[dm-crypt] question

Matthias Schniedermeyer ms at citd.de
Fri Dec 12 13:59:10 CET 2014

On 12.12.2014 13:11, Arno Wagner wrote:
> On Thu, Dec 11, 2014 at 23:04:53 CET, Matthias Schniedermeyer wrote:
> > On 11.12.2014 18:30, Sayler, Craig A. (AFRC-MI)[InuTeq, LLC] wrote:
> > > Is there a way to decrypt a drive permanently with out reinstalling?
> > 
> > Yes.
> > 
> > But the much safer way is:
> > Backup, make a new filesystem on the previous backing-device & Restore 
> > from backup.
> > 
> > 
> > The unsafe(!) 'inplace' method (that as an advantage doesn't need 
> > additional storage):
> > Just open the container normally, 'dd' the mapped container over the 
> > backing device and pray that process isn't interruped. Because it will 
> > be a huge PITA if it gets interruped.
> > 
> > 
> > But don't risk it, Backup & Restore is the way this should be done.
> Interesting approach! Should work though. But you are right that this
> is very high risk.

Standard Unix methodology, i would say.

I did something similar, in reverse (unencrypred -> encrypted), some 
years ago.
Altough i wrote me a script that did the work in steps, so i could 
resume it if it ever got interrupted. (Better safe than sorry. In the 
end it wasn't interupted. But that's Murphy's Law: If you are prepared, 
nothing will happen.)

The script did something like this:

for each block
  copy source to other stable storage
  update state information
  copy block from other stable storage to target
  update state information

The detour is necessary to recover from a partial copy in the last step, 
otherwise you would need to determine the exact spot (and hope the HDD 
didn't do a partial sector write) to restart the process.



More information about the dm-crypt mailing list