mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2025-01-23 21:21:07 -05:00
Add documentation for decrypting and mounting a QubesOS disk
This should solve https://github.com/QubesOS/qubes-issues/issues/5399.
This commit is contained in:
parent
cb7133d0fd
commit
9d2055f23c
96
user/common-tasks/mount-from-other-os.md
Normal file
96
user/common-tasks/mount-from-other-os.md
Normal file
@ -0,0 +1,96 @@
|
||||
---
|
||||
layout: doc
|
||||
title: Mount and Decrypt Qubes Partition from Outside Qubes
|
||||
permalink: /doc/mount-from-other-os/
|
||||
redirect_from:
|
||||
- /en/doc/mount-from-other-os/
|
||||
- /doc/MountFromOtherOs/
|
||||
- /wiki/MountFromOtherOs/
|
||||
---
|
||||
|
||||
Mount and Decrypt Qubes Partition from Outside Qubes
|
||||
====================================================
|
||||
|
||||
When a QubesOS install is unbootable or booting it is otherwise undesirable, this process allows for the recovery of files stored within the system.
|
||||
|
||||
These functions are manual and do not require any Qubes specific tools. All steps assume the default Qubes install with the following components:
|
||||
- LUKS encrypted disk
|
||||
- LVM based VM storage
|
||||
|
||||
Before beginning, if attempting to access one Qubes system from another, it is recommended to pass the entire encrypted Qubes disk to an isolated AppVM.
|
||||
This can be done with the command `qvm-block attach <isolated vm> dom0:<disk>` in dom0.
|
||||
|
||||
Decrypting the Disk
|
||||
-----------------
|
||||
|
||||
1. Find the disk to be accessed:
|
||||
1. Open a Linux terminal in either dom0 or the AppVM the disk was passed through to and enter `lsblk`, which will result in an output similar to the following.
|
||||
In this example, the currently booted Qubes system is installed on `sda` and the qubes system to be accessed is on `nvme0n1p2`.
|
||||
```
|
||||
sda 8:0 0 111.8G 0 disk
|
||||
├─sda1 8:1 0 200M 0 part /boot/efi
|
||||
├─sda2 8:2 0 1G 0 part /boot
|
||||
└─sda3 8:3 0 110.6G 0 part
|
||||
└─luks-fed62fc2-2674-266d-2667-2667259cbdec 253:0 0 110.6G 0 crypt
|
||||
├─qubes_dom0-pool00_tmeta 253:1 0 88M 0 lvm
|
||||
│ └─qubes_dom0-pool00-tpool 253:3 0 84.4G 0 lvm
|
||||
│ ├─qubes_dom0-root 253:4 0 84.4G 0 lvm /
|
||||
│ ├─qubes_dom0-pool00 253:6 0 84.4G 0 lvm
|
||||
│ ├─qubes_dom0-vm--fedora--30--dvm--private--1576749131--back 253:7 0 2G 0 lvm
|
||||
├─qubes_dom0-pool00_tdata 253:2 0 84.4G 0 lvm
|
||||
│ └─qubes_dom0-pool00-tpool 253:3 0 84.4G 0 lvm
|
||||
│ ├─qubes_dom0-root 253:4 0 84.4G 0 lvm /
|
||||
│ ├─qubes_dom0-pool00 253:6 0 84.4G 0 lvm
|
||||
│ ├─qubes_dom0-vm--fedora--30--dvm--private--1576749131--back 253:7 0 2G 0 lvm
|
||||
└─qubes_dom0-swap 253:5 0 4G 0 lvm [SWAP]
|
||||
sdb 8:16 0 447.1G 0 disk
|
||||
├─sdb1 8:17 0 549M 0 part
|
||||
└─sdb2 8:18 0 446.6G 0 part
|
||||
sr0 11:0 1 1024M 0 rom
|
||||
nvme0n1 259:0 0 465.8G 0 disk
|
||||
├─nvme0n1p1 259:1 0 1G 0 part
|
||||
└─nvme0n1p2 259:2 0 464.8G 0 part
|
||||
|
||||
```
|
||||
2. Decrypt the disk using the command `cryptsetup luksOpen /dev/<disk>`.
|
||||
|
||||
Accessing LVM Logical Volumes
|
||||
-----------------------------
|
||||
|
||||
3. If using an AppVM or standard Linux, LVM should automatically discover the Qubes LVM configuration. In this case, continue to step 4.
|
||||
1. Qubes uses the default name `qubes_dom0` for it's LVM LV.
|
||||
This will conflict with the name of the LV of the currently installed system.
|
||||
To read both, you will have to rename the VG.
|
||||
*Note:* If this is not reversed, the Qubes install being accessed will not be bootable.
|
||||
2. Find the UUID of the LV to be accessed using the command `lvdisplay`.
|
||||
This will be the LV named `qubes_dom0` which is not marked active.
|
||||
3. The command `lvrename <UUID> other_install` will rename the LV.
|
||||
4. Run the command `lvscan` to add any new LVs to the device list.
|
||||
|
||||
Mounting the disk
|
||||
-----------------
|
||||
|
||||
5. Find the disk to be accessed. The `lsblk` command above may be of use. The following rules apply by default:
|
||||
| Disk name | Data type | Explination |
|
||||
| ----------------------------- | ----------------- | ------------------------------------------- |
|
||||
| other\_install-root | dom0 root | The root partition of dom0. |
|
||||
| other\_install-<vm>-private | VM | The /rw partition of the named VM. |
|
||||
| other\_install-<vm>-root | templateVM root | The root partition of the named TemplateVM. |
|
||||
| other\_install\_tmeta | LVM Metadata | The metadata LV of this disk. |
|
||||
|
||||
6. Mount the disk using the command `mount /dev/mapper/other_install-<lv name> <mountpoint>`.
|
||||
*Note:* Any compromised data which exists in the volume to be mounted will be accessible here.
|
||||
Do not mount untrusted partitions in dom0.
|
||||
|
||||
At this point, all files are available in the chosen mountpoint.
|
||||
|
||||
Reverting Changes
|
||||
-----------------------------------------
|
||||
Any changes which were made to the system in the above steps will need to be reverted before the disk will properly boot.
|
||||
However, LVM will not allow an LV to be renamed to a name already in use.
|
||||
Thes steps must occur either in an AppVM or using recovery media.
|
||||
|
||||
1. Unmount any disks that were accessed.
|
||||
2. Rename the LV back to qubes\_dom0 using the command `lvrename other_install qubes_dom0`.
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user