[dm-crypt] question

Matthias Schniedermeyer ms at citd.de
Fri Dec 12 13:59:10 CET 2014


On 12.12.2014 13:11, Arno Wagner wrote:
> On Thu, Dec 11, 2014 at 23:04:53 CET, Matthias Schniedermeyer wrote:
> > On 11.12.2014 18:30, Sayler, Craig A. (AFRC-MI)[InuTeq, LLC] wrote:
> > > Is there a way to decrypt a drive permanently with out reinstalling?
> > 
> > Yes.
> > 
> > But the much safer way is:
> > Backup, make a new filesystem on the previous backing-device & Restore 
> > from backup.
> > 
> > 
> > The unsafe(!) 'inplace' method (that as an advantage doesn't need 
> > additional storage):
> > Just open the container normally, 'dd' the mapped container over the 
> > backing device and pray that process isn't interruped. Because it will 
> > be a huge PITA if it gets interruped.
> > 
> > 
> > But don't risk it, Backup & Restore is the way this should be done.
> 
> Interesting approach! Should work though. But you are right that this
> is very high risk.

Standard Unix methodology, i would say.

I did something similar, in reverse (unencrypred -> encrypted), some 
years ago.
Altough i wrote me a script that did the work in steps, so i could 
resume it if it ever got interrupted. (Better safe than sorry. In the 
end it wasn't interupted. But that's Murphy's Law: If you are prepared, 
nothing will happen.)

The script did something like this:

for each block
do
  copy source to other stable storage
  fsync
  update state information
  fsync
  copy block from other stable storage to target
  fsync
  update state information
  fsync
done

The detour is necessary to recover from a partial copy in the last step, 
otherwise you would need to determine the exact spot (and hope the HDD 
didn't do a partial sector write) to restart the process.





-- 

Matthias


More information about the dm-crypt mailing list