During a computer's boot process, you must transition from a firmware (UEFI or BIOS) process to loading a kernel and then finally to the user environment. When booting a POSIX system, you can choose to interrupt the boot process to adjust settings or even to log in using a chroot environment.
This is a useful troubleshooting and maintenance technique, but it's also the reason it's so important to utilize full disk encryption when installing your operating system. When a drive is encrypted, nothing on the drive is accessible without your passphrase, even from a preboot environment. As long as you have the passphrase to decrypt your drive, you can interrupt a Linux system's boot process and access the drive without booting into a full operating system (OS).
The GRUB screen
The hand-off from firmware to bootloader ends in the grand unified bootloader (GRUB) screen. GRUB is a text menu that allows you to select which OS and kernel version you want to boot into. By default, it assumes you want to boot to the latest version of Linux installed on the machine. However, it also allows you to modify how you want to boot the OS.
To prepare your computer to have its boot process interrupted, press e on your keyboard when you see the GRUB startup screen. This reveals the boot parameters assigned to the default menu selection.
load_video
set gfx_payload=keep
insmod gzio
linux ($root)/vmlinuz-x.y.z-aa.el9.x86_64 root=/dev/mapper/rhel-root ro resume=\
/dev/mapper/rhel-swap rd.lvm.lv=rhel/boot rd.lvm.lv=rhel/swap rhgb quiet
initrd ($root)/initramfs-x.y.z-aa.el9.x86_64.img $tuned_initrd
After the string quiet, add the parameter rd.break, and then press Ctrl+X to exit the parameters editor and continue booting. The rd.break parameter causes the initial RAM disk containing the parts of the Linux kernel required to boot to "break," in the same sense that a debugger places "breakpoints" in an application to pause its execution. The initial RAM disk (initrd) is likely located within the encrypted portion of your hard drive, so you must enter your passphrase before you can continue to boot.
If your computer continues to boot without prompting you for a passphrase, then you have not activated full disk encryption.
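One way to confirm from the running system that a filesystem really sits on an encrypted layer, instead of waiting to see whether boot prompts for a passphrase. This is an added example, not part of the original article; the function names and the sample device names are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: report whether a mounted filesystem sits on a
# dm-crypt (LUKS) layer. Function names are hypothetical.

# Read `lsblk -s -rno NAME,TYPE <device>` output on stdin: one
# "name type" pair per line, the device first, then every device
# beneath it. Succeed if any layer in that stack has TYPE "crypt".
has_crypt_layer() {
    awk '$2 == "crypt" { found = 1 } END { exit !found }'
}

# Live check for a mount point (default /).
# Returns 0 if encrypted, 1 if not, 2 if the backing device
# could not be determined.
mount_is_encrypted() {
    mnt=${1:-/}
    src=$(findmnt -no SOURCE "$mnt") || return 2
    src=${src%%\[*}            # drop a btrfs "[/subvol]" suffix
    [ -b "$src" ] || return 2
    lsblk -s -rno NAME,TYPE "$src" | has_crypt_layer
}

# Constructed lsblk output for two layouts (not from a real machine).
SAMPLE_LUKS='rhel-root lvm
luks-example crypt
sda3 part
sda disk'

SAMPLE_PLAIN='rhel-root lvm
sda3 part
sda disk'

printf '%s\n' "$SAMPLE_LUKS" | has_crypt_layer \
    && echo "sample LUKS layout: encrypted"
printf '%s\n' "$SAMPLE_PLAIN" | has_crypt_layer \
    || echo "sample plain layout: NOT encrypted"
```

On an installed system, call `mount_is_encrypted /` and repeat it for any separate data mount such as /home.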
Enter maintenance mode
Because you've instructed the initrd to break, the boot process stops in an emergency maintenance mode. If you have nothing you need to do, you can press Ctrl+D to continue booting as normal. Otherwise, press Enter for a minimal but interactive shell.
Do disk repair
Once you're at a shell prompt, you're the root user of that machine. Your next actions depend entirely on what kind of maintenance you need to perform.
You might run a disk check on your drive using the xfs_repair command:
sh# xfs_repair /dev/sda1
Change your active environment with chroot
To recover a password, you might need to remount the drive (it's already mounted in read-only mode to /sysroot as part of the boot process). The remount,rw options mount a location on a drive with write permissions. This task can be extremely dangerous: You have full root privileges, no guardrails, and a writable drive. The less time you spend in this mode, the better, and you should use it only in true emergencies.
sh# mount -o remount,rw /sysroot
You must use the chroot command to make the remounted drive your active environment. This replaces your current / partition with /sysroot, which sets all paths to the ones you're used to when you log into a system.
For instance, before a chroot:
sh# which sh
which: command not found
After a successful chroot:
sh# chroot /sysroot
sh# which sh
/usr/bin/sh
From here, you're mostly logged into the system. You can run commands, recover files and passwords, and perform whatever maintenance you may need to do. Some conveniences are lacking. For instance, there's no /proc or /sys mounted unless you mount them yourself (mount -t proc proc /proc, for instance). However, the point isn't to make this session a fully interactive multiuser experience. This is maintenance mode, and it's meant as a temporary environment for emergencies.
When you've finished maintenance, set a flag so that SELinux relabels the system as needed on the next boot. This step isn't always strictly necessary, depending on what kind of maintenance you've done, but it's not a bad idea given that you've likely made changes to the system. Once you've done that, exit the chroot environment and then exit the shell to continue booting:
sh# touch /.autorelabel
sh# exit
sh# exit
As your computer continues to boot, SELinux relabels the system as required.
The boot process isn't meant to be interrupted, and it's rarely necessary. In times of trouble, though, this is an important troubleshooting technique. Use it wisely, and use full disk encryption to ensure no interactive shell is available without decryption.