[dm-crypt] Cryptsetup-reencrypt failing with error with option --new reduce-device-size

[dm-crypt] Cryptsetup-reencrypt failing with error with option --new reduce-device-size

[Abhrajyoti Kirtania]

[-- Attachment #1: Type: text/plain, Size: 3521 bytes --]

HI,
I able to build the crypt setup-reencrypt binary and trying to enable
encryption on a particular partition with this tool, build failing with
error like:

*Cannot wipe header on device /dev/loop0. if i pass *--reduce-device-size
as 1024. But if i pass this size as 4096 then getting the error as "Device
/dev/loop0 is too small."

Not sure what might be the root cause of this error. Truly appreciate your
kind support?

cryptsetup-reencrypt /dev/sda8 --new --reduce-device-size 1024 --debug


WARNING: this is experimental code, it can completely break your data.

# cryptsetup 1.6.4 processing "./abhra_new/sbin/cryptsetup-reencrypt
/dev/sda8 --new --reduce-device-size 1024 --debug"

# Initialising reencryption context.

# Initialising UUID.

# Removing headers.

# Allocating crypt device (null) context.

# Initialising device-mapper backend, UDEV is enabled.

# Detected dm-crypt version 1.11.0, dm-ioctl version 4.22.0.

# Deactivating volume LUKS-cafecafe-cafe-cafe-cafe-cafecafeeeee.org.

# dm status LUKS-cafecafe-cafe-cafe-cafe-cafecafeeeee.org  OF   [16384] (*1)

Device LUKS-cafecafe-cafe-cafe-cafe-cafecafeeeee.org is not active.

# Deactivating volume LUKS-cafecafe-cafe-cafe-cafe-cafecafeeeee.new.

# dm status LUKS-cafecafe-cafe-cafe-cafe-cafecafeeeee.new  OF   [16384] (*1)

Device LUKS-cafecafe-cafe-cafe-cafe-cafecafeeeee.new is not active.

# Releasing crypt device (null) context.

# Releasing device-mapper backend.

# Created LUKS reencryption log file
LUKS-cafecafe-cafe-cafe-cafe-cafecafeeeee.log.

# Log: direction = 0

# Log: offset = 0

# Log: shift = 0

# Running reencryption.

# Abhra: opt_new option is set.

# Passhrases initialization.

# Installing SIGINT/SIGTERM handler.

# Unblocking interruption on signal.

# Interactive passphrase entry requested.

Enter new passphrase:

# Blocking interruption on signal.

# Creating fake (cipher_null) header for original device.

# Creating empty file LUKS-cafecafe-cafe-cafe-cafe-cafecafeeeee.org of size
1024.

# Allocating crypt device LUKS-cafecafe-cafe-cafe-cafe-cafecafeeeee.org
context.

# Not a block device, using free loop device /dev/loop0.

# Trying to open and read device /dev/loop0.

# Initialising device-mapper backend, UDEV is enabled.

# Formatting device /dev/loop0 as type LUKS1.

# Crypto backend (gcrypt 1.5.0) initialized.

# Generating LUKS header version 1 using hash sha1, cipher_null, ecb, MK 32
bytes

# PBKDF2: 592305 iterations per second using hash sha1.

# Data offset 0, UUID cafecafe-cafe-cafe-cafe-cafecafeeeee, digest
iterations 72250

*Cannot wipe header on device /dev/loop0.*

# Releasing crypt device /dev/loop0 context.

# Releasing device-mapper backend.

# Abhra: Done with int passphrase and fake header creation.

# Destroying reencryption context.

# Closing LUKS reencryption log file
LUKS-cafecafe-cafe-cafe-cafe-cafecafeeeee.log.

# Removing headers.

# Allocating crypt device (null) context.

# Initialising device-mapper backend, UDEV is enabled.

# Deactivating volume LUKS-cafecafe-cafe-cafe-cafe-cafecafeeeee.org.

# dm status LUKS-cafecafe-cafe-cafe-cafe-cafecafeeeee.org  OF   [16384] (*1)

Device LUKS-cafecafe-cafe-cafe-cafe-cafecafeeeee.org is not active.

# Deactivating volume LUKS-cafecafe-cafe-cafe-cafe-cafecafeeeee.new.

# dm status LUKS-cafecafe-cafe-cafe-cafe-cafecafeeeee.new  OF   [16384] (*1)

Device LUKS-cafecafe-cafe-cafe-cafe-cafecafeeeee.new is not active.

# Releasing crypt device (null) context.

# Releasing device-mapper backend.

test@ubuntu:~/in-place$

[-- Attachment #2: Type: text/html, Size: 7678 bytes --]

Re: [dm-crypt] Cryptsetup-reencrypt failing with error with option --new reduce-device-size

[Milan Broz]

On 06/20/2014 02:36 PM, Abhrajyoti Kirtania wrote:
> cryptsetup-reencrypt /dev/sda8 --new --reduce-device-size 1024

> Cannot wipe header on device /dev/loop0. if i pass --reduce-device-size as 1024.
> But if i pass this size as 4096 then getting the error as "Device /dev/loop0 is too small."

New LUKS device header needs more than 1024 or 4096 bytes - you need space for keyslots.
Try reduce device size by 4 Megabytes (and do not forget to reduce fs first):

cryptsetup-reencrypt /dev/sda8 --new --reduce-device-size 4M

and it should work.

I will probably add more descriptive error message here, it is really cryptic.

Milan

Re: [dm-crypt] Cryptsetup-reencrypt failing with error with option --new reduce-device-size

[Ondrej Kozina]

On 06/20/2014 02:36 PM, Abhrajyoti Kirtania wrote:
> HI,
> I able to build the crypt setup-reencrypt binary and trying to enable
> encryption on a particular partition with this tool, build failing with
> error like:
>
> *Cannot wipe header on device /dev/loop0. if i pass
> *--reduce-device-size as 1024. But if i pass this size as 4096 then
> getting the error as "Device /dev/loop0 is too small."
>
> Not sure what might be the root cause of this error. Truly appreciate
> your kind support?
>
> cryptsetup-reencrypt /dev/sda8 --new --reduce-device-size 1024 --debug
>
>
> WARNING: this is experimental code, it can completely break your data.
>
> # cryptsetup 1.6.4 processing "./abhra_new/sbin/cryptsetup-reencrypt
> /dev/sda8 --new --reduce-device-size 1024 --debug"

Hi Abhrajyoti,

you have to create enough space to fit new LUKS header during 
reencryption of not yet encrypted device. The LUKS header is 
approximately 1MiB in size (it differs and depends also on other 
parameters). The default unit for --reduce-device-size is a byte. Try to 
use --reduce-device-size 2048S (where 'S' stands for sectors). If I 
recall correctly --reduce-device-size must be aligned to 512B (dm-crypt 
sector size) or maybe even to page size (4 KiB).

Be extremely careful with the --new option! You have to create unused 
space at the end of the original device which is equal in size to 
--reduce-device-size option. By term unused  I mean there are no real 
filesystem data or any data important to you. Otherwise you will you 
loose this data. The best to achieve this would be to actually extend 
the partion or LV at its end exactly by intended --redude-device-size 
parameter first.

Kind regards
Ondrej

Re: [dm-crypt] Cryptsetup-reencrypt failing with error with option --new reduce-device-size

[Abhrajyoti Kirtania]

[-- Attachment #1: Type: text/plain, Size: 2366 bytes --]

Thank you for the reply.

How can i create unused space (shrink) at the end of original divide? As
per the man page "fdisk -u /dev/sdb # move sdb1 partition end + 4096
sectors" not giving expected result.

Even i tried with resize2fs but not helping

test@ubuntu:~/in-place$ sudo resize2fs /dev/sda8 4M

resize2fs 1.42.5 (29-Jul-2012)

resize2fs: New size smaller than minimum (45572)


test@ubuntu:~/in-place$ sudo resize2fs /dev/sda8 8M

resize2fs 1.42.5 (29-Jul-2012)

resize2fs: New size smaller than minimum (45572)








On Fri, Jun 20, 2014 at 6:59 PM, Ondrej Kozina <okozina@redhat.com> wrote:

> On 06/20/2014 02:36 PM, Abhrajyoti Kirtania wrote:
>
>> HI,
>> I able to build the crypt setup-reencrypt binary and trying to enable
>> encryption on a particular partition with this tool, build failing with
>> error like:
>>
>> *Cannot wipe header on device /dev/loop0. if i pass
>> *--reduce-device-size as 1024. But if i pass this size as 4096 then
>>
>> getting the error as "Device /dev/loop0 is too small."
>>
>> Not sure what might be the root cause of this error. Truly appreciate
>> your kind support?
>>
>> cryptsetup-reencrypt /dev/sda8 --new --reduce-device-size 1024 --debug
>>
>>
>> WARNING: this is experimental code, it can completely break your data.
>>
>> # cryptsetup 1.6.4 processing "./abhra_new/sbin/cryptsetup-reencrypt
>> /dev/sda8 --new --reduce-device-size 1024 --debug"
>>
>
> Hi Abhrajyoti,
>
> you have to create enough space to fit new LUKS header during reencryption
> of not yet encrypted device. The LUKS header is approximately 1MiB in size
> (it differs and depends also on other parameters). The default unit for
> --reduce-device-size is a byte. Try to use --reduce-device-size 2048S
> (where 'S' stands for sectors). If I recall correctly --reduce-device-size
> must be aligned to 512B (dm-crypt sector size) or maybe even to page size
> (4 KiB).
>
> Be extremely careful with the --new option! You have to create unused
> space at the end of the original device which is equal in size to
> --reduce-device-size option. By term unused  I mean there are no real
> filesystem data or any data important to you. Otherwise you will you loose
> this data. The best to achieve this would be to actually extend the partion
> or LV at its end exactly by intended --redude-device-size parameter first.
>
> Kind regards
> Ondrej
>

[-- Attachment #2: Type: text/html, Size: 4704 bytes --]

Re: [dm-crypt] Cryptsetup-reencrypt failing with error with option --new reduce-device-size

[Arno Wagner]

Hi,

there is some relevant info in the FAQ at
   http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions

1) There is an FAQ entry 
   "6.13 What is the smallest possible LUKS container?"
   It has some Examples as well.

2) The minimal size given by resize2fs is in blocks (of 1K).
   Yours wants ~45MB for some reason.
   For ext2, I managed to go down to 558k:

   > mke2fs /dev/loop0
   > resize2fs /dev/loop0 558k
   resize2fs 1.42.5 (29-Jul-2012)
   Resizing the filesystem on /dev/loop0 to 558 (1k) blocks.
   The filesystem on /dev/loop0 is now 558 blocks long.

   For ext3, resize2fs wants 4636k 
   For ext4, it wants 9048k.
   
   So for some reason, you have a filesystem where something 
   is larger. dumpe2fs gives you the fs data at the start,
   including the block size and other data. YOu can compare that
   to freshly generated filesystems, for example on loop-devices.
   Incidentally, FAQ item 2.6 tells you how to do loop-devices 
   with LUKS, you can use that to experiment.

Arno


On Fri, Jun 20, 2014 at 16:16:33 CEST, Abhrajyoti Kirtania wrote:
> Thank you for the reply.
> 
> How can i create unused space (shrink) at the end of original divide? As
> per the man page "fdisk -u /dev/sdb # move sdb1 partition end + 4096
> sectors" not giving expected result.
> 
> Even i tried with resize2fs but not helping
> 
> test@ubuntu:~/in-place$ sudo resize2fs /dev/sda8 4M
> 
> resize2fs 1.42.5 (29-Jul-2012)
> 
> resize2fs: New size smaller than minimum (45572)
> 
> 
> test@ubuntu:~/in-place$ sudo resize2fs /dev/sda8 8M
> 
> resize2fs 1.42.5 (29-Jul-2012)
> 
> resize2fs: New size smaller than minimum (45572)
> 
> 
> 
> 
> 
> 
> 
> 
> On Fri, Jun 20, 2014 at 6:59 PM, Ondrej Kozina <okozina@redhat.com> wrote:
> 
> > On 06/20/2014 02:36 PM, Abhrajyoti Kirtania wrote:
> >
> >> HI,
> >> I able to build the crypt setup-reencrypt binary and trying to enable
> >> encryption on a particular partition with this tool, build failing with
> >> error like:
> >>
> >> *Cannot wipe header on device /dev/loop0. if i pass
> >> *--reduce-device-size as 1024. But if i pass this size as 4096 then
> >>
> >> getting the error as "Device /dev/loop0 is too small."
> >>
> >> Not sure what might be the root cause of this error. Truly appreciate
> >> your kind support?
> >>
> >> cryptsetup-reencrypt /dev/sda8 --new --reduce-device-size 1024 --debug
> >>
> >>
> >> WARNING: this is experimental code, it can completely break your data.
> >>
> >> # cryptsetup 1.6.4 processing "./abhra_new/sbin/cryptsetup-reencrypt
> >> /dev/sda8 --new --reduce-device-size 1024 --debug"
> >>
> >
> > Hi Abhrajyoti,
> >
> > you have to create enough space to fit new LUKS header during reencryption
> > of not yet encrypted device. The LUKS header is approximately 1MiB in size
> > (it differs and depends also on other parameters). The default unit for
> > --reduce-device-size is a byte. Try to use --reduce-device-size 2048S
> > (where 'S' stands for sectors). If I recall correctly --reduce-device-size
> > must be aligned to 512B (dm-crypt sector size) or maybe even to page size
> > (4 KiB).
> >
> > Be extremely careful with the --new option! You have to create unused
> > space at the end of the original device which is equal in size to
> > --reduce-device-size option. By term unused  I mean there are no real
> > filesystem data or any data important to you. Otherwise you will you loose
> > this data. The best to achieve this would be to actually extend the partion
> > or LV at its end exactly by intended --redude-device-size parameter first.
> >
> > Kind regards
> > Ondrej
> >

> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt


-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -  Plato

Re: [dm-crypt] Cryptsetup-reencrypt failing with error with option --new reduce-device-size

[Robert Nichols]

On 06/20/2014 09:16 AM, Abhrajyoti Kirtania wrote:
> Thank you for the reply.
>
> How can i create unused space (shrink) at the end of original divide? As per the
> man page "fdisk -u /dev/sdb # move sdb1 partition end + 4096 sectors" not giving
> expected result.
>
> Even i tried with resize2fs but not helping
>
> test@ubuntu:~/in-place$ sudo resize2fs /dev/sda8 4M
>
> resize2fs 1.42.5 (29-Jul-2012)
>
> resize2fs: New size smaller than minimum (45572)

You have tried to resize the filesystem _to_ 4 megabytes, not reduce
its current size _by_ 4 Megabytes. Your current filesystem will of
course not fit in 4 Megabytes.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.

Re: [dm-crypt] Cryptsetup-reencrypt failing with error with option --new reduce-device-size

[Arno Wagner]

On Sat, Jun 21, 2014 at 00:16:53 CEST, Robert Nichols wrote:
> On 06/20/2014 09:16 AM, Abhrajyoti Kirtania wrote:
> >Thank you for the reply.
> >
> >How can i create unused space (shrink) at the end of original divide? As per the
> >man page "fdisk -u /dev/sdb # move sdb1 partition end + 4096 sectors" not giving
> >expected result.
> >
> >Even i tried with resize2fs but not helping
> >
> >test@ubuntu:~/in-place$ sudo resize2fs /dev/sda8 4M
> >
> >resize2fs 1.42.5 (29-Jul-2012)
> >
> >resize2fs: New size smaller than minimum (45572)
> 
> You have tried to resize the filesystem _to_ 4 megabytes, not reduce
> its current size _by_ 4 Megabytes. Your current filesystem will of
> course not fit in 4 Megabytes.

If there is more than, say, 3.5MB of data in it, then definitely not.

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -  Plato

Re: [dm-crypt] Cryptsetup-reencrypt failing with error with option --new reduce-device-size

[Abhrajyoti Kirtania]

[-- Attachment #1: Type: text/plain, Size: 3108 bytes --]

HI Ondrej/ Milan,
I have used gparted to resize the partition and able to create a new LUKS
enabled partition with --new option using reencrypt tool. Though i had used
reencrypt tool, after enabling the encryption, formatting (i.e mkfs.ext4)
is needed to mount that volume. So i loss all the data present onto the
partition.

*I am wondering, Is there any way to enable encryption (in-place) without
losing data from the partition with the help of cryptsetup-reencrypt or any
other option?*

Truly appreciate your kind support and guide please?

Thanks,
Abhrajyoti



On Fri, Jun 20, 2014 at 7:46 PM, Abhrajyoti Kirtania <abhrajyoti@gmail.com>
wrote:

> Thank you for the reply.
>
> How can i create unused space (shrink) at the end of original divide? As
> per the man page "fdisk -u /dev/sdb # move sdb1 partition end + 4096
> sectors" not giving expected result.
>
> Even i tried with resize2fs but not helping
>
> test@ubuntu:~/in-place$ sudo resize2fs /dev/sda8 4M
>
> resize2fs 1.42.5 (29-Jul-2012)
>
> resize2fs: New size smaller than minimum (45572)
>
>
> test@ubuntu:~/in-place$ sudo resize2fs /dev/sda8 8M
>
> resize2fs 1.42.5 (29-Jul-2012)
>
> resize2fs: New size smaller than minimum (45572)
>
>
>
>
>
>
>
>
> On Fri, Jun 20, 2014 at 6:59 PM, Ondrej Kozina <okozina@redhat.com> wrote:
>
>> On 06/20/2014 02:36 PM, Abhrajyoti Kirtania wrote:
>>
>>> HI,
>>> I able to build the crypt setup-reencrypt binary and trying to enable
>>> encryption on a particular partition with this tool, build failing with
>>> error like:
>>>
>>> *Cannot wipe header on device /dev/loop0. if i pass
>>> *--reduce-device-size as 1024. But if i pass this size as 4096 then
>>>
>>> getting the error as "Device /dev/loop0 is too small."
>>>
>>> Not sure what might be the root cause of this error. Truly appreciate
>>> your kind support?
>>>
>>> cryptsetup-reencrypt /dev/sda8 --new --reduce-device-size 1024 --debug
>>>
>>>
>>> WARNING: this is experimental code, it can completely break your data.
>>>
>>> # cryptsetup 1.6.4 processing "./abhra_new/sbin/cryptsetup-reencrypt
>>> /dev/sda8 --new --reduce-device-size 1024 --debug"
>>>
>>
>> Hi Abhrajyoti,
>>
>> you have to create enough space to fit new LUKS header during
>> reencryption of not yet encrypted device. The LUKS header is approximately
>> 1MiB in size (it differs and depends also on other parameters). The default
>> unit for --reduce-device-size is a byte. Try to use --reduce-device-size
>> 2048S (where 'S' stands for sectors). If I recall correctly
>> --reduce-device-size must be aligned to 512B (dm-crypt sector size) or
>> maybe even to page size (4 KiB).
>>
>> Be extremely careful with the --new option! You have to create unused
>> space at the end of the original device which is equal in size to
>> --reduce-device-size option. By term unused  I mean there are no real
>> filesystem data or any data important to you. Otherwise you will you loose
>> this data. The best to achieve this would be to actually extend the partion
>> or LV at its end exactly by intended --redude-device-size parameter first.
>>
>> Kind regards
>> Ondrej
>>
>
>

[-- Attachment #2: Type: text/html, Size: 5939 bytes --]

Re: [dm-crypt] Cryptsetup-reencrypt failing with error with option --new reduce-device-size

[Milan Broz]

On 06/24/2014 06:53 PM, Abhrajyoti Kirtania wrote:
> HI Ondrej/ Milan, I have used gparted to resize the partition and
> able to create a new LUKS enabled partition with --new option using
> reencrypt tool. Though i had used reencrypt tool, after enabling the
> encryption, formatting (i.e mkfs.ext4) is needed to mount that
> volume. So i loss all the data present onto the partition.

Sigh. Mkfs definitely cannot fix anything. too late here.
 
> *I am wondering, Is there any way to enable encryption (in-place)
> without losing data from the partition with the help of
> cryptsetup-reencrypt or any other option?*

Yes, there is a way. But you should really understand what you are doing
before blindly trying various parameters. All the tools are low level
tools and mistake means complete data loss.

So simple example how to enable encryption without data copy:

- the only requirement is to have fs which is able to shrink
for at least 4MB to create space for LUKS header.

1) Shrink fs. You can use trick to shrink to minimum.

2) reencrypt with reduce size

3) luksOpen device

4) resize fs to maximum

5) profit :)


Here is the example I just run on my VM. The test file is random
file just to prove data are intact (example is for ext4 fs):

1) Check test file checksum:

  # mount /dev/sdb1 /mnt/tst
  # sha256sum /mnt/tst/test 
  ccc803eaf55d9fee5ec4bba9f1ae56c88951ce506124ee25f6d938cc2dd22c7c  /mnt/tst/test
  # umount /mnt/tst

2) Reduce fs to minimum (I know it will provide at least 4M space I need for LUKS)

  # resize2fs -M /dev/sdb1
  resize2fs 1.42.7 (21-Jan-2013)
  Resizing the filesystem on /dev/sdb1 to 137435 (1k) blocks.
  The filesystem on /dev/sdb1 is now 137435 blocks long.

3) Reencrypt with data shift (4M is enough)

  # cryptsetup-reencrypt --new --reduce-device-size 4M /dev/sdb1
  WARNING: this is experimental code, it can completely break your data.
  Enter new passphrase: 
  Progress: 100.0%, ETA 00:00,  199 MiB written, speed  83.6 MiB/s

4) Mount new LUKS device

  # cryptsetup luksOpen /dev/sdb1 sdb1_crypt
  Enter passphrase for /dev/sdb1: 

5) Resize fs to maximal size

  # resize2fs /dev/mapper/sdb1_crypt 
  resize2fs 1.42.7 (21-Jan-2013)
  Resizing the filesystem on /dev/mapper/sdb1_crypt to 203776 (1k) blocks.
  The filesystem on /dev/mapper/sdb1_crypt is now 203776 blocks long.

6) Check that data is still there
  # mount /dev/mapper/sdb1_crypt /mnt/tst
  # sha256sum /mnt/tst/test 
  ccc803eaf55d9fee5ec4bba9f1ae56c88951ce506124ee25f6d938cc2dd22c7c  /mnt/tst/test

If you use exact resize argument in step 2) and 3) you do not need step 5).
See man page for resize tool.

Milan

Re: [dm-crypt] Cryptsetup-reencrypt failing with error with option --new reduce-device-size

[Abhrajyoti Kirtania]

[-- Attachment #1: Type: text/plain, Size: 2862 bytes --]

Thank you.


On Tue, Jun 24, 2014 at 11:27 PM, Milan Broz <gmazyland@gmail.com> wrote:

> On 06/24/2014 06:53 PM, Abhrajyoti Kirtania wrote:
> > HI Ondrej/ Milan, I have used gparted to resize the partition and
> > able to create a new LUKS enabled partition with --new option using
> > reencrypt tool. Though i had used reencrypt tool, after enabling the
> > encryption, formatting (i.e mkfs.ext4) is needed to mount that
> > volume. So i loss all the data present onto the partition.
>
> Sigh. Mkfs definitely cannot fix anything. too late here.
>
> > *I am wondering, Is there any way to enable encryption (in-place)
> > without losing data from the partition with the help of
> > cryptsetup-reencrypt or any other option?*
>
> Yes, there is a way. But you should really understand what you are doing
> before blindly trying various parameters. All the tools are low level
> tools and mistake means complete data loss.
>
> So simple example how to enable encryption without data copy:
>
> - the only requirement is to have fs which is able to shrink
> for at least 4MB to create space for LUKS header.
>
> 1) Shrink fs. You can use trick to shrink to minimum.
>
> 2) reencrypt with reduce size
>
> 3) luksOpen device
>
> 4) resize fs to maximum
>
> 5) profit :)
>
>
> Here is the example I just run on my VM. The test file is random
> file just to prove data are intact (example is for ext4 fs):
>
> 1) Check test file checksum:
>
>   # mount /dev/sdb1 /mnt/tst
>   # sha256sum /mnt/tst/test
>   ccc803eaf55d9fee5ec4bba9f1ae56c88951ce506124ee25f6d938cc2dd22c7c
>  /mnt/tst/test
>   # umount /mnt/tst
>
> 2) Reduce fs to minimum (I know it will provide at least 4M space I need
> for LUKS)
>
>   # resize2fs -M /dev/sdb1
>   resize2fs 1.42.7 (21-Jan-2013)
>   Resizing the filesystem on /dev/sdb1 to 137435 (1k) blocks.
>   The filesystem on /dev/sdb1 is now 137435 blocks long.
>
> 3) Reencrypt with data shift (4M is enough)
>
>   # cryptsetup-reencrypt --new --reduce-device-size 4M /dev/sdb1
>   WARNING: this is experimental code, it can completely break your data.
>   Enter new passphrase:
>   Progress: 100.0%, ETA 00:00,  199 MiB written, speed  83.6 MiB/s
>
> 4) Mount new LUKS device
>
>   # cryptsetup luksOpen /dev/sdb1 sdb1_crypt
>   Enter passphrase for /dev/sdb1:
>
> 5) Resize fs to maximal size
>
>   # resize2fs /dev/mapper/sdb1_crypt
>   resize2fs 1.42.7 (21-Jan-2013)
>   Resizing the filesystem on /dev/mapper/sdb1_crypt to 203776 (1k) blocks.
>   The filesystem on /dev/mapper/sdb1_crypt is now 203776 blocks long.
>
> 6) Check that data is still there
>   # mount /dev/mapper/sdb1_crypt /mnt/tst
>   # sha256sum /mnt/tst/test
>   ccc803eaf55d9fee5ec4bba9f1ae56c88951ce506124ee25f6d938cc2dd22c7c
>  /mnt/tst/test
>
> If you use exact resize argument in step 2) and 3) you do not need step 5).
> See man page for resize tool.
>
> Milan
>

[-- Attachment #2: Type: text/html, Size: 3578 bytes --]