
I want to move a system (all systems I am using are Ubuntu 16.04 based) from an unencrypted partition to a LUKS-encrypted one (on the same disk).

To this end, I created a LUKS encrypted logical volume that contains a root and a swap partition. Then I copied the content of the existing partition to the new root partition using dd. I have checked that this new root contains the proper directory structure and performed a disk scan of the partition.

The plan was to chroot to the new system and to update grub from there.

In detail, I am trying the following (which is a combination from Ubuntu help pages and How to reinstall grub from a liveUSB if the / partition is encrypted and there is a separate /boot partition? ):

# Unlock crypto file system
sudo cryptsetup luksOpen /dev/sda2 lukslvm 

sudo vgscan 
sudo vgchange -ay
sudo lvscan

# Mount root file system
sudo mount /dev/mapper/vgubuntu-root /mnt
# Mount boot filesystem
sudo mount /dev/sda1 /mnt/boot
# Mount required internal file systems
sudo mount -o rbind /dev /mnt/dev
sudo mount -t proc proc /mnt/proc
sudo mount -t sysfs sys /mnt/sys
## Additional LVM directories (for older systems)
sudo mount -o rbind /run/lvm /mnt/run/lvm
sudo mount -o rbind /run/lock/lvm /mnt/run/lock/lvm
# Enable DNS resolution
sudo cp /etc/resolv.conf /mnt/etc/resolv.conf
# Change to the encrypted system
sudo chroot /mnt /bin/bash

# Install required software
sudo apt-get install cryptsetup lvm2

# Edit /etc/crypttab
sudo printf "lukslvm\tUUID=%s\tnone\tluks\n" "$(cryptsetup luksUUID /dev/sda2)" | tee -a /etc/crypttab

# Edit /etc/modules
sudo echo "dm-crypt" >> /etc/modules

# Update kernel initramfs
sudo update-initramfs -u -k all

echo "Edit /etc/default/grub as GRUB_CMDLINE_LINUX_DEFAULT=\"kopt=root=/dev/mapper/vgubuntu-root\""
sudo vi /etc/default/grub

sudo update-grub

# Leave chroot environment
exit
# Write buffers to disk
sudo sync
# Unmount file systems
sudo umount /mnt/run/lvm
sudo umount /mnt/run/lock/lvm
sudo umount /mnt/sys
sudo umount /mnt/proc
sudo umount /mnt/boot
#
sudo swapoff -a

Unfortunately, it does not work out that way as update-grub does not seem to find the system installed on the encrypted partition. It only finds the existing installation on a different partition /dev/sda3.

What am I missing?

1 Answer

It looks like you forgot to create a proper /etc/mtab file

sudo cp /proc/mounts /mnt/etc/mtab

See https://wiki.sabayon.org/index.php?title=HOWTO:_Restore_Grub2

Simon Sudler
  • Thanks. This alone does not seem to fix it, even though the root in /dev/mapper is definitely in the mtab file. – highsciguy Jun 02 '17 at 13:46
  • If you are booting into this device, do you see the grub startup screen? If not, try the grub-install /dev/sda – Simon Sudler Jun 02 '17 at 13:57
  • Yes. The grub installation works fine for the unencrypted partition. The installation on the encrypted partition is just not listed. – highsciguy Jun 02 '17 at 14:24
  • Could perhaps the problem be that the ubuntu installation on the encrypted partition resides on the same harddisk as the one that I am booting from? There is a Q&A that suggests this here: https://unix.stackexchange.com/questions/335247/two-linux-distributions-grub-does-not-detect-other-one – highsciguy Jun 04 '17 at 19:16
  • I think the problem comes from the fact that you are re-using the kernels in /dev/sda1 (aka /boot) for both root-filesystems (devmapper and /dev/sdaX). The grub script in /etc/grub.d/10_linux iterates in the function linux_entry() over the kernels found in /boot. I don’t know how it behaves in your case… Try adding a “set -x” at the beginning of the linux_entry() function and check what is happening to your kernels. The “set -x” will generate a huge amount of output. But without more details of the process, I don’t see how you can solve this issue. – Simon Sudler Jun 06 '17 at 07:42
  • To exclude the idea that the cause is the two systems on /dev/sda, I wiped the unencrypted one now and it still fails. – highsciguy Jun 06 '17 at 08:28
  • Can you paste the output of these commands in your chroot env:

    $ /usr/sbin/grub-probe --target=device /
    $ /usr/sbin/grub-probe --target=device /boot

    – Simon Sudler Jun 06 '17 at 09:02
  • Ok, thanks, will do that later. Meanwhile I managed to boot into the system using SuperGrub2Disk. Installing grub still fails. – highsciguy Jun 06 '17 at 09:37
  • The output of both of the commands is /dev/mapper/vgubuntu-root. – highsciguy Jun 06 '17 at 15:43
  • I have tried boot-repair (https://help.ubuntu.com/community/Boot-Repair) which also didn't help me. – highsciguy Jun 06 '17 at 15:47
  • I think you found the reason why grub is not generating the new entries. $ /usr/sbin/grub-probe --target=device /boot should give you /dev/sda1, since this is the location of the un-encrypted boot device. I don't know why grub-probe is not working as expected. Calling grub-probe with --verbose might give you some more information. – Simon Sudler Jun 07 '17 at 06:38
  • I am afraid not. Now after I added /boot to /etc/fstab, your command finds /dev/sda1. – highsciguy Jun 07 '17 at 15:25
  • Okay, now I don't see any easy way out of this. You need to debug the /etc/grub.d/10_linux script, if you want it to work: Add a "set -x" after the "#! /bin/sh" and watch the output of "sudo grub-mkconfig 2>&1 | less -S" – Simon Sudler Jun 08 '17 at 08:07
  • Thanks for your help. Unfortunately that did not solve it for me either, but I managed to do it by cloning my system again, copying the configuration/partition structure from an installation that was full disk encrypted in the first place. – highsciguy Jun 11 '17 at 08:23
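
An added example, not written by anyone in the thread: a preflight check to run before update-grub that tests the three things the thread examined, namely a crypttab entry for the LUKS mapping, an /etc/fstab entry for the separate /boot, and an mtab that lists / and /boot on different devices. The device and mapping names come from the question; the function names, the sample tree and its UUID are constructed for illustration.

```shell
#!/bin/sh
# Added example: preflight for a chroot prepared as in the question.
# Function names are hypothetical; the sample tree and its UUID are constructed.

# Print the source device of MOUNTPOINT in a /proc/mounts-style FILE (last match wins).
mount_source() {
    awk -v mp="$2" '$2 == mp { src = $1 } END { if (src != "") print src }' "$1"
}

# Succeed if FILE (fstab format) has a non-comment entry for MOUNTPOINT.
fstab_has() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { ok = 1 } END { exit !ok }' "$1"
}

# Succeed if FILE (crypttab format) maps NAME to a UUID= source.
crypttab_has() {
    awk -v n="$2" '$1 == n && $2 ~ /^UUID=./ { ok = 1 } END { exit !ok }' "$1"
}

fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

# Check the tree under PREFIX ("" when run inside the chroot) for mapping NAME.
# Prints one line per problem and returns the number of problems.
preflight() {
    prefix=$1; name=$2; problems=0
    mtab="$prefix/etc/mtab"
    if [ ! -r "$mtab" ]; then
        fail "$mtab is missing or unreadable"
    else
        rootdev=$(mount_source "$mtab" /)
        bootdev=$(mount_source "$mtab" /boot)
        if [ -z "$bootdev" ] || [ "$bootdev" = "$rootdev" ]; then
            fail "/boot is not listed as a separate mount in $mtab"
        fi
    fi
    fstab_has "$prefix/etc/fstab" /boot || fail "no /boot entry in $prefix/etc/fstab"
    crypttab_has "$prefix/etc/crypttab" "$name" || fail "no UUID entry for $name in $prefix/etc/crypttab"
    return "$problems"
}

# Constructed sample modelled on the thread: fstab has no /boot entry yet.
sample_tree() {
    mkdir -p "$1/etc"
    printf '%s\n' '/dev/mapper/vgubuntu-root / ext4 rw 0 0' '/dev/sda1 /boot ext4 rw 0 0' > "$1/etc/mtab"
    printf '%s\n' '/dev/mapper/vgubuntu-root / ext4 errors=remount-ro 0 1' > "$1/etc/fstab"
    printf 'lukslvm\tUUID=00000000-0000-0000-0000-000000000000\tnone\tluks\n' > "$1/etc/crypttab"
}
```

Inside the chroot it would be called as `preflight "" lukslvm`; a non-zero exit status is the number of failed checks.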