Adding and Removing Encryption without Data Loss

By Paulus, 4 September, 2018


The cryptsetup-reencrypt tool is included with the cryptsetup package and is what you need to remove encryption. To encrypt a device that already holds data, you will need to install the luksipc package.

Encrypting Existing Data

Normally the only way to encrypt existing data is to create a new encrypted volume and restore the data from a backup. luksipc lets you skip copying the data to another location and back, or restoring it from a backup. Regardless, create a backup first. Shrink the file system by 10MiB even though the LUKS header is only 2048 bytes; the extra space is a safety precaution.

# Check the file system, then shrink it by 10 MiB to leave room for the LUKS header.
# On a plain block device such as an md RAID array:
e2fsck -f /dev/md1
resize2fs -p /dev/md1 999990M

# On an LVM logical volume, shrink only the file system, not the volume itself:
resize2fs -p /dev/mapper/vg00-data 999990M

# Run luksipc on the unmounted, shrunk device. The bare minimum:
luksipc -d /dev/md1
# Or choose the temporary key file, a resume file and the cryptsetup parameters:
luksipc -k /root/temp-luks.key --resume-file /root/luks-md1.rsm --luksparam="--cipher,aes-xts-plain64,--key-size,512,--hash,sha512" -d /dev/md1
WARNING! luksipc will perform the following actions:
   => Normal LUKSification of plain device /dev/md1
   -> luksFormat will be performed on /dev/md1

Please confirm you have completed the checklist:
    [1] You have resized the contained filesystem(s) appropriately
    [2] You have unmounted any contained filesystem(s)
    [3] You will ensure secure storage of the keyfile that will be generated at /root/temp-luks.key
    [4] Power conditions are satisfied (i.e. your laptop is not running off battery)
    [5] You have a backup of all important data on /dev/md1

    /dev/md1: 12295472 MiB = 12007.3 GiB
    Chunk size: 10485760 bytes = 10.0 MiB
    Keyfile: /root/temp-luks.key
    LUKS format parameters: --cipher,aes-xts-plain64,--key-size,512,--hash,sha512

Are all these conditions satisfied, then answer uppercase yes: YES
[I]: Created raw device alias: /dev/md1 -> /dev/mapper/alias_luksipc_raw_575d1cd2
[I]: Size of reading device /dev/md1 is 12892736847872 bytes (12295472 MiB + 0 bytes)
[I]: Backing up physical disk /dev/md1 header to backup file header_backup.img
[I]: Performing luksFormat of /dev/md1
[I]: Performing luksOpen of /dev/md1 (opening as mapper name luksipc_ebe91fbe)
[I]: Size of luksOpened writing device is 12892732129280 bytes (12295467 MiB + 524288 bytes)
[I]: Write disk smaller than read disk by 4718592 bytes (4608 kiB + 0 bytes, occupied by LUKS header)
[I]: Starting copying of data, read offset 10485760, write offset 0
[I]:  0:00:   0.0%      2080 MiB / 12295467 MiB   414.5 MiB/s   Left: 12293387 MiB  8:14 h:m
Important: do NOT use lvresize for the resize. It resizes the logical volume along with the file system, when you only want to shrink the file system, so it will not leave the extra space for the LUKS header.

The first luksipc command is the bare minimum, whereas the second specifies where to store the temporary key and the resume file along with any cryptsetup parameters. How long the encryption takes depends on the amount of data and the speed of the device. When I encrypted my data, which was on a 10-disk RAID 5, it took between 1 hour and 1 hour 15 minutes per TiB.
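A pre-flight check for the resize step above, added here as an example and not part of the original post or of luksipc: it derives the resize2fs target from the device size and, after the resize, confirms from the file system's block count and block size (as printed by dumpe2fs) that at least the 10 MiB reserve is actually free before luksipc touches the device. The helper names are mine and the sizes used are constructed, taken from the luksipc output shown above.

```shell
#!/bin/sh
# Added example: verify there is room for the LUKS header before running luksipc.
# Helper names are hypothetical (not luksipc or cryptsetup commands).

HEADER_RESERVE_MIB=10   # the post's safety margin for the LUKS header

# Target file system size for resize2fs (in MiB, i.e. its "M" suffix) given the
# block device size in bytes: round down to whole MiB, then subtract the reserve.
target_fs_mib() {
    dev_bytes=$1
    echo $(( dev_bytes / 1048576 - HEADER_RESERVE_MIB ))
}

# Bytes left between the end of the file system and the end of the device,
# computed from the "Block count:" and "Block size:" values dumpe2fs prints.
fs_headroom_bytes() {
    dev_bytes=$1; block_count=$2; block_size=$3
    echo $(( dev_bytes - block_count * block_size ))
}

# Succeeds only if the free tail is at least the reserve. luksipc reported a
# 4718592-byte header in the run above, so the 10 MiB reserve covers it.
headroom_ok() {
    [ "$(fs_headroom_bytes "$1" "$2" "$3")" -ge $(( HEADER_RESERVE_MIB * 1048576 )) ]
}

# Usage on a real, unmounted device (needs root; shown here, not executed):
#   dev=/dev/md1
#   bytes=$(blockdev --getsize64 "$dev")
#   e2fsck -f "$dev" && resize2fs -p "$dev" "$(target_fs_mib "$bytes")M"
#   count=$(dumpe2fs -h "$dev" 2>/dev/null | awk -F: '/^Block count/ {gsub(/ /,"",$2); print $2}')
#   bsize=$(dumpe2fs -h "$dev" 2>/dev/null | awk -F: '/^Block size/  {gsub(/ /,"",$2); print $2}')
#   headroom_ok "$bytes" "$count" "$bsize" && echo "safe to run luksipc -d $dev"
```

If headroom_ok fails, the file system still extends to the end of the device and luksipc would overwrite its last blocks; shrink it again before continuing.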

Decrypting Existing Data

Removing encryption from a device is easy:

cryptsetup-reencrypt --decrypt /dev/md1