- sort keys - remove permalink from redirects
6.0 KiB
layout | permalink | redirect_from | title | |||
---|---|---|---|---|---|---|
doc | /doc/mount-from-other-os/ |
|
Mounting and Decrypting Qubes Partitions from Outside Qubes |
Mount and Decrypt Qubes Partition from Outside Qubes
When a QubesOS install is unbootable or booting it is otherwise undesirable, this process allows for the recovery of files stored within the system.
These functions are manual and do not require any Qubes specific tools. All steps assume the default Qubes install with the following components:
- LUKS encrypted disk
- LVM based VM storage
Before beginning, if attempting to access one Qubes system from another, it is recommended to pass the entire encrypted Qubes disk to an isolated AppVM.
This can be done with the command qvm-block attach <isolated vm> dom0:<disk>
in dom0.
Decrypting the Disk
-
Find the disk to be accessed:
-
Open a Linux terminal in either dom0 or the AppVM the disk was passed through to and enter
lsblk
, which will result in an output similar to the following. In this example, the currently booted Qubes system is installed onsda
and the qubes system to be accessed is onnvme0n1p2
.sda 8:0 0 111.8G 0 disk ├─sda1 8:1 0 200M 0 part /boot/efi ├─sda2 8:2 0 1G 0 part /boot └─sda3 8:3 0 110.6G 0 part └─luks-fed62fc2-2674-266d-2667-2667259cbdec 253:0 0 110.6G 0 crypt ├─qubes_dom0-pool00_tmeta 253:1 0 88M 0 lvm │ └─qubes_dom0-pool00-tpool 253:3 0 84.4G 0 lvm │ ├─qubes_dom0-root 253:4 0 84.4G 0 lvm / │ ├─qubes_dom0-pool00 253:6 0 84.4G 0 lvm ├─qubes_dom0-vm--fedora--30--dvm--private--1576749131--back 253:7 0 2G 0 lvm ├─qubes_dom0-pool00_tdata 253:2 0 84.4G 0 lvm │ └─qubes_dom0-pool00-tpool 253:3 0 84.4G 0 lvm │ ├─qubes_dom0-root 253:4 0 84.4G 0 lvm / │ ├─qubes_dom0-pool00 253:6 0 84.4G 0 lvm │ ├─qubes_dom0-vm--fedora--30--dvm--private--1576749131--back 253:7 0 2G 0 lvm └─qubes_dom0-swap 253:5 0 4G 0 lvm [SWAP] sdb 8:16 0 447.1G 0 disk ├─sdb1 8:17 0 549M 0 part └─sdb2 8:18 0 446.6G 0 part sr0 11:0 1 1024M 0 rom nvme0n1 259:0 0 465.8G 0 disk ├─nvme0n1p1 259:1 0 1G 0 part └─nvme0n1p2 259:2 0 464.8G 0 part
-
-
Decrypt the disk using the command
cryptsetup luksOpen /dev/<disk>
.
Accessing LVM Logical Volumes
- If using an AppVM or standard Linux, LVM should automatically discover the Qubes LVM configuration. In this case, continue to step 4.
- Qubes uses the default name
qubes_dom0
for it's LVM VG. This will conflict with the name of the VG of the currently installed system. To read both, you will have to rename the VG. Note: If this is not reversed, the Qubes install being accessed will not be bootable. - Find the UUID of the vg to be accessed using the command
vgdisplay
. This will be the VG namedqubes_dom0
which is not marked active. - The command
vgrename <UUID> other_install
will rename the VG.
- Qubes uses the default name
- Run the command
vgscan
to add any new VGs to the device list.
Mounting the disk
- Find the disk to be accessed. The
lsblk
command above may be of use. The following rules apply by default:
Disk name | Data type | Explanation |
---|---|---|
other_install/root | dom0 root | The root partition of dom0. |
other_install/-private | VM | The /rw partition of the named VM. |
other_install/-root | templateVM root | The root partition of the named TemplateVM. |
other_install/pool00_tmeta | LVM Metadata | The metadata LV of this disk. |
- Mount the disk using the command
mount /dev/other_install/<lv name> <mountpoint>
. Note: Any compromised data which exists in the volume to be mounted will be accessible here. Do not mount untrusted partitions in dom0.
At this point, all files are available in the chosen mountpoint.
Reverting Changes
Any changes which were made to the system in the above steps will need to be reverted before the disk will properly boot. However, LVM will not allow an VG to be renamed to a name already in use. Thes steps must occur either in an AppVM or using recovery media.
- Unmount any disks that were accessed.
- Rename the VG back to qubes_dom0 using the command
vgrename other_install qubes_dom0
.