[dm-crypt] Cryptsetup-reencrypt failing with error with option --new reduce-device-size

Milan Broz gmazyland at gmail.com
Tue Jun 24 19:57:16 CEST 2014


On 06/24/2014 06:53 PM, Abhrajyoti Kirtania wrote:
> HI Ondrej/ Milan, I have used gparted to resize the partition and
> able to create a new LUKS enabled partition with --new option using
> reencrypt tool. Though i had used reencrypt tool, after enabling the
> encryption, formatting (i.e mkfs.ext4) is needed to mount that
> volume. So i loss all the data present onto the partition.

Sigh. Mkfs definitely cannot fix anything. too late here.
 
> *I am wondering, Is there any way to enable encryption (in-place)
> without losing data from the partition with the help of
> cryptsetup-reencrypt or any other option?*

Yes, there is a way. But you should really understand what you are doing
before blindly trying various parameters. All the tools are low level
tools and mistake means complete data loss.

So simple example how to enable encryption without data copy:

- the only requirement is to have fs which is able to shrink
for at least 4MB to create space for LUKS header.

1) Shrink fs. You can use trick to shrink to minimum.

2) reencrypt with reduce size

3) luksOpen device

4) resize fs to maximum

5) profit :)


Here is the example I just run on my VM. The test file is random
file just to prove data are intact (example is for ext4 fs):

1) Check test file checksum:

  # mount /dev/sdb1 /mnt/tst
  # sha256sum /mnt/tst/test 
  ccc803eaf55d9fee5ec4bba9f1ae56c88951ce506124ee25f6d938cc2dd22c7c  /mnt/tst/test
  # umount /mnt/tst

2) Reduce fs to minimum (I know it will provide at least 4M space I need for LUKS)

  # resize2fs -M /dev/sdb1
  resize2fs 1.42.7 (21-Jan-2013)
  Resizing the filesystem on /dev/sdb1 to 137435 (1k) blocks.
  The filesystem on /dev/sdb1 is now 137435 blocks long.

3) Reencrypt with data shift (4M is enough)

  # cryptsetup-reencrypt --new --reduce-device-size 4M /dev/sdb1
  WARNING: this is experimental code, it can completely break your data.
  Enter new passphrase: 
  Progress: 100.0%, ETA 00:00,  199 MiB written, speed  83.6 MiB/s

4) Mount new LUKS device

  # cryptsetup luksOpen /dev/sdb1 sdb1_crypt
  Enter passphrase for /dev/sdb1: 

5) Resize fs to maximal size

  # resize2fs /dev/mapper/sdb1_crypt 
  resize2fs 1.42.7 (21-Jan-2013)
  Resizing the filesystem on /dev/mapper/sdb1_crypt to 203776 (1k) blocks.
  The filesystem on /dev/mapper/sdb1_crypt is now 203776 blocks long.

6) Check that data is still there
  # mount /dev/mapper/sdb1_crypt /mnt/tst
  # sha256sum /mnt/tst/test 
  ccc803eaf55d9fee5ec4bba9f1ae56c88951ce506124ee25f6d938cc2dd22c7c  /mnt/tst/test

If you use exact resize argument in step 2) and 3) you do not need step 5).
See man page for resize tool.

Milan


More information about the dm-crypt mailing list