System: Arch Linux with LUKS + LVM
Overview
This guide documents the process of migrating /home from an existing LUKS+LVM setup to a new encrypted drive while maintaining the same security architecture (LVM on LUKS).
System Configuration:
- Arch Linux
- LUKS encryption
- LVM for volume management
- Existing setup: /dev/sda2 → LUKS → LVM (root, swap, home)
- Goal: move home to a new /dev/sdb1 → LUKS → LVM
Prerequisites
- Root access (SSH as root enabled)
- New disk added to VM/system
- Existing data backed up (recommended)
Step 1: Prepare the New Disk
1.1 Verify New Disk
lsblk
Expected output shows new disk (e.g., /dev/sdb).
1.2 Create Partition
fdisk /dev/sdb
Commands in fdisk:
n - new partition
p - primary
1 - partition number
Press Enter twice (default start/end)
w - write changes
1.3 Verify Partition
lsblk
Should show /dev/sdb1.
Step 2: Encrypt with LUKS
2.1 Format with LUKS
cryptsetup luksFormat /dev/sdb1
- Type YES (uppercase) to confirm
- Enter a strong passphrase
2.2 Open Encrypted Partition
cryptsetup open /dev/sdb1 crypthome
Enter the passphrase you just set.
Step 3: Setup LVM
3.1 Create Physical Volume
pvcreate /dev/mapper/crypthome
3.2 Create Volume Group
vgcreate vg-home /dev/mapper/crypthome
3.3 Create Logical Volume
lvcreate -l 100%FREE vg-home -n home
3.4 Format with ext4
mkfs.ext4 /dev/vg-home/home
Step 4: Copy Data
4.1 Create Mount Points
mkdir -p /mnt/oldhome
mkdir -p /mnt/newhome
4.2 Mount Old and New Home
mount /dev/mapper/athena-home /mnt/oldhome # Adjust based on your VG name
mount /dev/vg-home/home /mnt/newhome
4.3 Copy Data with rsync
rsync -avxHAX /mnt/oldhome/ /mnt/newhome/
Options explained:
-a - archive mode (preserves permissions, timestamps, etc.)
-v - verbose
-x - don't cross filesystem boundaries
-H - preserve hard links
-A - preserve ACLs
-X - preserve extended attributes
4.4 Verify Copy
du -sh /mnt/oldhome
du -sh /mnt/newhome
Both should show the same size.
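Comparing du totals only catches gross copy failures; sparse files or different block allocation can make two identical trees report different sizes, and an identical total can hide a single truncated file. The following script is an added example, not part of the original guide: it builds a per-file manifest (relative path, CRC, size, mode, owner) of both trees and compares them. It assumes a GNU or busybox stat (as on Arch) for the mode/owner fields, and takes the two directories as parameters so it can be pointed at the guide's /mnt/oldhome and /mnt/newhome.

```shell
#!/bin/sh
# Added example (not from the original guide): verify an rsync copy
# file-by-file instead of trusting du totals.
# Usage: verify_copy /mnt/oldhome /mnt/newhome

# manifest DIR: one line per regular file, sorted by relative path:
#   ./path CRC SIZE MODE:UID:GID
# cksum is POSIX; stat -c is a GNU/busybox extension (assumed here).
manifest() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        set -- $(cksum "$f")        # fields: CRC SIZE NAME (only $1 $2 used)
        printf '%s %s %s %s\n' "$f" "$1" "$2" "$(stat -c '%a:%u:%g' "$f")"
    done )
}

# verify_copy SRC DST: return 0 when both trees contain the same files with
# the same content, size, permissions and ownership; otherwise print the
# differing manifest lines (diff style) and return 1.
verify_copy() {
    a=$(mktemp) || return 2
    b=$(mktemp) || { rm -f "$a"; return 2; }
    manifest "$1" > "$a"
    manifest "$2" > "$b"
    if cmp -s "$a" "$b"; then
        printf 'OK: %s files identical in %s and %s\n' "$(wc -l < "$a")" "$1" "$2"
        rc=0
    else
        printf 'MISMATCH between %s and %s:\n' "$1" "$2"
        diff "$a" "$b"
        rc=1
    fi
    rm -f "$a" "$b"
    return $rc
}
```

Run it while both trees are still mounted (after 4.3, before 4.4's unmount in Step 7); any line printed with `<` exists or differs in the old home, `>` in the new one. Hard links are not compared; if you rely on them, check link counts separately.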
Step 5: Configure Automatic Decryption
5.1 Generate Keyfile
dd if=/dev/urandom of=/root/crypthome.key bs=1024 count=4
5.2 Secure Keyfile
chmod 000 /root/crypthome.key
5.3 Add Keyfile to LUKS
cryptsetup luksAddKey /dev/sdb1 /root/crypthome.key
Enter your LUKS passphrase when prompted.
Step 6: Update System Configuration
6.1 Get UUID of Encrypted Partition
blkid /dev/sdb1
Copy the UUID value.
6.2 Update /etc/crypttab
nano /etc/crypttab
Add this line (replace with your actual UUID):
crypthome UUID=your-actual-uuid-here /root/crypthome.key luks
6.3 Update /etc/fstab
nano /etc/fstab
Comment out the old home line:
# /dev/mapper/athena-home /home ext4 defaults 0 2
Add new home line:
/dev/vg-home/home /home ext4 defaults 0 2
6.4 Reload systemd
systemctl daemon-reload
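A typo in either file from Step 6 is the usual cause of the emergency-mode boot described under Troubleshooting, so it pays to check the entries before rebooting. The script below is an added example and not part of the original guide. It checks that /etc/crypttab has exactly one active entry for the mapping name, that the entry refers to the device by UUID= with a well-formed UUID (optionally compared against what blkid reports), that it carries the luks option, and that the keyfile it names exists and is not readable by group or others; it then checks that /etc/fstab has exactly one active entry for the mount point. File paths are parameters so the same checks can run against copies; the stat -c call assumes GNU or busybox stat.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check the crypttab and
# fstab entries from Step 6 before rebooting.
# Usage:
#   check_crypttab crypthome /etc/crypttab "$(blkid -s UUID -o value /dev/sdb1)"
#   check_fstab /home /etc/fstab

# check_crypttab NAME FILE [EXPECTED_UUID]
check_crypttab() {
    name=$1 file=$2 want=${3:-}
    # Exactly one active entry; duplicates make systemd's choice order-dependent.
    n=$(awk -v n="$name" '$1 == n { c++ } END { print c + 0 }' "$file")
    [ "$n" -eq 1 ] || { echo "FAIL: $n entries for $name in $file"; return 1; }
    set -- $(awk -v n="$name" '$1 == n' "$file")
    dev=$2 key=$3 opts=${4:-}
    # Device must be referenced by UUID, not by /dev/sdX, which can renumber.
    case $dev in
        UUID=*) uuid=${dev#UUID=} ;;
        *) echo "FAIL: device should be UUID=..., got '$dev'"; return 1 ;;
    esac
    echo "$uuid" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' \
        || { echo "FAIL: malformed UUID '$uuid'"; return 1; }
    if [ -n "$want" ] && [ "$uuid" != "$want" ]; then
        echo "FAIL: crypttab UUID $uuid does not match device UUID $want"; return 1
    fi
    case ",$opts," in
        *,luks,*) ;;
        *) echo "FAIL: options '$opts' do not include luks"; return 1 ;;
    esac
    [ -f "$key" ] || { echo "FAIL: keyfile $key does not exist"; return 1; }
    # stat -c %a prints e.g. 600 or 0; normalise to three octal digits and
    # require the group and other digits to be zero (000 or 600 both pass).
    mode=$(printf '%03o' "0$(stat -c '%a' "$key")")
    case $mode in
        *00) ;;
        *) echo "FAIL: keyfile $key mode $mode is readable by group/others"; return 1 ;;
    esac
    echo "OK: $name -> UUID=$uuid keyfile=$key options=$opts"
    return 0
}

# check_fstab MOUNTPOINT FILE: exactly one uncommented entry for MOUNTPOINT
# (the old athena-home line must be commented out, not left in place).
check_fstab() {
    n=$(awk -v m="$1" '$1 !~ /^#/ && $2 == m { c++ } END { print c + 0 }' "$2")
    if [ "$n" -eq 1 ]; then
        echo "OK: one active fstab entry for $1"
        return 0
    fi
    echo "FAIL: $n active fstab entries for $1 in $2"
    return 1
}
```

Both functions return non-zero on the first problem found, so `check_crypttab ... && check_fstab ... && reboot` only reboots when the configuration passes. The keyfile ownership is deliberately not asserted so the checks can run against copied files; on the live system the file should be owned by root as created in Step 5.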
Step 7: Test Configuration
7.1 Unmount Everything
umount /mnt/oldhome
umount /mnt/newhome
7.2 Test New Home Mount
mount /dev/vg-home/home /home
ls -la /home
df -h | grep home
Verify your user directory and files are present.
7.3 Test Automatic Decryption
# Unmount home
umount /home
# Deactivate LVM
lvchange -an /dev/vg-home/home
vgchange -an vg-home
# Close encrypted device
cryptsetup close crypthome
# Test automatic opening with crypttab
systemd-cryptsetup attach crypthome /dev/sdb1 /root/crypthome.key luks
# Should open WITHOUT prompting for passphrase
# Activate LVM
vgchange -ay vg-home
# Mount home
mount /home
# Verify
ls -la /home
If this works without asking for a passphrase, configuration is correct!
Step 8: Reboot and Verify
8.1 Reboot System
reboot
8.2 After Reboot Verification
lsblk
df -h | grep home
mount | grep home
ls -la ~
Expected behavior:
- System prompts for passphrase once (for main disk)
- New home decrypts automatically via keyfile
- /home is mounted and accessible
- All user data intact
Step 9: Cleanup Old Home (Optional)
WARNING: Only proceed after confirming new home works perfectly for several days!
9.1 Verify New Home Usage
df -h
lsblk
9.2 Remove Old Home LV
umount /dev/mapper/athena-home # If still mounted
lvremove /dev/mapper/athena-home
Type y to confirm.
9.3 Extend Root LV (Optional)
If you want to add the reclaimed space to root:
# Extend logical volume
lvextend -l +100%FREE /dev/mapper/athena-root
# Resize filesystem
resize2fs /dev/mapper/athena-root
# Verify
df -h
Troubleshooting
Emergency Mode on Boot
Symptoms: System boots into emergency mode, home not mounted
Solution:
- Enter root password in emergency mode
- Check logs:
journalctl -xb | grep -i crypt
journalctl -xb | grep -i home
- Check configuration:
cat /etc/crypttab
cat /etc/fstab
- Verify UUID matches:
blkid /dev/sdb1
- Manually decrypt and mount:
cryptsetup open /dev/sdb1 crypthome
vgchange -ay vg-home
mount /dev/vg-home/home /home
- Fix configuration files and reboot
Keyfile Not Working
Verify keyfile permissions and location:
ls -l /root/crypthome.key
Should show: ---------- 1 root root
Test manual decryption with keyfile:
cryptsetup open /dev/sdb1 crypthome --key-file /root/crypthome.key
Security Notes
- Keyfile Security: The keyfile is stored on the encrypted root partition, so it’s only accessible after the main disk is decrypted
- Passphrase: Keep a secure backup of your LUKS passphrase - the keyfile is for convenience, but passphrase recovery is the fallback
- Root SSH: Disable root SSH after completing migration:
nano /etc/ssh/sshd_config
# Change: PermitRootLogin no
systemctl restart sshd
Summary
This process successfully migrates /home to a new encrypted drive while:
- ✅ Maintaining LUKS encryption
- ✅ Using LVM for flexibility
- ✅ Automatic decryption via keyfile
- ✅ Single passphrase prompt at boot
- ✅ All data integrity preserved
- ✅ Proper permissions and ownership maintained
Related Commands Reference
Check Encryption Status
cryptsetup status <device-name>
cryptsetup luksDump /dev/sdX
LVM Commands
pvs # List physical volumes
vgs # List volume groups
lvs # List logical volumes
pvdisplay # Detailed PV info
vgdisplay # Detailed VG info
lvdisplay # Detailed LV info
Mount Information
lsblk -f # Show filesystems
findmnt # Show all mounts
df -h # Disk space usage