Replacing the LUKS-encrypted disk of my Thinkpad T400

Intro

Since my employer has a policy that all systems must have their disks encrypted, two years ago I decided to install Ubuntu 10.04 with LUKS-encrypted LVM on my Thinkpad. But since I have a spare 500GB disk and the Thinkpad has only 160GB in it, I decided to prevent storage problems in the future and to replace the disk.

 

But that was not as simple as it seems, because I also had to encrypt my “new” disk.

In this document I describe what I did. I know it also didn’t go well the first time, but there is always a way to fix it if you do not destroy it.

Backup

First of all, backup your stuff!!!!

Make your second disk available

This was actually very simple. I had a USB2 case which supports 2.5″ SATA disks, so I connected this disk to the USB port of the Thinkpad.

Partitioning

I deleted the partitions on the USB2 drive with fdisk and created 2 new partitions:

  1. sdb1 of type linux with a size of 512MB
  2. sdb2 of type linux using the rest of the disk

Encrypt the LUKS partition

Check out the way the original is encrypted with:

# cryptsetup status lvm_crypt

also:

# cat /etc/crypttab

# <target name>    <source device>        <key file>    <options>
lvm_crypt UUID=656e713e-a26f-45b0-a462-c06091a76f5c none luks

I have to change this file later on, but for safety I will also put my new encrypted disk in it. See the following commands:

# cryptsetup luksFormat /dev/sdb2 -c aes-xts-plain -s 512

# cryptsetup luksOpen /dev/sdb2 crypt-sys

So now I have a device called /dev/mapper/crypt-sys which is going to be the PV for the volume group. But first put the UUID in /etc/crypttab.

# blkid | grep LUKS

/dev/sdb2: UUID="dafd290d-e1c0-41a3-8df9-4619c62dfcde" TYPE="crypto_LUKS"

Now create an extra entry in /etc/crypttab:

crypt-sys UUID=dafd290d-e1c0-41a3-8df9-4619c62dfcde none luks

This is very important information, which we somehow have to get into the initrd boot image.

Start the MOVE

From this point it is better not to reboot until you are finished. Otherwise you will probably need a live CD to get it up again.

# pvcreate  /dev/mapper/crypt-sys

# vgextend ubuntu /dev/mapper/crypt-sys

# pvmove /dev/mapper/lvm_crypt /dev/mapper/crypt-sys

Take a break because this will take some time.

When it has finished successfully:

# vgreduce ubuntu /dev/mapper/lvm_crypt

# vgscan

# vgcfgbackup

OK, the LVM data has now been moved to the new disk.

Still do not reboot!!!!

Remove the old entry from /etc/crypttab by placing a # in front of it.

# vi /etc/crypttab

# <target name>    <source device>        <key file>    <options>
crypt-sys UUID=dafd290d-e1c0-41a3-8df9-4619c62dfcde none luks
#lvm_crypt UUID=656e713e-a26f-45b0-a462-c06091a76f5c none luks

Now the very crucial step:

# update-initramfs -u -k all

And before the reboot, remember the mapper name you gave it, in case you need it for recovery.
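
A check worth running before update-initramfs and the reboot, as an added example that is not part of the original post: it verifies that every active /etc/crypttab entry points at a LUKS device that blkid can actually see. The function name and the sample files are assumptions; the sample data is constructed from the UUIDs shown above.

```bash
# Added example (not from the original post): cross-check crypttab against blkid.
# Real use, as root: blkid > /tmp/blkid.out; check_crypttab /etc/crypttab /tmp/blkid.out

# Prints "<target> OK|MISSING" per active entry; returns 1 if any is MISSING.
check_crypttab() {
    crypttab=$1; blkid_out=$2; rc=0
    while read -r target source _rest; do
        case $target in ''|'#'*) continue ;; esac      # blank line or comment
        case $source in
            UUID=*) uuid=${source#UUID=} ;;
            *) echo "$target SKIPPED"; continue ;;      # not referenced by UUID
        esac
        if grep -F "UUID=\"$uuid\"" "$blkid_out" | grep -q 'TYPE="crypto_LUKS"'; then
            echo "$target OK"
        else
            echo "$target MISSING"; rc=1
        fi
    done < "$crypttab"
    return $rc
}

# Constructed sample data, using the UUIDs shown in the post.
demo_dir=$(mktemp -d)
cat > "$demo_dir/blkid.out" <<'EOF'
/dev/sda1: UUID="a0f0f7a4-061b-4657-ab33-fa039d3293e6" TYPE="ext4"
/dev/sda2: UUID="dafd290d-e1c0-41a3-8df9-4619c62dfcde" TYPE="crypto_LUKS"
EOF
# Old entry still active although the old disk is no longer attached.
cat > "$demo_dir/crypttab.stale" <<'EOF'
# <target name> <source device> <key file> <options>
crypt-sys UUID=dafd290d-e1c0-41a3-8df9-4619c62dfcde none luks
lvm_crypt UUID=656e713e-a26f-45b0-a462-c06091a76f5c none luks
EOF
# Old entry commented out, as in the post.
cat > "$demo_dir/crypttab.fixed" <<'EOF'
# <target name> <source device> <key file> <options>
crypt-sys UUID=dafd290d-e1c0-41a3-8df9-4619c62dfcde none luks
#lvm_crypt UUID=656e713e-a26f-45b0-a462-c06091a76f5c none luks
EOF

check_crypttab "$demo_dir/crypttab.stale" "$demo_dir/blkid.out" || echo "stale entry found"
check_crypttab "$demo_dir/crypttab.fixed" "$demo_dir/blkid.out" && echo "crypttab consistent"
```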

Also make sure that, in case you can’t boot from USB, you can still boot from both disks.

# grub-install /dev/sdb

Swap positions

At this point I swapped the positions of the disks, so the new disk became the internal disk and the old disk became the USB2 disk.

PITFALL: Remove disk password from BIOS first!!!

Move the boot partition

Boot up again. This should work and it does not make a difference in booting from the /dev/sda or /dev/sdb because they are both bootable.

Now comes a tricky part where I made a mistake, but this should work. Anyhow, a live CD of Ubuntu will help you out if it does not go well.

First of all check the disks.

In my case the new disk is now /dev/sda and the old one is /dev/sdb.

# mkfs.ext4 /dev/sda1

# mount /dev/sda1 /mnt

# cd /boot

# rsync -av . /mnt/

# blkid | grep /dev/sda1

Replace the UUID of /dev/sda1 in /etc/fstab with the new one.

# cd /

# umount /boot

# mount /boot

/boot should now be mounted on the new boot partition /dev/sda1.

Remove the USB2 disk!!!!

Next reconfigure GRUB2.

# grub-install /dev/sda

# grub-mkdevicemap

# update-grub2

Now it should be OK, but in my case it was not.

You can check it out with:

# blkid | grep sda1
/dev/sda1: UUID="a0f0f7a4-061b-4657-ab33-fa039d3293e6" TYPE="ext4"

# grep a0f0f7a4-061b-4657-ab33-fa039d3293e6 /boot/grub/grub.cfg

This should be something like:

# grep a0f0f7a4-061b-4657-ab33-fa039d3293e6 /boot/grub/grub.cfg
search --no-floppy --fs-uuid --set a0f0f7a4-061b-4657-ab33-fa039d3293e6
search --no-floppy --fs-uuid --set a0f0f7a4-061b-4657-ab33-fa039d3293e6
search --no-floppy --fs-uuid --set a0f0f7a4-061b-4657-ab33-fa039d3293e6
search --no-floppy --fs-uuid --set a0f0f7a4-061b-4657-ab33-fa039d3293e6
search --no-floppy --fs-uuid --set a0f0f7a4-061b-4657-ab33-fa039d3293e6
search --no-floppy --fs-uuid --set a0f0f7a4-061b-4657-ab33-fa039d3293e6
search --no-floppy --fs-uuid --set a0f0f7a4-061b-4657-ab33-fa039d3293e6
search --no-floppy --fs-uuid --set a0f0f7a4-061b-4657-ab33-fa039d3293e6
search --no-floppy --fs-uuid --set a0f0f7a4-061b-4657-ab33-fa039d3293e6
search --no-floppy --fs-uuid --set a0f0f7a4-061b-4657-ab33-fa039d3293e6
search --no-floppy --fs-uuid --set a0f0f7a4-061b-4657-ab33-fa039d3293e6
search --no-floppy --fs-uuid --set a0f0f7a4-061b-4657-ab33-fa039d3293e6

Otherwise look for the search lines in /boot/grub/grub.cfg, replace the UUID with the correct one, and after the next reboot run update-grub2 again.
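
The same comparison as a script, added here as an example and not part of the original post: it reads the /boot UUID from fstab and reports every grub.cfg search line that points elsewhere. The function names, the sample fstab and grub.cfg, and the stale UUID 11111111-2222-3333-4444-555555555555 are constructed for illustration.

```bash
# Added example (not from the original post): find grub.cfg search lines that
# do not point at the /boot UUID recorded in fstab.
# Real use: check_grub_uuid /etc/fstab /boot/grub/grub.cfg

# Print the UUID fstab uses for /boot (nothing if /boot is not mounted by UUID).
boot_uuid_from_fstab() {
    awk '$1 ~ /^UUID=/ && $2 == "/boot" { sub(/^UUID=/, "", $1); print $1 }' "$1"
}

# Print "<line number> <uuid>" for every stale search line.
# Returns 0 if all match, 1 if any is stale, 2 if nothing could be checked.
check_grub_uuid() {
    want=$(boot_uuid_from_fstab "$1")
    [ -n "$want" ] || { echo "no UUID entry for /boot in $1"; return 2; }
    awk -v want="$want" '
        BEGIN { bad = 0; seen = 0 }
        $1 == "search" && /--fs-uuid/ {
            seen++
            if ($NF != want) { print NR, $NF; bad = 1 }   # UUID is the last field
        }
        END { if (!seen) exit 2; exit bad }
    ' "$2"
}

# Constructed sample data: one menu entry still carries an old /boot UUID.
demo=$(mktemp -d)
cat > "$demo/fstab" <<'EOF'
/dev/mapper/ubuntu-rootfs / ext4 errors=remount-ro 0 1
UUID=a0f0f7a4-061b-4657-ab33-fa039d3293e6 /boot ext4 defaults 0 2
EOF
cat > "$demo/grub.cfg" <<'EOF'
menuentry 'Ubuntu' {
    search --no-floppy --fs-uuid --set a0f0f7a4-061b-4657-ab33-fa039d3293e6
}
menuentry 'Ubuntu (recovery mode)' {
    search --no-floppy --fs-uuid --set 11111111-2222-3333-4444-555555555555
}
EOF

check_grub_uuid "$demo/fstab" "$demo/grub.cfg" || echo "grub.cfg needs regenerating"
```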

 

Reboot and see if everything is OK! Otherwise see the next chapter: boot from a live CD to recover boot for Ubuntu with LUKS LVM.

Recover boot for Ubuntu with LUKS LVM

First boot from the LiveCD and choose “try without installing”.

Open a terminal from the Accessories menu.

$ sudo -i

# apt-get install lvm2

# cryptsetup luksOpen /dev/sda2 crypt-sys

# pvscan

# vgscan

# vgchange -ay

# cd /mnt

# mkdir root

# mount /dev/ubuntu/rootfs root

# mount /dev/sda1 root/boot

# chroot /mnt/root

# mount -t proc proc /proc

# mount -t sysfs sys /sys

# mount -t devtmpfs devtmpfs /dev

# mount -t devpts devpts /dev/pts

# update-initramfs -u

# grub-mkdevicemap

# update-grub2

# sync;sync;exit

# reboot

 

Now it should boot!

Copyright © 2012-2021 Dutch Ronaldo All rights reserved.