Gain local root access on an encrypted HDD (FDE) in Linux

Disclaimer: The following information is to be used for educational purposes only. I am not responsible if you do something weird with your encrypted drive and it fails to boot! And doing this stuff on other’s computers (i.e. computers, HDD, etc. which are not owned by you) might land you into legal troubles and no pointing fingers to me.

Now with all that bla bla out of the way, we can start with the real meat. Running Linux on your local machine is fun. Running Linux on a machine connected to the network is more fun (and not funnier!). And getting Linux installed on your work machine and doing everything with it (and not looking back to WinBlows anymore) is much more fun (and not funniest!). Anyways, after having such loads of fun, of course we run into people known as system admins. And these people are real bottlenecks for productivity. If you are a sysadmin reading this, then yes it is you who is hampering productivity and utility on our Linux systems because of your stupid decisions and mis-configurations.

Anyways, now, if you have a laptop running Linux, why in the name of "<insert whoever you love/hate>" will you not get root privileges on the local machine? I mean you are the owner of the system and you don’t want to call support (read sysadmins) for every little thing that you need to do! In my case, my local installation had a Thunderbird version 3.xx something. And the latest was 16.xx. I asked the sysadmins to update my Thunderbird and the usual answer was that they would look into the possibility. Of course the possibility probability is always 0.01. So the next best thing is to do it yourself but then of course you are not allowed to do that because of the restrictive access rights. And it seriously destroys my productivity working with older versions and trying to solve bugs which are already solved in newer versions.

And for the sysadmins, what better way to defer people from rooting then by encrypting the whole hard drive! Any noob can be stopped from doing such devious acts right. Well, wrong! Now, I am not exactly a noob but I do not consider myself a guru as well. So below is how you get root access on your encrypted HDD. Now with my rant out of the way, we start with the real thing.

Follow the procedure below and ask questions in the comments if you have doubts. First of all, boot the machine through a live CD. I used the Ubuntu live CD but you can use anything. If the bios settings do not allow to boot from the CD, use another machine to boot into a Linux machine (on which you have root access or from which you can boot a live CD), remove the HDD from the current machine and attach it as a secondary HDD on the machine with root access. Now if you do a fdisk or use the partition viewer, you should basically see 2 partitions. One is an ext3/ext4 based partition which will contain a minimal kernel and secret keys for the Luks encrypted partition. This partition will be very small (close to 200MB). Another partition will be an unrecognized file system and it will be the big partition spanning the entire disk.

Now go to the command line and install lvm2. i.e. execute sudo apt-get install lvm2. In the ubuntu live CD, lvm2 is not a part of the default install. Hence you need to install it. On others, it might be included. Use the package manager as provided by your live CD to install lvm2. Don’t worry, all the changes are happening in RAM, so there is no way you will write to the encrypted HDD or mess with the partition schemes. Now you should run a command known as vgs. This command will read information about the volume groups and provide you with the needed information like volume group name (quite important to remember/write down). You should also run a sudo vgscan if needed which will scan the HDD for LVM encrypted volumes and rebuild the caches. Now run lvs to report the information about the logical volumes if needed (i.e. if vgscan does not show proper information). Also do a modprobe dm-mod if the device manager module is not loaded in the kernel. For the live CD I was using, I had to it. Now that you have got the group name, change the attributes of the volume to allow changes and modifications. Use the command: sudo vgchange -ay <volume group name>.

If you reached here, the rest is a piece of cake. Mount the volume now and make the changes. But before mounting, you need to decrypt it. Use the following command. Please make sure you are using the proper mount point (look into the kernel logs dmesg if you need information on what block device is the volume pointing to).

sudo cryptsetup luksOpen /dev/<sda1> <any_name_for_recognition>

It will now ask for the password. And of course you have one since you are able to login. If not, you will have to get the keys from the root volume. That is a thing for another article! Once you give the correct password, it will show something along the lines that the volume is decrypted successfully. Now it is just a matter of mounting the volume as a normal volume.

sudo mkdir /media/<mount_point>
sudo mount /dev/mapper/<any_name_for_recognition> /media/<mount_point>

Remember that in the above command, the decrypted volume is available at /dev/mapper. If you want to know why, google for LVM and full disk encryption using Luks. There are detailed explanations available on how Full Disk Encryption (FDE) works under Linux.

Okay, now you have achieved what you wanted to. The root account in most such cases is disabled. You can enable it and change the root password to anything you like. You can also add your normal account/user id to the local root group. That will give you local root access. Now all you need to do is flush the changes back to the encrypted HDD. For that, you unmount the device using sudo umount /media/<mount_point>. And then we close and lock the container. Use the command: sudo cryptsetup luksClose <any_name_for_recognition>.

Thats it, now shutdown the system and boot it normally. Enter your encryption password and go into the system. Open a terminal window and do su -l. It asks you for a password, enter the same one that you have given above while enabling/changing password for the root account. You should be in with root access to local system. This is much useful to fix your system instead of making calls to the admins/help and wait for them to fix stuff for you. You can also install printers and do everything that makes you more productive. On networked computers, usually the access is monitored using /etc/sudoers. It might happen that the file is being reset every now and then. So if you find a message that your normal user account cannot execute certain functions, make sure you log in as local root and change the sudoers file. Then it won’t cause any problems.

Last and not the least, if you don’t know what to do with root access, please don’t enable it. You can mess with your system. ENJOY and help people find peace and liberation!