Manually Mount LUKS Encrypted Logical Volumes

Introduction

This post explains how you can manually open a LUKS encrypted logical volume, which can be useful if your encrypted system does not properly boot and you are trying to fix it from a live Linux or if you want to access an encrypted disk from another system.

The following steps were performed using the live Linux Grml ¹ on a system with LUKS full disk encryption that contains one volume group and several logical volumes. More information can be found in the manpages of the used tools ² ³ ⁴ ⁵ ⁶.

Decrypting the Disk

First, you have to decrypt the disk. Get name of the encrypted disk:

# fdisk -l
Disk /dev/nvme0n1: 953.87 GiB, 1024209543168 bytes, 2000409264 sectors
Disk model: WD PC SN810 SDCQNRY-1T00-1001           
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 31EE653B-CDD1-D749-A097-990970E2745D
 
Device           Start        End    Sectors   Size Type
/dev/nvme0n1p1    2048    1026047    1024000   500M EFI System
/dev/nvme0n1p2 1026048 2000408575 1999382528 953.4G Linux filesystem

[...]

In this case, the /dev/nvme0n1p2 device is the encrypted disk.

Decrypt the disk and give it a name like luks:

# cryptsetup open /dev/nvme0n1p2 luks
Enter passphrase for /dev/nvme0n1p2: 
cryptsetup open /dev/nvme0n1p2 luks  8.23s user 0.23s system 108% cpu 8.197 total

The decrypted device is now available in /dev/mapper/luks:

# fdisk -l
[...]
 
Disk /dev/mapper/luks: 953.36 GiB, 1023667077120 bytes, 1999349760 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Accessing the Logical Volumes

The volume group and their logical volumes are now visible to your system. List the volume groups and logical volumes:

# vgs
  VG     #PV #LV #SN Attr   VSize   VFree
  rootvg   1   4   0 wz--n- 953.36g    0 

# lvs
  LV   VG     Attr       LSize   Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  home rootvg -wi------- 869.36g                                                    
  root rootvg -wi-------  50.00g                                                    
  swap rootvg -wc-------   4.00g                                                    
  var  rootvg -wi-------  30.00g

The volume group is called rootvg and contains 4 logical volumes.

Activate the volume group, to make the logical volumes accessible to the system:

# vgchange -ay rootvg
  4 logical volume(s) in volume group "rootvg" now active

The logical volumes are now activated. This can be seen on the a attribute of the logical volumes:

# lvs
  LV   VG     Attr       LSize   Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  home rootvg -wi-a----- 869.36g                                                    
  root rootvg -wi-a-----  50.00g                                                    
  swap rootvg -wc-a-----   4.00g                                                    
  var  rootvg -wi-a-----  30.00g

The system now sees these logical volumes as block devices:

# lsblk
NAME              MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
[...]
nvme0n1           259:0    0 953.9G  0 disk  
├─nvme0n1p1       259:1    0   500M  0 part  
└─nvme0n1p2       259:2    0 953.4G  0 part  
  └─luks          253:0    0 953.4G  0 crypt 
    ├─rootvg-swap 253:1    0     4G  0 lvm   
    ├─rootvg-root 253:2    0    50G  0 lvm   
    ├─rootvg-var  253:3    0    30G  0 lvm

These are now accessible in /dev/mapper/:

# ls -l /dev/mapper/
[...]
lrwxrwxrwx 1 root root       7 Dec 18 10:23 rootvg-home -> ../dm-4
lrwxrwxrwx 1 root root       7 Dec 18 10:23 rootvg-root -> ../dm-2
lrwxrwxrwx 1 root root       7 Dec 18 10:23 rootvg-swap -> ../dm-1
lrwxrwxrwx 1 root root       7 Dec 18 10:23 rootvg-var -> ../dm-3

Alternatively, these are also accessible in /dev/rootvg/{home,root,swap,var}.

Mounting the Logical Volumes

The logical volumes can now be mounted:

# mkdir /tmp/home
# mount /dev/mapper/rootvg-home /tmp/home

You can now access the files:

# ls /tmp/home 
emanuel  lost+found

Clean Unmount

Ummount after you are done:

# umount /tmp/home

Deactivate the volume group:

# vgchange -an rootvg
  0 logical volume(s) in volume group "rootvg" now active

⚠️ You should not export the volume group using vgexport ⁷, because the encrypted system will then not be able to open the volume group during boot. If you did so, you have to import the volume group again using vgimport rootvg ⁸.

Close the encrypted disk:

# cryptsetup close luks

You can now reboot your system.

Grml Live Linux: https://grml.org/ ↩︎
cryptsetup(8): https://manpages.debian.org/trixie/cryptsetup-bin/cryptsetup.8.en.html ↩︎
vgs(8): https://manpages.debian.org/trixie/lvm2/vgs.8.en.html ↩︎
lvs(8): https://manpages.debian.org/trixie/lvm2/lvs.8.en.html ↩︎
vgchange(8): https://manpages.debian.org/trixie/lvm2/vgchange.8.en.html ↩︎
lsblk(8): https://manpages.debian.org/trixie/util-linux-locales/lsblk.8.de.html ↩︎
vgexport(8): https://manpages.debian.org/trixie/lvm2/vgexport.8.en.html ↩︎
vgimport(8): https://manpages.debian.org/trixie/lvm2/vgimport.8.en.html ↩︎

Introduction#

Decrypting the Disk#

Accessing the Logical Volumes#

Mounting the Logical Volumes#

Clean Unmount#

Comments

Introduction

Decrypting the Disk

Accessing the Logical Volumes

Mounting the Logical Volumes

Clean Unmount