Difference between revisions of "Removing System Encryption"
m (Putting long title into article body. Will next shorten long article title.)
m (moved Removing System Encryption with LUKS for dm-crypt to Removing System Encryption: more concise)
Revision as of 22:09, 10 April 2011
- an encrypted root filesystem or other filesystem you cannot umount while booted into your operating system
- enough drive space somewhere to store a backup
- an Arch Linux (or other) live CD
- a few hours
Boot into a Live Environment
Download and burn the latest Arch Linux live CD, insert it, then reboot your system and boot from the CD.
Activate Your Partitions
Note About Different Setups
I'm using a setup that looks like this:
Disregard the grey stuff; it only adds a frame of reference. The green partitions are the ones we're going to be modifying. You should make sure any green text matches your system's setup. The yellow partition is the one we're going to be using as storage space. You should feel free to change this at will.
On my system, the volume group myvg contains logical volumes called cryptroot and cryptswap. They are located at /dev/mapper/myvg_cryptroot and /dev/mapper/myvg_cryptswap. Upon boot, LUKS is used along with a few crypttab entries to create /dev/mapper/root and /dev/mapper/swap. I won't be decrypting my swap as part of this guide, as undoing the swap encryption doesn't require any complex backup or restoration.
Your setup WILL be different. Different filesystems require different tools to effectively back up and restore their data. Most of you will not be using LVM and can ignore that part. XFS requires xfs_copy to ensure an effective backup and restore; dd is insufficient. You can use dd with ext2, ext3 and ext4. (Someone please comment on jfs, reiserfs and reiser4fs.)
Now That You Know Where Your Partitions Are...
Load necessary modules:
modprobe dm-mod #device mapper/lvm
modprobe dm-crypt #luks
Activate your lvm volume group:
pvscan #scan for Physical Volumes
vgscan #scan for volume groups
lvscan #scan for logical volumes
lvchange -ay myvg/cryptroot
Open the encrypted filesystem with luks so we can read it:
cryptsetup luksOpen /dev/mapper/myvg_cryptroot root
Enter your password.
Note: Do not mount the partitions you intend to operate on; mount only the backup partition. If you've already mounted a partition other than your backup partition, you can safely umount it now. Once you've identified and activated your partitions, you're ready to move on to step 3.
Mounting your backup space
Only if you're using NTFS to store your backup
# pacman -Sy ntfs-3g
This step will look different for you, but it is important. Without it, where will you store your backup?
# mount -t ntfs-3g -o rw /dev/sda5 /media/Shared
Or you can use netcat to store your backup on a remote system.
TODO: add netcat instructions.
Backup Your Data
xfs_copy -db /dev/mapper/root /media/Shared/backup_root.img
Note: -d tells xfs_copy to preserve UUIDs and -b tells xfs_copy to work with filesystems that don't allow direct I/O (like ntfs-3g).
For ext2, ext3 or ext4, use dd instead:
dd if=/dev/mapper/root of=/media/Shared/backup_root.img
Now walk away. Get yourself something to eat or drink, or do some homework. This will take a while.
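Before going past the point of no return, it is worth confirming that the image is complete, since a full or flaky backup partition can leave a truncated file behind. The following check is an added example, not part of the original article: the function names verify_image and size_of are hypothetical, and it assumes the dd path, where the image is a byte-for-byte copy of the still-open, unmounted /dev/mapper/root.

```shell
#!/bin/sh
# Added example: compare a dd image with its source device before removing
# the encrypted volume. Function names are illustrative, not from the article.

# Size in bytes of a block device or of a regular file.
size_of() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Return 0 only if the image is readable, has the same length as the source
# and has the same SHA-256 digest. Return 1 on mismatch, 2 on unreadable input.
verify_image() {
    src=$1
    img=$2
    [ -r "$src" ] && [ -r "$img" ] || {
        echo "cannot read $src or $img" >&2
        return 2
    }
    s_src=$(size_of "$src")
    s_img=$(size_of "$img")
    if [ "$s_src" != "$s_img" ]; then
        echo "size mismatch: source=$s_src image=$s_img (truncated backup?)" >&2
        return 1
    fi
    h_src=$(sha256sum < "$src" | cut -d' ' -f1)
    h_img=$(sha256sum < "$img" | cut -d' ' -f1)
    [ "$h_src" = "$h_img" ] || {
        echo "digest mismatch: source=$h_src image=$h_img" >&2
        return 1
    }
    echo "OK $h_img"
}

# Usage with the paths from this guide (run as root in the live environment):
#   verify_image /dev/mapper/root /media/Shared/backup_root.img || exit 1
```

Only continue to the lvremove step if the function reports OK; reading the whole device twice takes about as long as the backup itself.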
Now the crucial moment, the point of no return if you will. Make sure you're ready to do this. If you plan to undo this later, you'll have to almost start from scratch. You know how fun that is.
cryptsetup luksClose root
lvm lvremove myvg/cryptroot
We have to create a new logical volume to house our root filesystem, then we restore our filesystem.
lvm lvcreate -l 100%FREE -n root myvg
xfs_copy -db /media/Shared/backup_root.img /dev/mapper/myvg-root #notice the second drive name is changed now.
Reconfigure the Operating System
You need to boot into your operating system and edit /etc/crypttab, /etc/mkinitcpio.conf, /etc/fstab, and possibly /boot/grub/menu.lst.