How to: Resize an Encrypted Partition (LUKS)
How to Resize a LUKS Encrypted File System.
Contents
- Introduction.
- Terminology.
- Setup Live CD to manage encrypted partitions.
- Resizing ~ Overview.
- Resizing in detail ~ Reduction.
- Resizing in detail ~ Enlargement
- References.
Introduction: Encryption seems to becoming more popular and one can install onto an encrypted hard drive with the Alternate CD.
Quote:
Guided - use entire disk and set up encrypted LVM
There is no (obvious) option to add additional partitions such as either a /home or /data partition. Now a big part of this problem can be solved if you understand the partitioning options on the Alternate CD, I will save that for another how-to ....
In the mean time, see this link : http://users.piuha.net/martti/comp/u...cryptolvm.html
Worse, I could not find any documentation on how to resize the encrypted partition after the installation :( .
Resizing your encrypted file system can not be done directly as of yet with Gparted as Gparted sees the encrypted partitions as unformatted space.
At this time, the crypt must be re-sized from a live CD in multiple steps, manually, from the command line.
It should go without saying, resizing your crypt may result in data loss :( Be sure to BACK UP your data first. :twisted:
It may be easier to simply reinstall following the link above. Here it is again :
http://users.piuha.net/martti/comp/u...cryptolvm.html
For this how-to I used the default partitioning/encryption scheme. The LUKS crypt is called "crypt1" and I called the LV group "hardy" (the installer defaults to your hostname).
Terminology
Compartments within compartments.
LUKS = Linux Unified Key Setup.
While a detailed explanation of either LVM or encryption is beyond this how to, think of an encrypted system we have multiple containers, the crypt and LVM, and the file system. We need to resize each of those.
- Physical partition.
- Crypt.
- LVM ->
- Physical Volume.
- Logical Volume.
- File system.
Physical partition -> This is a partition on your hard drive to contain the LUKS crypt (The Alternate CD defaults to /dev/sda5 for encryption).
Crypt = LUKS then creates a crypt within the physical partition. The contents of the crypt are, of course, encrypted. The encrypted space is mapped to /dev/mapper/crypt1 , LVM is then used to create partitions within the crypt.
LVM = Logical Volume Management. LVM takes physical partitions (AKA Physical Volumes) and creates Logical Volumes, somewhat similar to a logical partition within an extended partition.
Physical Volume The (LVM) Physical Volume used for encryption is the LUKS crypt, which is mapped to /dev/mapper/crypt1.
Logical Volumes The (LVM) Physical Volume is divided into (LVM) Logical Volumes which are in turn used for / (root partition) and swap. Similar to logical partitions, these are contained within the (LVM) Physical Volume within (LUKS) crypt within the physical partition.
File system = ext3 (or swap) = The actual file system written onto the logical volumes.
Start by knowing your root partition and how you want to resize. Some helpful commands include :
Code:
df -h
sudo blkid
sudo fdisk -l
sudo cryptsetup status crypt1
sudo pvdisplay
sudo lvdisplay
mount
free
Setup ~ Desktop (Live) CD, Adding the tools to manage encrypted partitions
1. Boot the live (Desktop) CD and install lvm2 and cryptsetup.
Code:
sudo apt-get update && sudo apt-get install lvm2 cryptsetup
2. Load the cryptsetup module.
Code:
sudo modprobe dm-crypt
2. Decrypt your file system.
Code:
sudo cryptsetup luksOpen /dev/sda5 crypt1
4. Get the live CD to recognize (activate) your LVM.
Code:
sudo vgscan --mknodes
sudo vgchange -ay
You can now manage your encrypted partitions, mount them, copy them, or perform maintenance (fsck, backup, resize).
Resizing ~ Overview
The order of the next steps depends on if you are shrinking or enlarging your encrypted partition. Enlarging is somewhat easier as the defaults of many of the commands is to fill the available space.
Note: If you want to Enlarge your encrypted partition, although adding a second physical hard drive to LVM is "easy" I am not sure you could then add this to your Crypt (the Crypt must be on a single hard drive).
Shrink an encrypted partition
- Boot the desktop, live CD. Install & configure the tools (lvm2 and cryptsetup).
- Reduce the (root) file system with resize2fs.
- Reduce the (root) (LVM) Logical Volume with lvreduce.
- Reduce the (LVM) Physical Volume with pvresize.
- Reduce the Crypt with cryptsetup.
- Reduce the Partition storing the crypt with fdisk.
- Reboot to your encrypted hard drive ~ You should always reboot after changing your partition table with fdisk.
Enlarge an encrypted partition
- Boot the desktop, live CD. Use gparted (or any tool) to put unallocated space adjacent, and to the left of your Crypt partition.
- Enlarge the Partition storing the crypt with fdisk.
- Reboot ~ You should always reboot after changing your partition table with fdisk.
- Boot the desktop, live CD. Install & configure the tools (lvm2 and cryptsetup).
- Enlarge the Crypt with cryptsetup.
- Enlarge the (LVM) Physical Volume with pvresize.
- Enlarge the (root) (LVM) Logical Volume with lvresize.
- Enlarge the (root) file system with resize2fs.
- Reboot to your encrypted hard drive.
Detailed resizing ~ Shrinking an encrypted partition
1. Reduce the size of your file system with resize2fs (this tool works on ext2 and ext3 partitions). You need to check the file system before you can resize it.
Code:
sudo e2fsck -f /dev/mapper/hardy-root
sudo resize2fs -p /dev/mapper/hardy-root 5g
- Replace the "5g" with your intended size (in Gb) of your filesystem.
- The -p flag shows a progress hash.
Check that the file system is still intact with e2fsck.
Code:
sudo e2fsck -f /dev/mapper/hardy-root
2. Reduce the size of your root (LVM) Logical Volume. The -L flag is how much you want to reduce the size of your (LVM) Logical Volume, so keep this in mind.
Display your (LVM) Logical Volumes with lvdisplay.
Note how much you need to reduce your root (LVM) Logical Volume by (in my case it was 4.3 Gb).
Code:
sudo lvreduce -L -4.3G /dev/hardy/root
Note: You will need to change the "-4.3G" to the proper size to reduce your root (LVM) Logical Volume to your desired size.
Re-display your (LVM) Logical Volumes to check the final size is correct.
3. Resize your (LVM) Physical Volume.
Remove the swap (LVM) Logical Volume. The (LVM) Physical Volume used by LVM can become "fragmented" in that the (LVM) Logical Volumes within the (LVM) Physical Volume are not always in order. There is no defragmentation tool, so if you may need to manually move the (LVM) Logical Volume (back up the data, delete the (LVM) Logical Volume, re-create a replacement (LVM) Logical Volume, restore data from backup).
Show the size of your (LVM) Physical Volume with pvdisplay.
Remove the swap (LVM) Logical Volume.
Code:
lvremove /dev/hardy/swap_1
Resize the (LVM) Physical Volume.
Code:
sudo pvresize --setphysicalvolumesize 5.6G /dev/mapper/crypt1
Now we will restore (recreate) the swap (LVM) Logical Volume.
Set permissions of (LVM) Physical Volume to allow allocation (if needed).
Code:
sudo pvchange -x y /dev/mapper/crypt1
Restore the swap (LVM) Logical Volume.
Code:
sudo lvcreate -L 512m -n swap_1 hardy
sudo mkswap -L swap_1 /dev/hardy/swap1
As the mkswap command finishes it will print the new uuid to the terminal.
Update fstab with new uuid (use any editor).
Code:
sudo mount /dev/hardy/root /mnt
Code:
gksu gedit /mnt//etc/fstab
Copy-paste the new uuid from the terminal to fstab, updating the uuid for your swap partition.
Save and exit gedit.
Unmount the root (LVM) Logical Volume.
Re-lock the (LVM) Physical Volume after adding the swap (LVM) Logical Volume (locking the physical volume keeps it from changing).
Code:
sudo pvchange -x n /dev/mapper/crypt1
4. Resize your crypt.
Show the size of your crypt with cryptsetup.
Code:
sudo cryptsetup status crypt1
This shows the size of your crypt in sectors.
Make note of the offset.
Quote:
offset: 2056 sectors
Resize with cryptsetup.
Code:
sudo cryptsetup -o 2056 -b 11800000 resize crypt1
-o = offset (get this from the status command).
-b = size in sectors. I had to do this by trial and error. After resizing I used Gparted to show the size of the crypt (System -> Administration -> Partition Editor ; select /dev/mapper/crypt1 from the pul down menu). Close gparted after confirming the new size of your crypt.
5. Resize your partitions with fdisk.
Unmount your LVM and crypt.
Code:
sudo vgchange -an
sudo cryptsetup luksClose crypt1
Now the scary part, use fdisk to manually resize your partitions.
If you are unfamiliar with fdisk, I advise you read this link.
http://tldp.org/HOWTO/Partition/fdisk_partitioning.html
Note : fdisk does NOT overwrite data, so if you make a mistake you should be able to "undo" the changes.
List your partition information with fdisk.
WRITE THIS INFORMATION DOWN (or print it out).
Re-write your partition table. To do this, DELETE your partitions and RECREATE them, but in a smaller size.
You will need to delete and re-create ALL your LVM partitions within your crypt.
Code:
sudo fdisk /dev/sda
This was my fdisk session :
Quote:
The number of cylinders for this disk is set to 1305.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)
Command (m for help): d
Partition number (1-5): 5
Command (m for help): d
Partition number (1-5): 2
Command (m for help): n
Command action
e extended
p primary partition (1-4)
e
Partition number (1-4): 2
First cylinder (32-1305, default 32):
Using default value 32
Last cylinder or +size or +sizeM or +sizeK (32-1305, default 1305): +6000M
Command (m for help): n
Command action
l logical (5 or over)
p primary partition (1-4)
l
First cylinder (32-761, default 32):
Using default value 32
Last cylinder or +size or +sizeM or +sizeK (32-761, default 761):
Using default value 761
Command (m for help): n
Command action
l logical (5 or over)
p primary partition (1-4)
p
Partition number (1-4): 3
First cylinder (762-1305, default 762):
Using default value 762
Last cylinder or +size or +sizeM or +sizeK (762-1305, default 1305):
Using default value 1305
Command (m for help): p
Disk /dev/sda: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x000a6bf9
Device Boot Start End Blocks Id System
/dev/sda1 * 1 31 248976 83 Linux
/dev/sda2 32 761 5863725 5 Extended
/dev/sda3 762 1305 4369680 83 Linux
/dev/sda5 32 761 5863693+ 83 Linux
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
Cancel the "Authentication" dialog that appears (the live CD is trying to auto-mount your new partition).
<Say prayer here> [-o<
Reboot to your hard drive, enter your crypt password.
Detailed resizing ~ Enlarging an encrypted partition.
This section will be shorter, it is basically the reverse of the above. Enlarging is easier as the defaults resize the containers to the largest available space.
1. Boot a live CD and, using any tool, create a new partition, lets call it /dev/sda6 , next to and to the left of (after) your crypt.
2. Write random data to the new partition.
Make sure you have the correct partition for this command or you will overwrite your crypt.
Code:
sudo dd if=/dev/urandom of=/dev/sda6
You can run that command as many times as your paranoia requires. :twisted:
3. Use fdisk as above to delete and then re-create a larger crypt partition.
4. Reboot to the live CD.
5. Install lvm2 and cryptsetup.
Code:
sudo apt-get update && sudo apt-get install lvm2 cryptsetup
6. Load the cryptsetup module.
Code:
sudo modprobe dm-crypt
7. Decrypt your file system.
Code:
sudo cryptsetup luksOpen /dev/sda5 crypt1
8. Get the live CD to recognize (activate) your LVM.
Code:
sudo vgscan --mknodes
sudo vgchange -ay
9. Resize the Crypt.
Code:
sudo cryptsetup resize crypt1
10. Resize the (LVM) Physical volume.
Code:
sudo pvresize /dev/mapper/crypt1
11. Resize your root (LVM) Logical Volume.
Unlock the physical volume.
Code:
sudo pvchange -x y /dev/mapper/crypt1
Resize your root (LVM) Logical Volume.
Code:
lvresize -L +4G /dev/hardy/root
Note: Change the +4G to the amount of space you are adding.
Re-lock the (LVM) Physical Volume.
Code:
sudo pvchange -x n /dev/mapper/crypt1
12. Resize the filesystem.
Code:
sudo e2fsck -f /dev/mapper/hardy-root
sudo resize2fs -p /dev/mapper/hardy-root
You can check the size of the file system by mounting it before and after resizing the file system and running df -h . DO NOT RESIZE A MOUNTED PARTITION
Before :
Quote:
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/hardy-root 5.0G 2.1G 2.7G 45% /mnt
After :
Quote:
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/hardy-root 9.2G 2.1G 6.6G 24% /mnt
12. Reboot to hard drive.
Note : With most of those commands the default was to resize by expanding to take up the available space. This is why expanding is easier then reducing.
Hope this helped,
http://img381.imageshack.us/img381/4...o2small0lj.png bodhi.zazen
References :
LUKS wiki page :
http://www.saout.de/tikiwiki/tiki-in...LUKSPartitions
Managing encrypted partitions from a live CD :
http://www.ubuntugeek.com/rescue-an-...vm-volume.html
http://linuxwave.blogspot.com/2007/1...tu-livecd.html
man resize2fs :
http://linux.die.net/man/8/resize2fs
LVM :
fdisk :
Note : the first (and only comment at the time of this post) on this blog reads :
Quote:
How to get the data back ?
:lolflag:
BACK UP before your Resize.
Re: How to: Resize an Encrypted Partition (LUKS)
Wow! Thanks for all the hard work in relaying this info!
Further considerations about resizing a live LUKS-encrypted LVM
Hi Bodhi, thanks for this useful article. I have experimented further and it *seems* that the "cryptsetup resize" might be useless for a LUKS partition, at is *seems* that it uses the complete available partition size anyway. After I enlarged a partition holding a LUKS container (and rebooted), "cryptsetup status" for the container gave me the exact same numbers *before* and *after* "cryptsetup resize", so I truly wonder if it is of any use. The LUKS container was actually bigger than previously, so I assume it worked "automagically" ;-)
Furthermore, I was able to successfully "hot extend" the encrypted LVM partition holding my complete live system *without* having to do it booting from a "live CD", but truly from the live system itself.
I actually describe the process in an article at my ashram (in french, Google Translate or Babel fish may help you getting a truly poor translation into english ;-)
Thanks for your article again.
Re: How to: Resize an Encrypted Partition (LUKS)
thx a lot bodhi!! You saved me a lot of time !! This how-to works like a charm!:)
Re: How to: Resize an Encrypted Partition (LUKS)
Alright, after prayer, what do I do if I cannot boot? :'(
When I tried to reboot, the passphrase query did not pop up, and eventually the computer opened in commandline mode, and i couldn't do anything anyways.
EDIT: nm, turns out that everything was erased and I have to reinstall.
Re: How to: Resize an Encrypted Partition (LUKS)
Quote:
Resize with cryptsetup.
Code:
sudo cryptsetup -o 2056 -b 11800000 resize crypt1
-o = offset (get this from the status command).
-b = size in sectors. I had to do this by trial and error. After resizing I used Gparted to show the size of the crypt (System -> Administration -> Partition Editor ; select /dev/mapper/crypt1 from the pul down menu). Close gparted after confirming the new size of your crypt.
First thank you very much for this tutorial, I successfully shrinked my luks partition without problem.
I would just like to add some informations about how to get the size when shrinking.
In my case I didn't make use of LVM so I had an ext2 volume directly inside my luks partition.
Therefore, the size to give to "cryptsetup resize" was the one of the shrinked ext2 volume, as given by the "resize2fs" command (the -M option is to automatically shrink the volume to the minimum size) :
Code:
sudo resize2fs -M -p /dev/mapper/bak
resize2fs 1.41.3 (12-Oct-2008)
Resizing the filesystem on /dev/mapper/bak to 7233658 (4k) blocks.
Begin pass 2 (max = 5347914)
Relocating blocks XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Begin pass 3 (max = 746)
Scanning inode table XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Begin pass 4 (max = 41)
Updating inode references XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
The filesystem on /dev/mapper/bak is now 7233658 blocks long.
You can convert the number of blocks into a number of sectors using a simple golden rule.
You can get the number of bytes per block with the command "sudo tune2fs -l /dev/mapper/bak", for instance.
You can get the number of bytes per sector with "fdisk", for instance.
I let you do the rest.
To know which size to give to fdisk for the new partition (it's a little bit bigger than the luks partition, I don't know the exact rule), I simply noted the size of the partition before the operation and reduced it by the same amount as the luks partition had been shrinked by.
It worked like a charm : I had a shrinked luks partition with 0 byte available (the goal, was to transfer its data to another partition, then delete it to recreate it somewhere else) :-)
Re: How to: Resize an Encrypted Partition (LUKS)
Hi there! I wanted to know if this guide is correct for me or to guide me to accomplish something. Right now -- I currently have Ubuntu 8.10 full-disk encrypted LVM on the laptop. However, I'm trying to resize the HDD as to create free spaces for a new LVM + Cryptsetup + LUKS encrypted partition that I'd be able to access.
Should I be installing Ubuntu on regular LVM then from there, to resize the LV to...20G then create the new VG + LV for encrypted partition? Lot of partitions surely got me confused.
I only wanted to create a encrypted partition for my laptop (on one HDD) where I can storage my data in... in either encrypted LVM or regular LVM. Perhaps you can write a tutorial if you have the time? Please do advise. Thank you.
Re: How to: Resize an Encrypted Partition (LUKS)
hey,
unfortunately i have problems using cryptsetup resize.
I'm trying to free some space for a windows installation.
i'm following the steps descriped here. But after the cryptsetup resize i have the following problem:
cryptsetup status shows the size the partition should have after the resize.
if i close the cryptpartition with cryptsetup luksClose the partition has its old size in fdisk and when i remount the partition using the harddiskdetection function of the alternate cd (im installing from an alternate cd) the encrypted partition has its old size.
any help is appreciated
thanks,
martin
Re: How to: Resize an Encrypted Partition (LUKS)
Quote:
Originally Posted by
madmufflon
hey,
unfortunately i have problems using cryptsetup resize.
I'm trying to free some space for a windows installation.
i'm following the steps descriped here. But after the cryptsetup resize i have the following problem:
cryptsetup status shows the size the partition should have after the resize.
if i close the cryptpartition with cryptsetup luksClose the partition has its old size in fdisk and when i remount the partition using the harddiskdetection function of the alternate cd (im installing from an alternate cd) the encrypted partition has its old size.
any help is appreciated
thanks,
martin
Can you please give us more details ? What is your set up ? Are you using LVM ? What command did you enter and what output are you looking at ?
Did you read cbonar's post ?
Re: How to: Resize an Encrypted Partition (LUKS)
thanks for your answer,
i'm using the ubuntu 8.10 standart setup (installed via alternate cd), so I am using an LVM.
I'm running a Dell Studio Notebook with a 250GiB harddisk. At the moment this harddisk is fully covered by my ubuntu 8.10 x64.
I followed the orders to shrink my encrypted partition until step 5:
Code:
5. Resize your partitions with fdisk.
Unmount your LVM and crypt.
When trying to resize the partition using fdisk i come to that point:
Quote:
Command (m for help): d
Partition number (1-5): 5
Command (m for help): d
Partition number (1-5): 2
Command (m for help): n
Command action
e extended
p primary partition (1-4)
e
Partition number (1-4): 2
First cylinder (32-1305, default 32):
Using default value 32
Last cylinder or +size or +sizeM or +sizeK (32-1305, default 1305): +6000M
(Other Values vor the cylinders, arround 70000 but only a short range) when i try to enter a value which fits for me (from 230 to arround 200gb) fdisk says something about "value out of range". Even for very small values (10gb or so) it does not work with the same error.
If i let the harddiskrecognition of the Alernate CD detect the harddrives and mount the encrypted partition cryptsetup status sda5 says it has the old size ( the size before crpytsetup resize).
I hope this enough information, if not, please let me now
martin