How to use an existing and encrypted /home partition with a fresh encrypted installation of Manjaro?

I’m trying to make a fresh install of KDE and use my existing /home partition.

I followed the instructions in the first paragraph here:

https://help.ubuntu.com/community/Partitioning/Home/Moving

My previous installation used all encrypted partitions. I am using the same name and username and I’m 95% sure that I’m using the same computer name. Just like my previous installation I’m using the same password for the encryption and also enabling:
“Log in automatically without asking for the password.”
“Use the same password for the administrator account.”

In the graphical installation I’ve tried doing the manual partitioning.

OS drive
/dev/sde
Partition type: GPT
All new partitions
300 MiB, fat32, /boot/efi mount point, boot flag
96556 MiB, ext4 luks, / mount point, n/a flags, encryption enabled
17616 MiB, ext4 luks, swap hidden flag, encryption enabled

Drive for the existing /home partition
/dev/sdb1
Existing partition
Edit /dev/sdb1
Change mount point from no mount point to /home
Content: keep

About midway through the installation I got an error message saying:

Error
Installation failed
Encrypted rootfs setup error
Could not configure LUKS key file on partition /dev/sdb1

In my second attempt I tried installing Manjaro without marking the old /home partition as the actual /home mount point.

Rebooted into the live Manjaro.
Followed the steps here:


Edited the fstab following the “Preparing fstab for the switch” paragraph from:
https://help.ubuntu.com/community/Partitioning/Home/Moving
Uncommented GRUB_ENABLE_CRYPTODISK=y from /etc/default/grub
Rebooted

[FAILED] Failed to mount /home.
[DEPEND] Dependency failed for Local File Systems.
Please enter passphrase for disk INTEL_SSDSC2CW120A3 (luks-a9c48091-5f0d-42fa-9235-0bb25ec7cd2c): (press TAB for no echo)

Looks like uncommenting GRUB_ENABLE_CRYPTODISK=y from /etc/default/grub did not prevent me from having to enter the passphrase twice.

All the information below was taken while chrooted into the encrypted root partition.

/etc/fstab

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a device; this may
# be used with UUID= as a more robust way to name devices that works even if
# disks are added and removed. See fstab(5).
#
# <file system>             <mount point>  <type>  <options>  <dump>  <pass>
UUID=944C-5EBD                            /boot/efi      vfat    umask=0077 0 2
/dev/mapper/luks-2215d7ec-d7e5-45bb-a804-b29d8ce3128a /              ext4    defaults,noatime 0 1
tmpfs                                     /tmp           tmpfs   defaults,noatime,mode=1777 0 0

UUID=b98b7c10-be38-4ad2-9386-db4c85e08436   /home    ext4          defaults       0       2

lsblk

# lsblk
NAME            MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
loop0             7:0    0  20.9M  1 loop  
loop1             7:1    0 565.6M  1 loop  
loop2             7:2    0   1.7G  1 loop  
loop3             7:3    0 596.1M  1 loop  
sda               8:0    0 931.5G  0 disk  
└─sda1            8:1    0 931.5G  0 part  
sdb               8:16   0 465.8G  0 disk  
└─sdb1            8:17   0 465.8G  0 part  
sdc               8:32   0 119.2G  0 disk  
└─sdc1            8:33   0 119.2G  0 part  
sdd               8:48   0 111.8G  0 disk  
├─sdd1            8:49   0    16M  0 part  
└─sdd2            8:50   0 111.8G  0 part  
sde               8:64   0 111.8G  0 disk  
├─sde1            8:65   0   300M  0 part  /boot/efi
├─sde2            8:66   0  94.3G  0 part  
│ └─crypto_LUKS 254:0    0  94.3G  0 crypt /
└─sde3            8:67   0  17.2G  0 part  
sdf               8:80   1  29.5G  0 disk  
├─sdf1            8:81   1   2.9G  0 part  
└─sdf2            8:82   1     4M  0 part  
nvme0n1         259:0    0 953.9G  0 disk  
└─nvme0n1p1     259:1    0 953.9G  0 part

/etc/crypttab

# /etc/crypttab: mappings for encrypted partitions.
#
# Each mapped device will be created in /dev/mapper, so your /etc/fstab
# should use the /dev/mapper/<name> paths for encrypted devices.
#
# See crypttab(5) for the supported syntax.
#
# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf). The same applies
#       to encrypted swap, which should be set up with mkinitcpio-openswap
#       for resume support.
#
# <name>               <device>                         <password> <options>
luks-2215d7ec-d7e5-45bb-a804-b29d8ce3128a UUID=2215d7ec-d7e5-45bb-a804-b29d8ce3128a     /crypto_keyfile.bin luks
luks-a9c48091-5f0d-42fa-9235-0bb25ec7cd2c UUID=a9c48091-5f0d-42fa-9235-0bb25ec7cd2c     /crypto_keyfile.bin luks

/etc/default/grub

GRUB_DEFAULT=saved
GRUB_TIMEOUT=10
GRUB_TIMEOUT_STYLE=hidden
GRUB_DISTRIBUTOR="Manjaro"
GRUB_CMDLINE_LINUX_DEFAULT="quiet cryptdevice=UUID=2215d7ec-d7e5-45bb-a804-b29d8ce3128a:luks-2215d7ec-d7e5-45bb-a804-b29d8ce3128a root=/dev/mapper/luks-2215d7ec-d7e5-45bb-a804-b29d8ce3128a>
GRUB_CMDLINE_LINUX=""

# If you want to enable the save default function, uncomment the following
# line, and set GRUB_DEFAULT to saved.
GRUB_SAVEDEFAULT=true

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y

# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console

# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command 'videoinfo'
GRUB_GFXMODE=auto

# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep

# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true

# Uncomment and set to the desired menu colors.  Used by normal and wallpaper
# modes only.  Entries specified as foreground/background.
GRUB_COLOR_NORMAL="light-gray/black"
GRUB_COLOR_HIGHLIGHT="green/black"


# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/usr/share/grub/background.png"
GRUB_THEME="/usr/share/grub/themes/manjaro/theme.txt"

# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"
GRUB_ENABLE_CRYPTODISK=y

/etc/mkinitcpio.conf

# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run.  Advanced users may wish to specify all system modules
# in this array.  For instance:
#     MODULES=(piix ide_disk reiserfs)
MODULES=""

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image.  This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
FILES="/crypto_keyfile.bin"

# HOOKS
# This is the most important setting in this file.  The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
##   This setup specifies all modules in the MODULES setting above.
##   No raid, lvm2, or encrypted root is needed.
#    HOOKS=(base)
#
##   This setup will autodetect all modules for your system and should
##   work as a sane default
#    HOOKS=(base udev autodetect block filesystems)
#
##   This setup will generate a 'full' image which supports most systems.
##   No autodetection is done.
#    HOOKS=(base udev block filesystems)
#
##   This setup assembles a pata mdadm array with an encrypted root FS.
##   Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
#    HOOKS=(base udev block mdadm encrypt filesystems)
#
##   This setup loads an lvm2 volume group on a usb device.
#    HOOKS=(base udev block lvm2 filesystems)
#
##   NOTE: If you have /usr on a separate partition, you MUST include the
#    usr, fsck and shutdown hooks.
HOOKS="base udev autodetect modconf block keyboard keymap encrypt filesystems"

# COMPRESSION
# Use this to compress the initramfs image. By default, gzip compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"

# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()
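
An added example, not part of the original posts: a small Python cross-check of the /etc/crypttab and /etc/fstab contents posted above. It flags mount points expected to be encrypted that fstab does not tie to a crypttab mapping, and crypttab mappings that fstab never references. The function names, finding labels and the `expect_encrypted` parameter are hypothetical; the two tables are copied from the question.

```python
# Constructed sample input: the non-comment lines of the posted files.
CRYPTTAB = """\
luks-2215d7ec-d7e5-45bb-a804-b29d8ce3128a UUID=2215d7ec-d7e5-45bb-a804-b29d8ce3128a     /crypto_keyfile.bin luks
luks-a9c48091-5f0d-42fa-9235-0bb25ec7cd2c UUID=a9c48091-5f0d-42fa-9235-0bb25ec7cd2c     /crypto_keyfile.bin luks
"""
FSTAB = """\
UUID=944C-5EBD                            /boot/efi      vfat    umask=0077 0 2
/dev/mapper/luks-2215d7ec-d7e5-45bb-a804-b29d8ce3128a /              ext4    defaults,noatime 0 1
tmpfs                                     /tmp           tmpfs   defaults,noatime,mode=1777 0 0
UUID=b98b7c10-be38-4ad2-9386-db4c85e08436   /home    ext4          defaults       0       2
"""

def parse_table(text, min_fields):
    """Return whitespace-split fields for each non-comment, non-blank line."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split()
            if len(fields) >= min_fields:
                out.append(fields)
    return out

def audit(crypttab, fstab, expect_encrypted=("/", "/home")):
    """Cross-check fstab sources against crypttab mappings (offline, files only)."""
    maps = {f[0]: f[1] for f in parse_table(crypttab, 2)}  # mapper name -> device
    containers = {d[5:].lower() for d in maps.values() if d.startswith("UUID=")}
    findings, used = [], set()
    for src, mnt, *_ in parse_table(fstab, 3):
        if src.startswith("/dev/mapper/"):
            name = src[len("/dev/mapper/"):]
            used.add(name)
            if name not in maps:
                findings.append((mnt, "mapper-missing-from-crypttab"))
        elif src.startswith("UUID=") and src[5:].lower() in containers:
            # fstab names the LUKS container itself, which is not a mountable ext4
            findings.append((mnt, "fstab-mounts-luks-container-directly"))
        elif mnt in expect_encrypted:
            # Assumption: this mount point is meant to live on a LUKS volume
            findings.append((mnt, "not-tied-to-a-crypttab-mapping"))
    for name in sorted(set(maps) - used):
        findings.append((name, "mapping-not-referenced-by-fstab"))
    return findings

if __name__ == "__main__":
    for target, finding in audit(CRYPTTAB, FSTAB):
        print(f"{target}: {finding}")
```

A `not-tied-to-a-crypttab-mapping` finding is not proof of a fault: a `UUID=` source can be the filesystem inside a mapped container, which `blkid` or `lsblk -f` on the real machine would show.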

bumpy

This is a question which is above the pay grade of most people here. I also don't want to spend the time to understand and write differently what is already written in the Arch Wiki. https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_a_non-root_file_system#Automated_unlocking_and_mounting

If I were you I would open the encrypted device, copy the data and reinstall the way you want to have it. Then copy the data back.

If I were you I would open the encrypted device, copy the data and reinstall the way you want to have it. Then copy the data back.

I tried doing that with rsync by copying the files to an external drive but I kept on getting freezes and if the computer responded again it caused all my LibreOffice files to be fake corrupted and unrecoverable. Restarting the computer made LibreOffice and its files work again.
When I searched for solutions almost all forums and articles kept recommending rsync to copy files. Some places said that using cp would slow to a crawl.
Do you have a recommendation on how to copy the files?

rsync is usually fine and pretty robust. It could be an issue with the drive or the cable.
cp -a is a good way to copy.
There are also numerous archive commands.

So what did work for you now?

I ran cp -av for my home partition with no issues, did a fresh install, and transferred most things from the old home partition.
My first attempt at copying over the old /home partition files taught me that I really shouldn't copy over everything. Even though I used KDE again for the new installation, I think the old personal settings caused a bunch of graphical errors for icons in the new installation.
On my second attempt I copied over only the .local and .config folders for programs that I was familiar with and for the most part did not come pre-installed, but not before I updated the system and rebooted. Firefox complained that using an old version of Firefox would corrupt? my files/profile. An update solved the Firefox issue.
I wish I hadn't bothered to transfer the .cache folder. If I remember correctly the .cache folder made up 15 million out of a total of 16 million files in the /home. That was really unnecessary wear and tear on my drives.
cp -av finished transferring overnight so I don't know if it really was that slow as I had read.
If I don't forget to do it, tonight I'll run Clonezilla to clone / and /home by following the steps from this article:
https://medium.com/ethical-hacking-blog/backups-to-an-encrypted-volume-using-clonezilla-442d01db949f
