Dev Notes

Software Development Resources by David Egan.

Mount and Transfer Data From an Encrypted Filesystem in Ubuntu


Linux, Sysadmin
David Egan

This article describes the steps necessary to recover data from a LUKS encrypted filesystem under Ubuntu 16.04. We also needed to move encrypted user home directories.

Mount the old encrypted disk:

  1. Identify the LUKS encrypted volume
  2. Open device/decrypt
  3. Mount the decrypted filesystem
  4. Copy data from source to destination

Mount Encrypted LVM Logical Volume

Identify the encrypted device:

sudo fdisk -l

# Follow with:
sudo lsblk -f /dev/sdb

sudo file -s /dev/sdb3

# Output:
/dev/sdb3: LUKS encrypted file, ver 1 [aes, xts-plain64, sha256] UUID: xxxx

Open the Encrypted Device

sudo cryptsetup luksOpen /dev/sdb3 encrypted_device
# This returns:
Enter passphrase for /dev/sdb3:

# Enter the encryption passphrase at this point

You then need to identify the volume group and list logical volumes:

sudo vgdisplay --short

# Typical return:
"ubuntu-vg" 464.78 GiB [464.78 GiB used / 0    free]

# List logical volumes:
sudo lvs -o lv_name,lv_size -S vg_name=ubuntu-vg

# Typical return:
  LV     LSize
  root   456.86g
  swap_1   7.91g

At this point, you may hit trouble - if you are working on an Ubuntu system and trying to mount an Ubuntu logical volume, it’s likely that both will have the same volume group name (“ubuntu-vg”).

To fix this, you can rename one of the volume groups - but beware - this may prevent that disk from booting without major intervention.

Rename the volume group:

# Get the UUID
sudo vgdisplay

# Typical return
--- Volume group ---
  VG Name               ubuntu-vg
  System ID
  Format                lvm2
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  3
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                2
  Open LV               2
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               464.78 GiB
  PE Size               4.00 MiB
  Total PE              118983
  Alloc PE / Size       118983 / 464.78 GiB
  Free  PE / Size       0 / 0
  VG UUID               xxxx

# Rename by referencing the Volume Group UUID:
sudo vgrename -v XcFAZ7-3iBG-BnQ7-GoS4-egLP-29YY-u8mcXY old-drive

# The volume group is now "old-drive"

You then need to activate the desired logical volume - in this case, root in the old-drive volume group:

# Check the new volume group name
sudo vgdisplay --short

# Check the logical volumes in this volume group
sudo lvs -o lv_name,lv_size -S vg_name=old-drive

# Activate the desired root
sudo lvchange -ay old-drive/root

Mount the Encrypted Filesystem

sudo mkdir /mnt/old-drive
sudo mount /dev/old-drive/root /mnt/old-drive

The decrypted filesystem is now available under /mnt/old-drive.

In our case, this system contains user home directories that are also encrypted. These need to be moved to /home on the destination filesystem.

On the new filesystem, don’t create users. First, move the encrypted directories to the usual location. For example:

# Move a user home directory
sudo rsync -ra --progress /mnt/old-drive/home/rory /home

# Also move the Apache root directory:
sudo mkdir -p /var/www
sudo rsync -ra --progress /mnt/old-drive/var/www/html /var/www

Then create corresponding users. The -m flag on useradd denotes that a home directory will be created if one doesn’t already exist. In our case, we’ve just created the directory by moving the old one into position from the old drive.

# Create the user "rory"
sudo useradd -m rory
sudo passwd rory
sudo adduser rory sudo

The user can now log on using their existing passphrase for decryption.
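When run as root, rsync -a keeps the numeric owner of files whose user name does not yet exist on the destination, while useradd without -u assigns the next free UID, so the recreated account may not own its copied home directory. The following is an added example, not part of the original article: the helper names are hypothetical and the passwd contents are constructed stand-ins for /mnt/old-drive/etc/passwd and /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the original article): keep the old UID when
# recreating a user whose home directory was copied before the account existed.

# passwd_field FILE USER N: print field N of USER's entry in a passwd-format file.
passwd_field() {
    awk -F: -v u="$2" -v n="$3" \
        '$1 == u { print $n; found = 1; exit } END { exit !found }' "$1"
}

# useradd_cmd OLD_PASSWD NEW_PASSWD USER
# Prints a useradd command that reuses the old UID and shell. Returns 1 if the
# user is not in OLD_PASSWD, 2 if the UID is already taken in NEW_PASSWD.
useradd_cmd() {
    uid=$(passwd_field "$1" "$3" 3) || { echo "$3: not in $1" >&2; return 1; }
    shell=$(passwd_field "$1" "$3" 7)
    taken=$(awk -F: -v id="$uid" '$3 == id { print $1; exit }' "$2")
    if [ -n "$taken" ]; then
        echo "UID $uid already belongs to $taken" >&2
        return 2
    fi
    echo "sudo useradd -m -u $uid -s ${shell:-/bin/sh} $3"
}

# Constructed sample data (assumed layout of the old and new passwd files).
old=$(mktemp); new=$(mktemp)
trap 'rm -f "$old" "$new"' EXIT
cat > "$old" <<'EOF'
root:x:0:0:root:/root:/bin/bash
david:x:1000:1000:David,,,:/home/david:/bin/bash
rory:x:1001:1001:Rory,,,:/home/rory:/bin/bash
EOF
cat > "$new" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:Admin,,,:/home/admin:/bin/bash
EOF

useradd_cmd "$old" "$new" rory             # UID 1001 is free on the new system
useradd_cmd "$old" "$new" david || true    # UID 1000 collides with "admin"
```

A return code of 2 means the copied files would belong to a different account on the new system, so ownership has to be resolved before the user is created.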

GRUB Problems

I encountered a major problem when completing this - GRUB became borked and the system would not boot - it hung on an initramfs prompt (which was pretty useless - don’t waste time in this limited shell).

The initramfs prompt suggests that GRUB 2 began the boot process (the initial Ubuntu loading screen was visible) - but couldn’t pass control to the OS.

In our case, I suspect this was related to renaming the logical volume on the old disk.

The solution involved:

  1. Booting Ubuntu from a live disk
  2. Decrypting and mounting the main volume
  3. Downloading and running ‘boot-repair’

Running boot-repair on an encrypted volume requires a bit of work - the volume needs to be properly decrypted and activated. In particular, you need to activate the encrypted drive using the correct name - I determined this by trial and error, with some clues from this useful article.

The procedure:

In the live environment, navigate to /etc/crypttab and take a peek:

cat /etc/crypttab

# Typical output:
sdb3_crypt UUID=xxxxx none luks,discard
cryptswap1 UUID=xxxxx /dev/urandom swap,offset=1024,cipher=aes-xts-plain64

This gives you the name that you need for your cryptsetup - in this case, sdb3_crypt. Decrypt the volume using this name:

sudo cryptsetup luksOpen /dev/sdb3 sdb3_crypt
# Enter decryption passphrase

# Activate:
sudo lvchange -ay sdb3_crypt/root
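The crypttab lookup described above can be scripted so the mapping name is matched to the partition by UUID instead of being read off by eye. This is an added example, not part of the original article: crypttab_name is a hypothetical helper, and the crypttab contents and UUIDs are constructed sample data.

```shell
#!/bin/sh
# Added example: find the mapping name crypttab assigns to a LUKS partition.

# crypttab_name FILE UUID
# Prints the mapping name (field 1) of the entry whose source device is
# UUID=<UUID> and whose options include "luks"; returns 1 if none matches.
crypttab_name() {
    awk -v want="UUID=$2" '
        NF == 0 || $1 ~ /^#/ { next }    # skip blank lines and comments
        $2 == want && $4 ~ /(^|,)luks(,|$)/ { print $1; found = 1; exit }
        END { exit !found }
    ' "$1"
}

# Constructed sample in the layout shown above (UUIDs are made up).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# <name>    <source device>    <key file>    <options>
sdb3_crypt UUID=11111111-2222-3333-4444-555555555555 none luks,discard
cryptswap1 UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee /dev/urandom swap,offset=1024,cipher=aes-xts-plain64
EOF

# On a real system the UUID would come from: sudo cryptsetup luksUUID /dev/sdb3
uuid=11111111-2222-3333-4444-555555555555
if name=$(crypttab_name "$sample" "$uuid"); then
    echo "sudo cryptsetup luksOpen /dev/sdb3 $name"
else
    echo "no luks entry for UUID=$uuid" >&2
fi
```

The swap entry is deliberately not matched: it is re-keyed from /dev/urandom on every boot and has no LUKS header to open.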

Then download and run Boot Repair - this should allow you to reinstall GRUB 2:

sudo add-apt-repository ppa:yannubuntu/boot-repair
sudo apt-get update
sudo apt-get install -y boot-repair && boot-repair
