I know the threads How do I add myself back as a sudo user?, Mounting encrypted LUKS partition from Live CD, ... This thread is about how to add a sudo user back without root and other strict security policies in place in encrypted environment: whole-media encryption, home-folder encryption and empty-space overwrite, but you know the password of the encryption. Still, the mounting of such an encrypted device is not that straight-forward. This is not duplicate!
My whole disk is encrypted. It contains Ubuntu 16.04.
I know the thread How do I add myself back as a sudo user? but it is not for whole disk encryption.
I did sudo usermod -G staff masi by accident (missed option -a there) and logged out.
It removed me from all other groups than staff.
To get back to defaults, I should run
sudo usermod -a -G adm cdrom sudo dip plugdev lpadmin sambashare masi
However, I am not anymore a part of sudo group, so I cannot run it.
You cannot go Ubuntu's Grub > Rescue Mode in Grub > Advanced options because encryption in whole disc; no root is enabled; shift unsuccessful before/after encryption steps; unsuccessful entry to Recovery mode as described here; no Grub start after successful password entry in the encryption step; you cannot change the read-only /etc/default/grub so you cannot add there GRUB_CMDLINE_LINUX_DEFAULT="quiet splash single" for letting Grub work. So you have to have live Ubuntu with ecryptfs-utils schroot.
Persistent Live Ubuntu 16.04 Attempt
Create a persistent Live Ubuntu USB here. I do the following motivated by the sources here and here where no ready solution exists
> sudo apt-get update
...
> sudo apt-get install lvm2 cryptsetup
...
> sudo modprobe dm-crypt
> sudo fdisk -l % find the appropriate disc
sudo: unable to resolve host masi-CM6340: Connection refused
...
> sudo cryptsetup luksOpen /dev/sda5 myvolume % my case sda5 i.e. linux, not extended
sudo: unable to resolve host masi-CM6340: Connection refused
Enter passphrase for /dev/sda5: % which I enter successfully
>
> sudo mkdir /media/test
>
% sudo vgscan not needed to activate the sockets
> sudo vgchange -ay % will make volumes active
sudo: unable to resolve host masi-CM6340: Connection refused
2 logical volume(s) in volume group "ubuntu-vg" now active
% created also /dev/mapper/myvolume which can be mounted
>
> sudo mount /dev/sda5/home /media/test
mount: special device /dev/sda5/home does not exist (a path prefix is not a directory)
>
> % JayEye's 2nd proposal
> sudo mount /dev/mapper/myvolume /media/test
mount: unknown filesystem type 'LVM2_member'
%
% chroot to the mounted device, add masi back to sudoers and work done
Output of sudo parted -l /dev/mapper/myvolume [JayEye]
Model: ATA WDC WD64000AAKS-7 (scsi)
Disk /dev/sda: 640 GB
Sector size (logical/physical): 512B/512B
Partition table: msdos
Disk Flags:
Number Start End Size Type File system Flags
1 1049kB 512MB primary ext2 boot
2 513MB 640GB extended
5 513MB 640GB logical
Model: Kingston HyperX Fury 3.0 (scsi)
Disk /dev/sdb: 31.5GB
Sector size (logical/physical): 512B/512B
Partition table: msdos
Disk Flags
Number Start End Size Type File system Flags
1 27.3MB 30.4GB 30.4GB primary ext4 boot
2 30.4GB 31.5GB 1049MB primary linux-swap(v1)
Model: Linux device-mapper (linear) (dm)
Disk /dev/mapper/ubuntu--vg-swap_1: 34.3GB
Sector size (logical/physical): 512B/512B
Partition table: loop
Disk Flags:
Number Start End Size Type File system Flags
1 0.00B 34.3GB 34.3GB linux-swap(v1)
Model: Linux device-mapper (linear) (dm)
Disk /dev/mapper/ubuntu--vg-root: 605GB
Sector size (logical/physical): 512B/512B
Partition table: loop
Disk Flags:
Number Start End Size Type File system Flags
1 0.00B 605GB 605GB ex4
Error: /dev/mappper/myvolume: unrecognized disk label
Model: Linux device-mapper (crypt) (dm)
Disk /dev/mapper/myvolume: 640GB
Sector size (logical/physical): 512B/512B
Partition Table: unknown
Disk Flags:
I run sudo mount /dev/mapper/myvolume--vg-root /mnt [JayEye] and get
mount: special device /dev/mapper/myvolume--vg-root does not exist
I run sudo mount /dev/mapper/ubuntu--vg-root /mnt [DavidFoester] and get the following output which may still indicate successful mounting
sudo: unable to resolve host masi-CM6340: Connection refused
which is a warning that I get three times before in the script above.
I access successfully the first step of the encrypted device by vi /mnt/home/masi/README.txt
THIS DIRECTORY HAS BEEN UNMOUNTED TO PROTECT YOUR DATA.
From the graphical desktop, click on:
"Access Your Private Data"
From the command line, run:
ecryptfs-mount-private
where Access Your Private Data file is in /mnt/home/masi/Access-Your-Private-Data.desktop, but clicking on it does not lead to any GUI ouput (icon starts but closes automatically). I can find also ecryptfs-mount-private in Terminal, but there is no manpage/help-page of it. I run it in the folder, and I get
ERROR: Encrypted private directory is not setup properly
How to run ecryptfs-mount-private successfully?
Boot to the System - DavidFoerster's proposal (3) without Live System
My system has no root enabled.
I boot to Grub > Advanced Options > Recovery Mode.
I run sudo adduser masi sudo but get error code 1
Adding user 'masi' to group 'sudo' ...
Adding user masi to group sudo
gpasswd: cannot lock /etc/group; try again later
adduser: '/usr/bin/gpasswd -a masi sudo' returned error code 1. Exiting.
Rebooting, logging back again in the system, I do sudo echo "masi" and I get masi is not in the sudoers file. ....
I think problem here is that no mount and chroot.
Ubuntu 16.04 Live System Attempt
I cannot open the encryption in the normal Live system. I run unsuccessfully
> sudo modprobe dm-crypt
> sudo fdisk -l % find the appropriate disc
...
Device Boot Start End Sectors Size Id Type
/dev/sdf1 ... 449.9G ... Linux
/dev/sdf2 ... 15.9G ... Extended
/dev/sdf5 ... 15.9G ... Linux swap / Solaris
> sudo cryptsetup luksOpen /dev/sdf1 myvolume
Device /dev/sdf1 is not a valid LUKS device
> sudo cryptsetup luksOpen /dev/sdf2 myvolume
Device /dev/sdf2 is not a valid LUKS device
I still do the following but notice that the above step has to be completed successfully before proceeding
sudo fdisk -l % find the correct sector
ubuntu@ubuntu:~$ sudo mount /dev/sdf1 /mnt
ubuntu@ubuntu:~$ sudo chroot /mnt
sudo adduser masi sudo
Output
sudo: unable to resolve host ubuntu: Connection refused
The user `masi' is already a member of `sudo'.
TODO I think you need to enter the passphrase for the encryption before doing this. However, it did not ask me it in any stage.
How can you add yourself back in sudo group in Encrypted HDD of 16.04 with Strict Security Policies?
To edit the group membership status and re-add yourself to the
sudogroup you must first access the encrypted, volume-managed file systems. The latter part is the same as for file recovery in such a situation.To summarize the sequence of necessary steps and link each one to more detailed instructions:
Boot from a live DVD/USB an choose "Try Ubuntu".
Mount encrypted volumes from command line? to decrypt the LUKS container.
Mounting encrypted LUKS partition from Live CD to expose the volumes managed by LVM inside the LUKS container.
According to the output of Parted the volume for the root partition of your Ubuntu installation would be
/dev/mapper/ubuntu--vg-rootwhich you can mount withor
How do I add myself back as a sudo user? to fix the group membership on the previously mounted volume. (You don't need to access the home directory for this so no need to decrypt it.)
Bonus:
Boot from installation media and select "Try ubuntu".
Open/decrypt with cryptsetup, Mount the local disk,
chrootto it, and re-add yourself!You are trying to mount
/dev/sda5/home. Given how you have runcryptsetup, you should be trying to mount/dev/mapper/myvolumeImpossible. You cannot add yourself back to the disk because of the strict security policies. Answers here have not made the testing environment for them. They have not managed to test their own answers. Much reproduction what I I have already tested there.