Fehler, Verbesserungen oder Anmerkungen können mir gern per Email geschickt werden.

Voraussetzungen

  • Installiertes Debian mit luks1 verschlüsselter Boot-Partition
  • Das letzte Grub-Release 2.04 ist vom 2019-06-24.
  • Grub 2.06 oder höher wird voraussichtlich notwendig sein, um dieses Upgrade durchzuführen.
    • Bis dahin dient es als Training für die Fingerfertigkeiten und als Adaptionsvorlage.

Info

Wir werden auf einem PC GNU/Linux Debian Stable (Codename Buster / Version 10) installieren. Das Partitions-Layout wird wie folgt sein:

DEVICE                TYPE                            SIZE    MOUNTPOINT
nvme0n1               gpt                                
├─nvme0n1p1             part, vfat (F32)              512M    /boot/efi
├─nvme0n1p2             part, crypt
│ └─crypt_nvme0n1p2       ext4                        2048M   /boot
├─nvme0n1p3             part, crypt
│ ├─crypt_nvme0n1p3       btrfs @sysroot              230G    /
│ ├─crypt_nvme0n1p3       btrfs @syshome                      /home
│ ├─crypt_nvme0n1p3       btrfs @sysswap
│ └─crypt_nvme0n1p3       btrfs @snapshots
└─nvme0n1p4             part, crypt
  └─crypt_nvme0n1p4       swap                        16G    swap

Start

  • Ins Live-System starten
  • Tastaturlayout anpassen
  • Ggf. Bildschirmauflösung anpassen

Variables

# Install device.
DEV1="/dev/nvme0n1"
# Partition name prefix; could be something like sda, hdb or nvme0n1p.
DEV1PART="nvme0n1p"

# For every partition n the script uses four names:
#   DEV1PART<n>NAME       kernel name           (nvme0n1p<n>)
#   DEV1PART<n>           block device          (/dev/nvme0n1p<n>)
#   DEV1PART<n>CRYPTNAME  dm-crypt mapping name (crypt_nvme0n1p<n>)
#   DEV1PART<n>CRYPT      mapper device         (/dev/mapper/crypt_nvme0n1p<n>)

# Partition 1: EFI system partition (plain vfat, never opened as a crypt device).
DEV1PART1NAME="${DEV1PART}1"
DEV1PART1="/dev/${DEV1PART1NAME}"
DEV1PART1CRYPTNAME="Not_in_use_as_crypt"
DEV1PART1CRYPT="Not_in_use_as_crypt"

# Partition 2: encrypted /boot (the one being migrated to luks2).
DEV1PART2NAME="${DEV1PART}2"
DEV1PART2="/dev/${DEV1PART2NAME}"
DEV1PART2CRYPTNAME="crypt_${DEV1PART2NAME}"
DEV1PART2CRYPT="/dev/mapper/${DEV1PART2CRYPTNAME}"

# Partition 3: encrypted btrfs with the @sysroot / @syshome subvolumes.
DEV1PART3NAME="${DEV1PART}3"
DEV1PART3="/dev/${DEV1PART3NAME}"
DEV1PART3CRYPTNAME="crypt_${DEV1PART3NAME}"
DEV1PART3CRYPT="/dev/mapper/${DEV1PART3CRYPTNAME}"

# Partition 4: encrypted swap.
DEV1PART4NAME="${DEV1PART}4"
DEV1PART4="/dev/${DEV1PART4NAME}"
DEV1PART4CRYPTNAME="crypt_${DEV1PART4NAME}"
DEV1PART4CRYPT="/dev/mapper/${DEV1PART4CRYPTNAME}"

Upgrade

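# ROOT
# Open the root container (asks for its passphrase) and mount the @sysroot
# subvolume on /mnt. --allow-discards pairs with the 'discard' mount option.
# All expansions are quoted so a device path with unusual characters cannot
# be word-split into extra arguments.
cryptsetup luksOpen --allow-discards "${DEV1PART3}" "${DEV1PART3CRYPTNAME}"
# Mount sysroot into /mnt
mount -t btrfs -o noatime,discard,ssd,space_cache,commit=120,compress=zstd,autodefrag,defaults,subvol=@sysroot "${DEV1PART3CRYPT}" /mnt

# BOOT
# Open and mount the (still luks1) boot crypto device below the root mount.
mkdir -p /mnt/boot
cryptsetup luksOpen --allow-discards "${DEV1PART2}" "${DEV1PART2CRYPTNAME}"
mount -t ext4 -o noatime,discard,defaults "${DEV1PART2CRYPT}" /mnt/boot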

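# BOOT: Old UUIDs.
# Capture both identifiers of the current /boot before it is destroyed:
#  - the ext4 filesystem UUID (what fstab and grub's search lines refer to);
#    it is reused when the new filesystem is created so those references
#    stay valid,
#  - the LUKS header UUID (what crypttab and grub's cryptomount refer to);
#    it necessarily changes with luksFormat, so the old value is needed for
#    the later search-and-replace steps.
DEV1PART2CRYPTUUID_OLD=$(blkid -o value -s UUID "${DEV1PART2CRYPT}")
DEV1PART2UUID_OLD=$(blkid -o value -s UUID "${DEV1PART2}")

# BOOT: Remount read-only and copy the content into an archive.
# /boot was mounted on /mnt/boot above; archive from the same path.
mount -o remount,ro /mnt/boot
tar -C /mnt/boot --acls --xattrs --one-file-system -cf /tmp/boot.tar .
# The old container is wiped in the next step; make sure the archive can be
# read back first and do not continue if this reports an error.
tar -tf /tmp/boot.tar >/dev/null || printf 'WARNING: /tmp/boot.tar is not readable, do NOT continue\n' >&2
umount /mnt/boot
# luksClose takes the mapping name, not the /dev/mapper path.
cryptsetup luksClose "${DEV1PART2CRYPTNAME}"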

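# BOOT: Create new luks2 formatted partition, set filesystem and copy archive back.
# --pbkdf pbkdf2: GRUB's LUKS2 support (2.06) can only unlock PBKDF2 key
# slots; cryptsetup's luks2 default (argon2id) would leave /boot unbootable
# from GRUB. Confirm this against the GRUB version actually installed.
# Note: aes-xts-plain limits the IV space to 2 TiB, harmless for a 2G /boot;
# aes-xts-plain64 is the current cryptsetup default if you want to align.
cryptsetup luksFormat -y --type luks2 --cipher=aes-xts-plain --key-size=512 --hash=sha512 --pbkdf pbkdf2 --use-random "${DEV1PART2}"
cryptsetup luksOpen --allow-discards "${DEV1PART2}" "${DEV1PART2CRYPTNAME}"
# Reuse the filesystem UUID captured before luksFormat, so fstab and the grub
# search lines keep matching; only the LUKS header UUID changes. Abort if the
# old UUID was never captured instead of creating a filesystem with a random one.
mkfs.ext4 -L boot -U "${DEV1PART2CRYPTUUID_OLD:?old boot filesystem UUID not set}" "${DEV1PART2CRYPT}"
mount -t ext4 -o noatime,discard,defaults "${DEV1PART2CRYPT}" /mnt/boot

# BOOT: New UUIDs.
DEV1PART2UUID_NEW=$(blkid -o value -s UUID "${DEV1PART2}")
DEV1PART2CRYPTUUID_NEW=$(blkid -o value -s UUID "${DEV1PART2CRYPT}")

# BOOT: Recopy content back into new boot.
tar -C /mnt/boot --acls --xattrs -xf /tmp/boot.tar

# BOOT: Add the existing key file (the initramfs uses it to unlock /boot
# without a second passphrase prompt). Same PBKDF constraint as above so the
# slot stays readable by GRUB.
cryptsetup luksAddKey --key-slot=7 --pbkdf pbkdf2 "${DEV1PART2}" /mnt/etc/keys/boot.key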

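# HOME
# Mount the missing partitions. (crypt is already open)
# Expansions are quoted so the device paths reach mount as single arguments.
mount -t btrfs -o noatime,discard,ssd,space_cache,commit=120,compress=zstd,autodefrag,defaults,subvol=@syshome "${DEV1PART3CRYPT}" /mnt/home

# EFI
# Needed below: the EFI grub.cfg lives on this partition.
mount -t vfat -o noatime,discard,defaults "${DEV1PART1}" /mnt/boot/efi

# SWAP
cryptsetup luksOpen --allow-discards "${DEV1PART4}" "${DEV1PART4CRYPTNAME}"
#swapon -L swap "${DEV1PART4CRYPT}"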


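# Make fstab great again.
# fstab references /boot by its ext4 filesystem UUID. Refuse to run with an
# empty pattern: "s|UUID=|UUID=<new>|" would rewrite every UUID= entry.
: "${DEV1PART2CRYPTUUID_OLD:?old boot filesystem UUID not set}"
: "${DEV1PART2CRYPTUUID_NEW:?new boot filesystem UUID not set}"
cp /mnt/etc/fstab /mnt/etc/fstab.bak
sed -i "s|UUID=${DEV1PART2CRYPTUUID_OLD}|UUID=${DEV1PART2CRYPTUUID_NEW}|" /mnt/etc/fstab
cat /mnt/etc/fstab


# Make crypttab great again.
# crypttab references the container by its LUKS header UUID, which luksFormat
# changed. Same empty-pattern guard as for fstab; the edit targets crypttab.
: "${DEV1PART2UUID_OLD:?old boot LUKS UUID not set}"
: "${DEV1PART2UUID_NEW:?new boot LUKS UUID not set}"
cp /mnt/etc/crypttab /mnt/etc/crypttab.bak
sed -i "s|UUID=${DEV1PART2UUID_OLD}|UUID=${DEV1PART2UUID_NEW}|" /mnt/etc/crypttab
cat /mnt/etc/crypttab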


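# Make Grub EFI great again.
# The EFI stub config refers to /boot in two forms (see the template below):
#   cryptomount -u <LUKS UUID without dashes>
#   search.fs_uuid <ext4 UUID with dashes> ... cryptouuid/<LUKS UUID without dashes>
# Neither carries a "UUID=" prefix, so the replacements use the bare values.
: "${DEV1PART2UUID_OLD:?old boot LUKS UUID not set}"
: "${DEV1PART2CRYPTUUID_OLD:?old boot filesystem UUID not set}"
: "${DEV1PART2CRYPTUUID_NEW:?new boot filesystem UUID not set}"
EFIGRUBCFG=/mnt/boot/efi/EFI/grub/grub.cfg
cp "${EFIGRUBCFG}" "${EFIGRUBCFG}.bak"
# Get UUIDs without minus chars (grub's cryptomount form).
DEV1PART2UUID_OLD2=${DEV1PART2UUID_OLD//-/}
DEV1PART2UUID_NEW2=$(blkid -o value -s UUID "${DEV1PART2}" | tr -d -)
sed -i "s|${DEV1PART2UUID_OLD2}|${DEV1PART2UUID_NEW2}|g" "${EFIGRUBCFG}"
sed -i "s|${DEV1PART2CRYPTUUID_OLD}|${DEV1PART2CRYPTUUID_NEW}|g" "${EFIGRUBCFG}"
# Check that both UUIDs in the result are the new ones.
cat "${EFIGRUBCFG}"
# Template to regenerate the stub config from scratch if the sed edits did
# not produce this shape (path is below the /mnt chroot):
#cat > "${EFIGRUBCFG}" <<__EOF__
#cryptomount -u ${DEV1PART2UUID_NEW2}
#search.fs_uuid ${DEV1PART2CRYPTUUID_NEW} root cryptouuid/${DEV1PART2UUID_NEW2}
#set prefix=(\$root)'/grub'
#configfile \$prefix/grub.cfg
#__EOF__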


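# Make Grub menu great again.
# /boot/grub/grub.cfg uses the same bare forms as the EFI stub: 'cryptomount
# -u <LUKS UUID without dashes>' and 'search --fs-uuid <ext4 UUID>' with no
# "UUID=" prefix, so a pattern anchored on "UUID=" would match nothing.
# Both the dashed and the dash-less form of the LUKS UUID are replaced.
: "${DEV1PART2UUID_OLD:?old boot LUKS UUID not set}"
: "${DEV1PART2UUID_NEW:?new boot LUKS UUID not set}"
: "${DEV1PART2CRYPTUUID_OLD:?old boot filesystem UUID not set}"
: "${DEV1PART2CRYPTUUID_NEW:?new boot filesystem UUID not set}"
GRUBCFG=/mnt/boot/grub/grub.cfg
cp "${GRUBCFG}" "${GRUBCFG}.bak"
sed -i -e "s|${DEV1PART2UUID_OLD}|${DEV1PART2UUID_NEW}|g" \
  -e "s|${DEV1PART2UUID_OLD//-/}|${DEV1PART2UUID_NEW//-/}|g" "${GRUBCFG}"
sed -i "s|${DEV1PART2CRYPTUUID_OLD}|${DEV1PART2CRYPTUUID_NEW}|g" "${GRUBCFG}"
# Verify that 'insmod cryptodisk' and the luks2 module ('insmod luks2'; luks1
# used 'insmod luks') are loaded in every menuentry! This is the point of
# most failures during boot. Running update-grub inside the chroot (see the
# commented section below) regenerates this file with the right modules.
cat "${GRUBCFG}"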


# ???
## chroot for grub and initramfs
#CHRDIR=/mnt
#mount --bind /dev ${CHRDIR}/dev
#mount --bind /dev/pts ${CHRDIR}/dev/pts
#mount --bind /proc  ${CHRDIR}/proc
#mount --bind /sys  ${CHRDIR}/sys
#mount --bind /run  ${CHRDIR}/run
#LANG=C chroot ${CHRDIR} /bin/bash
#
## ???
## Make kernels great again.
## Kernels are the same, key files are the same and modules are the same.
## There should be no need.
## Re-generate.
#update-initramfs -u -k all
#
## Check.
#stat -L -c "%A  %n" /initrd.img
#	# → -rw-------  /initrd.img
#lsinitramfs /initrd.img | grep "^cryptroot/"
#	# → cryptroot/crypttab
#	# → cryptroot/keyfiles
#	# → cryptroot/keyfiles/crypt_nvme0n1p3.key
#	# → cryptroot/keyfiles/crypt_nvme0n1p4.key
#	# Different names are OK, 'cause this is initramfs internal naming.
#
## Exit chroot.
#exit
#
## Unmount.
#[ ! -z ${CHRDIR} ] && echo "chroot directory: ${CHRDIR}"
#[ ! -z ${CHRDIR} ] && umount ${CHRDIR}/run
#[ ! -z ${CHRDIR} ] && umount ${CHRDIR}/sys
#[ ! -z ${CHRDIR} ] && umount ${CHRDIR}/proc
#[ ! -z ${CHRDIR} ] && umount ${CHRDIR}/dev/pts
#[ ! -z ${CHRDIR} ] && umount ${CHRDIR}/dev
#
#
## Turn swap off.
#swapoff ${DEV1PART4CRYPT}


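# Flush and detach everything before rebooting so the new /boot, the EFI
# partition and the btrfs subvolumes are not left dirty; then close the
# containers in reverse order of opening.
sync
umount -R /mnt
cryptsetup luksClose "${DEV1PART4CRYPTNAME}"
cryptsetup luksClose "${DEV1PART2CRYPTNAME}"
cryptsetup luksClose "${DEV1PART3CRYPTNAME}"
reboot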