So I did a system restore and then I reset the password for my disk encryption. Then I upgraded to F44 and restored again (to a date prior to the first restore). Now both of my luks passwords the old and new both don’t work. Did I just brick my computer and the encryption password got like corrupted somehow? Is it still possible to unencrypt my disk? I don’t think it’s a keyboard issue as I have a US keyboard.
I think you will need to provide more details before someone can seriously try to support you. How did you “restore” your system? Image based backup? Filesystem snapshot? Something else? What do you mean by “reset the password for my disk encryption”?
LUKS has a concept of key slots. It would be interesting to see the output of cryptsetup luksDump to see how many slots have key material in them, something like
$ sudo cryptsetup luksDump /dev/nvme0n1p3
LUKS header information
Version: 2
Epoch: 52
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: [redacted]
Label: (no label)
Subsystem: (no subsystem)
Flags: allow-discards
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 4
Memory: 1048576
Threads: 4
Salt: [redacted]
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
[...]
Alright thank you. I used the snapshot tool in btrfs assistant which I believe restores /root (is that still vague?) Also how would I enter somewhere where I can run cryptsetup? Right now I can only boot into grub and then when I select a kernel to boot I have to put in the password and the password doesn’t work. Sorry if I’m missing something super obvious here.
OK, that tells me a few things: LUKS was unlocked, the filesystem was mounted, and because it was on the filesystem level, you didn’t touch the LUKS header in this step. (And you also didn’t restore an image of the whole partition, which would have overwritten the LUKS header.)
For now, I would rule out that this messed up your LUKS header.
(Technically, this restored /, the root filesystem, not just /root, the root user’s home.)
It clarified the restore part, but it didn’t answer my second question about resetting the LUKS password.
There are two possibilities on the commandline to change a passphrase of a LUKS volume (and possibly some graphical ones, too, but I have never used any of those).
$ sudo cryptsetup luksChangeKey /dev/nvme0n1p3
$ sudo systemd-cryptenroll --password /dev/nvme0n1p3
The second one adds a new passphrase to a new keyslot, but can be combined with --wipe-slot= to wipe another slot in one command.
It would be helpful to know exactly what steps you performed.
Just boot into a live system, run lsblk to identify your LUKS partition (or skip it if you already know the partition) and then inspect its LUKS header (if you post the output here, make sure to redact anything you consider sensitive, like UUIDs or salt):
$ sudo cryptsetup isLuks /dev/nvme0n1p3 # <- assuming that is the partition you identified
$ sudo cryptsetup luksDump /dev/nvme0n1p3
After that, try unlocking and mounting it from the live system to see if that gives you any error messages:
$ sudo cryptsetup open --type luks /dev/nvme0n1p3 myrootfs
$ sudo mkdir -p /mnt/myrootfs
$ sudo mount -o ro /dev/mapper/myrootfs /mnt/myrootfs # read-only to make sure we don't cause more problems, just in case
$ sudo ls /mnt
So I did everything you said but then I was like what if I just do luksChangeKey again and I changed my password again and then logged on/decrypted with the new password and it worked. At first when I did this I was like that was dumb of me because me deciding to do randm stuff to my system is what caused it to not decrypt the drive and yadda yadda. But a bunch of the commands didn’t spit anything back out and it just went to another line where it starts with the colored text and the $ so I guess that’s why I did that. But besides all that thank you very much because I wouldn’t have known to run commands in a live system.