[SOLVED] If you're using full-disk encryption, can you re-install the OS, while keeping /home intact?

Ask for help with issues regarding the Installations of the Debian O/S.
maxb
Posts: 52
Joined: 2021-10-19 05:26
Has thanked: 2 times
Been thanked: 2 times

[SOLVED] If you're using full-disk encryption, can you re-install the OS, while keeping /home intact?

#1 Post by maxb »

I know how to install Debian with separate /, swap, /var, /tmp and /home logical volumes, all of which being encrypted. But I don't see how one could re-install the OS in this situation without nuking /home.

I'd settle for just encrypting /home, instead of all 5 -- this way stuff that should be preserved is on its own partition.
Last edited by maxb on 2021-10-21 01:42, edited 1 time in total.

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: If you're using full-disk encryption, can you re-install the OS, while keeping /home intact?

#2 Post by p.H »

maxb wrote: 2021-10-19 06:12 I know how to install Debian with separate /, swap, /var, /tmp and /home logical volumes, all of which being encrypted. But I don't see how one could re-install the OS in this situation without nuking /home.
Indeed. A known missing feature of the Debian installer is that it cannot open and use existing LUKS encrypted devices. Maybe you could open the encrypted device by hand from an installer shell, but then you would also need to set up the new system (cryptsetup* packages, /etc/crypttab) by hand to use it.
maxb wrote: 2021-10-19 06:12 I'd settle for just encrypting /home, instead of all 5 -- this way stuff that should be preserved is on its own partition.
Because of the above, you cannot mount an encrypted /home during installation and you will have to manually set up the new system to use it.

maxb

Re: If you're using full-disk encryption, can you re-install the OS, while keeping /home intact?

#3 Post by maxb »

p.H wrote: 2021-10-19 13:59 existing
Thanks for that! A critical keyword to add to search queries. Without it, my search results on this topic were much worse.

maxb

Re: If you're using full-disk encryption, can you re-install the OS, while keeping /home intact?

#4 Post by maxb »

I found this very excellent guide, in case anyone else finds this thread looking for a solution: https://www.blakehartshorn.com/installi ... ypted-lvm/

p.H

Re: [SOLVED] If you're using full-disk encryption, can you re-install the OS, while keeping /home intact?

#5 Post by p.H »

I read it. IMO it contains a huge mistake: it says to create /target/etc/crypttab just before installing GRUB.
If you do so, the generated initramfs will contain an empty crypttab and won't be able to open the encrypted volume at boot time. You may be lucky and a further installation step may trigger an initramfs update after you eventually created crypttab, but better create it before installing the base system if you want to be on the safe side.

maxb

Re: [SOLVED] If you're using full-disk encryption, can you re-install the OS, while keeping /home intact?

#6 Post by maxb »

p.H wrote: 2021-10-21 18:11 You may be lucky and a further installation step may trigger an initramfs update after you eventually created crypttab, but better create it before installing the base system if you want to be on the safe side.
Isn't that deterministic rather than luck-dependent? He writes:
Continue to the end of the installation. When the generating initramfs step appears, the image will be built using the crypttab file you just modified.
Anyway, I used these instructions. The only thing that I'd add is that "blkid" is ambiguous (it prints many UUIDs, and it's not clear if you are supposed to use the one that's "crypt" or the one "crypt" uses). "cryptsetup luksUUID /dev/sda5" (or whatever your partition is) is better.

p.H

Re: [SOLVED] If you're using full-disk encryption, can you re-install the OS, while keeping /home intact?

#7 Post by p.H »

The initramfs step appears during the installation of the base system, just after partitioning and long before GRUB installation, so at best it is luck-dependent and at worst it deterministically fails.
maxb wrote: 2021-10-21 18:32 it prints many UUIDs, and it's not clear if you are supposed to use the one that's "crypt" or the one "crypt" uses
The one with the LUKS type.
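
Added example, not part of the original thread: posts #6 and #7 point out that blkid prints several UUIDs and that crypttab needs the one of LUKS type. The sketch below picks that UUID out of blkid-style output and flags crypttab entries that point at an inner (LVM or filesystem) UUID instead; the device names, UUIDs, mapping name and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `blkid` output for a LUKS + LVM layout (UUIDs are made up).
SAMPLE_BLKID='/dev/sda1: UUID="1111aaaa-0000-4000-8000-000000000001" TYPE="ext4" PARTUUID="deadbeef-01"
/dev/sda5: UUID="2222bbbb-0000-4000-8000-000000000002" TYPE="crypto_LUKS" PARTUUID="deadbeef-05"
/dev/mapper/sda5_crypt: UUID="3333cccc-0000-4000-8000-000000000003" TYPE="LVM2_member"
/dev/mapper/vg-home: UUID="4444dddd-0000-4000-8000-000000000004" TYPE="ext4"'

# luks_uuid DEVICE: read blkid-format text on stdin and print DEVICE's UUID,
# but only if that device is the LUKS container itself (TYPE="crypto_LUKS").
luks_uuid() {
    awk -v dev="$1:" '
        $1 == dev && /TYPE="crypto_LUKS"/ && match($0, / UUID="[^"]*"/) {
            # The leading space in the pattern keeps PARTUUID= from matching.
            print substr($0, RSTART + 7, RLENGTH - 8); found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# check_crypttab CRYPTTAB_TEXT BLKID_TEXT: print the mapping name of every
# crypttab entry whose UUID= source is not a LUKS container; fail if any.
check_crypttab() {
    printf '%s\n' "$2" | CRYPTTAB="$1" awk '
        /TYPE="crypto_LUKS"/ && match($0, / UUID="[^"]*"/) {
            luks[substr($0, RSTART + 7, RLENGTH - 8)] = 1
        }
        END {
            n = split(ENVIRON["CRYPTTAB"], line, "\n")
            for (i = 1; i <= n; i++) {
                if (line[i] ~ /^[ \t]*#/ || line[i] ~ /^[ \t]*$/) continue
                split(line[i], f, " ")
                if (f[2] ~ /^UUID=/ && !(substr(f[2], 6) in luks)) {
                    print f[1]; bad = 1
                }
            }
            exit (bad ? 1 : 0)
        }'
}

# Build the crypttab line for the container and check it against the sample.
uuid=$(printf '%s\n' "$SAMPLE_BLKID" | luks_uuid /dev/sda5)
entry="sda5_crypt UUID=$uuid none luks"
check_crypttab "$entry" "$SAMPLE_BLKID" && echo "ok: $entry"
```

On a real system the two inputs would be the output of `blkid` and the contents of the new system's crypttab; `cryptsetup luksUUID /dev/sda5`, as suggested in post #6, prints the same container UUID directly.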

maxb

Re: [SOLVED] If you're using full-disk encryption, can you re-install the OS, while keeping /home intact?

#8 Post by maxb »

I'm no expert, but this:
so at best it is luck-dependent and at worst it deterministically fails.
does not follow from this:
p.H wrote: 2021-10-21 18:41 The initramfs step appears during the installation of the base system, just after partitioning and long before GRUB installation,
it could run twice (deterministically), couldn't it?

Anyway, it worked for me. I actually remember "initramfs" blinking briefly where it was supposed to. I also don't see why some important step would be done non-deterministically.

I thank you for using the word "existing". That helped. I wasn't being funny.

p.H

Re: [SOLVED] If you're using full-disk encryption, can you re-install the OS, while keeping /home intact?

#9 Post by p.H »

Indeed the installer updates the initramfs during the last step "finish the installation", after installing GRUB. I did not remember that (or actually never paid attention).
Sorry for the noise.
