This article describes the steps necessary to recover data from a LUKS encrypted filesystem under Ubuntu 16.04. We needed to also move encrypted user home directories.
Mount the old encrypted disk:
- Identify the LUKS encrypted volume
- Open device/decrypt
- Mount the decrypted filesystem
- Copy data from source to destination
Mount Encrypted LVM Logical Volume
Identify the encrypted device:
Open the Encrypted Device
You then need to identify the volume group and list logical volumes:
At this point, you may hit trouble - if you are working on a Ubuntu logical and trying to mount a Ubuntu logical volume, it’s likely that they’ll have the same volume group name (“ubuntu-vg”).
To fix this, you can rename one of the volumes - but beware - this may prevent that disk from booting without major intervention.
Rename the logical volume:
You then need to activate the desired volume group - in this case,
Mount the Encrypted Filesystem
The decrypted filesystem is now available under
In our case, this system contains user home directories that are also encrypted. These need to be moved to
/home on the destination filesystem.
On the new filesystem, don’t create users. First, move the encrypted directories to the usual location. For example:
Then create corresponding users. The
-m flag on
useradd denotes that a home directory will be created if one doesn’t already exist. In our case, we’ve just created the directory by moving the old one into position from the old drive.
The user can now log on using their exisiting passphrase for decryption.
I encountered a major problem when completing this - GRUB became borked and the system would not boot - it hung on a initramfs prompt (which was pretty useless - don’t waste time in this limited shell).
The Initramfs prompt suggests that GRUB 2 began the boot process (the initial Ubuntu loading screen was visible) - but couldn’t pass control to the OS.
In our case, I suspect this was related to renaming the logical volume on the old disk.
The solution involved:
- Booting Ubuntu from a live disk
- Decrypting and mounting the main volume
- Downloading and running ‘boot-repair’
boot-repair on an encrypted volume requires a bit of work - the volume needs to be properly decrypted and activated. In particular, you need to activate the encrypted drive using the correct name - I determined this by trial and error, with some clues from this useful article.
In the live environment, navigate to
/etc/crypttab and take a peek:
This gives you the name that you need for your cryptsetup - in this case,
sdb3_crypt. Decrypt the volume using this name:
Then download and run Boot Repair - this should allow you to reinstall GRUB 2:
comments powered by Disqus