Activating encrypted LV from previous Linux installation
It shouldn't matter whether you plug that PV into a new system or the old one. It should still look like a PV with part of its volume group missing.
I just set up a volume group with one of its 2 PVs on a USB flash drive, shut the volume group down with "vgchange -an testvg1", and plugged that flash drive into a different system. Running pvs there shows that device and another "unknown device" as making up a VG with that name. I can activate that partial VG just fine. I don't know why you're seeing something different. Did you perhaps take some action to remove the VG when shutting down the old system?
If we consider the VG, I initially used the same VG name for both the setups on pv0 and pv1. I set up an encrypted container of two logical volumes on pv0. Then I created another encrypted container of one logical volume on pv1 and then used vgextend to add the container on pv1 to the initial VG. Thus, one volume group spanning two physical volumes and three logical volumes.
One other thing I don't understand is why the container on pv1 isn't identifying itself with some sort of encryption, LUKS or otherwise, because it was encrypted.
What I fear has happened is that something has set up /dev/sda3 as an LVM PV. That could have been done by either pvcreate or vgcreate since the latter will perform a default pvcreate if told to use a device that is not already set up as a PV. If that's the case, I'm sorry to say your data is lost forever unless you happen to have a backup of that LUKS header. With that header overwritten, data essential to generating the master key has been destroyed and there is no recovery.
You can try using hexedit (or another hex editor) on the whole drive and search for a 512-byte sector beginning with the ASCII characters "LUKS" followed by the hex bytes 0xBA and 0xBE. (That whole thing is the hex sequence "4c 55 4b 53 ba be".) If you find that in a reasonable location (somewhere near the beginning of the disk), then there is a chance for recovery. Without that, it's "Game Over".
Quote:
If we consider the VG, I initially used the same VG name for both the setups on pv0 and pv1. I set up an encrypted container of two logical volumes on pv0. Then I created another encrypted container of one logical volume on pv1 and then used vgextend to add the container on pv1 to the initial VG. Thus, one volume group spanning two physical volumes and three logical volumes.
Your language here is extremely confusing and inconsistent with the "device" hint in that LVM backup file.
Code:
device = "/dev/mapper/sda3_crypt"
That suggests that the partition was first decrypted to create the /dev/mapper/sda3_crypt device (Else, where did that device come from?), and then the PV was set up inside that device.
When you say "I created another encrypted container of one logical volume on pv1", that is saying you had a PV and created an encrypted container inside it. No, you didn't, and that sort of inattention to detail can be fatal to encrypted data.
I apologize for any confusion caused. I've been trying a few different things over the course of the thread and have mixed the communications up a little.
1. After initially trying to open the device with cryptsetup luksOpen it reported not a LUKS device.
Though, I did specifically LUKS encrypt the entire partition first (/dev/sda3) and then set up one logical volume inside it in ext4 format.
2. After trying to set this encrypted partition up again and it having reported that it's not a LUKS device, I proceeded to recreate the encrypted partition but this time without using the luksFormat option in cryptsetup. I then proceeded to recreate the single logical volume inside it consisting of the entire container.
The data in the encrypted volume is still there. But the partition header is now showing this:
I am attempting to search other areas of the partition for any semblance of a LUKS string.
An important point to note where I may have gone wrong in the initial setup of the encrypted volume on pv1. Mind, it was all working well in the Debian system that it was initially set up in until I changed the system to Ubuntu and then back again to Debian. I initially made a mistake to add the logical volume in the encrypted partition to the same VG as the others on pv0. Thereafter the logical volumes on pv0 were recreated and pv1 got lost. It's not clear to me why this was originally a mistake and why the disk was not showing up with a LUKS structure to begin with. Without understanding this I fear to make the same mistake again.
Quote:
I apologize for any confusion caused. I've been trying a few different things over the course of the thread and have mixed the communications up a little.
1. After initially trying to open the device with cryptsetup luksOpen it reported not a LUKS device.
Though, I did specifically LUKS encrypt the entire partition first (/dev/sda3) and then set up one logical volume inside it in ext4 format.
If you had the entire sda3 partition set up as a LUKS container ("cryptsetup luksFormat /dev/sda3"), then the start of that partition (offset 00000000) would contain the ASCII string "LUKS" followed by the bytes 0xBA and 0xBE. Since those are no longer present, any data that was stored in that container is now permanently unrecoverable, and there is no point in proceeding further.
Quote:
The data in the encrypted volume is still there. But the partition header is now showing this:
There's nothing in your description thus far that I can point to as the culprit, but if at any point you did a "pvcreate ... /dev/sda3" or "vgcreate ... /dev/sda3" it would have replaced that critical LUKS header with the LVM header you see now.
Yes, the data is still there, but it's encrypted, and you have destroyed the key. There is no way to fix that. The way LUKS works is by generating a random key (completely unrelated to your passphrase) and then storing that key in a safe that is unlocked by your passphrase. You have obliterated that safe and its contents. While you can of course create a new safe that is unlocked by that same passphrase, it won't contain that original key, and it won't be able to decrypt your data.
Without that LUKS header, it's "Game over, thank you for playing." I'm sure it's little consolation right now, but anyone who has played with encryption has at some point lost data to it. Welcome to the club.
Last edited by rknichols; 01-03-2016 at 03:03 PM.
Reason: typo
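The header search described earlier in the thread (a sector beginning with "LUKS" followed by 0xBA 0xBE) and the key-in-a-safe explanation above can both be made concrete with a small scanner. The following is an added example, not code posted in the thread: it walks a disk image or block device sector by sector, decodes any LUKS1 header it finds (cipher, hash, payload offset and which key slots are enabled, i.e. where the encrypted copies of the master key live), and also reports LVM2 "LABELONE" labels, which is what pvcreate leaves behind. The two sample images are constructed in the code; the layout constants follow the published LUKS1 on-disk format, and the UUID and key-slot values are made up.

```python
"""Scan a raw image or block device for sector-aligned LUKS1 headers and LVM2 PV labels.
Added example for the LinuxQuestions thread, not code from the thread; sample images are
constructed below, not taken from any real disk."""
import io
import struct

SECTOR = 512
LUKS_MAGIC = b"LUKS\xba\xbe"   # hex 4c 55 4b 53 ba be, the signature quoted in the thread
LVM_LABEL = b"LABELONE"        # LVM2 physical-volume label; pvcreate normally writes it in sector 1
KEYSLOT_ENABLED = 0x00AC71F3
KEYSLOT_DISABLED = 0x0000DEAD

# LUKS1 on-disk header: 208-byte fixed part (big-endian) followed by 8 key slots of 48 bytes.
HDR_FMT = ">6sH32s32s32sII20s32sI40s"
SLOT_FMT = ">II32sII"
FIXED_SIZE = struct.calcsize(HDR_FMT)      # 208
SLOT_SIZE = struct.calcsize(SLOT_FMT)      # 48
HDR_SIZE = FIXED_SIZE + 8 * SLOT_SIZE      # 592
CHUNK = 1 << 20                            # 1 MiB reads, so a whole disk never sits in RAM


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(blob):
    """Decode the LUKS1 header at the start of blob; ValueError if it is not a sane one."""
    if len(blob) < HDR_SIZE or not blob.startswith(LUKS_MAGIC):
        raise ValueError("not a LUKS1 header")
    (_, version, cipher, mode, hashspec, payload_off, key_bytes,
     _digest, _dsalt, _diters, uuid) = struct.unpack_from(HDR_FMT, blob)
    if version != 1:
        raise ValueError("unsupported LUKS version %d" % version)
    active = []
    for i in range(8):
        state, iters, _salt, km_off, stripes = struct.unpack_from(
            SLOT_FMT, blob, FIXED_SIZE + i * SLOT_SIZE)
        if state == KEYSLOT_ENABLED:   # only enabled slots hold an encrypted copy of the master key
            active.append({"slot": i, "iterations": iters,
                           "key_material_sector": km_off, "stripes": stripes})
    return {"cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hashspec),
            "payload_offset_sectors": payload_off, "key_bytes": key_bytes,
            "uuid": _cstr(uuid), "active_keyslots": active}


def scan(f):
    """Scan a seekable binary file (an image, or a device opened 'rb') sector by sector.
    Returns ({byte offset: parsed LUKS1 header}, [byte offsets of LVM2 labels])."""
    luks, lvm = {}, []
    base = 0
    while True:
        f.seek(base)
        chunk = f.read(CHUNK)
        if not chunk:
            break
        for off in range(0, len(chunk), SECTOR):
            head = chunk[off:off + 8]
            abs_off = base + off
            if head.startswith(LUKS_MAGIC):
                f.seek(abs_off)            # the header may straddle the chunk edge: re-read it whole
                try:
                    luks[abs_off] = parse_luks1_header(f.read(HDR_SIZE))
                except ValueError:
                    pass                   # magic without a sane header: a stale fragment, not usable
            elif head == LVM_LABEL:
                lvm.append(abs_off)
        base += len(chunk)
    return luks, lvm


def scan_bytes(data):
    """Convenience wrapper for in-memory images."""
    return scan(io.BytesIO(data))


def build_sample_luks_image():
    """Constructed 64-sector image: LUKS1 header in sector 0, key slot 0 enabled, rest zero."""
    fixed = struct.pack(HDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                        4096, 64, b"\x11" * 20, b"\x22" * 32, 1000,
                        b"00000000-1111-2222-3333-444444444444")   # made-up UUID
    slots = struct.pack(SLOT_FMT, KEYSLOT_ENABLED, 100000, b"\x33" * 32, 8, 4000)
    slots += struct.pack(SLOT_FMT, KEYSLOT_DISABLED, 0, b"\0" * 32, 0, 0) * 7
    hdr = fixed + slots
    return hdr + b"\0" * (64 * SECTOR - len(hdr))


def build_sample_overwritten_image():
    """Constructed image as it looks after a pvcreate-style overwrite: sector 0 zeroed,
    LVM2 label in sector 1. No LUKS magic survives, so no key slot can be located."""
    label = LVM_LABEL + struct.pack("<QII", 1, 0, 32) + b"LVM2 001"
    img = bytearray(64 * SECTOR)
    img[SECTOR:SECTOR + len(label)] = label
    return bytes(img)


if __name__ == "__main__":
    for name, img in (("intact", build_sample_luks_image()),
                      ("after pvcreate", build_sample_overwritten_image())):
        luks, lvm = scan_bytes(img)
        print(name, "LUKS headers at:", sorted(luks), "LVM labels at:", lvm)
    # On a real device: with open("/dev/sda3", "rb") as f: luks, lvm = scan(f)
```

Running it against the two constructed images shows the contrast the thread describes: the intact image reports one header at offset 0 with key slot 0 enabled, while the overwritten image reports no LUKS header at all and an LVM label at byte 512. A header found far from the start of a partition is worth a closer look (the scan does not restrict itself to sector 0), but a LABELONE label where the LUKS magic used to be means the key slots are gone with it.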
Quote:
There's nothing in your description thus far that I can point to as the culprit, but if at any point you did a "pvcreate ... /dev/sda3" or "vgcreate ... /dev/sda3" it would have replaced that critical LUKS header with the LVM header you see now.
Code:
# lsblk
NAME                  MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                     8:0    0 465.8G  0 disk
├─sda1                  8:1    0   100M  0 part
├─sda2                  8:2    0  72.7G  0 part
└─sda3                  8:3    0   393G  0 part
sdb                     8:16   0 232.9G  0 disk
├─sdb1                  8:17   0    28G  0 part  /
├─sdb2                  8:18   0     1K  0 part
└─sdb5                  8:21   0   205G  0 part
  └─sdb5_crypt        254:0    0   205G  0 crypt
    ├─debian--vg-swap 254:1    0  29.8G  0 lvm   [SWAP]
    ├─debian--vg-var  254:2    0  23.3G  0 lvm   /var
    └─debian--vg-home 254:3    0 151.9G  0 lvm   /home
I want to encrypt /dev/sda3 to create a container (sda3_crypt say) for one logical volume using all of the available space. Preferably: I would like to add this volume to the same volume group as the others (debian-vg) for simplicity. I would like to use the same passphrase to unlock all volumes since the data will essentially be mirrored to both volumes. I would like to issue the passphrase once to unlock both volumes at once.
What additional precautions do I need to take or be aware of should one of the two physical volumes fail or get compromised?
Last edited by linuxbawks; 01-03-2016 at 03:14 PM.
Basically do what you did originally, but I recommend not using the same volume group name. There is some added complexity to activating a VG when one volume is missing, and you really don't want to have any LV that spans both volumes if you want to use it with one volume missing.
You might consider using some name other than "sda3_crypt" there. It's just too easy to leave off the "_crypt" part, and that can be fatal, as you've seen. Something like "crypt_a3" should keep you thinking in the right direction.
In many (most??) systems, any passphrase you enter at boot time will be tried for any LUKS volumes that are present.
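The setup advice above (LUKS on the raw partition, the PV on the opened mapping, a separate volume group, a mapping name that cannot be confused with the partition) can be encoded as a plan with a check that refuses the exact mistake this thread is about. This is an added example, not commands posted in the thread: the partition /dev/sda3 comes from the thread, while the mapping name crypt_a3, the VG name vg_a3, the LV name and the crypttab line are assumptions, and the optional execution path simply runs the plan with subprocess.

```python
"""Plan and sanity-check an encrypted PV setup: LUKS on the raw partition, LVM only on the
opened dm-crypt mapping, in its own volume group. Added example, not the thread's own commands;
the mapping, VG and LV names are assumptions."""
import subprocess

LVM_WRITERS = {"pvcreate", "vgcreate", "vgextend"}   # commands that would overwrite sector 0 onward


def plan_encrypted_pv(partition, mapping="crypt_a3", vg="vg_a3", lv="data"):
    """Command sequence as a list of argv lists, in the only order that keeps the LUKS header."""
    mapper = "/dev/mapper/" + mapping
    return [
        ["cryptsetup", "luksFormat", partition],         # header and key slots go on the raw partition
        ["cryptsetup", "luksOpen", partition, mapping],  # plaintext view appears as /dev/mapper/<mapping>
        ["pvcreate", mapper],                            # PV on the mapping, never on the partition
        ["vgcreate", vg, mapper],                        # own VG: activates cleanly when the other disk is absent
        ["lvcreate", "-l", "100%FREE", "-n", lv, vg],
        ["mkfs.ext4", "/dev/%s/%s" % (vg, lv)],
    ]


def check_plan(plan, partition):
    """Reject a plan in which an LVM command targets the raw LUKS partition, or runs before
    the container has been opened. Returns True when the plan is safe."""
    opened = False
    for argv in plan:
        if argv[:2] == ["cryptsetup", "luksOpen"]:
            opened = True
        if argv[0] in LVM_WRITERS:
            if partition in argv[1:]:
                raise ValueError("%s on %s would overwrite the LUKS header" % (argv[0], partition))
            if not opened:
                raise ValueError("%s before luksOpen: there is no mapping to put the PV in" % argv[0])
    return True


def crypttab_line(mapping, luks_uuid="<uuid-from-cryptsetup-luksUUID>"):
    """Assumed /etc/crypttab entry so the boot-time passphrase prompt also covers this volume.
    The UUID placeholder must be replaced with the output of `cryptsetup luksUUID <partition>`."""
    return "%s UUID=%s none luks" % (mapping, luks_uuid)


def run_plan(plan, partition, dry_run=True):
    """Validate the plan, then return it (dry run) or execute it step by step."""
    check_plan(plan, partition)
    if dry_run:
        return plan
    for argv in plan:
        if argv[0] in LVM_WRITERS:
            # Re-check right before writing: the partition must still carry a LUKS header.
            subprocess.run(["cryptsetup", "isLuks", partition], check=True)
        subprocess.run(argv, check=True)
    return plan


if __name__ == "__main__":
    steps = run_plan(plan_encrypted_pv("/dev/sda3"), "/dev/sda3", dry_run=True)
    for argv in steps:
        print(" ".join(argv))
    print(crypttab_line("crypt_a3"))
```

The dry run prints the six commands in order and the crypttab line; the check is what matters, since "pvcreate /dev/sda3" is one dropped suffix away from "pvcreate /dev/mapper/sda3_crypt", and the check rejects it before anything is written.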