[dm-crypt] Cryptsetup-reencrypt failing with error with option --new reduce-device-size

Abhrajyoti Kirtania abhrajyoti at gmail.com
Wed Jun 25 10:34:17 CEST 2014


Thank you.


On Tue, Jun 24, 2014 at 11:27 PM, Milan Broz <gmazyland at gmail.com> wrote:

> On 06/24/2014 06:53 PM, Abhrajyoti Kirtania wrote:
> > HI Ondrej/ Milan, I have used gparted to resize the partition and
> > able to create a new LUKS enabled partition with --new option using
> > reencrypt tool. Though i had used reencrypt tool, after enabling the
> > encryption, formatting (i.e mkfs.ext4) is needed to mount that
> > volume. So i loss all the data present onto the partition.
>
> Sigh. Mkfs definitely cannot fix anything. too late here.
>
> > *I am wondering, Is there any way to enable encryption (in-place)
> > without losing data from the partition with the help of
> > cryptsetup-reencrypt or any other option?*
>
> Yes, there is a way. But you should really understand what you are doing
> before blindly trying various parameters. All the tools are low level
> tools and mistake means complete data loss.
>
> So simple example how to enable encryption without data copy:
>
> - the only requirement is to have fs which is able to shrink
> for at least 4MB to create space for LUKS header.
>
> 1) Shrink fs. You can use trick to shrink to minimum.
>
> 2) reencrypt with reduce size
>
> 3) luksOpen device
>
> 4) resize fs to maximum
>
> 5) profit :)
>
>
> Here is the example I just run on my VM. The test file is random
> file just to prove data are intact (example is for ext4 fs):
>
> 1) Check test file checksum:
>
>   # mount /dev/sdb1 /mnt/tst
>   # sha256sum /mnt/tst/test
>   ccc803eaf55d9fee5ec4bba9f1ae56c88951ce506124ee25f6d938cc2dd22c7c
>  /mnt/tst/test
>   # umount /mnt/tst
>
> 2) Reduce fs to minimum (I know it will provide at least 4M space I need
> for LUKS)
>
>   # resize2fs -M /dev/sdb1
>   resize2fs 1.42.7 (21-Jan-2013)
>   Resizing the filesystem on /dev/sdb1 to 137435 (1k) blocks.
>   The filesystem on /dev/sdb1 is now 137435 blocks long.
>
> 3) Reencrypt with data shift (4M is enough)
>
>   # cryptsetup-reencrypt --new --reduce-device-size 4M /dev/sdb1
>   WARNING: this is experimental code, it can completely break your data.
>   Enter new passphrase:
>   Progress: 100.0%, ETA 00:00,  199 MiB written, speed  83.6 MiB/s
>
> 4) Mount new LUKS device
>
>   # cryptsetup luksOpen /dev/sdb1 sdb1_crypt
>   Enter passphrase for /dev/sdb1:
>
> 5) Resize fs to maximal size
>
>   # resize2fs /dev/mapper/sdb1_crypt
>   resize2fs 1.42.7 (21-Jan-2013)
>   Resizing the filesystem on /dev/mapper/sdb1_crypt to 203776 (1k) blocks.
>   The filesystem on /dev/mapper/sdb1_crypt is now 203776 blocks long.
>
> 6) Check that data is still there
>   # mount /dev/mapper/sdb1_crypt /mnt/tst
>   # sha256sum /mnt/tst/test
>   ccc803eaf55d9fee5ec4bba9f1ae56c88951ce506124ee25f6d938cc2dd22c7c
>  /mnt/tst/test
>
> If you use exact resize argument in step 2) and 3) you do not need step 5).
> See man page for resize tool.
>
> Milan
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.saout.de/pipermail/dm-crypt/attachments/20140625/10f11e87/attachment.html>


More information about the dm-crypt mailing list