[dm-crypt] cryptsetup-reencode: LUKS-${UUID}.new is too small

Arno Wagner arno at wagner.name
Wed Mar 12 23:36:48 CET 2014


On Wed, Mar 12, 2014 at 22:29:09 CET, PePa wrote:
> Arno Wagner <arno at ...> writes:
> > 
> > On Wed, Mar 12, 2014 at 00:16:19 CET, PePa wrote:
> > > I'm a big fan of dm-crypt/luks.
> > > I'm trying to reencode a crypto_LUKS partition from -c aes-cbc-plain -s 128
> > > -h sha1
> > > like this:
> > > cryptsetup-reencrypt -c twofish-xts-plain64 -s 512 -h sha512 -i 2000 -B 32
> > > /dev/sda4
> > > 
> > > Output I'm getting:
> > > Device LUKS-71a94fa6-9c84-45d7-80e8-ee61be3887e0.new is too small.
> > > Creation of LUKS backup headers failed.
> > > 
> > > On it is a Physical lvm2-volume that could be shrunken. Is it just a matter
> > > of doing that? How much more space is needed??
> > 
> > If you look at FAQ Item 6.2, you an see that you go from a herader
> > size a little over 1MB to one thet is 2MB in size. The difference
> > does not sound like much and is indeed not much, but it has to 
> > be available. 
> 
> I shrunk the PV twice by 1 4MB extend, each time, but .new is still too
> small. Does that mean that the PV somehow needs to be shifted to the
> beginning of the luks partition? I don't want to use --reduce-device-size
> before I know that the PV is not occupying that area.

Hehe, LUKS has absolutely no way to tell how large the filesystem
in there is, so shrinking it does not help at all against the 
error message. Give it --reduce-device-size 1M. If your filesystem
is 4M smaller than the container _and_ starts at the beginning
of the data area, that should theoretically result in what you want.

Please report back on success or failure. Thanks! 

> (I do have a backup of all the data, but not of the partition as one block.)
> 
> It seems like you're not recommending the use of cryptsetup-reencrypt in
> general. I'm happy to give it a try once I have taken all the obvious steps
> of doing it right.

No. If your header is the same size (yours is not as you
enlarge the key), reencryption is simple and while you need that 
backup, reencryption can be less work than restoring said backup.

Arno

> > The --reduce-device-size of cryptsetup-reencrypt can be used to 
> > enlarge the header by what is needed, but will just cut off the 
> > amount the data-area gets shifted from its endm, thereby likely 
> > damaging the filesystem in there and destroying data, or, in the
> > worst case, the while filesystem.
> > 
> > So in theory, you could use some tool to shrink the filesystem 
> > in the openend container and then use this option to shift and 
> > cut the data ares.
> > 
> > However, there are several high-risk operations in here that 
> > you should under no circumstances run without a full, good 
> > data backup. If you have that, it is a lot easier to just erase 
> > the old container, create a new one and restore your data into 
> > that.
> > 
> > FAQ Item 6.4 discusses how to do an encrypted data backup
> > with tar and GPG. 
> > 
> > Arno
> 
> Thanks for pointing to the FAQ.
> 
> Peter
> 
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -  Plato


More information about the dm-crypt mailing list