Update grub in a chroot environment with root on a luks encrypted volume

I want to move a system (all systems I am using are Ubuntu 16.04 based) from an unencrypted partition to a luks encrypted one (on the same disk).

To this end, I created a LUKS encrypted logical volume that contains a root and a swap partition. Then I copied the content of the existing partition to the new root partition using dd. I have checked that this new root contains the proper directory structure and performed a disk scan of the partition.

The plan was to chroot to the new system and to update grub from there.

In detail, I am trying the following (which is a combination from Ubuntu help pages and How to reinstall grub from a liveUSB if the / partition is encrypted and there is a separate /boot partition? ):

# Unlock crypto file system
sudo cryptsetup luksOpen /dev/sda2 lukslvm 

sudo vgscan 
sudo vgchange -ay
sudo svscan

# Mount root file system
sudo mount /dev/mapper/vgubuntu-root /mnt
# Mount boot filesystem
sudo mount /dev/sda1 /mnt/boot
# Mount required internal file systems
sudo mount -o rbind /dev /mnt/dev
sudo mount -t proc proc /mnt/proc
sudo mount -t sysfs sys /mnt/sys
## Additional LVM directories (for older systems)
sudo mount -o rbind /run/lvm /mnt/run/lvm
sudo mount -o rbind /run/lock/lvm /mnt/run/lock/lvm
# Enable DNS resolution
sudo cp /etc/resolv.conf /mnt/etc/resolv.conf
# Change to the encrypted system
sudo chroot /mnt /bin/bash

# Install required software
sudo apt-get install cryptsetup lvm2

# Edit /etc/crypttab
sudo printf "lukslvm\tUUID=%s\tnone\tluks\n" "$(cryptsetup luksUUID /dev/sda2)" | tee -a /etc/crypttab

# /etc/modules editieren
sudo echo "dm-crypt" >> /etc/modules

# Update kernel initramfs
sudo update-initramfs -u -k all

echo "Edit /etc/default/grub as GRUB_CMDLINE_LINUX_DEFAULT=\"kopt=root=/dev/mapper/vgubuntu-root\""
sudo vi /etc/default/grub

sudo update-grub

# Leave chroot environment
exit
# Write buffers to disk
sudo sync
# Unmount file systems
sudo umount /mnt/run/lvm
sudo umount /mnt/run/lock/lvm
sudo umount /mnt/sys
sudo umount /mnt/proc
sudo umount /mnt/boot
#
sudo swapoff -a

Unfortunately, it does not work out that way as update-grub does not seem to find the system installed on the encrypted partition. It only find the existing installation on a different partition /dev/sda3.

What am I missing?

Thanks. This alone does not seem to fix it, even though the root in /dev/mapper is definitely in the mtab file.

If you are booting into this device, do you see the grub startup screen? If not, try the grub-install /dev/sda

Yes. The grub installation works fine for the unencrypted partition. The installation on the encrypted partition is just not listed.

Could perhaps the problem be that the ubuntu installation on the encrypted partition resides on the same harddisk as the one that I am booting from? There is a Q&A that suggests this here: unix.stackexchange.com/questions/335247/…

I think the problem comes from the fact, that you are re-using the kernels in /dev/sda1 (aka /boot) for both root-filesystems (devmapper and /dev/sdaX). The grub script in /etc/grub.d/10_linux iterates in the function linux_entry() over the kernels found in /boot. I don’t how it behaves in your case… Try adding a “set -x” at the beginning of the linux_entry() function and check what is happening to your kernels. The “set -x” will generate huge amount of output. But without more details of the process, I don’t see how you can solve this issue.

To exclude the idea that the cause are the two systems on /dev/sda, I wiped the unencrypted one now and it still fails.

Can you paste the output of these commands in your chroot env: $ /usr/sbin/grub-probe --target=device / $ /usr/sbin/grub-probe --target=device /boot

Ok, thanks, will do that latter. Meanwhile I managed to boot into the system using SuperGrub2Disk`. Installing grub still fails.

The output of both of the commands is /dev/mapper/vgubuntu-root.

I have tried boot boot-repair (help.ubuntu.com/community/Boot-Repair) which also didn't help me.

I think you found the reason, why grub is not generating the new entries. $ /usr/sbin/grub-probe --target=device /boot should give you /dev/sda1. Since this is the location of the un-encrypted boot device. I'dont now why grup-probe is not working as expected. Calling grub-probe with --verbose might give you some more information.

I am afraid not. Now after I added /boot to /etc/fstab, your command finds /dev/sda1.

Okay, now I don't see any easy way out of this. You need to debug the /etc/grub.d/10_linux script, if you want it to work: Add a "set -x" after the "#! /bin/sh" and watch the output of "sudo grub-mkconfig 2>&1 | less -S"

Thanks for your help. Unfortunately that did not solve it for me either, but I managed to do it by cloning my system again, copying the configuration/partition structure from an installation that was full disk encrypted in the first place.