to mess with luks1 and potential security issues.

Thanks y'all for clarifying the issue. Much appreciated.

ԜаӀtеr Ⅼарсһуnѕkі (wxl) wrote :

Thank YOU for all the effort. Had this been an actual bug the extent to which you went would have made a big difference.

Leigh Koven (lkoven) wrote :

So I came across this bug because I was *trying* to use a separate unencrypted boot partition, but then calamares yelled at me with:

A separate boot partition was set up together with an encrypted root partition, but the boot partition is not encrypted.

There are security concerns with this kind of setup, because important system files are kept on an unencrypted partition.
You may continue if you wish, but filesystem unlocking will happen later during system startup.
To encrypt the boot partition, go back and recreate it, selecting Encrypt in the partition creation window.

My understanding from previous versions of Ubuntu was that /boot needed to be unencrypted, so I was a little surprised when the installer bugged me to encrypt it. Since this apparently isn't actually properly possible, can it be fixed to *not* tell me to do something I shouldn't do?

Aaron Rainbolt (arraybolt3) wrote :

Oooh, good catch. That *is* a bug that we should fix.
