I pulled a stupid and typed my Qubes password into a website and hit enter. I thought this was a terrible compromise, but now I’m thinking unless the owners of that website can get physical access to my Qubes laptop, there isn’t anything they can do with the password. Please correct this if I’m wrong and there is some ability for them to ssh using it (makes no sense to me because that password shouldn’t apply to the net qube, right?).
Well then I pulled another stupid and changed my password in a hurry and forgot it. But when I rebooted I noticed I could still decrypt the hard drive (that password didn’t get changed apparently). So I figured I should be able to look at it by booting from the installation USB I used to install Qubes in the first place, but it says: “You don’t have any Linux partitions. Rebooting” (but then doesn’t reboot, probably because that process was running within tmux).
So I just dd’ed my entire (non-boot) partition to an iso on a thumbdrive and I will probably wipe and reinstall, but is there any way for me to get my data out of that iso file?
You changed your user password right?
If that’s the only thing you did, you can boot a live system like Ubuntu and mount the disk to get access to your data. Something like this can help you do it:
If I remember correctly, you even have a rescue entry in the Qubes ISO if you still have it.
If you can’t do what I said above and you only have the image left, you can mount it with sudo losetup -f <path to your image> and then open the LUKS volume with sudo cryptsetup luksOpen /dev/loopXX qubes (Where XX is the assigned loop device, should be 0).
You can then follow the guide I provided for LUKS above.
That really helps. In a new install of Qubes, I was able to mount my external drive (with the ISO), then do the two commands you gave. After I typed in the password my drive was encrypted with, I got a TON of different devices showing up in the little dropdown thing Qubes uses.
Now is the next step to create a qube for each qube I want to rescue and attach the relevant “device” to that new qube? It is hard for me to tell what qube settings I should use for each…
Everything you see appearing are lvm logical volumes. Both private (Everything in /home and /rw) and root volumes (Template or StandaloneVM system files) will be available.
First, make sure that lvm2 is installed in your qube, as it will be needed for the next steps.
Get the volume group name with sudo vgs, it should be qubes_dom0 by default.
Enable all volumes in that group: sudo vgchange -ay qubes_dom0
Now you are able to mount any logical volume that you want. For example, if you have a qube named Personal, you have to do the following commands to mount it:
Create a directory for future mount command: sudo mkdir /mnt/tmp
Mount the Personal private volume to the created directory: sudo mount /dev/qubes_dom0/vm-Personal-private /mnt/tmp
cd to that directory and you’ll have access to your data.
Replace “Personal” with any qube you want, check with sudo lvs for all names.
When you are fully done with your data recovery, here are the commands to unmount everything properly:
Actually what I was really looking for was to somehow convert all these drives to a Qubes backup file or something that is easily bulk-imported into new Qubes, if at all possible. If not, I’ll do the data forensics version you are thinking of where I dig through and find the most important files.
But I’d rather import entire qubes because, like I hinted, I don’t know off the top of my head qube settings like how big each qube should be and whether it is HVM and which firewall rules and so on…