[dm-crypt] cryptsetup-reencrypt: Specifying device size

Robert Nichols rnicholsNOSPAM at comcast.net
Thu Jul 23 19:49:42 CEST 2015


On 07/22/2015 08:46 AM, Karol Babioch wrote:
> Hi list,
>
> I'm wondering how safe it is to specify a device size when re-encrypting
> a block device using cryptsetup-reencrypt. In particular I would like to
> know if specifying a size smaller than the underlying block device might
> actually corrupt data?
>
> The man page mentions some warnings in regards to this option. In our
> use case the underlying block device is ~ 100G, while only 11G are
> actually used by filesystems on top of the block device. To speed things
> up we were thinking about a device size, e.g. something like 16G, so not
> the whole device needs to be re-encrypted.

I hope you are NOT saying that you have a filesystem larger than 16G
there but 'du" reports that only 11G are used. If that were the case,
then reencrypting just 16G would mean guaranteed destruction of the
filesystem.

You can test what would happen quite easily. Use "cryptsetup resize ..."
to _temporarily_ limit the active mapping to 16GB. Then see if "fsck"
still reports that all filesystem are OK. If so, then you can safely
reencrypt just the first 16GB. If "fsck" complains about any
filesystems, just close the container ("cryptsetup remove ...") and no
damage is done. LUKS does not permanently record the size of the
container; it will always default to the size of the underlying device
or partition.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.



More information about the dm-crypt mailing list