Ubuntu – Update grub in a chroot environment with root on a luks encrypted volume

chrootgrub2luks

I want to move a system (all systems I am using are Ubuntu 16.04 based) from an unencrypted partition to a luks encrypted one (on the same disk).

To this end, I created a LUKS encrypted logical volume that contains a root and a swap partition. Then I copied the content of the existing partition to the new root partition using dd.
I have checked that this new root contains the proper directory structure and performed a disk scan of the partition.

The plan was to chroot to the new system and to update grub from there.

In detail, I am trying the following (which is a combination from Ubuntu help pages and How to reinstall grub from a liveUSB if the / partition is encrypted and there is a separate /boot partition? ):

# Unlock crypto file system
sudo cryptsetup luksOpen /dev/sda2 lukslvm 

sudo vgscan 
sudo vgchange -ay
sudo svscan

# Mount root file system
sudo mount /dev/mapper/vgubuntu-root /mnt
# Mount boot filesystem
sudo mount /dev/sda1 /mnt/boot
# Mount required internal file systems
sudo mount -o rbind /dev /mnt/dev
sudo mount -t proc proc /mnt/proc
sudo mount -t sysfs sys /mnt/sys
## Additional LVM directories (for older systems)
sudo mount -o rbind /run/lvm /mnt/run/lvm
sudo mount -o rbind /run/lock/lvm /mnt/run/lock/lvm
# Enable DNS resolution
sudo cp /etc/resolv.conf /mnt/etc/resolv.conf
# Change to the encrypted system
sudo chroot /mnt /bin/bash

# Install required software
sudo apt-get install cryptsetup lvm2

# Edit /etc/crypttab
sudo printf "lukslvm\tUUID=%s\tnone\tluks\n" "$(cryptsetup luksUUID /dev/sda2)" | tee -a /etc/crypttab

# /etc/modules editieren
sudo echo "dm-crypt" >> /etc/modules

# Update kernel initramfs
sudo update-initramfs -u -k all

echo "Edit /etc/default/grub as GRUB_CMDLINE_LINUX_DEFAULT=\"kopt=root=/dev/mapper/vgubuntu-root\""
sudo vi /etc/default/grub

sudo update-grub

# Leave chroot environment
exit
# Write buffers to disk
sudo sync
# Unmount file systems
sudo umount /mnt/run/lvm
sudo umount /mnt/run/lock/lvm
sudo umount /mnt/sys
sudo umount /mnt/proc
sudo umount /mnt/boot
#
sudo swapoff -a

Unfortunately, it does not work out that way as update-grub does not seem to find the system installed on the encrypted partition.
It only find the existing installation on a different partition /dev/sda3.

What am I missing?

Best Answer

I looks like you forgot to create a proper /etc/mtap file

sudo cp /proc/mounts /mnt/etc/mtab

See https://wiki.sabayon.org/index.php?title=HOWTO:_Restore_Grub2

Related Solutions

Ubuntu – Mount LUKS encrypted hard drive at boot

A key file in the /boot directory can be read by any other operation system booted on your machine that is able to mount the filesystem on that /boot is located. Thus, encryption is not really effective. This argument applies to all key file locations on unencrypted file systems.

To avoid key files on unencrypted file systems a password can be used for decryption. Create a strong password for the device. Then, change the line in /etc/crypttab to

hddencrypted UUID=b3024cc1-93d1-439f-80ce-1b1ceeafda1e none luks

and keep the entry in /etc/fstab unmodified. Ubuntu 14.04/16.04/18.04 asks you for the password on startup.

Ubuntu – LVM & LUKS manual partitioned but issues with loader/init/grub

I found a way to setup LUKS and LVM while manually partitioning! I tested this on Ubuntu 16.04.2

Boot Ubuntu from a Live OS and select the option to try Ubuntu without installing. Follow the steps I've outlined below.

Partition the drive with your tool of choice: I used fdisk to set mine up on an msdos partition table as follows :
- sda1: /boot (1G)
- sda2: LUKS partition (the rest of the disk)
Setup LUKS
- sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sda2
- sudo cryptsetup luksOpen /dev/sda2 CryptDisk
- While not necessary, it is a good idea to fill your LUKS partition with zeros so that the partition, in an encrypted state, is filled with random data. sudo dd if=/dev/zero of=/dev/mapper/CryptDisk bs=4M BEWARE, this could take a really long time!
Setup LVM on /dev/mapper/CryptDisk
- sudo pvcreate /dev/mapper/CryptDisk
- sudo vgcreate vg0 /dev/mapper/CryptDisk
- sudo lvcreate -n swap -L 2G vg0
- sudo lvcreate -n root -L 10G vg0
- sudo lvcreate -n home -l +100%FREE vg0
Now you're ready to install. When you get to the "Installation type" portion of the install, choose the "Something else" option. Then manually assign the /dev/mapper/vg0-* partitions as you would like to have the configured. Don't forget to set /dev/sda1 as /boot. the /boot partition must not be encrypted. If it is, we won't be able to boot. Change the "Device for boot loader installation" to /dev/sda, and continue with installation.
When installation is complete, don't reboot! Choose the option to "Continue Testing".
In a terminal, type the following and look for the UUID of /dev/sda2. Take note of that UUID for later.
- sudo blkid
- The important line on my machine reads /dev/sda2: UUID="bd3b598d-88fc-476e-92bb-e4363c98f81d" TYPE="crypto_LUKS" PARTUUID="50d86889-02"
Next lets get the newly installed system mounted again so we can make some more changes.
- sudo mount /dev/vg0/root /mnt
- sudo mount /dev/vg0/home /mnt/home # this is probably not necessary
- sudo mount /dev/sda1 /mnt/boot
- If you have an EFI partition, mount it at /mnt/boot/efi
- sudo mount --bind /dev /mnt/dev # I'm not entirely sure this is necessary
- sudo mount --bind /run/lvm /mnt/run/lvm
Now run sudo chroot /mnt to access the installed system
From the chroot, mount a couple more things
- mount -t proc proc /proc
- mount -t sysfs sys /sys
- mount -t devpts devpts /dev/pts
Setup crypttab. Using your favorite text editor, create the file /etc/crypttab and add the following line, changing out the UUID with the UUID of your disk.
- CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard
Lastly, rebuild some boot files.
- update-initramfs -k all -c
- update-grub
Reboot, and the system should ask for a password to decrypt on boot!

Special thanks go to Martin Eve, EGIDIO DOCILE, and the folks at blog.botux.fr for tutorials they posted. By pulling pieces from their posts and doing a little extra trouble shooting, I was finally able to figure this out.

I tried this a number of times and failed over and over. The bit that I had to work out for myself based on error messages was sudo mount --bind /run/lvm /mnt/run/lvm

Best Answer

Related Solutions

Ubuntu – Mount LUKS encrypted hard drive at boot

Ubuntu – LVM & LUKS manual partitioned but issues with loader/init/grub

Related Question