From 9d2055f23cef8864a9c17fee1716074bafaa1404 Mon Sep 17 00:00:00 2001 From: Jarrah Date: Fri, 20 Dec 2019 12:44:58 +1100 Subject: [PATCH] Add documentation for decrypting and mounting a QubesOS disk This should solve https://github.com/QubesOS/qubes-issues/issues/5399. --- user/common-tasks/mount-from-other-os.md | 96 ++++++++++++++++++++++++ 1 file changed, 96 insertions(+) create mode 100644 user/common-tasks/mount-from-other-os.md diff --git a/user/common-tasks/mount-from-other-os.md b/user/common-tasks/mount-from-other-os.md new file mode 100644 index 00000000..515dbd6a --- /dev/null +++ b/user/common-tasks/mount-from-other-os.md 
@@ -0,0 +1,96 @@ +--- +layout: doc +title: Mount and Decrypt Qubes Partition from Outside Qubes +permalink: /doc/mount-from-other-os/ +redirect_from: +- /en/doc/mount-from-other-os/ +- /doc/MountFromOtherOs/ +- /wiki/MountFromOtherOs/ +--- + +Mount and Decrypt Qubes Partition from Outside Qubes +==================================================== + +When a QubesOS install is unbootable or booting it is otherwise undesirable, this process allows for the recovery of files stored within the system. + +These functions are manual and do not require any Qubes specific tools. All steps assume the default Qubes install with the following components: +- LUKS encrypted disk +- LVM based VM storage + +Before beginning, if attempting to access one Qubes system from another, it is recommended to pass the entire encrypted Qubes disk to an isolated AppVM. +This can be done with the command `qvm-block attach dom0:` in dom0. + +Decrypting the Disk +----------------- + +1. Find the disk to be accessed: + 1. Open a Linux terminal in either dom0 or the AppVM the disk was passed through to and enter `lsblk`, which will result in an output similar to the following. + In this example, the currently booted Qubes system is installed on `sda` and the qubes system to be accessed is on `nvme0n1p2`. 
+ ``` + sda 8:0 0 111.8G 0 disk + ├─sda1 8:1 0 200M 0 part /boot/efi + ├─sda2 8:2 0 1G 0 part /boot + └─sda3 8:3 0 110.6G 0 part + └─luks-fed62fc2-2674-266d-2667-2667259cbdec 253:0 0 110.6G 0 crypt + ├─qubes_dom0-pool00_tmeta 253:1 0 88M 0 lvm + │ └─qubes_dom0-pool00-tpool 253:3 0 84.4G 0 lvm + │ ├─qubes_dom0-root 253:4 0 84.4G 0 lvm / + │ ├─qubes_dom0-pool00 253:6 0 84.4G 0 lvm + │ ├─qubes_dom0-vm--fedora--30--dvm--private--1576749131--back 253:7 0 2G 0 lvm + ├─qubes_dom0-pool00_tdata 253:2 0 84.4G 0 lvm + │ └─qubes_dom0-pool00-tpool 253:3 0 84.4G 0 lvm + │ ├─qubes_dom0-root 253:4 0 84.4G 0 lvm / + │ ├─qubes_dom0-pool00 253:6 0 84.4G 0 lvm + │ ├─qubes_dom0-vm--fedora--30--dvm--private--1576749131--back 253:7 0 2G 0 lvm + └─qubes_dom0-swap 253:5 0 4G 0 lvm [SWAP] + sdb 8:16 0 447.1G 0 disk + ├─sdb1 8:17 0 549M 0 part + └─sdb2 8:18 0 446.6G 0 part + sr0 11:0 1 1024M 0 rom + nvme0n1 259:0 0 465.8G 0 disk + ├─nvme0n1p1 259:1 0 1G 0 part + └─nvme0n1p2 259:2 0 464.8G 0 part + + ``` +2. Decrypt the disk using the command `cryptsetup luksOpen /dev/`. + +Accessing LVM Logical Volumes +----------------------------- + +3. If using an AppVM or standard Linux, LVM should automatically discover the Qubes LVM configuration. In this case, continue to step 4. + 1. Qubes uses the default name `qubes_dom0` for it's LVM LV. + This will conflict with the name of the LV of the currently installed system. + To read both, you will have to rename the VG. + *Note:* If this is not reversed, the Qubes install being accessed will not be bootable. + 2. Find the UUID of the LV to be accessed using the command `lvdisplay`. + This will be the LV named `qubes_dom0` which is not marked active. + 3. The command `lvrename other_install` will rename the LV. +4. Run the command `lvscan` to add any new LVs to the device list. + +Mounting the disk +----------------- + +5. Find the disk to be accessed. The `lsblk` command above may be of use. 
The following rules apply by default: +| Disk name | Data type | Explination | +| ----------------------------- | ----------------- | ------------------------------------------- | +| other\_install-root | dom0 root | The root partition of dom0. | +| other\_install--private | VM | The /rw partition of the named VM. | +| other\_install--root | templateVM root | The root partition of the named TemplateVM. | +| other\_install\_tmeta | LVM Metadata | The metadata LV of this disk. | + +6. Mount the disk using the command `mount /dev/mapper/other_install- `. + *Note:* Any compromised data which exists in the volume to be mounted will be accessible here. + Do not mount untrusted partitions in dom0. + +At this point, all files are available in the chosen mountpoint. + +Reverting Changes +----------------------------------------- +Any changes which were made to the system in the above steps will need to be reverted before the disk will properly boot. +However, LVM will not allow an LV to be renamed to a name already in use. +Thes steps must occur either in an AppVM or using recovery media. + +1. Unmount any disks that were accessed. +2. Rename the LV back to qubes\_dom0 using the command `lvrename other_install qubes_dom0`. + +
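Review bot: In "Accessing LVM Logical Volumes" and again in "Reverting Changes", `qubes_dom0` is called an LV and renamed with `lvrename`, but the `lsblk` output in step 1 shows it as the prefix shared by `qubes_dom0-root`, `qubes_dom0-swap` and `qubes_dom0-pool00`, which makes it the volume group, and the text itself says "you will have to rename the VG". `lvrename` renames a logical volume inside a group, so these steps should look up the VG UUID with `vgdisplay` (both groups carry the same name, so the UUID is the only way to tell them apart) and rename with `vgrename`, and the revert step should read `vgrename other_install qubes_dom0`. Step 3 also sends AppVM and standard Linux readers straight to step 4 without saying that sub-steps 1 to 3 apply only when the running system already has a `qubes_dom0` group; state that condition at the start of the sub-list.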
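Review bot: The commands in the introduction, step 2 and step 6 have no arguments as they appear here: `qvm-block attach dom0:` names neither the target qube nor the device, `cryptsetup luksOpen /dev/` has no partition or mapping name, and `mount /dev/mapper/other_install- ` has no volume or mountpoint. The same applies to `lvrename other_install` in step 3.3 and to the `other\_install--private` and `other\_install--root` rows of the table, where the VM name is missing. If placeholders were intended, write them in a form that survives Markdown rendering, or carry the example from step 1 through (the text already says the disk to be accessed is `nvme0n1p2`) so each command can be read as a complete line.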
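Review bot: "Reverting Changes" stops at unmounting and renaming, so the LUKS mapping opened in step 2 of "Decrypting the Disk" is never closed; add steps to deactivate the renamed group (`vgchange -an other_install`) and run `cryptsetup luksClose` on the mapping before the disk is detached. In step 6 the note warns that compromised data becomes accessible, yet the mount is read-write with default options; since the stated purpose is file recovery, suggest mounting with `-o ro,nodev,nosuid`. Spelling to fix while here: "Explination" in the table header, "Thes steps" in "Reverting Changes", and "it's LVM LV" in step 3.1.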