Update grub in a chroot environment with root on a luks encrypted volume
I looks like you forgot to create a proper /etc/mtap file
sudo cp /proc/mounts /mnt/etc/mtab
See https://wiki.sabayon.org/index.php?title=HOWTO:_Restore_Grub2
Related videos on Youtube
Zective
Updated on September 18, 2022Comments
-
Zective over 1 year
I want to move a system (all systems I am using are Ubuntu 16.04 based) from an unencrypted partition to a luks encrypted one (on the same disk).
To this end, I created a LUKS encrypted logical volume that contains a root and a swap partition. Then I copied the content of the existing partition to the new root partition using
dd
. I have checked that this new root contains the proper directory structure and performed a disk scan of the partition.The plan was to chroot to the new system and to update grub from there.
In detail, I am trying the following (which is a combination from Ubuntu help pages and How to reinstall grub from a liveUSB if the / partition is encrypted and there is a separate /boot partition? ):
# Unlock crypto file system sudo cryptsetup luksOpen /dev/sda2 lukslvm sudo vgscan sudo vgchange -ay sudo svscan # Mount root file system sudo mount /dev/mapper/vgubuntu-root /mnt # Mount boot filesystem sudo mount /dev/sda1 /mnt/boot # Mount required internal file systems sudo mount -o rbind /dev /mnt/dev sudo mount -t proc proc /mnt/proc sudo mount -t sysfs sys /mnt/sys ## Additional LVM directories (for older systems) sudo mount -o rbind /run/lvm /mnt/run/lvm sudo mount -o rbind /run/lock/lvm /mnt/run/lock/lvm # Enable DNS resolution sudo cp /etc/resolv.conf /mnt/etc/resolv.conf # Change to the encrypted system sudo chroot /mnt /bin/bash # Install required software sudo apt-get install cryptsetup lvm2 # Edit /etc/crypttab sudo printf "lukslvm\tUUID=%s\tnone\tluks\n" "$(cryptsetup luksUUID /dev/sda2)" | tee -a /etc/crypttab # /etc/modules editieren sudo echo "dm-crypt" >> /etc/modules # Update kernel initramfs sudo update-initramfs -u -k all echo "Edit /etc/default/grub as GRUB_CMDLINE_LINUX_DEFAULT=\"kopt=root=/dev/mapper/vgubuntu-root\"" sudo vi /etc/default/grub sudo update-grub # Leave chroot environment exit # Write buffers to disk sudo sync # Unmount file systems sudo umount /mnt/run/lvm sudo umount /mnt/run/lock/lvm sudo umount /mnt/sys sudo umount /mnt/proc sudo umount /mnt/boot # sudo swapoff -a
Unfortunately, it does not work out that way as
update-grub
does not seem to find the system installed on the encrypted partition. It only find the existing installation on a different partition/dev/sda3
.What am I missing?
-
Zective almost 7 yearsThanks. This alone does not seem to fix it, even though the root in /dev/mapper is definitely in the mtab file.
-
Simon Sudler almost 7 yearsIf you are booting into this device, do you see the grub startup screen? If not, try the grub-install /dev/sda
-
Zective almost 7 yearsYes. The grub installation works fine for the unencrypted partition. The installation on the encrypted partition is just not listed.
-
Zective almost 7 yearsCould perhaps the problem be that the ubuntu installation on the encrypted partition resides on the same harddisk as the one that I am booting from? There is a Q&A that suggests this here: unix.stackexchange.com/questions/335247/…
-
Simon Sudler almost 7 yearsI think the problem comes from the fact, that you are re-using the kernels in /dev/sda1 (aka /boot) for both root-filesystems (devmapper and /dev/sdaX). The grub script in /etc/grub.d/10_linux iterates in the function linux_entry() over the kernels found in /boot. I don’t how it behaves in your case… Try adding a “set -x” at the beginning of the linux_entry() function and check what is happening to your kernels. The “set -x” will generate huge amount of output. But without more details of the process, I don’t see how you can solve this issue.
-
Zective almost 7 yearsTo exclude the idea that the cause are the two systems on
/dev/sda
, I wiped the unencrypted one now and it still fails. -
Simon Sudler almost 7 yearsCan you paste the output of these commands in your chroot env: $ /usr/sbin/grub-probe --target=device / $ /usr/sbin/grub-probe --target=device /boot
-
Zective almost 7 yearsOk, thanks, will do that latter. Meanwhile I managed to boot into the system using SuperGrub2Disk`. Installing grub still fails.
-
Zective almost 7 yearsThe output of both of the commands is
/dev/mapper/vgubuntu-root
. -
Zective almost 7 yearsI have tried boot
boot-repair
(help.ubuntu.com/community/Boot-Repair) which also didn't help me. -
Simon Sudler almost 7 yearsI think you found the reason, why grub is not generating the new entries. $ /usr/sbin/grub-probe --target=device /boot should give you /dev/sda1. Since this is the location of the un-encrypted boot device. I'dont now why grup-probe is not working as expected. Calling grub-probe with --verbose might give you some more information.
-
Zective almost 7 yearsI am afraid not. Now after I added
/boot
to/etc/fstab
, your command finds/dev/sda1
. -
Simon Sudler almost 7 yearsOkay, now I don't see any easy way out of this. You need to debug the /etc/grub.d/10_linux script, if you want it to work: Add a "set -x" after the "#! /bin/sh" and watch the output of "sudo grub-mkconfig 2>&1 | less -S"
-
Zective almost 7 yearsThanks for your help. Unfortunately that did not solve it for me either, but I managed to do it by cloning my system again, copying the configuration/partition structure from an installation that was full disk encrypted in the first place.