Thread: How to: Resize an Encrypted Partition (LUKS)

    How to Resize a LUKS Encrypted File System.




    Contents
    1. Introduction.
    2. Terminology.
    3. Setup Live CD to manage encrypted partitions.
    4. Resizing ~ Overview.
    5. Resizing in detail ~ Reduction.
    6. Resizing in detail ~ Enlargement
    7. References.




    Introduction: Encryption seems to be becoming more popular and one can install onto an encrypted hard drive with the Alternate CD.

    Guided - use entire disk and set up encrypted LVM
    There is no (obvious) option to add additional partitions such as either a /home or /data partition. Now a big part of this problem can be solved if you understand the partitioning options on the Alternate CD; I will save that for another how-to ....

    In the meantime, see this link : http://users.piuha.net/martti/comp/u...cryptolvm.html


    Worse, I could not find any documentation on how to resize the encrypted partition after the installation.

    Resizing your encrypted file system can not be done directly as of yet with Gparted as Gparted sees the encrypted partitions as unformatted space.

    At this time, the crypt must be re-sized from a live CD in multiple steps, manually, from the command line.

    It should go without saying, resizing your crypt may result in data loss. Be sure to BACK UP your data first.

    It may be easier to simply reinstall following the link above. Here it is again :

    http://users.piuha.net/martti/comp/u...cryptolvm.html

    For this how-to I used the default partitioning/encryption scheme. The LUKS crypt is called "crypt1" and I called the LV group "hardy" (the installer defaults to your hostname).


    Terminology

    Compartments within compartments.

    LUKS = Linux Unified Key Setup.

    While a detailed explanation of either LVM or encryption is beyond this how-to, think of it this way: in an encrypted system we have multiple containers (the crypt, LVM, and the file system). We need to resize each of those.

    • Physical partition.
    • Crypt.
    • LVM ->
      • Physical Volume.
      • Logical Volume.
    • File system.


    Physical partition -> This is a partition on your hard drive to contain the LUKS crypt (The Alternate CD defaults to /dev/sda5 for encryption).

    Crypt = LUKS then creates a crypt within the physical partition. The contents of the crypt are, of course, encrypted. The encrypted space is mapped to /dev/mapper/crypt1 , LVM is then used to create partitions within the crypt.

    LVM = Logical Volume Management. LVM takes physical partitions (AKA Physical Volumes) and creates Logical Volumes, somewhat similar to a logical partition within an extended partition.

    Physical Volume The (LVM) Physical Volume used for encryption is the LUKS crypt, which is mapped to /dev/mapper/crypt1.

    Logical Volumes The (LVM) Physical Volume is divided into (LVM) Logical Volumes which are in turn used for / (root partition) and swap. Similar to logical partitions, these are contained within the (LVM) Physical Volume within (LUKS) crypt within the physical partition.

    File system = ext3 (or swap) = The actual file system written onto the logical volumes.


    Start by knowing your root partition and how you want to resize. Some helpful commands include :

    Code:
    df -h
    
    sudo blkid
    
    sudo fdisk -l
    
    sudo cryptsetup status crypt1
    
    sudo pvdisplay
    
    sudo lvdisplay
    
    mount
    
    free

    Setup ~ Desktop (Live) CD, Adding the tools to manage encrypted partitions

    1. Boot the live (Desktop) CD and install lvm2 and cryptsetup.

    Code:
    sudo apt-get update && sudo apt-get install lvm2 cryptsetup
    2. Load the cryptsetup module.

    Code:
    sudo modprobe dm-crypt
    3. Decrypt your file system.

    Code:
    sudo cryptsetup luksOpen /dev/sda5 crypt1
    4. Get the live CD to recognize (activate) your LVM.

    Code:
    sudo vgscan --mknodes
    sudo vgchange -ay
    You can now manage your encrypted partitions, mount them, copy them, or perform maintenance (fsck, backup, resize).


    Resizing ~ Overview

    The order of the next steps depends on whether you are shrinking or enlarging your encrypted partition. Enlarging is somewhat easier as the default of many of the commands is to fill the available space.

    Note: If you want to Enlarge your encrypted partition, although adding a second physical hard drive to LVM is "easy" I am not sure you could then add this to your Crypt (the Crypt must be on a single hard drive).

    Shrink an encrypted partition
    1. Boot the desktop, live CD. Install & configure the tools (lvm2 and cryptsetup).
    2. Reduce the (root) file system with resize2fs.
    3. Reduce the (root) (LVM) Logical Volume with lvreduce.
    4. Reduce the (LVM) Physical Volume with pvresize.
    5. Reduce the Crypt with cryptsetup.
    6. Reduce the Partition storing the crypt with fdisk.
    7. Reboot to your encrypted hard drive ~ You should always reboot after changing your partition table with fdisk.


    Enlarge an encrypted partition
    1. Boot the desktop, live CD. Use gparted (or any tool) to put unallocated space adjacent, and to the left of your Crypt partition.
    2. Enlarge the Partition storing the crypt with fdisk.
    3. Reboot ~ You should always reboot after changing your partition table with fdisk.
    4. Boot the desktop, live CD. Install & configure the tools (lvm2 and cryptsetup).
    5. Enlarge the Crypt with cryptsetup.
    6. Enlarge the (LVM) Physical Volume with pvresize.
    7. Enlarge the (root) (LVM) Logical Volume with lvresize.
    8. Enlarge the (root) file system with resize2fs.
    9. Reboot to your encrypted hard drive.



    Detailed resizing ~ Shrinking an encrypted partition

    1. Reduce the size of your file system with resize2fs (this tool works on ext2 and ext3 partitions). You need to check the file system before you can resize it.

    Code:
    sudo e2fsck -f /dev/mapper/hardy-root
    sudo resize2fs -p /dev/mapper/hardy-root 5g
    • Replace the "5g" with your intended size (in Gb) of your filesystem.
    • The -p flag shows a progress hash.


    Check that the file system is still intact with e2fsck.

    Code:
    sudo e2fsck -f /dev/mapper/hardy-root

    2. Reduce the size of your root (LVM) Logical Volume. The -L flag is how much you want to reduce the size of your (LVM) Logical Volume, so keep this in mind.

    Display your (LVM) Logical Volumes with lvdisplay.

    Code:
    sudo lvdisplay
    Note how much you need to reduce your root (LVM) Logical Volume by (in my case it was 4.3 Gb).

    Code:
    sudo lvreduce -L -4.3G /dev/hardy/root
    Note: You will need to change the "-4.3G" to the proper size to reduce your root (LVM) Logical Volume to your desired size.

    Re-display your (LVM) Logical Volumes to check the final size is correct.

    Code:
    sudo lvdisplay

    3. Resize your (LVM) Physical Volume.

    Remove the swap (LVM) Logical Volume. The (LVM) Physical Volume used by LVM can become "fragmented" in that the (LVM) Logical Volumes within the (LVM) Physical Volume are not always in order. There is no defragmentation tool, so you may need to manually move the (LVM) Logical Volume (back up the data, delete the (LVM) Logical Volume, re-create a replacement (LVM) Logical Volume, restore data from backup).

    Show the size of your (LVM) Physical Volume with pvdisplay.

    Code:
    sudo pvdisplay
    Remove the swap (LVM) Logical Volume.

    Code:
    sudo lvremove /dev/hardy/swap_1
    Resize the (LVM) Physical Volume.

    Code:
    sudo pvresize --setphysicalvolumesize 5.6G /dev/mapper/crypt1
    Now we will restore (recreate) the swap (LVM) Logical Volume.

    Set permissions of (LVM) Physical Volume to allow allocation (if needed).

    Code:
    sudo pvchange -x y /dev/mapper/crypt1
    Restore the swap (LVM) Logical Volume.

    Code:
    sudo lvcreate -L 512m -n swap_1 hardy
    sudo mkswap -L swap_1 /dev/hardy/swap_1
    As the mkswap command finishes it will print the new uuid to the terminal.

    Update fstab with new uuid (use any editor).

    Code:
    sudo mount /dev/hardy/root /mnt
    Code:
    gksu gedit /mnt/etc/fstab
    Copy-paste the new uuid from the terminal to fstab, updating the uuid for your swap partition.

    Save and exit gedit.

    Unmount the root (LVM) Logical Volume.

    Code:
    sudo umount /mnt
    Re-lock the (LVM) Physical Volume after adding the swap (LVM) Logical Volume (locking the physical volume keeps it from changing).

    Code:
    sudo pvchange -x n /dev/mapper/crypt1

    4. Resize your crypt.

    Show the size of your crypt with cryptsetup.

    Code:
    sudo cryptsetup status crypt1
    This shows the size of your crypt in sectors.

    Make note of the offset.

    offset: 2056 sectors
    Resize with cryptsetup.

    Code:
    sudo cryptsetup -o 2056 -b 11800000 resize crypt1
    -o = offset (get this from the status command).
    -b = size in sectors. I had to do this by trial and error. After resizing I used Gparted to show the size of the crypt (System -> Administration -> Partition Editor ; select /dev/mapper/crypt1 from the pull-down menu). Close gparted after confirming the new size of your crypt.


    5. Resize your partitions with fdisk.

    Unmount your LVM and crypt.

    Code:
    sudo vgchange -an
    sudo cryptsetup luksClose crypt1
    Now the scary part, use fdisk to manually resize your partitions.

    If you are unfamiliar with fdisk, I advise you read this link.

    http://tldp.org/HOWTO/Partition/fdisk_partitioning.html

    Note : fdisk does NOT overwrite data, so if you make a mistake you should be able to "undo" the changes.

    List your partition information with fdisk.

    Code:
    sudo fdisk -l
    WRITE THIS INFORMATION DOWN (or print it out).

    Re-write your partition table. To do this, DELETE your partitions and RECREATE them, but in a smaller size.

    You will need to delete and re-create ALL your LVM partitions within your crypt.

    Code:
    sudo fdisk /dev/sda
    This was my fdisk session :

    The number of cylinders for this disk is set to 1305.
    There is nothing wrong with that, but this is larger than 1024,
    and could in certain setups cause problems with:
    1) software that runs at boot time (e.g., old versions of LILO)
    2) booting and partitioning software from other OSs
    (e.g., DOS FDISK, OS/2 FDISK)

    Command (m for help): d
    Partition number (1-5): 5

    Command (m for help): d
    Partition number (1-5): 2

    Command (m for help): n
    Command action
    e extended
    p primary partition (1-4)
    e
    Partition number (1-4): 2
    First cylinder (32-1305, default 32):
    Using default value 32
    Last cylinder or +size or +sizeM or +sizeK (32-1305, default 1305): +6000M

    Command (m for help): n
    Command action
    l logical (5 or over)
    p primary partition (1-4)
    l
    First cylinder (32-761, default 32):
    Using default value 32
    Last cylinder or +size or +sizeM or +sizeK (32-761, default 761):
    Using default value 761

    Command (m for help): n
    Command action
    l logical (5 or over)
    p primary partition (1-4)
    p
    Partition number (1-4): 3
    First cylinder (762-1305, default 762):
    Using default value 762
    Last cylinder or +size or +sizeM or +sizeK (762-1305, default 1305):
    Using default value 1305

    Command (m for help): p

    Disk /dev/sda: 10.7 GB, 10737418240 bytes
    255 heads, 63 sectors/track, 1305 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes
    Disk identifier: 0x000a6bf9

    Device Boot Start End Blocks Id System
    /dev/sda1 * 1 31 248976 83 Linux
    /dev/sda2 32 761 5863725 5 Extended
    /dev/sda3 762 1305 4369680 83 Linux
    /dev/sda5 32 761 5863693+ 83 Linux

    Command (m for help): w
    The partition table has been altered!

    Calling ioctl() to re-read partition table.
    Syncing disks.
    Cancel the "Authentication" dialog that appears (the live CD is trying to auto-mount your new partition).


    <Say prayer here>

    Reboot to your hard drive, enter your crypt password.


    Detailed resizing ~ Enlarging an encrypted partition.

    This section will be shorter; it is basically the reverse of the above. Enlarging is easier as the defaults resize the containers to the largest available space.

    1. Boot a live CD and, using any tool, create a new partition, let's call it /dev/sda6 , next to and to the left of (after) your crypt.

    2. Write random data to the new partition.

    Make sure you have the correct partition for this command or you will overwrite your crypt.

    Code:
    sudo dd if=/dev/urandom of=/dev/sda6
    You can run that command as many times as your paranoia requires.

    3. Use fdisk as above to delete and then re-create a larger crypt partition.

    4. Reboot to the live CD.

    5. Install lvm2 and cryptsetup.

    Code:
    sudo apt-get update && sudo apt-get install lvm2 cryptsetup
    6. Load the cryptsetup module.

    Code:
    sudo modprobe dm-crypt
    7. Decrypt your file system.

    Code:
    sudo cryptsetup luksOpen /dev/sda5 crypt1
    8. Get the live CD to recognize (activate) your LVM.

    Code:
    sudo vgscan --mknodes
    sudo vgchange -ay
    9. Resize the Crypt.

    Code:
    sudo cryptsetup resize crypt1
    10. Resize the (LVM) Physical volume.

    Code:
    sudo pvresize /dev/mapper/crypt1
    11. Resize your root (LVM) Logical Volume.

    Unlock the physical volume.

    Code:
    sudo pvchange -x y /dev/mapper/crypt1
    Resize your root (LVM) Logical Volume.

    Code:
    sudo lvresize -L +4G /dev/hardy/root
    Note: Change the +4G to the amount of space you are adding.

    Re-lock the (LVM) Physical Volume.

    Code:
    sudo pvchange -x n /dev/mapper/crypt1
    12. Resize the filesystem.

    Code:
    sudo e2fsck -f /dev/mapper/hardy-root
    sudo resize2fs -p /dev/mapper/hardy-root
    You can check the size of the file system by mounting it before and after resizing the file system and running df -h . DO NOT RESIZE A MOUNTED PARTITION.

    Before :
    Filesystem Size Used Avail Use% Mounted on
    /dev/mapper/hardy-root 5.0G 2.1G 2.7G 45% /mnt
    After :
    Filesystem Size Used Avail Use% Mounted on
    /dev/mapper/hardy-root 9.2G 2.1G 6.6G 24% /mnt
    13. Reboot to hard drive.

    Note : With most of those commands the default was to resize by expanding to take up the available space. This is why expanding is easier than reducing.


    Hope this helped,

    bodhi.zazen



    References :

    LUKS wiki page :
    http://www.saout.de/tikiwiki/tiki-in...LUKSPartitions


    Managing encrypted partitions from a live CD :
    http://www.ubuntugeek.com/rescue-an-...vm-volume.html
    http://linuxwave.blogspot.com/2007/1...tu-livecd.html

    man resize2fs :
    http://linux.die.net/man/8/resize2fs


    LVM :



    fdisk :


    Note : the first (and only comment at the time of this post) on this blog reads :

    How to get the data back ?


    BACK UP before your Resize.
    Last edited by bodhi.zazen; March 19th, 2008 at 12:24 AM. Reason: Added information re: Enlarging Crypt
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta
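
The shrink procedure in the post depends on each container staying at least as large as what it holds (PV inside crypt, crypt plus LUKS payload offset inside the partition). The script below is an added example, not part of the original post, that does this bookkeeping in 512-byte sectors so the `-b` value and the fdisk size do not have to be found by trial and error. The function names are made up for this example; the input figures are the ones quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post): sector bookkeeping for the
# shrink procedure. All sizes are 512-byte sectors, as cryptsetup reports.

# LVM-style size (5.6G, 512M; binary units) -> sectors, rounded up.
to_sectors() {
    awk -v s="$1" 'BEGIN {
        u = toupper(substr(s, length(s))); n = substr(s, 1, length(s) - 1) + 0
        m = (u == "G") ? 1073741824 : (u == "M") ? 1048576 : (u == "K") ? 1024 : 0
        if (m == 0) exit 1
        x = n * m / 512; r = int(x); if (r < x) r++
        printf "%d\n", r
    }'
}

# fdisk "Blocks" column (1 KiB blocks, trailing "+" = one extra sector) -> sectors.
blocks_to_sectors() {
    case "$1" in
        *+) echo $(( ${1%+} * 2 + 1 )) ;;
        *)  echo $(( $1 * 2 )) ;;
    esac
}

# Smallest partition that holds the LUKS header (payload offset) plus the crypt.
min_partition_sectors() {   # args: crypt_sectors offset_sectors
    echo $(( $1 + $2 ))
}

# Check the nesting PV <= crypt <= partition - offset; prints OK or what is short.
check_layers() {            # args: pv_sectors crypt_sectors offset part_sectors
    if [ "$1" -gt "$2" ]; then
        echo "crypt short of PV by $(( $1 - $2 )) sectors"
    elif [ $(( $2 + $3 )) -gt "$4" ]; then
        echo "partition short of crypt+offset by $(( $2 + $3 - $4 )) sectors"
    else
        echo "OK"
    fi
}

# Figures taken from the post: PV 5.6G, crypt -b 11800000, offset 2056,
# /dev/sda5 listed by fdisk with 5863693+ blocks.
pv=$(to_sectors 5.6G)
part=$(blocks_to_sectors 5863693+)
echo "PV needs at least $pv sectors inside the crypt"
echo "11800000-sector crypt needs a partition of $(min_partition_sectors 11800000 2056) sectors"
echo "check: $(check_layers "$pv" 11800000 2056 "$part")"
```

With the post's figures the check reports the re-created /dev/sda5 as 74669 sectors short of crypt plus offset, so work the sizes outward from the PV and compare against `sudo fdisk -l` before writing the partition table.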