Hi
Sorry for dunb question, but i am new to incus and incus os.
The machine from which i used to access/manage incus os had a problem and i had to reinstall everything. How to i access/manage incus os now?
Any help,please?
Thank you very much
Do you have any of the following:
- Backup or similar copy of
~/.config/incusfrom the machine you reinstalled or a copy of the client certificate that you used to access IncusOS. - A backup of IncusOS OS data (typically performed with
incus admin os system backup) - A copy of the recovery key that IncusOS prompts you to retrieve and backup.
If not, this is going to be a problem as you’d have done the equivalent of throwing away both your password and encryption key making it basically impossible to get in and reset things.
Thank you for quick answer
Yes. I have a copy of the recovery key of incus os, but do not know how to use it on the reinstalled machine to access incus os. I thought that the recovery key was to use on incus os itself.
Sorry my english, but i am from Portugal and my english is poor.
Yeah, the recovery key is for IncusOS but what it allows to do is access the otherwise encrypted disk of IncusOS.
So with that key, you should be able to:
- Shutdown the IncusOS system
- Disable Secure Boot in the BIOS
- Boot a live media like Ubuntu Desktop
- From that live environment, you can then mount the IncusOS disk using that recovery key
- Then finally you’ll have access to the Incus data itself and can use that to write a one-time database patch (
/var/lib/incus/database/patch.global.sql) which will run when Incus next starts and can be used to add another trusted client certificate
It’s far from the most trivial thing to do, but at least you didn’t fully lock yourself out and there is a way back in there!
@gibmat do you think you could write us a tutorial for the above, call it emergency procedure in case of lost client certificate or something 
Thank you very much.
Going to try it. Fingers crossed
Just for future reference.
If i had copy of the original certificate was just a matter of copy it to the new machine, right?
Yep, that’s right, you’d just put the two files back in .config/incus/ and you’d be good to go.
You can also add additional trusted clients to Incus with incus config trust add (using a token) or incus config trust add-certificate (directly using another certificate).
It wouldn’t be too hard to do, although I think the IncusOS part should only include the first four points. Application-specific details like patching the Incus database should probably belong in the application’s documentation that the IncusOS tutorial could then point to.
Well, the last point is actually pretty specific to IncusOS as on a regular system you’d just get yourself a working local login again and use incus config trust to add/remove entries. So we’d never have a use case for doing it through a DB patch.