
#1 2017-03-06 16:48:02

knubee
New Member
Registered: 2017-03-06
Posts: 2

How do I reinstall on an encrypted LUKS/LVM system?

Hi. Long-time Crunchbang and Bunsenlabs user, first time posting here.

I borked my /var directory recently and have been in search of a HOWTO for BunsenLabs analogous to these old ones for Ubuntu:

HOWTO: install and reinstall on an encrypted LUKS/LVM system

HOWTO: re-install / upgrade over existing dm-crypt / LUKS system

My situation is identical to the scenario described in those links: I have an encrypted LUKS/LVM volume, separate /root /boot /home and /data partitions, and I simply want to reinstall BL by overwriting the /boot and /root partitions without overwriting /home or /data.

The link above is from 2009 when Ubuntu distributed an "alternate" installer which seemed to provide more relevant control during the partitioning process. Specifically: it seems like it was possible to actually mount (unlock) the encrypted volume during the installation process and then specify a target partition in that volume for install/reinstall.

Any suggestions for how to do this?

In the worst case, I do have backups of my data and settings, so I could reformat the drive and reinstall from scratch. I would prefer to avoid this for a couple of reasons. First, it seems like it ought to be straight-forward to do this kind of thing (ie, install over an existing system on an encrypted volume). Second, this is a dual boot machine and I recall this being a bit tricky the last time I did this with BL (encrypted setup tends to assume we are going to partition the entire hard drive).

cheers, k


#2 2017-03-06 17:22:32

earlybird
ほやほや
Registered: 2015-12-16
Posts: 738
Website

Re: How do I reinstall on an encrypted LUKS/LVM system?

The process should be straightforward. The Debian netinstall CLI/expert installer should support this (but check first :>) I don't think the BL installer has the required expert mode, see https://forums.bunsenlabs.org/viewtopic.php?id=2929.

Use a current Debian netinstall image for the installation, and use the CLI installer. Go through the menus till the partitioning step; and do manual partitioning. It should detect the LUKS volume and ask for the passwords, update the view and present you with the LVs from inside the luks container, which you then can select as usual for mount points. For the partitions you want to preserve, obviously, disable formatting. Alternatively, just reformat the current root lv, install the full system onto it, and proceed with adding back your data partitions after the first successful boot.

Backing up irreplaceable data (regular backup; lvm snapshot perhaps) before doing the operation should be a given though.


#3 2017-03-06 18:27:03

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: How do I reinstall on an encrypted LUKS/LVM system?

Thanks @earlybird, just finished a post but it was not sent because I got logged out. Anyhow I was thinking about this as a straightforward process too.

Btw those links do not work atm (Ubuntuforums.org is undergoing scheduled hardware upgrades). Just for clarification: I guess there is a separate /boot partition, which is probably a non-encrypted grub partition? As it is a dual boot machine, grub should be able to detect the partition with the other OS automatically, if it's on a non-encrypted partition. I'm not sure about the /data partition you mentioned - what is it used for (mostly it is /root, /home and swap)? Somebody correct me if I'm wrong but I would also replace the /boot partition during the install and let grub detect the other OS. After the installation of the new /root partition and a restart it should automatically offer dual boot.

That "encrypted setup tends to assume the entire drive" thing is indeed often true with other installers (at least according to my experiences), however the Debian installer manages this situation rather well (one has to be careful with the correct steps in the installer though).


#4 2017-03-07 02:23:16

knubee
New Member
Registered: 2017-03-06
Posts: 2

Re: How do I reinstall on an encrypted LUKS/LVM system?

Thanks for the pointer to Debian netinstall.

I see there is a BL netinstall script here intended for people who want to selectively add BL packages to a Debian install. Once I have a working installation of Debian, I want to eventually have a "complete" BL install, so is that the script to use? Or is it just a matter of adding the BL repositories to apt sources and running update/upgrade?

@martix The "/data" partition I mentioned is actually just a partition with my data which I keep separate from /home. Should have been more clear about that (eg, "/my-data")

Last edited by knubee (2017-03-07 03:19:14)


#5 2017-03-07 07:29:34

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: How do I reinstall on an encrypted LUKS/LVM system?

knubee wrote:

Thanks for the pointer to Debian netinstall.

I see there is a BL netinstall script here intended for people who want to selectively add BL packages to a Debian install. Once I have a working installation of Debian, I want to eventually have a "complete" BL install, so is that the script to use? Or is it just a matter of adding the BL repositories to apt sources and running update/upgrade?

We have an experimental UEFI-capable ISO image that includes the "Advanced" version of the Debian installer and this should accommodate LUKS/LVM with no need to resort to scripts.

https://forums.bunsenlabs.org/viewtopic.php?id=3423


“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII., 18.

Forum Rules   •   How to report a problem   •   Software that rocks


#6 2021-11-10 03:08:50

johnraff
nullglob
From: Nagoya, Japan
Registered: 2015-09-09
Posts: 8,424
Website

Re: How do I reinstall on an encrypted LUKS/LVM system?

Just in case someone in 2021 finds this via a web search (as I just did) I can report that while the Debian Installer sets up a new LVM-on-LUKS with no problem, with existing encrypted LVM it does not "detect the LUKS volume and ask for the passwords, update the view and present you with the LVs from inside the luks container" as you might hope. There seems to be considerable danger of data loss.

I've been spending some time trying to find how I can put a Beryllium system on my laptop while keeping the existing Lithium and Data encrypted LVM partitions (and suspecting I might have already lost some data). Just dropping these links for now, but if it ever finally works I'll post something, maybe here or on a new thread.

https://bugs.debian.org/cgi-bin/bugrepo … bug=451535
https://www.blakehartshorn.com/installi … ypted-lvm/
https://linuxconfig.org/how-to-install- … -container
https://consolematt.wordpress.com/2013/ … partition/


...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), idle Twitterings and GitStuff )

Introduction to the Bunsenlabs Lithium Desktop


#7 2021-11-10 09:50:36

johnraff
nullglob
From: Nagoya, Japan
Registered: 2015-09-09
Posts: 8,424
Website

Re: How do I reinstall on an encrypted LUKS/LVM system?

Well, since it's still on-topic and the situation hasn't changed that much since 2017 I'll post the results of today's work here.
I used mostly these two guides to install a basic CLI Debian Bullseye:
https://www.blakehartshorn.com/installi … ypted-lvm/
https://linuxconfig.org/how-to-install- … -container

So please read through those, but anyway, briefly:

0) Don't forget to backup everything, including the partition that's mounted on /boot in the current system.

1) Before starting, don't bother "making life easier" by setting up a new lvm logical volume (lv from now on) to hold the new install. My existing "beryllium" lv - even though I reformatted it - triggered a weird bug in debian-installer (d-i from now on) which caused it to add a false member "beryllium1" to /dev/mapper and use that for the install, even though the LVM tools only recognized the true "beryllium" lv. The resulting grub menu was of course broken, and the installed new system likely lost. Instead, you can invoke the LVM configuration inside d-i to make the new lv. That worked OK for me.

2) However, it is probably worth adding a new boot partition for your new os, outside the encryption. (Whole-disk encryption is still a bit tricky.) I made the mistake of thinking that d-i would detect the old os and do what was necessary for /boot to work for both. Now I know shared /boot is not a good idea. My Lithium install is still intact I think, but has no /boot and is now unbootable. (I'll leave fixing that till I've got Beryllium set up with a GUI and all the tools like gparted. The LVM/LUKS partition will have to be shrunk a bit to make room, a new 500MB boot made for Lithium, and filled with the necessary vmlinuz, initrd and grub config stuff.) So don't overwrite the existing boot partition, make sure your new os has its own new boot partition.

3) Download the first DVD iso - it's said to have stuff the netinstall lacks. Some day when I have a day or two free I might check if the netinstall really doesn't work...

4) Best to check the iso contents when you fire up d-i in expert mode, using the "check the CD-ROM's integrity" item in the menu.

5) Follow the installer but at "Load installer components from CD" add crypto-dm-modules and rescue-mode.

6) Before doing "Detect disks" open a new console with Ctrl+Alt+F2, hit enter to get a shell. This is useful to look around: commands like 'mount', 'ls /dev/mapper', and the lvm commands like 'lvs' are at your disposal. Anyway, right now unlock the encrypted partition:

# cryptsetup luksOpen /dev/sda3 debian-crypt
Enter passphrase for /dev/sda3:

/dev/sda3 needs to be changed to the partition where LUKS is, debian-crypt can be any name you like - it will apply only in this system, but remember it because you'll need to put it in /etc/crypttab later. No need to run 'vgchange -ay' unless you want to view the lv's here.

7) Another useful console is at Ctrl+Alt+F4 where you can see d-i log and error messages.

8) Back to the regular interface at Ctrl+Alt+F1 and to "Detect disks" and "Partition disks" - choose "manual".
Any lv's you want to use in the new os (I used "data" and "swap") you can set up in the usual way. Make sure there's a dedicated normal partition of ~500MB or so allocated to /boot in the new system, as well as the pre-existing boot partition the old os uses. Then invoke "Configure the Logical Volume Manager" to create the lv(s) that your new system will use. Back in the partition interface, choose file systems and mountpoints as usual.

9) Carry on as normal - if you're planning to install BL later, at the "select software" stage make sure you don't install any of the "desktops", only the standard system utilities.

10) Finally before doing "Install the GRUB bootloader to a hard disk" go back to Ctrl+Alt+F2 and there's no need to chroot into the new system, it's still mounted on /target so you can run:

nano /target/etc/crypttab

and add this (again replacing /dev/sda3 and debian-crypt appropriately):

# <target name> <source device>		<key file>	<options>
debian-crypt /dev/sda3 none luks

(Change /dev/sda3 to an entry with UUID=**** some time later when you've got a GUI and can copy/paste from 'blkid'.)

11) Continue to the end of the installation, cross your fingers and hope that the grub menu shows the old os along with the new one. If 'sudo update-grub' doesn't do it, as long as its "boot" partition is intact it should be fixable.

Last edited by johnraff (2021-11-20 00:35:48)


...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), idle Twitterings and GitStuff )

Introduction to the Bunsenlabs Lithium Desktop
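
The deferred change in step 10 of the post above (swapping /dev/sda3 for a UUID= entry in /etc/crypttab), as an added example that is not part of johnraff's post. The function names and the UUID_LOOKUP override are hypothetical; the default lookup assumes blkid is available and run as root.

```shell
#!/bin/sh
# Added example: convert /dev/... sources in crypttab text to UUID=... entries.

# lookup_uuid DEVICE: print the UUID stored in the device's LUKS header.
# Uses blkid (run as root); set UUID_LOOKUP to another command for dry runs.
lookup_uuid() {
    if [ -n "${UUID_LOOKUP:-}" ]; then
        "$UUID_LOOKUP" "$1"
    else
        blkid -s UUID -o value "$1"
    fi
}

# crypttab_to_uuid: crypttab text on stdin, converted text on stdout.
# Comments, blank lines and non-/dev/ sources (UUID=..., LABEL=...) pass through.
# Returns 1 if any device had no UUID; that entry is left unchanged.
crypttab_to_uuid() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Split into fields: <target name> <source device> <key file> <options>
        set -f; set -- $line; set +f
        case "${1:-#}" in
            '#'*) printf '%s\n' "$line"; continue ;;
        esac
        if [ $# -lt 2 ]; then printf '%s\n' "$line"; continue; fi
        name=$1 src=$2
        shift 2
        rest=$*
        case "$src" in
            /dev/*)
                uuid=$(lookup_uuid "$src") || uuid=
                if [ -n "$uuid" ]; then
                    src="UUID=$uuid"
                else
                    echo "warning: no UUID for $src, entry unchanged" >&2
                    rc=1
                fi ;;
        esac
        printf '%s %s%s\n' "$name" "$src" "${rest:+ $rest}"
    done
    return "$rc"
}

# Typical use on the installed system, reviewing the result before replacing:
#   crypttab_to_uuid < /etc/crypttab > /tmp/crypttab.new
```

On Debian, run update-initramfs -u after replacing /etc/crypttab so the initramfs picks up the new entry.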
