# LUKS Filesystems When setting up a new Linux installation, I decided to take advantage of LUKS (Linux Unified Key System) to encrypt the data on my device. The setup is pretty turn-key, most Linux distributions offer an option for guided LUKS setup during installating. When rebooting my device you get a prompt to enter a password and the storage is decrypted. I recently decided to retire my internal SSD to use it as external storage instead. Before formatting the SSD, I had hoped to mount it to a new Kubuntu 22.04 installation and copy over any files I wanted to keep. This was the first time I had ever tried mounting a LUKS filesystem manually, and it took a bit of messing around. Mostly I think this was because both SSDs were full installations of Kubuntu, so the partitions happened to be named the same - they were both created with guided setup for LUKS. For some context, here's output of `vgdisplay` and all currently mapped devices on my system before making any modifications. It may be useful to compare this against later output to help see what's happening. ```bash sudo vgdisplay [sudo] password for kapper: --- Volume group --- VG Name vgkubuntu System ID Format lvm2 Metadata Areas 1 Metadata Sequence No 3 VG Access read/write VG Status resizable MAX LV 0 Cur LV 2 Open LV 2 Max PV 0 Cur PV 1 Act PV 1 VG Size <1.82 TiB PE Size 4.00 MiB Total PE 476372 Alloc PE / Size 476372 / <1.82 TiB Free PE / Size 0 / 0 VG UUID uACwRN-syEc-S99E-tznk-3hYD-062d-oWVbKv ls /dev/mapper/ control nvme0n1p3_crypt vgkubuntu-root vgkubuntu-swap_1 ``` When initially plugging the device in, we run `lsblk` and check the output to find the name of the device we want to access is `sda3`. My system automatically mounted `sda2` which is `/boot` - not what we want, but understandable since the other partition was encrypted and not immediately available for mounting. ```bash lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS loop0 7:0 0 4K 1 loop /snap/bare/5 loop1 7:1 0 61.9M 1 loop /snap/core20/1405 loop2 7:2 0 55.6M 1 loop /snap/core18/2538 loop3 7:3 0 62M 1 loop /snap/core20/1587 loop4 7:4 0 163.3M 1 loop /snap/firefox/1635 loop5 7:5 0 163.3M 1 loop /snap/firefox/1670 loop6 7:6 0 400.8M 1 loop /snap/gnome-3-38-2004/112 loop7 7:7 0 164.8M 1 loop /snap/gnome-3-28-1804/161 loop8 7:8 0 248.8M 1 loop /snap/gnome-3-38-2004/99 loop9 7:9 0 81.3M 1 loop /snap/gtk-common-themes/1534 loop10 7:10 0 91.7M 1 loop /snap/gtk-common-themes/1535 loop11 7:11 0 43.6M 1 loop /snap/snapd/15177 loop12 7:12 0 47M 1 loop /snap/snapd/16292 loop13 7:13 0 169.4M 1 loop /snap/spotify/60 sda 8:0 0 931.5G 0 disk ├─sda1 8:1 0 512M 0 part ├─sda2 8:2 0 732M 0 part /media/kapper/20e58d66-eaa7-4c73-b40f-b293f9a468da └─sda3 8:3 0 930.3G 0 part └─luks-f08f6bfc-fd1f-49cc-8882-c566f19189a3 253:3 0 930.3G 0 crypt mmcblk0 179:0 0 3.7G 0 disk └─mmcblk0p1 179:1 0 3.7G 0 part nvme0n1 259:0 0 1.8T 0 disk ├─nvme0n1p1 259:1 0 512M 0 part /boot/efi ├─nvme0n1p2 259:2 0 1.7G 0 part /boot └─nvme0n1p3 259:3 0 1.8T 0 part └─nvme0n1p3_crypt 253:0 0 1.8T 0 crypt ├─vgkubuntu-root 253:1 0 1.8T 0 lvm / └─vgkubuntu-swap_1 253:2 0 976M 0 lvm [SWAP] ``` Now we can use `cryptsetup` to open the LUKS device and map the unencrypted data to a device. We choose the name of the mapped device - so you can change the `ssd` name below to be anything you want. The mapped device will be created in `/dev/mapper/`. ```bash sudo cryptsetup luksOpen /dev/sda3 ssd-kubuntu Enter passphrase for /dev/sda3: ``` Note that if your current system is using LUKS, some mappings may already exist - you should provide unique names for each device. ```bash ls /dev/mapper/ control nvme0n1p3_crypt ssd-kubuntu ssd--kubuntu-root ssd--kubuntu-swap_1 vgkubuntu-root vgkubuntu-swap_1 ``` If you did not provide a unique name or if the devices default name happened to collide with an existing mapped device, you can change it with `vgrename`. This command needs to reference a UUID to rename the mapped device though, so we first use `vgdisplay` to get this information. ```bash sudo vgdisplay [sudo] password for kapper: WARNING: VG name vgkubuntu is used by VGs 3Ab6YC-AsQ0-BKfF-F5QA-OXb3-HvIu-hsLuyX and uACwRN-syEc-S99E-tznk-3hYD-062d-oWVbKv. Fix duplicate VG names with vgrename uuid, a device filter, or system IDs. --- Volume group --- VG Name vgkubuntu System ID Format lvm2 Metadata Areas 1 Metadata Sequence No 3 VG Access read/write VG Status resizable MAX LV 0 Cur LV 2 Open LV 0 Max PV 0 Cur PV 1 Act PV 1 VG Size <930.28 GiB PE Size 4.00 MiB Total PE 238151 Alloc PE / Size 238151 / <930.28 GiB Free PE / Size 0 / 0 VG UUID 3Ab6YC-AsQ0-BKfF-F5QA-OXb3-HvIu-hsLuyX --- Volume group --- VG Name vgkubuntu System ID Format lvm2 Metadata Areas 1 Metadata Sequence No 3 VG Access read/write VG Status resizable MAX LV 0 Cur LV 2 Open LV 2 Max PV 0 Cur PV 1 Act PV 1 VG Size <1.82 TiB PE Size 4.00 MiB Total PE 476372 Alloc PE / Size 476372 / <1.82 TiB Free PE / Size 0 / 0 VG UUID uACwRN-syEc-S99E-tznk-3hYD-062d-oWVbKv ``` The two devices above may have the same name but they provide unique UUIDs. The device I want to rename is 1TB, so here I'll use the `3Ab6YC-AsQ0-BKfF-F5QA-OXb3-HvIu-hsLuyX` UUID to rename it. You may get a warning here. The warning is referring to the device we just renamed - notice the matching UUIDs. We just need to update our VG devices with the new name, which we will do in the next step. ```bash sudo vgrename 3Ab6YC-AsQ0-BKfF-F5QA-OXb3-HvIu-hsLuyX ssd-kubuntu WARNING: VG name vgkubuntu is used by VGs 3Ab6YC-AsQ0-BKfF-F5QA-OXb3-HvIu-hsLuyX and uACwRN-syEc-S99E-tznk-3hYD-062d-oWVbKv. Fix duplicate VG names with vgrename uuid, a device filter, or system IDs. Processing VG vgkubuntu because of matching UUID 3Ab6YC-AsQ0-BKfF-F5QA-OXb3-HvIu-hsLuyX Volume group "3Ab6YC-AsQ0-BKfF-F5QA-OXb3-HvIu-hsLuyX" successfully renamed to "ssd-kubuntu" ``` Activate the devices - this will resolve the warning from the previous step. If you still get a warning here, you do have two devices with the same name. Check the output of `vgdisplay` to determine which device needs to be renamed. ```bash sudo vgchange -ay 2 logical volume(s) in volume group "ssd-kubuntu" now active 2 logical volume(s) in volume group "vgkubuntu" now active ``` Check the devices were activated successfully ```bash sudo lvscan ACTIVE '/dev/ssd-kubuntu/root' [929.32 GiB] inherit ACTIVE '/dev/ssd-kubuntu/swap_1' [976.00 MiB] inherit ACTIVE '/dev/vgkubuntu/root' [<1.82 TiB] inherit ACTIVE '/dev/vgkubuntu/swap_1' [976.00 MiB] inherit ``` See information for the activated VG devices - ```bash sudo lvdisplay --- Logical volume --- LV Path /dev/ssd-kubuntu/root LV Name root VG Name ssd-kubuntu LV UUID VgiJki-nRap-tE3q-etn0-HKJz-2g6V-9TXg19 LV Write Access read/write LV Creation host, time kubuntu, 2021-12-06 09:26:51 -0500 LV Status available # open 0 LV Size 929.32 GiB Current LE 237907 Segments 1 Allocation inherit Read ahead sectors auto - currently set to 256 Block device 253:4 --- Logical volume --- LV Path /dev/ssd-kubuntu/swap_1 LV Name swap_1 VG Name ssd-kubuntu LV UUID feQi9r-QVBH-ukjv-sE6P-jgzX-x46p-ahxPz9 LV Write Access read/write LV Creation host, time kubuntu, 2021-12-06 09:26:52 -0500 LV Status available # open 0 LV Size 976.00 MiB Current LE 244 Segments 1 Allocation inherit Read ahead sectors auto - currently set to 256 Block device 253:5 --- Logical volume --- LV Path /dev/vgkubuntu/root LV Name root VG Name vgkubuntu LV UUID 00Zi9e-JF5h-WNZn-527p-Tfqq-RGc2-kRdtds LV Write Access read/write LV Creation host, time kubuntu, 2022-07-29 19:47:38 -0400 LV Status available # open 1 LV Size <1.82 TiB Current LE 476128 Segments 1 Allocation inherit Read ahead sectors auto - currently set to 256 Block device 253:1 --- Logical volume --- LV Path /dev/vgkubuntu/swap_1 LV Name swap_1 VG Name vgkubuntu LV UUID ATtx1E-9CDY-R349-pzqJ-f6id-RGd0-Zz136a LV Write Access read/write LV Creation host, time kubuntu, 2022-07-29 19:47:38 -0400 LV Status available # open 2 LV Size 976.00 MiB Current LE 244 Segments 1 Allocation inherit Read ahead sectors auto - currently set to 256 Block device 253:2 ``` Finally, create the directory where you want to mount the device if it doesn't exist already, then mount the device.

It's likely that you can skip this step. If for some reason your device isn't automatically mounted, this is an example of how to mount a mapped device. On Kubuntu 22.04, my device was automatically mounted at /media/kapper/174fdc5d-0e9b-4be2-aeea-1c2fbfd65c28 and avaialble to browse in Dolphin.

```bash mkdir /mnt/ssd sudo mount /dev/ssd-kubuntu/root /mnt/ssd/ ls /mnt/ssd/ bin cdrom etc lib lib64 lost+found mnt proc run snap swapfile tmp var boot dev home lib32 libx32 media opt root sbin srv sys usr ``` Done! You can now access the filesystem from your last LUKS installation and transfer any files you want to keep.