I booted up the computer w/ a PureOS live-install and viewed the partition with the disks tool. The LUKS partition UUID does match the UUID in the error ‘cryptsetup failed, bad password or options?’
I tried to unlock the partition (within the disks tool) and it asked me for the passphrase. It doesn’t seem to like my passphrase ‘Operation not permitted’. I doubt that I am miskeying the passphrase. I wrote it down. Besides, if I do have it wrong I should still be able to enter it in without using a live disk…
Background: During initial setup you choose your keyboard layout before you enter your password for encryption - BUT in the password dialog still the default keyboard layout is active and not the one you chose!
If you later type your password on a keyboard layout configured differently you might not enter the same password, before the position of keys changed.
Furthermore there is a bug in the keyboards that makes it difficult to enter some keys.
But your screenshot seems to tell a different story or at least points to additional problems. If you’d like to debug the problem you’ll probably need to look at the scripts and information inside your initramfs. This is time consuming work to do and probably only makes sense if you’re able to read shell scripts.
In your screenshot you’re at a prompt in the initramfs - a minimal linux system that is started during boot to allow the loading of drivers and initializing some things (like decrypting encrypted drives) before initd or systemd from the root partition can takeover.
To start you could look at the following files:
/etc/crypttab
/cryptroot/crypttab
/bin/cryptroot-unlock
/scripts/local-top/cryptroot
Also you could copy the initramfs file /boot/initrd.img-x.y.z-r-amd64 to a different computer and unpack the filesystem there. The file is an cpio archive compressed with gzip (zcat initrd.img-x.y.z-r-amd64 | cpio -i would unpack it in the actual directory).
Yes, I’m using the English / US keyboard layout. It sounds like I could switch to my layout to ‘default’ (is that what it is called?) while running the live USB and then test my encryption passphrase from there to confirm that I wrote down the correct passphrase.
I was able to mount the boot partition in initramfs but that’s as far as I got. I’ll check into those files when I have time. In the mean time I’ve installed another OS my other SSD so I have something I can use until I get this fixed.
Is this how all distros work? This seems like a really poor design… does this mean that anyone who chooses to use a non-default keyboard layout has broken encryption from the start?
First of all I don’t know about any other notebook that comes with a pre-installed Linux and full disk encryption.
The patch that adds the password dialogue for encryption of the masterkey for disk encryption into gnome initial setup is maintained in the purism gitlab.
I’d say that the problem for the wifi password is probably the same for Debian Buster (please correct me, I didn’t really try it) and the password dialogue for disk encryption is specific to PureOS.
The design flaw only affects people who do not use an english keyboard and yes, I think it is a real show stopper that has to be fixed alongside with the problem that a fix for a keyboard firmware error in english layout keyboards breaks the keyboard layout for people ordering with a non-english keyboard layout (at least this is what happened when I got my Librem a few weeks ago).
But no, you’re not breaking the encryption by using the wrong layout. If you remember the password you typed you can use any other computer to type it blindly while using an english keyboard layout. What you get on the screen is the password you have to type in.
From my point of view (using the german keyboard version of a Librem13v4) I absolutely cannot recommend the notebook with german keyboard layout to anybody without deep and good knowledge of Linux and the willingness to overcome these first obstacles by investing time.
On the other hand I’d strongly recommend the notebook as is to any Linux professional with the hint to this forum and the initial problems.
About the disk encryption and - from my point of view - another design flaw you can read here.
Keep in mind that Purism is taking a lonely way to build something new (based on what already there is) and make the world a bit better. If you expect the polished perfection of Google, Apple, Samsung, Microsoft etc. you’ll have to go on accepting that you’re not owning your data and that your data is exploited.