How to access your encrypted Linux system from the Ubuntu installer when your system won’t boot

By | May 13, 2023

OK, so, you’re here because you’ve managed to do something to screw up your Linux box which has a LUKS-encrypted root filesystem, and now it won’t boot, and you need to boot from Ubuntu install media to fix what’s broken.

Or, at least, that’s why I’m here, and I’m writing out these notes about what I needed to do to fix my system. In my particular case I was experimenting with different nvidia driver versions and discovered that several of them prevent my system from booting up even in recovery mode.

In a nutshell, here’s what you do:

Download the Ubuntu Desktop ISO version that matches the version of Ubuntu you’re running onto another working Ubuntu Linux machine. It may not be 100% necessary for the versions to match, but it’s safer. See for all the installers.

Write the ISO to a thumb drive. To do that:

  1. Plug in the thumb drive.
  2. Open the Disks utility.
  3. Tell it to unmount the thumb drive if it’s mounted by selecting the thumb drive on the left and then clicking the stop button.
  4. Click the three dots menu button in the upper right corner and select “Restore Disk Image…”.
  5. Select the ISO file you downloaded as the image.
  6. Select the thumb drive as the target.
  7. Click “Start Restoring…”.
  8. Wait for it to finish.
  9. Unmount the thumb drive again.

Boot your broken system from the thumb drive.

When Linux boots up it may ask whether you want to try or install Ubuntu. If it does, say try.

Open a Terminal window.

Run sudo lsblk --fs | grep crypt to get a list of all encrypted devices. For me, the output looks like this:

sdc3 crypto_LUKS 1 [random uuid not included here]

You might have more than one encrypted device. You need to unlock each of them with cryptsetup. Something like this:

sudo cryptsetup /dev/sdc3 sdc3_crypt

You will be prompted for the passphrase for each device that you unlock.

Now open the Disks utility and you should see your filesystems are available under /dev/mapper. For example, I see /dev/ubuntu-vg/root and /dev/ubuntu-vg/swap which weren’t there until after I ran cryptsetup. We’re going to ignore the swap partition, it doesn’t matter for this.

Run fsck /dev/ubuntu-vg/root (or whatever the correct device path is) to make sure the filesystem isn’t corrupt, and then mount [the-same-device-path] /mnt (replace the device path with whatever the Disks utility shows for you).

Look in /mnt/etc/fstab for other filesystems that need to be mounted. You’ll probably have /boot and maybe others. You’re just looking for actual filesystems now, not special things like /sys etc. I’ll deal with them below. Mount them underneath /mnt. For example, my fstab lists /boot with a UUID instead of a device path, so I have to do sudo fsck UUID=[uuid-from-fstab] and then sudo mount UUID=[uuid-from-fstab] /mnt/boot.

Mount other special filesystems:

sudo mount -o bind /sys /mnt/sys
sudo mount -o bind /dev /mnt/dev
sudo mount -o bind /dev/pts /mnt/dev/pts
sudo mount -o bind /proc /mnt/proc

You should now be able to do sudo chroot /mnt in your Terminal to launch a shell inside your system’s filesystem and do whatever maintenance you need to do there.

If you’re going to be doing stuff in the chroot that requires networking, you may need to copy the contents of the install boot’s /etc/resolv.conf into /mnt/etc/resolv.conf so name resolution works inside the chroot. If you do this remember to restore the original contents of /mnt/etc/resolv.conf when you’re done.

When you’re done you can simply reboot.

Print Friendly, PDF & Email

Leave a Reply

Your email address will not be published. Required fields are marked *