Cannot unlock encrypted root after upgrading to 22.04 due to use of non-standard ciphers
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
cryptsetup (Ubuntu) |
Fix Released
|
Critical
|
Unassigned | ||
Jammy |
Fix Released
|
Critical
|
Unassigned | ||
Kinetic |
Fix Released
|
Critical
|
Unassigned |
Bug Description
[Impact]
After upgrading to Ubuntu 22.04 with an encrypted root filesystem, the root drive can no longer be unlocked at the "Please unlock disk <diskname>" prompt on boot.
The encrypted root disk can be unlocked fine from the liveCD, but not from the initramfs environment on boot.
The issue is caused by support for various luks encryption protocols now being missing from the initramfs environment due to changes introduced in OpenSSL 3.0 and Ubuntu pre-release testing not including a test-case of upgrading older Ubuntu versions with an encrypted root to the new version.
[Test Plan]
Test a fresh installation:
* Use Ubuntu 22.04 installer
* Prepare encrypted disk layout (first partition /boot, second for /) and go one step back
* Then change hash in terminal
```
sudo cryptsetup close vda2_crypt
sudo cryptsetup luksFormat --hash=whirlpool /dev/vda2
sudo cryptsetup luksOpen /dev/vda2 vda2_crypt
sudo mkfs.ext4 /dev/mapper/
```
* Continue and complete installation
* Ensure that /target/
* Reboot
* The system should ask for the password during boot and successfully boot into the desktop
Test an upgrade:
* Install Ubuntu 20.04 (similar to above)
* Upgrade to Ubuntu 22.04
* Reboot
* The system should ask for the password during boot and successfully boot into the desktop
[Where problems could occur]
The changed code is called when running "update-initramfs". Therefore generating a new initramfs could fail (and the user would stay on an old one). Upgrading the package will trigger "update-initramfs". So bugs in initramfs (or it scripts) can be triggered at that time.
[Workaround]
The issue can be worked-around by:
1. Booting from the 22.04 liveCD.
2. chrooting into the target system's root.
See https:/
3. Creating a file /etc/initramfs-
---
. /usr/share/
copy_exec /usr/lib/
---
4. Mark the file as executable: chmod +x /etc/initramfs-
5. Regenerating the initramfs. ie. update-initramfs -k all -u
description: | updated |
Changed in cryptsetup (Ubuntu): | |
importance: | Undecided → Critical |
tags: | added: rls-jj-incoming rls-kk-incoming |
tags: | added: transition-openssl3-jj |
tags: | added: fr-2498 |
Changed in cryptsetup (Ubuntu Jammy): | |
importance: | Undecided → Critical |
tags: | removed: rls-jj-incoming rls-kk-incoming |
Changed in cryptsetup (Ubuntu Jammy): | |
milestone: | none → ubuntu-22.04.1 |
tags: | added: patch |
description: | updated |
description: | updated |
summary: |
- Cannot unlock encrypted root after upgrading to 22.04 + Cannot unlock encrypted root after upgrading to 22.04 due to use of non- + standard ciphers |
Would there be any way to workaround the issue BEFORE the upgrade to 22.04? resorting to booting a live CD is far from ideal, in my case I've many machines to upgrade.