Recover an encrypted Linux boot volume

Use this procedure to restore a Linux boot volume that was encrypted with CloudLink version 5.5 or higher.

Procedure

  1. Shut down the machine (CloudLinkVM-1) with the encrypted Linux boot volume that needs to be recovered.
  2. Deploy a machine (CloudLinkVM-2) that uses a Linux distribution supported by CloudLink.
    NOTE: When you create CloudLinkVM-2, use a template different from the one used for CloudLinkVM-1 to prevent volumes from having the same root volume UUID.
  3. Install CloudLink Agent on the new machine (CloudLinkVM-2).
  4. Connect the new machine (CloudLinkVM-2) to the same CloudLink Center used by the old machine (CloudLinkVM-1).
  5. Move the disk containing the encrypted root volume from the old machine (CloudLinkVM-1) and attach it to the new machine (CloudLinkVM-2).
    NOTE: For a root logical volume on LVM: before attaching the disk to CloudLinkVM-2 for recovery, ensure CloudLinkVM-2 does not have an LVM group with the same name.
  6. Ensure the root volume is detected by the operating system.
    • Newer Linux distributions are configured to automatically detect block devices when attached. If this does not happen, run the following command:
      svm reload
    • If the original machine has the root file system on an LVM volume, you may need to activate the volume so it appears as a block device.
    WARNING: DO NOT restart CloudLinkVM-2, because restarting it can cause a Linux kernel panic.
  7. When the attached root volume is available on CloudLinkVM-2, run the following command:
    svm recover <existing empty directory> <root volume name>
    Example commands for a root file system on LVM:
    svm recover /mnt/recovery /dev/system/root
    svm recover /mnt/recovery /dev/mapper/centos-root
    svm recover /mnt/recovery /dev/ubuntu-vg/root
    Example commands for a regular root partition:
    svm recover /mnt/recovery /dev/sdb2
    svm recover /mnt/recovery /dev/xvdc1
  8. Run the following command to restart the svmd service so that it recognizes and unlocks the volume:
    service svmd restart
  9. Verify that the volume's status is locked when you run the following command:
    svm status
  10. Accept the pending volume to release the encryption keys. If the machine is put in the pending state because CloudLink Center cannot release the keys for the recovered volume, you need to manually accept the recovered volume, as follows:
    1. In CloudLink Center, go to Machines.
    2. Select the machine with the recovered volume.
    3. Select Actions > Pending Volumes.
    4. Select the recovered volume and click Accept.
  11. After the volume is accepted in CloudLink Center, verify that the volume's status is encrypted when you run the following command:
    svm status

Results

The data can now be copied from the volume or the volume can be decrypted.
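
The two NOTEs in steps 2 and 5 (a duplicate root volume UUID and a duplicate LVM group name) can be checked with a short script. This is an added example, not part of the CloudLink documentation or tooling; the function names and sample data are constructed, and it assumes the colliding identifier is visible in the UUID column of `lsblk` and that the `vgs` output was captured on CloudLinkVM-2 before the disk was attached.

```bash
#!/usr/bin/env bash
# Added example (not CloudLink code): collision checks for the two NOTEs.
# Each function reads command output on stdin, so it also runs offline.

# Succeeds if VG name $1 appears on stdin.
# Live input on CloudLinkVM-2, before attaching: vgs --noheadings -o vg_name
vg_name_in_use() {
    awk -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

# Prints "UUID dev dev..." for every UUID carried by more than one device.
# Input lines are "NAME UUID"; devices with no UUID are skipped.
# Live input on CloudLinkVM-2, after attaching: lsblk -rno NAME,UUID
duplicate_uuids() {
    awk 'NF == 2 { n[$2]++; devs[$2] = devs[$2] " " $1 }
         END { for (u in n) if (n[u] > 1) print u devs[u] }' | sort
}

# recovery_precheck OLD_VG VGS_OUTPUT LSBLK_OUTPUT
# Returns non-zero and explains why if either collision is present.
recovery_precheck() {
    local rc=0 dups
    if [ -n "$1" ] && printf '%s\n' "$2" | vg_name_in_use "$1"; then
        echo "volume group '$1' already exists on this machine"
        rc=1
    fi
    dups=$(printf '%s\n' "$3" | duplicate_uuids)
    if [ -n "$dups" ]; then
        echo "duplicate UUIDs: $dups"
        rc=1
    fi
    return "$rc"
}

# Constructed sample data: a recovery host built from the same template as
# the old machine, so the VG name and the root UUID both collide.
SAMPLE_VGS='  centos'
SAMPLE_LSBLK='sda
sda1 aaaaaaaa-0000-4000-8000-000000000001
sda2 bbbbbbbb-0000-4000-8000-000000000002
sdb
sdb1 cccccccc-0000-4000-8000-000000000003
sdb2 bbbbbbbb-0000-4000-8000-000000000002'

if recovery_precheck centos "$SAMPLE_VGS" "$SAMPLE_LSBLK"; then
    echo "no collisions detected"
else
    echo "resolve the collisions above before running svm recover"
fi
```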