LVM – How to Migrate an Encrypted LVM Install to a New Disk

encryptiongrub2lvmpartitioning

I have a somewhat customised laptop install I want to move to a SSD directly, without having to reinstall Ubuntu, reinstall all the apps and make all the other changes again. The SSD is smaller, so I can't just do dd.

The original install was done with the Ubuntu alternate installer, selecting the full disk encryption with LVM option.

What steps are required and how do I do them? I expect to have to:

set up the disk partitions, encryption etc
copy the data across
install grub and get it working with new UUID values etc.

Best Answer

Partitioning and file copy - while running

I did this by starting with the running system. I plugged the new SSD into a USB SATA adapter and partitioned it, set up LVM and copied the files across.

# confirm disk size is as expected for sdc
sudo fdisk -l /dev/sdc
# now partition - 500 MB partition as boot, the rest as a single (logical) partition
sudo cfdisk /dev/sdc

Your disk should now look like:

sudo fdisk -l /dev/sdc
Disk /dev/sda: 120.0 GB, 120034123776 bytes
255 heads, 63 sectors/track, 14593 cylinders, total 234441648 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *          63      979964      489951   83  Linux
/dev/sda2          979965   234441647   116730841+   5  Extended
/dev/sda5          980028   234441647   116730810   82  Linux swap / Solaris

The next step is to put encryption on the partition and LVM on top of the encryption.

sudo cryptsetup -y luksFormat /dev/sdc5
sudo cryptsetup luksOpen /dev/sdc5 crypt
sudo vgcreate crypt-lvm /dev/mapper/crypt
sudo lvcreate -L4G -nswap crypt-lvm
sudo lvcreate -l100%FREE -nroot crypt-lvm

Now make the filesystems and mount them and copy your system across.

sudo mkfs.ext2 /dev/sdc1
# you do ls /dev/mapper to check the name if different
sudo mkfs.ext4 /dev/mapper/crypt-root
sudo mkdir /mnt/boot
sudo mkdir /mnt/root
sudo mount -t ext2 /dev/sdc1 /mnt/boot
sudo mount -t ext4 /dev/mapper/crypt-root /mnt/root

# rsync files
sudo rsync -a /boot/* /mnt/boot/
sudo rsync -aHAX --devices --specials --delete --one-file-system --exclude proc --exclude run --exclude boot --exclude sys --exclude tmp /* /mnt/root/

Up to this point you can keep the system running and use it. Now you need to shutdown and boot into a live CD/USB so you can get the system in a shutdown state.

Partitioning and file copy - live CD/USB

Once you have booted, open a terminal and:

sudo apt-get install lvm2

# mount old hard drive
sudo cryptsetup luksOpen /dev/sda5 sda5_crypt
sudo mkdir /mnt/sdaroot
# you can do ls /dev/mapper to check the name if it is different
sudo mount -t ext4 /dev/mapper/sda5_crypt--root /mnt/sdaroot

# mount new hard drive (over USB)
sudo cryptsetup luksOpen /dev/sdc5 sdc5_crypt
sudo mkdir /mnt/sdcroot
sudo mount -t ext4 /dev/mapper/sdc5_crypt--root /mnt/sdcroot

# final rsync
sudo rsync -aHAX --devices --specials --delete --one-file-system --exclude proc --exclude run --exclude boot --exclude sys --exclude tmp /mnt/sdaroot/* /mnt/sdcroot/

chroot

# prepare chroot
cd /mnt/sdcroot
sudo mkdir boot

# these directories are set up by the system and we need them inside the chroot
sudo mount -t proc proc /mnt/sdcroot/proc
sudo mount -t sysfs sys /mnt/sdcroot/sys
sudo mount -o bind /dev /mnt/sdcroot/dev

# now enter the chroot
sudo chroot /mnt/root/

Changing UUIDs

Now we are root inside the chroot and run the following commands:

# inside chroot, as root
mount -t ext2 /dev/sdc1 /boot
blkid

Now you will see all the UUIDs for the various disk in the system. You will need to edit the UUIDs in /etc/fstab and /etc/crypttab to match the values for /dev/sdc?

In /etc/fstab you need to use the UUID for the boot disk - /dev/sdc1 if your disks have the same letter as me.

In /etc/crypttab you need to use the UUID for the other (big) partition - /dev/sdc5 if your disks have the same letter as me.

initramfs and grub

# now update initramfs for all installed kernels
update-initramfs -u -k all

# install grub and ensure it is up to date
grub-install /dev/sdc      # NOTE sdc NOT sdc1
update-grub

# hit Ctrl-D to exit chroot
sudo umount /mnt/root

Now shutdown, put the SSD inside your laptop, cross your fingers and boot up.

Useful links

Good guide for the cryptsetup stuff at http://www.debian-administration.org/articles/577

For installing grub on an external partition: https://stackoverflow.com/questions/247030/how-to-set-up-grub-in-a-cloned-hard-disk

https://help.ubuntu.com/community/UsingUUID

HOWTO Encrypt an Ubuntu 18.04 LTS Installation with TWO Drives: OS on the primary SSD, /home on your secondary HDD

This is a guide to FULL DISK ENCRYPTION of an Ubuntu 18.04 LTS install. Not to be confused with the encryption of just the /home directory, which I believe has been removed as an option during install. These instructions are for Ubuntu 18.04 LTS, but should work with 16.04 LTS.

This guide assumes that you are familiar with Ubuntu (Linux) and can install the OS from a USB key, or at least understand how to do this procedure – if you can’t, find someone who can and the both of you go through it. This guide also assumes that you have backed up ALL your data prior to beginning this procedure as you will destroy all DATA on ALL drives during this procedure.

YOU HAVE BEEN WARNED!

This guide is largely a meld of the two procedures from here (David Yates’ blog post) (https://davidyat.es/2015/04/03/encrypting-a-second-hard-drive-on-ubuntu-14-10-post-install/) and the Ask Ubuntu post (Move home folder to second drive).

First things first, why do we wish to do this? Because if you own a laptop, or other sensitive data on a computer and it gets stolen or lost, it is necessary to be able to protect the data. You may be legally responsible to have protected the data. Secondly, many (most) systems now come with a small SSD (fast) for the OS and larger HDD (slow) for the data. Thirdly, encrypting just the /home directory is now recognised as a bad idea as it exposes you to the potential of /home being hacked (don't ask me how to do it, I couldn't), AND partial encryption slows down the system to a large degree. FDE requires less overhead and therefore has minimal impact on the performance of the system.

PART I: Install Ubuntu 18.04 LTS on the primary drive (usually the SSD)

Install Ubuntu 18.04 LTS onto your smaller (usually the SSD) and check (i) erase the disk, (ii) encrypt the installation, and (iii) LVM management.

This will result in an encrypted SSD, but will not touch the second (usually HDD) drive. I'm assuming that your second drive is a new, unformatted drive, but it doesn't really matter what's on the drive prior to this procedure. We are going to destroy all the data on this drive. We are going to use a software package from within Ubuntu to prep the drive (not sure whether or not this preparation is strictly necessary, but it's what I've tested). To prepare this for your soon-to-be moved /home partition (folder), you should format it using the GUI tool called gParted.

sudo apt install gparted

Open gParted and navigate to your second HDD (carefully check the /dev/sd?X) and delete any & all existing partitions, then create a new PRIMARY PARTITION using the ext4 file system. You could also label it, but that’s not necessary. Choose "Apply". One gParted is finished, close gParted and now you're ready to install the LUKS container on the second drive and then format it. In the following commands, replace sd?X with the name of your SECONDARY drive (not your primary drive), for example sda1.

sudo cryptsetup -y -v luksFormat /dev/sd?X

Then you’ll need to decrypt the new partition so that you can format it with ext4, the modern Linux file system preferred by Ubuntu.

sudo cryptsetup luksOpen /dev/sd?X sd?X_crypt
sudo mkfs.ext4 /dev/mapper/sd?X_crypt

If you want to use your second HDD as a regular, frequently accessed hard drive (as in moving your /home partition to it, which is the point of Part II), there’s a way to automatically mount and decrypt your second drive on startup, when your computer prompts you for the primary hard drive decryption password. Aside: I use the same passphrase for BOTH my drives, as I'm superstitious and envision more issues with two different passphrases.

First you’ll need to create a keyfile, which acts as a password for your secondary drive, and so that you don’t have to type in every time you start up (like your primary hard drive encryption password).

sudo dd if=/dev/urandom of=/root/.keyfile bs=1024 count=4
sudo chmod 0400 /root/.keyfile
sudo cryptsetup luksAddKey /dev/sd?X /root/.keyfile

Once the keyfile has been created, add the following lines to /etc/crypttab using nano

sudo nano /etc/crypttab

Add this line, save & close the file (/etc/crypttab).

sd?X_crypt UUID=<device UUID> /root/.keyfile luks,discard

To get your parition’s UUID to enter into the /etc/crypttab file, use this command (you need to use sudo it so that all of your partitions show up):

sudo blkid

The value you want is the UUID of /dev/sd?X, not dev/mapper/sd?X_crypt. Also make sure to copy the UUID, not the PARTUUID.

Okay, at this point (closed & saved /etc/crypttab file), you should be able to login to your Ubuntu install (entering your primary drive decryption password) and it should decrypt BOTH your primary and secondary drives. You should check to see if this happens otherwise STOP; and solve the issue(s). If you don't have this working and you've move your /home, you will have a non-working system.

Reboot and check to see if this (daisy-chain decrypt) is in fact is the case. If the secondary drive is automatically decrypted, when you choose “Other Locations” the second drive should show up in the list and have a lock icon on it, but the icon should be unlocked.

If the second drive automatically decrypts (as it should), then move on to Part II, designating the second drive as the the default location of your /home folder (with the larger amount of space).

Part II: Move your /home partition to your secondary drive (i.e. HDD)

We need to make a mount point for the secondary drive, temporarily mount the new partition (secondary HDD) and move /home to it:

sudo mkdir /mnt/tmp
sudo mount /dev/mapper/sd?X_crypt /mnt/tmp

assuming /sd?X is the new partition for /home (as per above)

Now we copy your /home folder to the new /home location from the primary drive (SSD) to the secondary drive (HDD).

sudo rsync -avx /home/ /mnt/tmp

We then may mount the new partition as /home with

sudo mount /dev/mapper/sd?X_crypt /home

to make sure all the folders (data) are present.

ls

Now, we want to make the new /home location on the secondary drive permanent, we need edit the fstab entry to automatically mount your moved /home on the secondary decrypted HDD.

sudo nano /etc/fstab

and add the following line at the end:

/dev/mapper/sd?X_crypt /home ext4 defaults 0 2

Save & close the file.

Reboot. After a reboot, your /home should reside on the new secondary drive and you should have plenty of space for your DATA.