These are the steps I took to migrate a Debian installation from an old computer to a new one. I took out the old SSD, and connected it via an external enclosure to the new computer, and booted via a live USB.
The next step is to copy over the entire disk from the old SSD to the new one. Because we will copy everything, even the partitions’ UUIDs will remain the same and no extra steps should be necessary apart from adjusting some partition sizes. Be very careful with the output and input devices. In my case the old SSD is connected as the external drive /dev/sdb and the new one is /dev/nvme0n1.
$ sudo dd if=/dev/sdb of=/dev/nvme0n1 bs=4K status=progress
Refresh the partition table:
$ sudo partprobe
Grow /dev/nvme0n1p3to fill the entire partition using gparted.
$ sudo cryptsetup --token-only open /dev/nvme0n1p3 new-root
$ sudo cryptsetup resize --token-only new-root
(you can omit --token-only if you don’t use a Yubikey to unlock the drive).
Mount the btrfs root file system and resize it:
$ sudo mount -t btrfs /dev/mapper/new-root /mnt
$ sudo btrfs filesystem resize max /mnt
Now you are ready to reboot into the new system.
Reencrypt the LUKS partition
Moving to a new SSD is also a good opportunity to rotate the master key of the LUKS encrypted root partition. This can be done while the disk is online and mounted, and takes some time.
The reencryption implementation doesn’t properly support FIDO2 keys for unlocking. We would have to delete those and re-register the keys afterwards. Select a key slot with a passphrase and pass it using the --key-slot parameter. You can check which key-slot is in use using cryptsetup luksDump
$ sudo cryptsetup reencrypt /dev/nvme0n1p3 --key-slot 1
Once done, re-enroll any FIDO2 keys you have by running the following command for each key:
$ sudo systemd-cryptenroll /dev/nvme0n1p3 --fido2-device=auto --fido2-with-client-pin=yes
Enabling Secure Boot
Initially, I had problems with Secure Boot refusing to boot the new installation. They were resolved by reinstalling shim-signed and grub-efi-amd64-signed. Additionally, I had to enable “Allow Microsoft 3rd Party UEFI CA” in the Secure Boot settings of the UEFI:
