
Re: Installing bullseye into previously existing encrypted disk with buster



On Sat, Feb 12, 2022 at 09:36:45AM +1100, David wrote:
> On Sat, 12 Feb 2022 at 02:54, Nitebirdz <nitebirdz@sacredchaos.com> wrote:
> > On Thu, Feb 10, 2022 at 04:37:55PM -0500, Dan Ritter wrote:
> > > Nitebirdz wrote:
> 
> > > > I currently have a laptop running buster on an encrypted disk that boots
> > > > via EFI. The filesystems look like this:
> > > >
> > > > /dev/mapper/tangier--vg-root            /
> > > > /dev/mapper/tangier--vg-home            /home
> > > > /dev/sda1                               /boot/efi
> > > > /dev/sda2                               /boot
> > > >
> > > > I know I can easily upgrade to bullseye from the running system. However,
> > > > what I usually do when it's time to upgrade Debian on a laptop is to start
> > > > from a clean slate. It's my chance to clean up and remove old cruft (well,
> > > > with the exception of my own home partition, of course). So, instead of
> > > > upgrading, I just install the new version of Debian.
> > > >
> > > > Now, my problem is that, whenever I launch the installer, it wants to
> > > > partition the disk. Is there a way to tell the installer to leave the
> > > > existing partitioning scheme alone? Also, I'd need the installer to leave
> > > > the home partition alone, and format and install over the other
> > > > partitions. Is this possible? If so, how? I've been trying different
> > > > approaches, and I don't seem to be able to find the way to do it.
> > >
> > > Yes. Tell the installer you want to partition the disks
> > > manually, and then select each one and assign it to the role
> > > that you want. For /home, either don't assign it or make sure
> > > that you mark it as "leave the contents alone".
> >
> > Thanks. But it doesn't appear to work. The disk partitioning tool
> > only shows the actual partitions, but no trace of the already existing
> > encrypted volumes. See the screenshot attached.
> >
> > I'm testing this using QEMU. No matter what entry I select on that
> > screen, it wants me to continue partitioning, and ends up destroying the
> > previous setup. I cannot see a way to just get it to notice the already
> > existing layout. That does work for more simple setups, but not for
> > encrypted volumes, it seems.
> 
> Hi Nitebirdz,
> 
> For people quickly scanning through a lot of messages that they aren't
> heavily interested in, I suspect it was easy to overlook the crucial
> word "encrypted" in your first message. I know I didn't notice that
> until your second message, which used that word a few more times.
> 

Yep. I totally understand. It happens to me all the time.  :)

> I'm not really paying attention to the latest capabilities that the
> installer might have, or to what any other distros are doing, but when
> I have attempted this in the past it appeared to me that the Debian
> installer does not directly support installing a fresh installation
> into a previously created LUKS encrypted volume.
> 
> However it is certainly "possible" with some complicated tricks, and
> if you are prepared to risk accidentally destroying the whole
> encrypted volume if you make a mistake. That's what happened to me the
> first time I tried it. But I have adequate backups and alternative
> machines, so that didn't bother me.
> 
> It is possible to trick the installer into opening the existing
> encrypted volume. Then (with numerous fiddly steps and using great
> caution not to make a mistake) the installer can then install into a
> new partition inside that, in the usual way.
> 
> However the installation it creates will be broken and likely not
> bootable. Because we have tricked the installer beyond what it
> understands, it makes many mistakes. There will be problems with grub,
> with the cryptsetup configuration, and with the initramfs. That all
> then needs to be fixed by rebooting into an alternative environment
> that has cryptsetup tools available. Maybe the installer rescue system
> is capable of doing that, but I'm not sure because ...
> 

Indeed. I did some further searching (it's not an easy thing to search
for), and ended up finding the following document: 

https://consolematt.wordpress.com/2013/06/19/reinstalling-debian-on-existing-lukslvm-partition/

I tested it on a VM inside QEMU, and it worked. 

So, basically, once we reach the point where we detect the hard drive,
we need to drop to the shell, install additional software into the
installation environment, and then run the commands to configure the
already existing volume group and logical volumes. After that, we can
return to the installer, and partman will see everything. We can then
configure the proper mounts, and go on with the rest of the standard
installation steps.

However, as you explained, the installation is not bootable, it fails to
recognize the encrypted volume group, and it just drops to the initramfs
prompt. However, from there, we can run the commands documented in that
blog entry, and it all works. 



-- 
Nitebirdz
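
Added example, not part of the original message or of the linked blog post: a POSIX shell check for the "cryptsetup configuration" problem discussed in the thread, where the freshly installed system has no crypttab entry for the pre-existing LUKS container and the initramfs therefore cannot unlock the volume group. The mapping name `sda3_crypt` and the UUID used with it are constructed placeholders; the real UUID comes from `cryptsetup luksUUID` on the encrypted partition.

```shell
#!/bin/sh
# Added example: verify (and, if absent, add) the crypttab entry that lets the
# initramfs unlock an already existing LUKS container.
# Mapping names and UUIDs passed in are supplied by the caller; the values used
# in the surrounding text are constructed placeholders, not taken from the thread.

# crypttab_entry NAME UUID
# Prints the crypttab line for a passphrase-unlocked LUKS device.
crypttab_entry() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# crypttab_status FILE NAME UUID
# Prints one of: ok | missing | mismatch
crypttab_status() {
    file=$1
    name=$2
    uuid=$3
    [ -r "$file" ] || { echo missing; return 0; }
    # A line whose first field equals NAME cannot be a comment line.
    src=$(awk -v n="$name" '$1 == n { print $2; exit }' "$file")
    if [ -z "$src" ]; then
        echo missing
    elif [ "$src" = "UUID=$uuid" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# ensure_crypttab FILE NAME UUID
# Appends the entry only when it is missing. An entry that maps NAME to a
# different device is left untouched and reported, never overwritten.
ensure_crypttab() {
    case $(crypttab_status "$1" "$2" "$3") in
        ok)       return 0 ;;
        missing)  crypttab_entry "$2" "$3" >> "$1" ;;
        mismatch) echo "crypttab: $2 points at a different device" >&2
                  return 1 ;;
    esac
}
```

Run `ensure_crypttab` against the installed system's `/etc/crypttab`, then rebuild the initramfs with `update-initramfs -u -k all` so the entry is included at the next boot.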

