www/content/blog/debian/ovh-rescue.md

---
title: 'Fixing an encrypted Debian system boot'
description: 'From booting in UEFI mode to legacy BIOS mode'
date: '2024-09-19'
tags:
- Debian
---

## Introduction

Some time ago, I reinstalled one of my OVH vps instances. I used a virtual machine image of a Debian Linux that I initially prepared for a GCP host a few months ago. It was setup to boot with UEFI, and I discovered that OVH does not offer it (at least on its small VPS offering).

It is a problem because this is a system with an encrypted root partition. In order to boot with an encrypted partition in BIOS mode, grub needs some extra space than it does not when in UEFI mode.

I could rebuild an image from scratch, or I could hop onto an OVH rescue image and fix it. I took the later approach in order to refresh my rescue skills.

## Mounting the partitions from the rescue image

This system has an encrypted block device holding an LVM set of volumes. Since the rescue image does not have the necessary tools, I installed them with:
``` shell
apt update -qq
apt install -y cryptsetup lvm2
```

I refreshed my knowledge of the layout with
``` shell
blkid
fdisk -l /dev/sdb
```

Opening the encrypted block device is done with:
``` shell
cryptsetup luksOpen /dev/sdb3 sda3_crypt
```

Note that I am mounting a sdb device because we are in OVH rescue, but it was known as sda during the installation. I need to use the same name otherwise grub will mess up when I regenerate its configuration and the system will not reboot properly.

The LVM subsystem now needs to be activated with:
``` shell
vgchange -ay vg
```

Now to mount the partitions and chroot into our system:

``` shell
mount /dev/vg/root /mnt
cd /mnt
mount -R /dev dev
mount -R /proc proc
mount -R /sys sys
chroot ./
mount /boot
```

## Replacing the EFI partition with a BIOS boot partition

My system had an EFI partition in /dev/sdb1: this is not suitable for booting a grub2 system to an encrypted volume directly from BIOS. I replaced it with a BIOS boot partition with:
``` shell
fdisk /dev/sdb
Command (m for help): d
Partition number (1-3, default 3): 1
Partition 1 has been deleted.

Command (m for help): n
Partition number (1,4-128, default 1): 1
First sector (34-41943006, default 2048):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-1050623, default 1050623):

Created a new partition 1 of type 'Linux filesystem' and of size 512 MiB.

Command (m for help): t
Partition number (1-3, default 3): 1
Partition type or alias (type L to list all): 4
w
```

Reinstalling grub was a matter of:
``` shell
apt install grub-pc
update-grub
grub-install /dev/sdb
```

I am not sure whether it was necessary or not but I rebuilt the initramfs in case the set of modules needed by the kernel would be different:
``` shell
update-initramfs -u
```

## Cleanup

Close the chroot session with either `C-d` or the `exit` command. Then umount all partitions with:
``` shell
cd /
umount -R -l /mnt
```

Deactivate the LVM subsystem with:
``` shell
vgchange -an
```

Close the luks volume with:
``` shell
cryptsetup luksClose sda3_crypt
```

Sync all data to disks just in case:
``` shell
sync
```

Then reboot in normal mode from the OVH management webui.

## Conclusion

This was a fun repair operation!
added ovh rescue blog article 2024-09-19 22:39:59 +02:00			`---`
			`title: 'Fixing an encrypted Debian system boot'`
			`description: 'From booting in UEFI mode to legacy BIOS mode'`
			`date: '2024-09-19'`
			`tags:`
			`- Debian`
			`---`

			`## Introduction`

			`Some time ago, I reinstalled one of my OVH vps instances. I used a virtual machine image of a Debian Linux that I initially prepared for a GCP host a few months ago. It was setup to boot with UEFI, and I discovered that OVH does not offer it (at least on its small VPS offering).`

			`It is a problem because this is a system with an encrypted root partition. In order to boot with an encrypted partition in BIOS mode, grub needs some extra space than it does not when in UEFI mode.`

			`I could rebuild an image from scratch, or I could hop onto an OVH rescue image and fix it. I took the later approach in order to refresh my rescue skills.`

			`## Mounting the partitions from the rescue image`

			`This system has an encrypted block device holding an LVM set of volumes. Since the rescue image does not have the necessary tools, I installed them with:`
			``` shell
			`apt update -qq`
			`apt install -y cryptsetup lvm2`
			```

			`I refreshed my knowledge of the layout with`
			``` shell
			`blkid`
			`fdisk -l /dev/sdb`
			```

			`Opening the encrypted block device is done with:`
			``` shell
			`cryptsetup luksOpen /dev/sdb3 sda3_crypt`
			```

			`Note that I am mounting a sdb device because we are in OVH rescue, but it was known as sda during the installation. I need to use the same name otherwise grub will mess up when I regenerate its configuration and the system will not reboot properly.`

			`The LVM subsystem now needs to be activated with:`
			``` shell
			`vgchange -ay vg`
			```

			`Now to mount the partitions and chroot into our system:`

			``` shell
			`mount /dev/vg/root /mnt`
			`cd /mnt`
			`mount -R /dev dev`
			`mount -R /proc proc`
			`mount -R /sys sys`
			`chroot ./`
			`mount /boot`
			```

			`## Replacing the EFI partition with a BIOS boot partition`

			`My system had an EFI partition in /dev/sdb1: this is not suitable for booting a grub2 system to an encrypted volume directly from BIOS. I replaced it with a BIOS boot partition with:`
			``` shell
			`fdisk /dev/sdb`
			`Command (m for help): d`
			`Partition number (1-3, default 3): 1`
			`Partition 1 has been deleted.`

			`Command (m for help): n`
			`Partition number (1,4-128, default 1): 1`
			`First sector (34-41943006, default 2048):`
			`Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-1050623, default 1050623):`

			`Created a new partition 1 of type 'Linux filesystem' and of size 512 MiB.`

			`Command (m for help): t`
			`Partition number (1-3, default 3): 1`
			`Partition type or alias (type L to list all): 4`
			`w`
			```

			`Reinstalling grub was a matter of:`
			``` shell
			`apt install grub-pc`
			`update-grub`
			`grub-install /dev/sdb`
			```

			`I am not sure whether it was necessary or not but I rebuilt the initramfs in case the set of modules needed by the kernel would be different:`
			``` shell
			`update-initramfs -u`
			```

			`## Cleanup`

			Close the chroot session with either `C-d` or the `exit` command. Then umount all partitions with:
			``` shell
			`cd /`
			`umount -R -l /mnt`
			```

			`Deactivate the LVM subsystem with:`
			``` shell
			`vgchange -an`
			```

			`Close the luks volume with:`
			``` shell
			`cryptsetup luksClose sda3_crypt`
			```

			`Sync all data to disks just in case:`
			``` shell
			`sync`
			```

			`Then reboot in normal mode from the OVH management webui.`

			`## Conclusion`

			`This was a fun repair operation!`