How to reinstall Linux on encrypted LVM

How to reinstall Linux on encrypted LVM

Reinstalling system leaving home intact

ยท

5 min read

Please note that following approach works only when Linux was installed previously with a separate /home partition

This guide assumes you know how to install the Linux already. If not, please refer to previous article.

I'm using the Kali installer but steps should be same regardless the Linux flavour

Background

Story starts when I tried to get my CUDA working with a hashcat. I have installed video card drivers and tools with apt get install nvidia-driver nvidia-cuda-tools which leads to some serious issues that prevent me from logging into my installation.

I haven't found the complete guide on how to reinstall the system, leaving the /home (or simply any other) partition intact. So, whoever may want to do the same, here is what I did.

Unlock the LVM

  1. Boot the system with Live CD Kali installation. image.png

    Verify the checksum of downloaded file with the one presented on the download page

  2. Boot into Rescue mode. kali-rescue.gif
  3. Follow through the installation the usual way.

    Can't confirm if you have to choose the same values as it was on original installation, but it shouldn't matter. Let me know in the comments if that causes some issues on you

  4. On Detecting disks step, installer should detect the encrypted volume and ask you for the passphrase. Enter it.

Partitioning

  1. When asked to choose root do not use any, instead click Go Back to display the installation steps. image.png
  2. Skip the Enter rescue mode and select the Partition disks step. image.png
  3. Choose the manual partitioning. Now configure mounting points as it was done before. To not lose the /home data, leave the volumes size as it is. Choose to format every partition, but do not format home. kali-lvm-root.gif
  4. Mount home partition as /home, make double sure you are not formatting it. kali-lvm-home.gif
  5. Select boot partition, choose Ext4 and /boot mount point. image.png

    You can keep the existing data, because the encrypted volume itself does not change, only the LVM it contains.

This is how the partitioning schema looks like before changes are committed. image.png image.png Now continue with the installation.

Update crypttable

After the booting on fresh system, Grub won't recognize/discover the encrypted volume, and it fails booting. It can show that device is not available or simply show initramfs prompt. Reason is that installer is not updating the /etc/crypttab file - probably because during the partitioning step, we actually didn't configure the encrypted partition; it was unlocked already before we entered the partitioning screen. To fix that, perform the following steps. Original author of this is Halacs from superuser.com.

  1. Boot the Live CD again, but this time actually start the Live System.

    At the time of writing default credentials are kali/kali.

  2. Open terminal. Enter root shell by typing sudo su.
  3. Find out what is the volume path for /boot and encrypted LVM. You will recognize file system by its size. image.png
  4. Unlock the encrypted volume.
    $ cryptsetup luksOpen /dev/sda6 gabor2-crypt
    

    If you care of naming your encrypted volume (it will be visible on passphrase prompt each boot) change the gabor2-crypt to your liking and use that name consistently during further steps.

  5. After decryption, LVM content should be visible in both fdisk -l and lsblk image.png
  6. Use /mnt to mount all new system and boot partitions. You will be switching root to the /mnt later, so it is important to keep all mount points in the single folder.
    mount /dev/mapper/kali--vg-root /mnt
    mount /dev/mapper/kali--vg-home /mnt/home
    mount /dev/mapper/kali--vg-var /mnt/var
    mount /dev/mapper/kali--vg-tmp /mnt/tmp
    mount /dev/sda5 /mnt/boot
    
  7. Verify that mount points are correct using lsblk image.png
  8. Now mount other critical directories, without this further commands will fail.
    mount --bind /dev /mnt/dev
    mount --bind /run /mnt/run
    mount --bind /proc /mnt/proc
    mount --bind /sys /mnt/sys
    
  9. Switch the root to /mnt.
    chroot /mnt
    
    From now on, until leaving the chrooted scope, all commands are performed on the newly installed system
  10. Get the UUID of the encrypted volume to write to crypttab.
    blkid /dev/sda6
    
    image.png
  11. Place these in the crypttab.
    $ nano /etc/crypttab
    gabor2-crypt UUID="f8da3b2d-c0d4-4d02-b45d-9917adf31931" none luks
    

    Please note that this is not copy-paste from previous step.

  12. Update initramfs and grub.
    update-initramfs -u
    update-grub
    

    Watch out for warning messages, when device label in /etc/crypttab does not match current label of decoded LUKS. If that happen, please ensure the name in /etc/crypttab and name of encrypted volume are the same. image.png

  13. Now exit chroot scope, unmount all devices and close LUKS.
    exit
    umount -R /mnt
    vgchange -a n
    cryptsetup luksClose gabor2-crypt
    
  14. Restart.

Now your system should show passphrase prompt and boot to login screen. Unfortunately, you can't login to your user because it does not exist yet on the new system.

If you are using the system that doesn't block root account password login, you can skip the next section.

Boot into root shell

  1. Boot the system. Stop on GRUB loader. Highlight the "Kali" entry. image.png
  2. Press E. Search for the line starting with linux. image.png
  3. Change the ending to rw quiet init=/bin/bash. Press F10. image.png
  4. Unlock the LUKS.

Add user back

  1. Add user, add to sudoers.
    useradd --no-create-home -d /home/asentinn -s /bin/bash asentinn 
    chown -R asentinn:asentinn /home/asentinn
    sudo -l -U asentinn
    passwd asentinn
    
  2. Reboot. Now you can login as sudo user with your old home partition. image.png

Additional readings

Did you find this article valuable?

Support Kamil Gierach-Pacanek by becoming a sponsor. Any amount is appreciated!

ย