9

I've got a laptop which I haven't used since the last summer vacation: I did put Debian 7 on it and used Debian's feature to fully encrypt the disk, besides a tiny bootloader (or a tiny partition) I guess (not too sure which encryption this is nor how to find out).

I do know the password of the encrypted filesystem so the system boots, but I'm stuck the login prompt: I did forgot my password(s).

Seen that I know the password of the encrypted filesystem, I take it I can boot from a Live CD (or even maybe from the Debian install CD?) and somehow "mount" the encrypted partition.

If that's the case, can someone explain me how to do this? (knowing that I've never mounted an encrypted partition / filesystem manually)

Cedric Martin
  • 2,777
  • 6
  • 28
  • 32
  • 1
    It wouldn't be a big deal for me to reinstall a whole Debian system (there's nothing of value and I can install Debian) but it seems a bit overkill and, moreover, I may learn something in the process by mounting the encrypted filesystem and changing the passwords... – Cedric Martin Apr 23 '14 at 19:16

1 Answers1

16

Full disk encryption is usually done using the dm-crypt Device Mapper target, with a nested LVM (Logical Volume Manager) inside. So to reset your password you'll have to

  1. Unlock/open the crypto container; this is done using cryptsetup
  2. Activate the logical volumes; vgchange is used for this.

Usually you won't need to care about this. Just let the initrd provided by your distribution do the job but tell it not to start /sbin/init but something else — a shell would be good. Simply append init=/bin/sh to your kernel's command line in your boot loader (with GRUB you could press E with the appropriate boot entry selected to edit the entry).

Then your kernel should boot up normally, booting into the initrd which should ask for your passphrase and set up your file-systems but instead of booting the system up drop you into a shell. There you'll have to

  1. remount / read-write: mount -o rw,remount /
  2. reset your password using passwd <user> (since you're root you won't get prompted for the old one)
  3. remount / read-only: mount -o ro,remount / (skipping this might confuse your init scripts)
  4. Start the regular init with exec /sbin/init (or simply reboot -f).

If this does not work, you'll have to take the approach with greater effort and do it from "outside", a.k.a. booting a Live CD. Usually this should be possible by using the Debian install CD — the tools should be installed, since the installer somehow has to set up encryption which uses the same schema:

  1. Boot a Live CD

  2. Open the encrypted partition by issueing

    # cryptsetup luksOpen /dev/<partition> some_name

    where <partition> should be your encrypted partitions name (sda2, probably). some_name is just… some name. This will prompt you for the disk's encryption passphrase and create a block device called /dev/mapper/some_name.

  3. Activate the logical volumes. This should usually work by issueing

    # vgscan
# vgchange -ay

    This will create block device files for every logical volume found in the LVM in /dev/mapper/.

  4. Mount the volume containing your / file system:

    # mount /dev/mapper/<vgname>-<lvname> /mnt

    where <vgname> and <lvname> are the names of the volume group and the logical volume. This depends on the way distributions set it up, but just have a look into /dev/mapper/, normally names are self-explanatory.

  5. Change your password with passwd <user> accordingly.

Andreas Wiese
  • 10,112
  • 1
  • 32
  • 38
  • This explains how to change the filesystem's password. If you read the question more carefully, he knows that password. He's forgotten his user (login) password. – cjm Apr 23 '14 at 20:00
  • Oh, sorry, I missed that — it's late here. ;) Corrected. – Andreas Wiese Apr 23 '14 at 20:18
  • @AndreasWiese: +1, thanks... Indeed, it's the users passwords I need to change! I'll try what you suggested ASAP: I really like the approach without a live CD. – Cedric Martin Apr 23 '14 at 20:55
  • @AndreasWiese: worked perfectly. At first I wasn't too sure about which line I was supposed to add *"init=/bin/sh"* inside Grub but things went smoothly. I simply recopied (which was kinda painful) character by character an entry of an */etc/passwd/* from another system, for the root user. Everything is smooth again. Thanks again. – Cedric Martin Apr 25 '14 at 14:40
  • Meh, it just came to my mind that once you've remounted `/` r/w you could have simply done `passwd root` since `root` doesn't get asked for his/her old password. Sorry for that. – Andreas Wiese Apr 25 '14 at 14:47