From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wg0-x230.google.com (mail-wg0-x230.google.com [IPv6:2a00:1450:400c:c00::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mail.server123.net (Postfix) with ESMTPS for ; Tue, 24 Jun 2014 19:57:20 +0200 (CEST) Received: by mail-wg0-f48.google.com with SMTP id n12so768184wgh.31 for ; Tue, 24 Jun 2014 10:57:19 -0700 (PDT) Message-ID: <53A9BBFC.5040909@gmail.com> Date: Tue, 24 Jun 2014 19:57:16 +0200 From: Milan Broz MIME-Version: 1.0 References: <53A4374C.9080705@redhat.com> In-Reply-To: Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Subject: Re: [dm-crypt] Cryptsetup-reencrypt failing with error with option --new reduce-device-size List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Abhrajyoti Kirtania , Ondrej Kozina , Milan Broz Cc: dm-crypt@saout.de On 06/24/2014 06:53 PM, Abhrajyoti Kirtania wrote: > HI Ondrej/ Milan, I have used gparted to resize the partition and > able to create a new LUKS enabled partition with --new option using > reencrypt tool. Though i had used reencrypt tool, after enabling the > encryption, formatting (i.e mkfs.ext4) is needed to mount that > volume. So i loss all the data present onto the partition. Sigh. Mkfs definitely cannot fix anything. too late here. > *I am wondering, Is there any way to enable encryption (in-place) > without losing data from the partition with the help of > cryptsetup-reencrypt or any other option?* Yes, there is a way. But you should really understand what you are doing before blindly trying various parameters. All the tools are low level tools and mistake means complete data loss. So simple example how to enable encryption without data copy: - the only requirement is to have fs which is able to shrink for at least 4MB to create space for LUKS header. 1) Shrink fs. You can use trick to shrink to minimum. 2) reencrypt with reduce size 3) luksOpen device 4) resize fs to maximum 5) profit :) Here is the example I just run on my VM. The test file is random file just to prove data are intact (example is for ext4 fs): 1) Check test file checksum: # mount /dev/sdb1 /mnt/tst # sha256sum /mnt/tst/test ccc803eaf55d9fee5ec4bba9f1ae56c88951ce506124ee25f6d938cc2dd22c7c /mnt/tst/test # umount /mnt/tst 2) Reduce fs to minimum (I know it will provide at least 4M space I need for LUKS) # resize2fs -M /dev/sdb1 resize2fs 1.42.7 (21-Jan-2013) Resizing the filesystem on /dev/sdb1 to 137435 (1k) blocks. The filesystem on /dev/sdb1 is now 137435 blocks long. 3) Reencrypt with data shift (4M is enough) # cryptsetup-reencrypt --new --reduce-device-size 4M /dev/sdb1 WARNING: this is experimental code, it can completely break your data. Enter new passphrase: Progress: 100.0%, ETA 00:00, 199 MiB written, speed 83.6 MiB/s 4) Mount new LUKS device # cryptsetup luksOpen /dev/sdb1 sdb1_crypt Enter passphrase for /dev/sdb1: 5) Resize fs to maximal size # resize2fs /dev/mapper/sdb1_crypt resize2fs 1.42.7 (21-Jan-2013) Resizing the filesystem on /dev/mapper/sdb1_crypt to 203776 (1k) blocks. The filesystem on /dev/mapper/sdb1_crypt is now 203776 blocks long. 6) Check that data is still there # mount /dev/mapper/sdb1_crypt /mnt/tst # sha256sum /mnt/tst/test ccc803eaf55d9fee5ec4bba9f1ae56c88951ce506124ee25f6d938cc2dd22c7c /mnt/tst/test If you use exact resize argument in step 2) and 3) you do not need step 5). See man page for resize tool. Milan