[dm-crypt] cryptsetup-reencode: LUKS-${UUID}.new is too small

PePa peter at passchier.net
Wed Mar 12 22:29:09 CET 2014

Arno Wagner <arno at ...> writes:
> On Wed, Mar 12, 2014 at 00:16:19 CET, PePa wrote:
> > I'm a big fan of dm-crypt/luks.
> > I'm trying to reencode a crypto_LUKS partition from -c aes-cbc-plain -s 128
> > -h sha1
> > like this:
> > cryptsetup-reencrypt -c twofish-xts-plain64 -s 512 -h sha512 -i 2000 -B 32
> > /dev/sda4
> > 
> > Output I'm getting:
> > Device LUKS-71a94fa6-9c84-45d7-80e8-ee61be3887e0.new is too small.
> > Creation of LUKS backup headers failed.
> > 
> > On it is a Physical lvm2-volume that could be shrunk. Is it just a matter
> > of doing that? How much more space is needed?
> If you look at FAQ Item 6.2, you can see that you go from a header
> size a little over 1MB to one that is 2MB in size. The difference
> does not sound like much and is indeed not much, but it has to
> be available.

I shrunk the PV twice, by one 4MB extent each time, but .new is still too
small. Does that mean that the PV somehow needs to be shifted to the
beginning of the luks partition? I don't want to use --reduce-device-size
before I know that the PV is not occupying that area.

(I do have a backup of all the data, but not of the partition as one block.)

It seems like you're not recommending the use of cryptsetup-reencrypt in
general. I'm happy to give it a try once I have taken all the obvious steps
of doing it right.

> The --reduce-device-size of cryptsetup-reencrypt can be used to 
> enlarge the header by what is needed, but will just cut off the 
> amount the data-area gets shifted from its end, thereby likely 
> damaging the filesystem in there and destroying data, or, in the
> worst case, the whole filesystem.
> So in theory, you could use some tool to shrink the filesystem 
> in the opened container and then use this option to shift and 
> cut the data area.
> However, there are several high-risk operations in here that 
> you should under no circumstances run without a full, good 
> data backup. If you have that, it is a lot easier to just erase 
> the old container, create a new one and restore your data into 
> that.
> FAQ Item 6.4 discusses how to do an encrypted data backup
> with tar and GPG. 
> Arno

Thanks for pointing to the FAQ.
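
Added example, not part of the original message and not cryptsetup's own code: the header-size arithmetic behind the FAQ reference quoted above, in 512-byte sectors. The LUKS1 constants (4000 stripes, 8 key slots, 4 KiB key-slot alignment) and the 1 MiB payload alignment are assumptions taken from the LUKS1 on-disk format, not from this thread, and the function names are hypothetical.

```shell
#!/bin/sh
# LUKS1 header size arithmetic in 512-byte sectors (added example).
# Assumed constants from the LUKS1 on-disk format, not from the thread:
STRIPES=4000      # anti-forensic stripes per key slot
SLOTS=8           # number of key slots
SLOT_ALIGN=8      # key material aligned to 4096 bytes = 8 sectors
DATA_ALIGN=2048   # payload aligned to 1 MiB (older versions may not align)

round_up() { echo $(( ($1 + $2 - 1) / $2 * $2 )); }

# Sectors occupied by the header and all key slots for a key of $1 bits,
# before the payload offset is aligned.
luks1_keyslots_end() {
    key_bytes=$(( $1 / 8 ))
    slot_bytes=$(round_up $(( key_bytes * STRIPES )) 512)
    slot_sectors=$(round_up $(( slot_bytes / 512 )) "$SLOT_ALIGN")
    echo $(( SLOT_ALIGN + SLOTS * slot_sectors ))
}

# Payload offset for a key of $1 bits, aligned to $2 sectors (default 1 MiB).
luks1_payload_offset() {
    round_up "$(luks1_keyslots_end "$1")" "${2:-$DATA_ALIGN}"
}

# Sectors the data area must move when going from an existing payload
# offset $1 (sectors) to a new key size of $2 bits.
luks1_shift_sectors() {
    new_offset=$(luks1_payload_offset "$2")
    if [ "$new_offset" -gt "$1" ]; then
        echo $(( new_offset - $1 ))
    else
        echo 0
    fi
}

# Constructed sample run: unaligned and aligned sizes per key size.
for bits in 128 256 512; do
    echo "$bits-bit key: key slots end at sector $(luks1_keyslots_end "$bits")," \
         "payload offset $(luks1_payload_offset "$bits")"
done
echo "old offset 2056 -> 512-bit key: shift $(luks1_shift_sectors 2056 512) sectors"
```

The existing payload offset to pass as the first argument of `luks1_shift_sectors` is the "Payload offset" value that `cryptsetup luksDump` prints for a LUKS1 device.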

