[dm-crypt] cryptsetup-reencode: LUKS-${UUID}.new is too small

Arno Wagner arno at wagner.name
Wed Mar 12 01:54:12 CET 2014


On Wed, Mar 12, 2014 at 00:16:19 CET, PePa wrote:
> I'm a big fan of dm-crypt/luks.
> I'm trying to reencode a crypto_LUKS partition from -c aes-cbc-plain -s 128
> -h sha1
> like this:
> cryptsetup-reencrypt -c twofish-xts-plain64 -s 512 -h sha512 -i 2000 -B 32
> /dev/sda4
> Output I'm getting:
> Device LUKS-71a94fa6-9c84-45d7-80e8-ee61be3887e0.new is too small.
> Creation of LUKS backup headers failed.
> On it is a Physical lvm2-volume that could be shrunken. Is it just a matter
> of doing that? How much more space is needed??

If you look at FAQ Item 6.2, you an see that you go from a herader
size a little over 1MB to one thet is 2MB in size. The difference
does not sound like much and is indeed not much, but it has to 
be available. 

The --reduce-device-size of cryptsetup-reencrypt can be used to 
enlarge the header by what is needed, but will just cut off the 
amount the data-area gets shifted from its endm, thereby likely 
damaging the filesystem in there and destroying data, or, in the
worst case, the while filesystem.
So in theory, you could use some tool to shrink the filesystem 
in the openend container and then use this option to shift and 
cut the data ares.

However, there are several high-risk operations in here that 
you should under no circumstances run without a full, good 
data backup. If you have that, it is a lot easier to just erase 
the old container, create a new one and restore your data into 

FAQ Item 6.4 discusses how to do an encrypted data backup
with tar and GPG. 

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -  Plato

More information about the dm-crypt mailing list