qubes-doc/user/advanced-configuration/mount-from-other-os.md
Maya 8f8a8e50ea
Normalize frontmatter
- sort keys
- remove permalink from redirects
2021-03-14 16:18:10 +01:00

6.0 KiB

layout permalink redirect_from title
doc /doc/mount-from-other-os/
/en/doc/mount-from-other-os/
/doc/MountFromOtherOs/
/wiki/MountFromOtherOs/
Mounting and Decrypting Qubes Partitions from Outside Qubes

Mount and Decrypt Qubes Partition from Outside Qubes

When a QubesOS install is unbootable or booting it is otherwise undesirable, this process allows for the recovery of files stored within the system.

These functions are manual and do not require any Qubes specific tools. All steps assume the default Qubes install with the following components:

  • LUKS encrypted disk
  • LVM based VM storage

Before beginning, if attempting to access one Qubes system from another, it is recommended to pass the entire encrypted Qubes disk to an isolated AppVM. This can be done with the command qvm-block attach <isolated vm> dom0:<disk> in dom0.

Decrypting the Disk

  1. Find the disk to be accessed:

    1. Open a Linux terminal in either dom0 or the AppVM the disk was passed through to and enter lsblk, which will result in an output similar to the following. In this example, the currently booted Qubes system is installed on sda and the qubes system to be accessed is on nvme0n1p2.

      sda                                                                   8:0    0 111.8G  0 disk
      ├─sda1                                                                8:1    0   200M  0 part  /boot/efi
      ├─sda2                                                                8:2    0     1G  0 part  /boot
      └─sda3                                                                8:3    0 110.6G  0 part
        └─luks-fed62fc2-2674-266d-2667-2667259cbdec                       253:0    0 110.6G  0 crypt
          ├─qubes_dom0-pool00_tmeta                                       253:1    0    88M  0 lvm
          │ └─qubes_dom0-pool00-tpool                                     253:3    0  84.4G  0 lvm
          │   ├─qubes_dom0-root                                           253:4    0  84.4G  0 lvm   /
          │   ├─qubes_dom0-pool00                                         253:6    0  84.4G  0 lvm
          ├─qubes_dom0-vm--fedora--30--dvm--private--1576749131--back 253:7    0     2G  0 lvm
          ├─qubes_dom0-pool00_tdata                                       253:2    0  84.4G  0 lvm
          │ └─qubes_dom0-pool00-tpool                                     253:3    0  84.4G  0 lvm
          │   ├─qubes_dom0-root                                           253:4    0  84.4G  0 lvm   /
          │   ├─qubes_dom0-pool00                                         253:6    0  84.4G  0 lvm
          │   ├─qubes_dom0-vm--fedora--30--dvm--private--1576749131--back 253:7    0     2G  0 lvm
          └─qubes_dom0-swap                                               253:5    0     4G  0 lvm   [SWAP]
      sdb                                                                   8:16   0 447.1G  0 disk
      ├─sdb1                                                                8:17   0   549M  0 part
      └─sdb2                                                                8:18   0 446.6G  0 part
      sr0                                                                  11:0    1  1024M  0 rom
      nvme0n1                                                             259:0    0 465.8G  0 disk
      ├─nvme0n1p1                                                         259:1    0     1G  0 part
      └─nvme0n1p2                                                         259:2    0 464.8G  0 part
      
  2. Decrypt the disk using the command cryptsetup luksOpen /dev/<disk>.

Accessing LVM Logical Volumes

  1. If using an AppVM or standard Linux, LVM should automatically discover the Qubes LVM configuration. In this case, continue to step 4.
    1. Qubes uses the default name qubes_dom0 for it's LVM VG. This will conflict with the name of the VG of the currently installed system. To read both, you will have to rename the VG. Note: If this is not reversed, the Qubes install being accessed will not be bootable.
    2. Find the UUID of the vg to be accessed using the command vgdisplay. This will be the VG named qubes_dom0 which is not marked active.
    3. The command vgrename <UUID> other_install will rename the VG.
  2. Run the command vgscan to add any new VGs to the device list.

Mounting the disk

  1. Find the disk to be accessed. The lsblk command above may be of use. The following rules apply by default:
Disk name Data type Explanation
other_install/root dom0 root The root partition of dom0.
other_install/-private VM The /rw partition of the named VM.
other_install/-root templateVM root The root partition of the named TemplateVM.
other_install/pool00_tmeta LVM Metadata The metadata LV of this disk.
  1. Mount the disk using the command mount /dev/other_install/<lv name> <mountpoint>. Note: Any compromised data which exists in the volume to be mounted will be accessible here. Do not mount untrusted partitions in dom0.

At this point, all files are available in the chosen mountpoint.

Reverting Changes

Any changes which were made to the system in the above steps will need to be reverted before the disk will properly boot. However, LVM will not allow an VG to be renamed to a name already in use. Thes steps must occur either in an AppVM or using recovery media.

  1. Unmount any disks that were accessed.
  2. Rename the VG back to qubes_dom0 using the command vgrename other_install qubes_dom0.