ubiquity does not support existing LUKS encrypted partitions

Status changed to 'Confirmed' because the bug affects multiple users.

I confirm. That's a quite horrible experience. The previous text-based installer worked perfectly to unlock the disc and map the partitions. It was never supported in the GUI installer and I killed my disk once because of that.

This is a major downturn as encryption is a best-practice for quite a long time.

Yeah it's a pretty ridiculous bug to have in an LTS release. Disk encryption is a must these days, and other OSes like Windows support it by default

I have used the "cryptsetup luksOpen` work-around successfully already years ago.

However, when installing 20.04 with the server installer it does no longer work.
Installation aborts; in the log I found the cause to be

   raise ValueError("encryption key or keyfile must be specified")

from

https://github.com/canonical/curtin/blob/45877d0e1f5774dc424f73b0c1c16b65e0353e63/curtin/commands/block_meta.py#L1394

(Note: This is not necessary the commit that was in use when I used the installer. I just looked at the current master branch to point to the message I got. I did upload the crash report, but I don't have a link to my upload.)

Obviously the installer got confused ny the work-around because it noticed that there is a LUKS container, but it had never gotten any secret related to it.

Is there more than one Server installer, that could explain the discrepancy against the instructions above?

I tried the xubuntu-20.04.2.0 and there the work-around still works.

> I tried the xubuntu-20.04.2.0

Sorry, that should have been

xubuntu-20.04.2.0 installer

> Then, either do this at the end after the installer has run, or boot into a live CD environment (e.g. Kubuntu) and do:

The many steps given there are not really necessary. If you installed without downloading updates the following steps should be easier:

1. The first boot after the installation will not succeed, but give you a busybox shell from initramfs.
1. In that shell give the cryptsetup command as given above.
1. Exit the shell using Ctrl-D.
1. The boot will now complete.
1. Create the /etc/crypttab file. Typically you can just copy it from your previous root file system.
1. Update the system using apt or whatever you use. Unless you do this immediately when the installer image was built there will be updates that recreate the initramfs. The recreated initramfs will contain your new /etc/crypttab.
1. Reboot.
1. It works!

I am trying to install ubuntu 20.04 on top of an old LUKS partition with ubuntu 18.04. I have a single encrypted partition so I set it as mount point "/". But the installation then fails saying that the bootloader installation failed. For bootloader I selected the disk where the LUKS partition is. There are other two partitions on that disk, an efi and an ext2. Should the selection for the bootloader installation be different?

Using the installer for 20.04.3 server using the workaround and the installer is failing with raise ValueError("encryption key or keyfile must be specified") in the log as well.

Do you have to use the server installer to use the workaround or can the desktop installer do the same?

Has anyone come up with a workaround for the "ValueError: encryption key or keyfile must be specified" bug? I'm trying to install Ubuntu Server 20.04.3 here, too, after manually creating a slightly tweaked LUKS device, and the installer keeps failing. Perhaps an older point-release of 20.04 still works? Thanks!

This problem's still there on 22.04. I simplified my notes on how to workaround it, HTH:

**Ubuntu 22.04 and Newer: Extra Steps for Re-Using Existing LUKS Encrypted Partition**
This has to be done using the Kubuntu or Ubuntu desktop live CD. Using the Ubuntu Server Live CD (with text-based installer) doesn't work in either of 20.04 or 22.04 as the installer will just crash a few seconds after it starts installing. Steps:
- Boot off Kubuntu Live CD, select Try Kubuntu to get the desktop
- Open a terminal and run: sudo cryptsetup luksOpen /dev/sdX sdX_crypt #replace with nvme0nXpX or whatever the machine has
- Start the installer and run through it. The LVM LV's will appear in the installer. Note that (as of 22.04 at least) makes you create an EFI system partition - hopefully you have one even if it's unformatted
- End the installer and reboot as normal. You'll find it dumps you to an initramfs prompt. At this point again run:
sudo cryptsetup luksOpen /dev/sdX sdX_crypt #replace with nvme0nXpX or whatever the machine has
exit
It'll now continue booting successfully
- Once booted, create a valid /etc/crypttab:
sudo bash
export MAINLUKSPARTITION=sda4 # other examples: nvme0n1p3, whatever the machine has
UUID=$(blkid -s UUID -o value /dev/${MAINLUKSPARTITION})
echo "${MAINLUKSPARTITION}_crypt UUID=${UUID} none luks,discard" >> /etc/crypttab
cat /etc/crypttab
# check it looks right

update-initramfs -u -k all

> - Start the installer and run through it. The LVM LV's will appear in the installer. Note that
> (as of 22.04 at least) makes you create an EFI system partition - hopefully you have one even if
> it's unformatted

Note this doesn't work anymore with the lunar installer, see https://github.com/canonical/ubuntu-desktop-installer/issues/1770

Still an issue, this makes things difficult with luks encrypted rootfs and database partitions.

Installation with ubuntu 22.04.02 LTS server edition (ubuntu-22.04.2-live-server-amd64). Bug is still an issue.
Manual installation selected. If encrypted LVM is mounted, partition can be selected. A selection of a distinct boot partition seems also mandatory to go further.
However Installation fails during the next step (log: ValueError("encryption key or keyfile must be specified"))

I am also affected by this bug with 22.04 LTS server cloud-init base autoinstall, updated to newest subiquity during install.

In early-comands, I
 - create an appropriate /etc/crypttab
 - cryptdisks_start all the encrypted volumes

Still no success, since subiquity verifies volume name using

  dmsetup info -C -o name,uuid,blkdevname,blkdevs_used,subsystem

dmsetup reports "nvme0n1p3" but subiquity expects "/dev/nvme0n1p3" (note the missing "/dev/")

I can't find any way to tell dmsetup to include the "/dev/" when reporting blkdes_used.

For three years it is not possible to properly use encrypted filesystems, which should be standard for decades.

This still happens in noble daily. I worked around it in a rather nasty way by injecting the key value and adding the missing "/dev" in curtin's block_meta, and after that installation continues as expected.

Nearing 2nd LTS release after the bug was reported and still no solution or even acknowledgement of how serious the problem is.

To make it worse, in main desktop image they completely removed encryption option from manual disk partitioning screen.