Recovering data from unbootable Qubes install
116 views
Skip to first unread message
Zeko
Nov 10, 2019, 1:02:29 AM11/10/19
to qubes...@googlegroups.com
Hello
I managed to screw up my Qubes install and it fails at boot, resetting every time. However, that happens after the partition gets mounted and I screwed it up without having my /boot partition (a USB pendrive, since I multiboot) mounted, so I expect I'll be able to mount the Qubes encrypted partition somehow based on the data on the boot pendrive and the disk password.
I've tried simply unlocking the partition with a Linux recovery live CD by inputting the disk password as the LUKS passphrase but I get the reply: "No key available with this passphrase."
What do I need to do on the /boot filesystem to get to the LUKS passphrase? I need these files :(
Sent with ProtonMail Secure Email.
Claudia
Nov 11, 2019, 8:25:51 AM11/11/19
to qubes...@googlegroups.com
'Zeko' via qubes-users:
> Sent with [ProtonMail](https://protonmail.com) Secure Email.
>
Interesting. As a matter of fact I had to do this yesterday to reset my
user password. All I had to do was boot the Qubes installation CD,
switch to a shell, and unlock the dm-crypt container. It should be that
simple. I didn't have to mount /boot or anything like that. You should
be able to do it from any recovery CD, but have you tried doing it from
the Qubes installation media? Are you sure you're using the same
keyboard layout? Are you sure you're typing the passphrase correctly
(try `echo "mypassphrase" | cryptsetup open --key-file - /dev/sdX1
root`)? Have you tried `cryptsetup --verbose`? Did you use any custom
cryptsetup options when you created the container?
-------------------------------------------------
This free account was provided by VFEmail.net - report spam to ab...@vfemail.net
ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!
>
Interesting. As a matter of fact I had to do this yesterday to reset my
user password. All I had to do was boot the Qubes installation CD,
switch to a shell, and unlock the dm-crypt container. It should be that
simple. I didn't have to mount /boot or anything like that. You should
be able to do it from any recovery CD, but have you tried doing it from
the Qubes installation media? Are you sure you're using the same
keyboard layout? Are you sure you're typing the passphrase correctly
(try `echo "mypassphrase" | cryptsetup open --key-file - /dev/sdX1
root`)? Have you tried `cryptsetup --verbose`? Did you use any custom
cryptsetup options when you created the container?
-------------------------------------------------
This free account was provided by VFEmail.net - report spam to ab...@vfemail.net
ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!
Zeko
Nov 11, 2019, 7:23:06 PM11/11/19
to qubes...@googlegroups.com
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
> You received this message because you are subscribed to the Google Groups "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/dbf3915a-6c92-d572-daa2-d370685b4ea2%40vfemail.net.
Thanks Claudia, it was only the keyboard layout. Should've thought of that myself *facepalm*
Do you know if there's a documented way to turn the /dev/dm-* volumes into
something the Qubes backup/restore utility understands? I have over 100 VMs and I'd prefer not to open each one up and copy the contents manually
On Saturday, November 9, 2019 4:54 PM, Claudia <csp...@vfemail.net> wrote:
> 'Zeko' via qubes-users:
>
> > Hello
> > I managed to screw up my Qubes install and it fails at boot, resetting every time. However, that happens after the partition gets mounted and I screwed it up without having my /boot partition (a USB pendrive, since I multiboot) mounted, so I expect I'll be able to mount the Qubes encrypted partition somehow based on the data on the boot pendrive and the disk password.
> > I've tried simply unlocking the partition with a Linux recovery live CD by inputting the disk password as the LUKS passphrase but I get the reply: "No key available with this passphrase."
> > What do I need to do on the /boot filesystem to get to the LUKS passphrase? I need these files :(
> > Sent with ProtonMail Secure Email.
> 'Zeko' via qubes-users:
>
> > Hello
> > I managed to screw up my Qubes install and it fails at boot, resetting every time. However, that happens after the partition gets mounted and I screwed it up without having my /boot partition (a USB pendrive, since I multiboot) mounted, so I expect I'll be able to mount the Qubes encrypted partition somehow based on the data on the boot pendrive and the disk password.
> > I've tried simply unlocking the partition with a Linux recovery live CD by inputting the disk password as the LUKS passphrase but I get the reply: "No key available with this passphrase."
> > What do I need to do on the /boot filesystem to get to the LUKS passphrase? I need these files :(
>
> Interesting. As a matter of fact I had to do this yesterday to reset my
> user password. All I had to do was boot the Qubes installation CD,
> switch to a shell, and unlock the dm-crypt container. It should be that
> simple. I didn't have to mount /boot or anything like that. You should
> be able to do it from any recovery CD, but have you tried doing it from
> the Qubes installation media? Are you sure you're using the same
> keyboard layout? Are you sure you're typing the passphrase correctly
> (try `echo "mypassphrase" | cryptsetup open --key-file - /dev/sdX1 root`)? Have you tried `cryptsetup --verbose`? Did you use any custom
> cryptsetup options when you created the container?
>
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> Interesting. As a matter of fact I had to do this yesterday to reset my
> user password. All I had to do was boot the Qubes installation CD,
> switch to a shell, and unlock the dm-crypt container. It should be that
> simple. I didn't have to mount /boot or anything like that. You should
> be able to do it from any recovery CD, but have you tried doing it from
> the Qubes installation media? Are you sure you're using the same
> keyboard layout? Are you sure you're typing the passphrase correctly
> (try `echo "mypassphrase" | cryptsetup open --key-file - /dev/sdX1 root`)? Have you tried `cryptsetup --verbose`? Did you use any custom
> cryptsetup options when you created the container?
>
>
> This free account was provided by VFEmail.net - report spam to ab...@vfemail.net
>
> ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands!
> $24.95 ONETIME Lifetime accounts with Privacy Features!
> 15GB disk! No bandwidth quotas!
> Commercial and Bulk Mail Options!
>
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> This free account was provided by VFEmail.net - report spam to ab...@vfemail.net
>
> ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands!
> $24.95 ONETIME Lifetime accounts with Privacy Features!
> 15GB disk! No bandwidth quotas!
> Commercial and Bulk Mail Options!
>
>
> You received this message because you are subscribed to the Google Groups "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/dbf3915a-6c92-d572-daa2-d370685b4ea2%40vfemail.net.
Thanks Claudia, it was only the keyboard layout. Should've thought of that myself *facepalm*
Do you know if there's a documented way to turn the /dev/dm-* volumes into
something the Qubes backup/restore utility understands? I have over 100 VMs and I'd prefer not to open each one up and copy the contents manually
Claudia
Nov 12, 2019, 10:51:19 AM11/12/19
to qubes...@googlegroups.com
'Zeko' via qubes-users:
You mean that so that the on-disk VMs are recognized by qvm-backup as if
they were installed in the live environment? I'm afraid I have no idea.
I'm not seeing anything in the manpages about offline qvm-backup or any
way to change the root directory / working directory of qvm-backup.
Maybe you could literally run qvm-backup in a chroot, but I have no idea
if it would work.
It is a very good question though. And having to run an offline
qvm-backup seems to me like it would be a rather common scenario. It
might be worth starting a new thread about this specifically. e.g. "How
to run qvm-backup from a live recovery environment?"
If you really want to get down and dirty, maybe you could migrate your
existing VMs from /var/lib/qubes (and all the various metadata) into a
fresh install. But it would probably involve doing some serious surgery
on the filesystem and would be totally undocumented.
I'm assuming you've already seen these, but just for completeness:
https://www.qubes-os.org/doc/backup-restore/
https://www.qubes-os.org/doc/backup-emergency-restore-v4/
https://dev.qubes-os.org/projects/core-admin-client/en/latest/manpages/qvm-backup.html
https://dev.qubes-os.org/projects/core-admin-client/en/latest/manpages/qvm-backup-restore.html
PS: I took another look at your other thread - I wouldn't give up on it
quite yet.
they were installed in the live environment? I'm afraid I have no idea.
I'm not seeing anything in the manpages about offline qvm-backup or any
way to change the root directory / working directory of qvm-backup.
Maybe you could literally run qvm-backup in a chroot, but I have no idea
if it would work.
It is a very good question though. And having to run an offline
qvm-backup seems to me like it would be a rather common scenario. It
might be worth starting a new thread about this specifically. e.g. "How
to run qvm-backup from a live recovery environment?"
If you really want to get down and dirty, maybe you could migrate your
existing VMs from /var/lib/qubes (and all the various metadata) into a
fresh install. But it would probably involve doing some serious surgery
on the filesystem and would be totally undocumented.
I'm assuming you've already seen these, but just for completeness:
https://www.qubes-os.org/doc/backup-restore/
https://www.qubes-os.org/doc/backup-emergency-restore-v4/
https://dev.qubes-os.org/projects/core-admin-client/en/latest/manpages/qvm-backup.html
https://dev.qubes-os.org/projects/core-admin-client/en/latest/manpages/qvm-backup-restore.html
PS: I took another look at your other thread - I wouldn't give up on it
quite yet.
Reply all
Reply to author
Forward
0 new messages