mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-12-26 15:59:24 -05:00
98 lines
5.7 KiB
Markdown
98 lines
5.7 KiB
Markdown
---
|
|
layout: doc
|
|
title: Mounting and Decrypting Qubes Partitions from Outside Qubes
|
|
permalink: /doc/mount-from-other-os/
|
|
redirect_from:
|
|
- /en/doc/mount-from-other-os/
|
|
- /doc/MountFromOtherOs/
|
|
- /wiki/MountFromOtherOs/
|
|
---
|
|
|
|
Mount and Decrypt Qubes Partition from Outside Qubes
|
|
====================================================
|
|
|
|
When a QubesOS install is unbootable or booting it is otherwise undesirable, this process allows for the recovery of files stored within the system.
|
|
|
|
These functions are manual and do not require any Qubes specific tools. All steps assume the default Qubes install with the following components:
|
|
- LUKS encrypted disk
|
|
- LVM based VM storage
|
|
|
|
Before beginning, if attempting to access one Qubes system from another, it is recommended to pass the entire encrypted Qubes disk to an isolated AppVM.
|
|
This can be done with the command `qvm-block attach <isolated vm> dom0:<disk>` in dom0.
|
|
|
|
Decrypting the Disk
|
|
-----------------
|
|
|
|
1. Find the disk to be accessed:
|
|
1. Open a Linux terminal in either dom0 or the AppVM the disk was passed through to and enter `lsblk`, which will result in an output similar to the following.
|
|
In this example, the currently booted Qubes system is installed on `sda` and the qubes system to be accessed is on `nvme0n1p2`.
|
|
```
|
|
sda 8:0 0 111.8G 0 disk
|
|
├─sda1 8:1 0 200M 0 part /boot/efi
|
|
├─sda2 8:2 0 1G 0 part /boot
|
|
└─sda3 8:3 0 110.6G 0 part
|
|
└─luks-fed62fc2-2674-266d-2667-2667259cbdec 253:0 0 110.6G 0 crypt
|
|
├─qubes_dom0-pool00_tmeta 253:1 0 88M 0 lvm
|
|
│ └─qubes_dom0-pool00-tpool 253:3 0 84.4G 0 lvm
|
|
│ ├─qubes_dom0-root 253:4 0 84.4G 0 lvm /
|
|
│ ├─qubes_dom0-pool00 253:6 0 84.4G 0 lvm
|
|
│ ├─qubes_dom0-vm--fedora--30--dvm--private--1576749131--back 253:7 0 2G 0 lvm
|
|
├─qubes_dom0-pool00_tdata 253:2 0 84.4G 0 lvm
|
|
│ └─qubes_dom0-pool00-tpool 253:3 0 84.4G 0 lvm
|
|
│ ├─qubes_dom0-root 253:4 0 84.4G 0 lvm /
|
|
│ ├─qubes_dom0-pool00 253:6 0 84.4G 0 lvm
|
|
│ ├─qubes_dom0-vm--fedora--30--dvm--private--1576749131--back 253:7 0 2G 0 lvm
|
|
└─qubes_dom0-swap 253:5 0 4G 0 lvm [SWAP]
|
|
sdb 8:16 0 447.1G 0 disk
|
|
├─sdb1 8:17 0 549M 0 part
|
|
└─sdb2 8:18 0 446.6G 0 part
|
|
sr0 11:0 1 1024M 0 rom
|
|
nvme0n1 259:0 0 465.8G 0 disk
|
|
├─nvme0n1p1 259:1 0 1G 0 part
|
|
└─nvme0n1p2 259:2 0 464.8G 0 part
|
|
|
|
```
|
|
2. Decrypt the disk using the command `cryptsetup luksOpen /dev/<disk>`.
|
|
|
|
Accessing LVM Logical Volumes
|
|
-----------------------------
|
|
|
|
3. If using an AppVM or standard Linux, LVM should automatically discover the Qubes LVM configuration. In this case, continue to step 4.
|
|
1. Qubes uses the default name `qubes_dom0` for it's LVM VG.
|
|
This will conflict with the name of the VG of the currently installed system.
|
|
To read both, you will have to rename the VG.
|
|
*Note:* If this is not reversed, the Qubes install being accessed will not be bootable.
|
|
2. Find the UUID of the vg to be accessed using the command `vgdisplay`.
|
|
This will be the VG named `qubes_dom0` which is not marked active.
|
|
3. The command `vgrename <UUID> other_install` will rename the VG.
|
|
4. Run the command `vgscan` to add any new VGs to the device list.
|
|
|
|
Mounting the disk
|
|
-----------------
|
|
|
|
5. Find the disk to be accessed. The `lsblk` command above may be of use. The following rules apply by default:
|
|
|
|
| Disk name | Data type | Explination |
|
|
| ----------------------------- | ----------------- | ------------------------------------------- |
|
|
| other\_install/root | dom0 root | The root partition of dom0. |
|
|
| other\_install/<vm>-private | VM | The /rw partition of the named VM. |
|
|
| other\_install/<vm>-root | templateVM root | The root partition of the named TemplateVM. |
|
|
| other\_install/pool00\_tmeta | LVM Metadata | The metadata LV of this disk. |
|
|
|
|
6. Mount the disk using the command `mount /dev/other_install/<lv name> <mountpoint>`.
|
|
*Note:* Any compromised data which exists in the volume to be mounted will be accessible here.
|
|
Do not mount untrusted partitions in dom0.
|
|
|
|
At this point, all files are available in the chosen mountpoint.
|
|
|
|
Reverting Changes
|
|
-----------------------------------------
|
|
Any changes which were made to the system in the above steps will need to be reverted before the disk will properly boot.
|
|
However, LVM will not allow an VG to be renamed to a name already in use.
|
|
Thes steps must occur either in an AppVM or using recovery media.
|
|
|
|
1. Unmount any disks that were accessed.
|
|
2. Rename the VG back to qubes\_dom0 using the command `vgrename other_install qubes_dom0`.
|
|
|
|
|