cryptsetup-reencrypt is included with the cryptsetup package and is the tool that is needed to remove encryption. For encrypting a device that already has data on it, you will need to install the luksipc package.
Encrypting Existing Data
Normally the only way to encrypt existing data is to create a new encrypted volume and restore the data from a backup. Using luksipc saves you the time and hassle of copying the data to another location and then copying it back or restoring it from a backup. No matter what, you should create a backup first. Resize the file system by decreasing it by 10MiB even though the LUKS header is only 2048 bytes. The extra space is a safety precaution.
e2fsck -f /dev/md1
resize2fs -p /dev/md1 999990M
resize2fs -p /dev/mapper/vg00-data 999990M
luksipc -d /dev/md1
luksipc -k /root/temp-luks.key --resume-file /root/luks-md1.rsm --luksparam="--cipher,aes-xts-plain64,--key-size,512,--hash,sha512" -d /dev/md1

WARNING! luksipc will perform the following actions:
   => Normal LUKSification of plain device /dev/md1
   -> luksFormat will be performed on /dev/md1

Please confirm you have completed the checklist:
    You have resized the contained filesystem(s) appropriately
    You have unmounted any contained filesystem(s)
    You will ensure secure storage of the keyfile that will be generated at /root/temp-luks.key
    Power conditions are satisfied (i.e. your laptop is not running off battery)
    You have a backup of all important data on /dev/md1

    /dev/md1: 12295472 MiB = 12007.3 GiB
    Chunk size: 10485760 bytes = 10.0 MiB
    Keyfile: /root/temp-luks.key
    LUKS format parameters: --cipher,aes-xts-plain64,--key-size,512,--hash,sha512

Are all these conditions satisfied, then answer uppercase yes: YES
[I]: Created raw device alias: /dev/md1 -> /dev/mapper/alias_luksipc_raw_575d1cd2
[I]: Size of reading device /dev/md1 is 12892736847872 bytes (12295472 MiB + 0 bytes)
[I]: Backing up physical disk /dev/md1 header to backup file header_backup.img
[I]: Performing luksFormat of /dev/md1
[I]: Performing luksOpen of /dev/md1 (opening as mapper name luksipc_ebe91fbe)
[I]: Size of luksOpened writing device is 12892732129280 bytes (12295467 MiB + 524288 bytes)
[I]: Write disk smaller than read disk by 4718592 bytes (4608 kiB + 0 bytes, occupied by LUKS header)
[I]: Starting copying of data, read offset 10485760, write offset 0
[I]: 0:00: 0.0% 2080 MiB / 12295467 MiB 414.5 MiB/s Left: 12293387 MiB 8:14 h:m
Important: Do NOT use lvresize for resizing. This will resize the volume along with the file system when you just want to resize the file system, and it will not give you the extra space for the LUKS header.
The first luksipc command is the bare minimum, whereas the second specifies where to store the temporary key and resume file along with any cryptsetup parameters. The time it takes to encrypt the data depends on the amount of data and the speed of the device. When I encrypted my data, which was on a 10-disk RAID 5, it took between 1 hour and 1 hour and 15 minutes per TiB.
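A pre-flight check for the resize step above, as an added example that is not part of the original page or of luksipc: it parses `dumpe2fs -h` output and confirms the file system ends at least 10 MiB before the end of the device. The function names and sample values are constructed here; the device size is the one shown in the luksipc output above, and an ext2/3/4 file system is assumed.

```shell
#!/bin/sh
# Added example (not from luksipc): confirm the shrink left room for the header.
# Real use, as root with the file system unmounted (ext2/3/4 assumed):
#   dumpe2fs -h /dev/md1 | luksipc_preflight "$(blockdev --getsize64 /dev/md1)"

MARGIN_MIB=10   # headroom the page recommends leaving at the end of the device

# Largest resize2fs target in MiB that still leaves MARGIN_MIB free.
shrink_target_mib() {   # $1 = device size in bytes
    echo $(( $1 / 1048576 - MARGIN_MIB ))
}

# File system size in bytes, parsed from `dumpe2fs -h` output on stdin.
fs_bytes() {
    awk -F: '
        /^Block count:/ { gsub(/[ \t]/, "", $2); count = $2 }
        /^Block size:/  { gsub(/[ \t]/, "", $2); size = $2 }
        END {
            if (count == "" || size == "") exit 1
            printf "%.0f\n", count * size
        }'
}

# Returns 0 if the file system ends at least MARGIN_MIB before the device end,
# 1 if it still needs shrinking, 2 if the dumpe2fs output could not be parsed.
luksipc_preflight() {   # $1 = device size in bytes; dumpe2fs -h output on stdin
    dev_bytes=$1
    fs=$(fs_bytes) || { echo "cannot parse dumpe2fs output" >&2; return 2; }
    limit=$(( dev_bytes - MARGIN_MIB * 1048576 ))
    if [ $(( fs <= limit )) -eq 1 ]; then
        echo "OK: file system is $fs bytes, limit is $limit bytes"
    else
        echo "STOP: shrink to $(shrink_target_mib "$dev_bytes")M with resize2fs first" >&2
        return 1
    fi
}

# Constructed sample: device size from the luksipc output, 4 KiB blocks.
SAMPLE_DEV_BYTES=12892736847872
SAMPLE_SHRUNK='Block count:              3147638272
Block size:               4096'
SAMPLE_FULL='Block count:              3147640832
Block size:               4096'

printf '%s\n' "$SAMPLE_SHRUNK" | luksipc_preflight "$SAMPLE_DEV_BYTES"
```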
Decrypting Existing Data
Removing encryption from a device is easy:
cryptsetup-reencrypt --decrypt /dev/md1