System fails to boot and falls back to an initramfs shell
Issue
A user reports that after a recent kernel upgrade their Linux machine fails the boot sequence and falls back to an initramfs shell.
Example output:
Volume groupe Crypt not found
/dev/mapper/crypt-root does not exist
(initramfs)
Solution
Info
This issue arises when the `yubikey-luks` and `yubikey-luks-ovh` packages have coexisted at some point (the circumstances are currently unknown) and a later removal of `yubikey-luks-ovh` might have triggered the deletion of `/usr/share/yubikey-luks/ykluks-keyscript`, which is installed by both packages.
`/usr/share/yubikey-luks/ykluks-keyscript` is indispensable because without it the `cryptsetup` utility, which is used to unlock a LUKS device,
cannot complete its task correctly and the system fails to boot.
Two situations are possible for this issue: either the user can choose an older kernel and boot the system with it (Situation 1), or none of the installed kernels boot (Situation 2).
Follow the steps below for your identified situation to resolve the issue accordingly.
Situation 1
Given that the system has booted up and you have access to a terminal, you can run the command below to ensure that `yubikey-luks-ovh` has been properly removed and `yubikey-luks` is installed correctly.
sudo apt purge yubikey-luks-ovh -y && sudo apt install yubikey-luks -y
Once that is done, make sure that `/usr/share/yubikey-luks/ykluks-keyscript` is present; if it isn't, run the above command again.
ls /usr/share/yubikey-luks/ykluks-keyscript
Finally, you can generate the new initramfs images for all installed kernel versions.
Warning
This command can only be executed by the `helpdesk`, `ctop` and `root` users.
sudo update-initramfs -u -k all
Reboot the system and confirm that the LUKS unlock prompt appears again.
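Before that reboot, it is worth confirming that the keyscript is back on disk and was actually packed into every regenerated image. The script below is an added example, not part of the original article; it assumes `lsinitramfs` from initramfs-tools is available and that each image should contain a file named `ykluks-keyscript` (its location inside the image is not stated in the article, so any directory is accepted). The script name `check-keyscript.sh` is hypothetical.

```shell
#!/bin/sh
# Added example: pre-reboot check for the yubikey-luks keyscript.
# Usage (hypothetical file name): sudo sh check-keyscript.sh /boot
KEYSCRIPT=/usr/share/yubikey-luks/ykluks-keyscript   # path from the article

# Succeeds if the file listing on stdin names the keyscript.
# Assumption: the image carries a file with the same basename, in any directory.
listing_has_keyscript() {
    grep -Eq '(^|/)ykluks-keyscript$'
}

# check_boot_dir BOOT_DIR [KEYSCRIPT_PATH]
# Prints one status line per initrd.img-* found in BOOT_DIR and returns
# non-zero if the keyscript is missing on disk or from any image.
check_boot_dir() {
    boot_dir=$1
    keyscript=${2:-$KEYSCRIPT}
    rc=0
    if [ ! -x "$keyscript" ]; then
        echo "MISSING on disk: $keyscript"
        rc=1
    fi
    for img in "$boot_dir"/initrd.img-*; do
        # An unmatched glob stays literal, so test that the file exists.
        [ -e "$img" ] || { echo "no initramfs images in $boot_dir"; return 1; }
        if lsinitramfs "$img" | listing_has_keyscript; then
            echo "OK      $img"
        else
            echo "MISSING $img"
            rc=1
        fi
    done
    return $rc
}

# Run the check only when a boot directory is given on the command line.
if [ "$#" -gt 0 ]; then
    check_boot_dir "$@"
fi
```

A `MISSING` line for an image means that kernel would drop to the initramfs shell again; reinstall `yubikey-luks` and regenerate the images before rebooting.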
Situation 2
Warning
Please have the LUKS masterkey at hand before continuing.
In the unfortunate situation where no kernel version boots successfully, you can attempt to unlock the LUKS disk manually before proceeding with the steps in Situation 1.
First you will have to identify the disk partition used as the LUKS device. Normally it is `/dev/nvme0n1p4`; however, you may verify that with the command here:
(initramfs) cryptsetup isLuks /dev/nvme0n1p4 && echo $?
If the output is `0`, everything is fine and you can proceed and unlock the LUKS device as shown below. The command will prompt you for the LUKS masterkey, so type it in carefully and hit Enter.
(initramfs) cryptsetup luksOpen /dev/nvme0n1p4 nvme0n1p4_crypt
If no error message has been returned, the unlocking of the disk was successful and you can now resume the boot sequence with the key combination Ctrl + D and wait for the system to boot up before continuing with the steps in Situation 1.