I believe I did try that last week. I will try again.
Yes, I ran sudo update-initramfs -u and it did not resolve this situation. For reference to this issue, from 2015! This is Greek to me, so I’ll need help interpreting: https://unix.stackexchange.com/questions/164403/unlock-luks-encrypted-debian-root-with-key-file-on-boot-partition
You see this same error?
cryptsetup: WARNING: target sdaX_crypt uses a key file, skipped.
What is the error on your machine? Can you take a picture or write it down?
Was this ever resolved? Experiencing a very similar issue, only if you hit Escape and select an older kernel you can still get into the device, run all the update commands that do not work and validate a few things. My brand new V5 Librem 15 has 4 options total:
- one newest kernel (this one will not boot bc of bad password)
- one newest recovery (loops are fun)
- older kernel (this lets you in)
- older kernel recovery (this also lets you in)
If not, it is cool, I will reimage the laptop when the PureOS USB and Key arrive. Likely will just use an alternate Linux distro until then.
This is the standard grub menu you’re seeing with regular kernels and recovery kernels.
That is correct Jeremiah, very good, the underlying issue is that straight out of the box after going through the simple process of configuring and getting familiarized with the Librem 15v4 with PureOS for the first time (for myself anyways as it was the first time using PureOS as my goal was simply to support linux Hardware, free software and I think the killswitches/built in hardware tamper protection were what made me pull the trigger…so small learning curve for myself)
Fact is I simply ran and likely you can validate by grabbing one of the new Librem 15v4 laptops fresh out of the box, add a couple apps, tweak a few settings, run apt-get update && apt-get upgrade, then on the next reboot the following likely appears:
ERROR: (luks-07f23b4f-d170-4148-b8f1-60b1cec24d20: cryptsetup failed, bad password
No matter what I tried until I found this forum from my phone I could not log in because of this. Thanks to this post and the person who explained the ESC select different kernel work around I was at least able to get into the laptop. I was relieved I was not the only one experiencing the issue as stated above, it was my out of the box experience. I attempted all the fixes recommended in this post and on the wiki as I was able to get access via the old recovery kernel thus I tried all suggestions.
The actual fix that worked for me last night was as follows:
1.) Locate a USB (If you do not have one, buy one, currently PureOS is out of stock but it will be shipped soon, anytime after 8 Aug 2019 they may be restocked so if new to Linux or want simplicity order the $10 PureOS thumb drive, I did but out of stock…)
2.) Download PureOS (pureos.net)
3.) Flash the USB with bootable PureOS via Etcher or Rufus
4.) Look up the advanced Install instructions to erase and create the partitions on a separate computer/phone or print out unless your memory is good and you are more familiar with Linux
5.) Plug in the USB, boot into Option 3 and follow the instructions verbatim (note: reference was for an 8GB of memory so if 16GB or 32GB increase the swap size, there are 2x rules that some folks opt for.)
6.) Open terminal and run the update/upgrade command, do a few preference tweaks for good measure
7.) Pray to your respective god(s)
8.) Voilà, worked for me so far and all I lost was a few days worth of tweaks, history and stuff I did not care about
Being that this is a common issue, perhaps provide the $10 dollar USB and a tiny booklet of instructions or document in the USB until it is resolved to help out new customers in the future.
Although the Wiki has been helpful, sometimes a document to open up and follow along with without the need for internet is nice and takes up almost no space on the USB drive. Although, version control, tech writing processes being implemented can take time/resources for a problem that many folks do not experience and/or will be resolved by next version. Sometimes it really is the little things people appreciate. Then again your common customer may be a little more Linux savvy and enjoy spending time figuring out why this error appeared out of nowhere and they cannot log into a brand new laptop.
I am grateful this post exists because of the person who explained that you could hit ESC and select the older kernel that allows you in only all the recommended actions to fix it however, none of them worked for me so I was not locked out of it completely for long.
Hopefully any customer who sees this saves time by reinstalling PureOS if this happens to them. Part of me is really curious why this happened out of the box (Received this last Friday) yet, the Advanced Installation procedure with the download has yet to experience the same issue.
The Librem 15v4 with PureOS is a really good configuration and it is really simple to get used to. I just do not want any new users to get discouraged by these things which is easy to do when you just want things to be simple and work. Someone else may not have another computer or USB stick available to fix this so hopefully mine was just not configured correctly or the laptop out of the box has an older distro version than the one on the website which enables the upgrade to produce the bug. (I will have to check my video of the unboxing and pictures capturing the error when I get home to see if that guess is at all possible)
Either way, it works great now and am still content with the purchase. Hopefully this is helpful to someone.
This is extremely helpful - thanks for taking the time to write up your work, much appreciated.
As for mitigation on the PureOS side, we believe that this issue is in fact corrected. Unfortunately it’s entirely possible that the older image without the fix was used to flash your laptop, in which case, I apologize. It ought to be a newer image. I will work on updating that on our web site and I know we’ve updated it internally.
Should you, or anyone else, want a newer image, we have them available here:
https://downloads.puri.sm/oem/gnome/
We also have live images which boot from a USB or SDcard if you change your BIOS.
https://downloads.puri.sm/live/gnome/
No, this was not resolved for me. Yes, I’m familiar with logging in via the advanced menu/original kernel (for me 4.16-02). After trying everything in the forums and suggested by support via a long email exchange, I gave up for a bit. Too busy. I originally told them I did not want to reinstall, I thought that was an odd solution. I guess that’s what I’ll have to try though. That makes me sad and discouraged. That just means the actual cause/solution either were not discovered or were unsolvable, either way, that doesn’t inspire confidence for me with Pure. I see a few people latched on to this convo below. I’m sort of glad other people are experiencing this. Have a good day, hope your machine is functioning normally.
Thank you Jeremiah for the links.
Are there any links for the Librem 15v4 drivers?
Laptop worked great with just PureOS after the last fix action but then I wanted to install Parabola on the other drive in which it would not boot and because I still have not gotten my token figured I would experiment with just only Parabola before reverting back permanently after getting that set up.
Laptop did not play well with other Distros and am looking to just revert back as I have another device to run Parabola on. Hopefully the OEM version on a new thumb drive will successfully install this time. I had nuked the disks so if the reinstall does not work, I likely just have to refresh the seabios or something.
Thanks again for the OEM link Jeremiah
The thing is, if you’re getting this error:
ERROR: cryptsetup failed, bad password
What is happening is that you cannot enter your password in such a manner as cryptsetup can recognize. This is because of any number of reasons:
- You forgot your original password
- Your keyboard layout has switched
- Number Lock
- Possible changes in cryptsetup after version upgrade
We’ve seen all these things unfortunately and it is hard to diagnose since we have so little information to go by. None of this is to say this is your fault, I’m sure it’s not (although I confess I have forgotten my original password and had to reinstall).
We recommend reinstalling the OEM version of PureOS (if you have backups) because this gives you an opportunity to start with a clean slate, but we’re happy to help diagnose the issue if you’d rather not. One thing that often helps is taking a screen shot with a phone camera when you reach the point where the boot stops - that can be a diagnostic aid.
I just received a new librem 15v4 and went through the setup prompts and then ran the usual apt update / upgrade. After restarting the computer I have the same errors you describe except I am never prompted to enter my disk encryption passphrase to begin with. It’s as if it thinks I’m pressing ‘enter’ repeatedly. I’ve also tried booting into recovery mode but it made no difference.
In my case it definitely has nothing to do with me forgetting the password because I haven’t had the opportunity to enter it. Can I just locate the prior kernel and add it to grub so that I can run the prior version instead of reinstalling everything? Fedora keeps the last 5 kernels in grub so that a bad update doesn’t prevent you from getting work done. Maybe PureOS should do this too.
If you did go through the setup prompts you should have been asked to enter the password for disk encryption during setup. There is a graphical dialog asking you to set it.
Background information about disk encryption and links to the patch to GNOME’s initial setup you can find here.
Yes, and it did. I created a passphrase.
But when the machine is booting up I am never prompted to enter the pass phrase. Instead the error keeps repeating over and over:
cryptsetup: ERROR: luks-: cryptsetup failed, bad password or options?
It’s as if it is receiving input from somewhere else.
Maybe it’s the ‘options’ in ‘bad password or options?’
There’s also another error ‘UUID does not exist’ at the end of the log. I can change the UUID in grub but I don’t know what I would change it to.
I am able to mount /dev/sda1 in initramfs and view files but I don’t know where I would get the UUID. I imagine the UUID has to do w/ UEFI?
I will create an issue in the PureOS bug tracker, but if anyone has any troubleshooting ideas I’m interested in getting this working. I would like for this to be my primary computer.
I booted up the computer w/ a PureOS live-install and viewed the partition with the disks tool. The LUKS partition UUID does match the UUID in the error ‘cryptsetup failed, bad password or options?’
I tried to unlock the partition (within the disks tool) and it asked me for the passphrase. It doesn’t seem to like my passphrase ‘Operation not permitted’. I doubt that I am miskeying the passphrase. I wrote it down. Besides, if I do have it wrong I should still be able to enter it in without using a live disk…
Are you using an English keyboard layout?
Background: During initial setup you choose your keyboard layout before you enter your password for encryption - BUT in the password dialog still the default keyboard layout is active and not the one you chose!
If you later type your password on a keyboard layout configured differently you might not enter the same password, before the position of keys changed.
Furthermore there is a bug in the keyboards that makes it difficult to enter some keys.
But your screenshot seems to tell a different story or at least points to additional problems. If you’d like to debug the problem you’ll probably need to look at the scripts and information inside your initramfs. This is time consuming work to do and probably only makes sense if you’re able to read shell scripts.
In your screenshot you’re at a prompt in the initramfs - a minimal Linux system that is started during boot to allow the loading of drivers and initializing some things (like decrypting encrypted drives) before initd or systemd from the root partition can take over.
To start you could look at the following files:
- /etc/crypttab
- /cryptroot/crypttab
- /bin/cryptroot-unlock
- /scripts/local-top/cryptroot
Also you could copy the initramfs file /boot/initrd.img-x.y.z-r-amd64 to a different computer and unpack the filesystem there. The file is a cpio archive compressed with gzip (zcat initrd.img-x.y.z-r-amd64 | cpio -i would unpack it in the actual directory).
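Added example, not part of the post above and not PureOS or Purism code: once an initramfs has been unpacked into a directory, these shell helpers list the LUKS UUIDs named in its crypttab copies, check whether a given partition UUID is among them, and show which targets expect a key file instead of a passphrase prompt. The function names, the sample tree and the /boot/keyfile path are hypothetical; the second UUID is constructed.

```shell
#!/bin/sh
# Added example: inspect crypttab copies inside an unpacked initramfs tree.
# Function names and the sample tree below are hypothetical/constructed.

# Print "target<TAB>uuid<TAB>keyfile<TAB>file" for every UUID= entry.
crypttab_entries() {
    root=$1
    for f in "$root/etc/crypttab" "$root/cryptroot/crypttab"; do
        [ -f "$f" ] || continue
        # crypttab fields: target, source device, key file, options
        awk -v file="${f#"$root"/}" '
            /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
            $2 ~ /^UUID=/  { sub(/^UUID=/, "", $2)
                             print $1 "\t" $2 "\t" $3 "\t" file }
        ' "$f"
    done
}

# Exit 0 if the given LUKS UUID is referenced by the initramfs, 1 otherwise.
initramfs_has_uuid() {
    crypttab_entries "$1" | awk -F '\t' -v want="$2" '
        tolower($2) == tolower(want) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Targets whose key field is not "none" or "-", i.e. a key file is expected.
keyfile_targets() {
    crypttab_entries "$1" |
        awk -F '\t' '$3 != "none" && $3 != "-" && $3 != "" { print $1 }'
}

# Build a constructed sample tree so the helpers can be tried offline.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/cryptroot"
    cat > "$d/cryptroot/crypttab" <<'EOF'
# constructed sample, not taken from a real machine
luks-07f23b4f-d170-4148-b8f1-60b1cec24d20 UUID=07f23b4f-d170-4148-b8f1-60b1cec24d20 none luks
sdaX_crypt UUID=00000000-0000-4000-8000-000000000001 /boot/keyfile luks
EOF
    printf '%s\n' "$d"
}
```

On a real machine the UUID to compare against is what cryptsetup luksUUID prints for the encrypted partition, read from a live system or the older kernel.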
Yes, I’m using the English / US keyboard layout. It sounds like I could switch my layout to ‘default’ (is that what it is called?) while running the live USB and then test my encryption passphrase from there to confirm that I wrote down the correct passphrase.
I was able to mount the boot partition in initramfs but that’s as far as I got. I’ll check into those files when I have time. In the meantime I’ve installed another OS on my other SSD so I have something I can use until I get this fixed.
Is this how all distros work? This seems like a really poor design… does this mean that anyone who chooses to use a non-default keyboard layout has broken encryption from the start?
First of all I don’t know about any other notebook that comes with a pre-installed Linux and full disk encryption.
The patch that adds the password dialogue for encryption of the masterkey for disk encryption into GNOME initial setup is maintained in the Purism GitLab.
I’d say that the problem for the wifi password is probably the same for Debian Buster (please correct me, I didn’t really try it) and the password dialogue for disk encryption is specific to PureOS.
The design flaw only affects people who do not use an English keyboard and yes, I think it is a real show stopper that has to be fixed alongside with the problem that a fix for a keyboard firmware error in English layout keyboards breaks the keyboard layout for people ordering with a non-English keyboard layout (at least this is what happened when I got my Librem a few weeks ago).
But no, you’re not breaking the encryption by using the wrong layout. If you remember the password you typed you can use any other computer to type it blindly while using an English keyboard layout. What you get on the screen is the password you have to type in.
Furthermore you might need into account
described here.
From my point of view (using the German keyboard version of a Librem13v4) I absolutely cannot recommend the notebook with German keyboard layout to anybody without deep and good knowledge of Linux and the willingness to overcome these first obstacles by investing time.
On the other hand I’d strongly recommend the notebook as is to any Linux professional with the hint to this forum and the initial problems.
About the disk encryption and - from my point of view - another design flaw you can read here.
Keep in mind that Purism is taking a lonely way to build something new (based on what already there is) and make the world a bit better. If you expect the polished perfection of Google, Apple, Samsung, Microsoft etc. you’ll have to go on accepting that you’re not owning your data and that your data is exploited.