Install with disk encryption, password fails

I just installed Fedora 30 for the first time and enabled disk encryption in the process. Everything worked fine until I actually tried to boot. My password did not work. It's quite improbable that I made the same typo twice during the installation, but just to make sure, I reinstalled anyway. The problem persists.

Is this a keyboard issue? Or what could be going on here?

Pay attention to special characters you used in your password.
In this phase the keyboard layout is still us-qwerty (if I’m not wrong) even if you chose another layout during installation.

I did indeed use another keyboard layout for the install (German T3). I also considered this being the problem, but tried and failed to log in entering my password based on a US keyboard layout. I did not include that in my initial post, because Fedora informs the user during installation that the layout used for entering the password during installation would always be used to enter the password for decryption.
But if special characters are problematic in general, I will try a new installation setting a password without them.

No no, I don’t mean that. Special chars are fine. I mean that, as you have seen in the installation spokes, you can’t change the layout when entering the decryption passphrase.

So I have to correct myself: as you say, the layout will be the one selected during the installation.

I installed F30 Workstation Live using German T3 layout, and it seems there is something wrong in the keymap. Indeed, even entering my password based on a US keyboard layout doesn’t work. On the other hand, selecting another keymap (I tried Italian and French), it works.

I can confirm this. And the issue does not seem to be limited to the German T3 layout, I also tried the standard German layout and it did not work either. Using US layout it worked fine.

Thank you very much for your help.

Ok, the problem is back, somewhat at least:

This is my Grub menu. Entries 1 and 2 appeared after updates. Unfortunately, my password doesn’t work on either, only on the third (and I think the fourth).

As the first entry is the default one, this is somewhat annoying. I don’t really know what the difference between these entries is. Are updates not being loaded when I use the old entry?

The difference is quite simple. The number you see beside each one is the Linux kernel version. Fedora by default keeps three kernel versions (newest + two previous ones), and if the newest kernel gives you some trouble, you can always boot into a previous (presumably working) one. This has helped me several times.

The kernel is like the heart of your system, and it’s very important. I don’t think I can give a simple and good enough description if you have absolutely no idea what an OS’s kernel is. There’s definitely a Wikipedia article and maybe some other good explanations on the net though.

So when you choose an older boot option, you boot with older kernel – but all the other updates you’ve installed are active and being used.

In general – when all works ok – you should use the latest kernel available to you, as kernel’s updates contain bugfixes and various other fixes, and even newer hardware support.

Hope this’ll help you to understand your system a little better. If explanation isn’t clear enough, ask, I’ll try to provide you with additional details.

Also you may add additional passwords to your already encrypted drive. Here’s some details:

It says that you can have up to 8 passwords/keys (I’ve used two).

The command you need is

sudo cryptsetup luksAddKey /dev/sdaX

sdaX should be your LUKS partition. More details are in the article.

Please be careful, you can lose access to your encrypted data if you seriously mess up the passwords. Though just adding a new LUKS password doesn’t invalidate the old one, they are used simultaneously (and you need only one of them to decrypt the drive), there are commands to delete passwords and possibly change existing ones.

The idea is this: first you ensure you use English US layout, then you add new password to your LUKS drive/partition, then test if new one works upon reboot.

So basically with the next kernel update, the oldest version will disappear and I will no longer be able to log in, because the oldest version is the only one where that works?

Yes, exactly. You can postpone your updates until you resolve your password problem.

And the possibility is high it’s just a keyboard layout problem. You need to determine which layout is used upon boot when you enter your LUKS password, and provide LUKS with an additional password in this layout. Then – after you test it and are 100% sure it works – you can remove the glitchy/confusing password entry (or entries).

Since Kernel 5.2 I have not been able to decrypt my disk. I am holding on by kernel 5.0.9. A layout problem is highly unlikely.

It’s a good solve the problem. Have a nice day!

Hi @jorise! Welcome to Ask Fedora! Please have a look at the introductory posts in the #start-here category if you haven’t had a chance to do so.

Even if the layout problem is unlikely, I’d suggest adding second key in kernel 5.0.9 (where it all works) – maybe something really simple, maybe even just with numbers alone (I know it’s very insecure, but please keep with me for a moment) – and then testing this new key in a 5.2 kernel.

You can (and really should!) delete or change this insecure second passphrase after trying it (whether it works or not).

If this numbers-only passphrase works – then obviously the issue was with original passphrase (however unlikely). If it doesn’t work – then the issue is with something else. In such a case I suggest you open a separate topic, ping me from it – and we’ll try to troubleshoot it together (others will help too, I’m sure).

Hi @nightromantic, thanks for the reply. I was in a kind of tight situation, so I installed another distro and now I won’t be able to test your solution. Thanks anyway!

I was surprised to see this error happening again. I had this with Fedora 22 and switched then for other reasons to another distro.

Same problem here. The cause is in the installer, I suppose, when you enter special characters it discards them. The solution to boot on a newly installed system is to enter the same passphrase but omit the special characters. For an updated system I don’t know if it will work …

Hi @iranzoferri , welcome to the Fedora community!
If you’ve not had a chance yet, please look at the #start-here category. It has some very useful information on using the forum and tips on Fedora usage.

On your issue I have to disagree. Special characters are certainly not discarded when entering a LUKS password in the installer. However, you need to be aware that your keyboard layout may still be EN_US during the installer while your physical keyboard may be different and that may mess things up if characters of keymap and keyboard don’t align.

The best is to choose the right keyboard layout in the installer.

After the fact, I would suggest to change the passphrase according to

And finally, there is this long-standing and, if unknown, annoying bug that when you change your keyboard layout, it also changes the keyboard layout for plymouth (startup/disk encryption), but only after the next kernel update (when the initramfs is being rebuilt).

Meaning: while you think you have a new keymap, the disk encryption dialog will still be on the old keymap (for instance EN_US) until you install a new kernel…

A fix may be coming for F33 (see #53)
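
An added illustration, not part of any post in this thread, of the keymap mismatch discussed above: it shows what a prompt running the US keymap receives when the keys of a passphrase chosen on a German keyboard are pressed. The mapping table is constructed from the standard German QWERTZ and US layouts (base and Shift levels only), and `received_under_us` and `layout_independent` are hypothetical helper names.

```python
# Added illustration: what a boot prompt running the US keymap receives when
# the keys printed on a German (QWERTZ) keyboard are pressed.
# The table is constructed from the standard German and US layouts and covers
# the base and Shift levels of the common keys only (no dead keys).
DE_TO_US = {
    "z": "y", "y": "z", "Z": "Y", "Y": "Z",
    '"': "@", "§": "#", "&": "^", "/": "&", "(": "*", ")": "(", "=": ")",
    "ß": "-", "?": "_", "ü": "[", "Ü": "{", "+": "]", "*": "}",
    "ö": ";", "Ö": ":", "ä": "'", "Ä": '"', "#": "\\", "'": "|",
    ";": "<", ":": ">", "-": "/", "_": "?",
}
# Characters that need AltGr on the German layout. Assumption: the US keymap
# in use has no AltGr level, so the same key presses produce nothing usable.
DE_ALTGR = set("@€{[]}\\~|µ")


def received_under_us(passphrase):
    """Return (text the US keymap produces, characters with no equivalent)."""
    out, lost = [], []
    for ch in passphrase:
        if ch in DE_ALTGR:
            lost.append(ch)
        else:
            # Letters (except y/z), digits and a few symbols are unchanged.
            out.append(DE_TO_US.get(ch, ch))
    return "".join(out), lost


def layout_independent(passphrase):
    """True if the passphrase reads the same under both keymaps."""
    received, lost = received_under_us(passphrase)
    return not lost and received == passphrase


if __name__ == "__main__":
    # Constructed sample passphrases, not taken from the thread.
    for sample in ["Schlüssel-2019", "12345678", "zebra@home"]:
        received, lost = received_under_us(sample)
        print(f"{sample!r} -> {received!r} lost={lost} "
              f"independent={layout_independent(sample)}")
```

A passphrase for which `layout_independent` is true, such as the numbers-only test key suggested earlier in the thread, behaves the same whichever of the two keymaps the prompt uses.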