Mounting a LUKS-encrypted filesystem that's part of a Xen domU with LVM-backed storage
the starting premises
- You run a Xen virtual Linux machine, domU, on the hypervisor host, dom0.
- domU's virtual disk takes the form of an LVM2 logical volume on storage accessible to dom0.
- domU's virtual disk is partitioned in a straightforward fashion: partition 1 is an EXT3 filesystem, mounted at /boot; partition 2 is swap; partition 3 is the root filesystem.
- the swap and root partitions are encrypted using the LUKS framework
- You have root access to dom0.
- You need access to that root filesystem outside of the booted OS contained therein.
Thank you CentOS folks for the helpful EncryptedFilesystem HOWTO.
the bullet list
- get dom0's kernel to recognize the partition table in domU's backing store
- unlock the encrypted partition you need
- mount the now-unlocked partition in dom0
the full procedure
[root@dom0 ~]# kpartx -a /dev/mapper/vg00-domU
[root@dom0 ~]# ls /dev/mapper/vg00-domUp*
/dev/mapper/vg00-domUp1 /dev/mapper/vg00-domUp2 /dev/mapper/vg00-domUp3
[root@dom0 ~]# file -s /dev/mapper/vg00-domUp*
/dev/mapper/vg00-domUp1: Linux rev 1.0 ext3 filesystem data
/dev/mapper/vg00-domUp2: data
/dev/mapper/vg00-domUp3: data
[root@dom0 ~]# cryptsetup luksOpen /dev/mapper/vg00-domUp3 p3unlocked
Enter LUKS passphrase for /dev/mapper/vg00-domUp3: ************************
key slot 0 unlocked.
Command successful.
[root@dom0 ~]# mount /dev/mapper/p3unlocked /mnt/tmp/
[root@dom0 ~]# df -h /mnt/tmp/
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/p3unlocked 5.8G 5.1G 401M 93% /mnt/tmp
[root@dom0 ~]# umount /mnt/tmp/
[root@dom0 ~]# cryptsetup luksClose p3unlocked
[root@dom0 ~]# kpartx -d /dev/mapper/vg00-domU
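
The same procedure as a guarded script. This is an added example, not part of the original write-up: it refuses to proceed unless the guest is absent from the toolstack's domain list, confirms the LUKS header before prompting, and opens and mounts read-only. The xl toolstack, the XEN_TOOL and DRY_RUN variables and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Assumptions: the xl toolstack
# (set XEN_TOOL=xm on older hosts), read-only access is enough, and the
# DRY_RUN switch, which only prints the commands that would run.
XEN_TOOL="${XEN_TOOL:-xl}"
DRY_RUN="${DRY_RUN:-0}"

# With "kpartx -p p", partition N of /dev/mapper/NAME is mapped as NAMEpN.
part_dev() { printf '/dev/mapper/%sp%s\n' "$1" "$2"; }

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Succeeds only if the toolstack is present and does not list the guest.
# Opening the volume while the domU has it mounted gives inconsistent
# reads, and a read-write mount would corrupt it.
guest_is_down() {
    [ "$DRY_RUN" = 1 ] && return 0
    command -v "$XEN_TOOL" >/dev/null 2>&1 || return 1
    ! "$XEN_TOOL" list "$1" >/dev/null 2>&1
}

# Undo in reverse order: LUKS mapping (if any), then partition mappings.
teardown() {   # teardown LV [MAPNAME]
    [ -n "${2:-}" ] && run cryptsetup luksClose "$2"
    run kpartx -d -p p "/dev/mapper/$1"
}

# open_domu_part DOMAIN LV PARTNUM MAPNAME MOUNTPOINT
open_domu_part() {
    dom=$1 lv=$2 map=$4 mnt=$5
    dev=$(part_dev "$lv" "$3")
    guest_is_down "$dom" || { echo "$dom may be running; aborting" >&2; return 1; }
    run kpartx -a -p p "/dev/mapper/$lv" || return 1
    if [ "$DRY_RUN" != 1 ] && ! cryptsetup isLuks "$dev"; then
        echo "$dev has no LUKS header" >&2; teardown "$lv"; return 1
    fi
    # Read-only mapping and mount: dom0 cannot modify the guest's data.
    run cryptsetup luksOpen --readonly "$dev" "$map" || { teardown "$lv"; return 1; }
    run mount -o ro "/dev/mapper/$map" "$mnt" || { teardown "$lv" "$map"; return 1; }
}

# close_domu_part LV MAPNAME MOUNTPOINT
close_domu_part() { run umount "$3" && teardown "$1" "$2"; }

case "${1:-}" in
    open)  shift; open_domu_part "$@" ;;
    close) shift; close_domu_part "$@" ;;
esac
```

Saved under a name of your choice, it is invoked as `open domU vg00-domU 3 p3unlocked /mnt/tmp` and later `close vg00-domU p3unlocked /mnt/tmp`; prefix with DRY_RUN=1 to preview the commands first.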