[dm-crypt] Cryptsetup-reencrypt failing with error with option --new reduce-device-size

Ondrej Kozina okozina at redhat.com
Fri Jun 20 15:29:48 CEST 2014

On 06/20/2014 02:36 PM, Abhrajyoti Kirtania wrote:
> HI,
> I able to build the crypt setup-reencrypt binary and trying to enable
> encryption on a particular partition with this tool, build failing with
> error like:
> *Cannot wipe header on device /dev/loop0. if i pass
> *--reduce-device-size as 1024. But if i pass this size as 4096 then
> getting the error as "Device /dev/loop0 is too small."
> Not sure what might be the root cause of this error. Truly appreciate
> your kind support?
> cryptsetup-reencrypt /dev/sda8 --new --reduce-device-size 1024 --debug
> WARNING: this is experimental code, it can completely break your data.
> # cryptsetup 1.6.4 processing "./abhra_new/sbin/cryptsetup-reencrypt
> /dev/sda8 --new --reduce-device-size 1024 --debug"

Hi Abhrajyoti,

you have to create enough space to fit new LUKS header during 
reencryption of not yet encrypted device. The LUKS header is 
approximately 1MiB in size (it differs and depends also on other 
parameters). The default unit for --reduce-device-size is a byte. Try to 
use --reduce-device-size 2048S (where 'S' stands for sectors). If I 
recall correctly --reduce-device-size must be aligned to 512B (dm-crypt 
sector size) or maybe even to page size (4 KiB).

Be extremely careful with the --new option! You have to create unused 
space at the end of the original device which is equal in size to 
--reduce-device-size option. By term unused  I mean there are no real 
filesystem data or any data important to you. Otherwise you will you 
loose this data. The best to achieve this would be to actually extend 
the partion or LV at its end exactly by intended --redude-device-size 
parameter first.

Kind regards

More information about the dm-crypt mailing list