Difference between revisions of "Removing System Encryption"

From ArchWiki
Jump to: navigation, search
(some style fixes, poorly written)
(31 intermediate revisions by 8 users not shown)
Line 1: Line 1:
Okay, I'm writing this prior to install, I'll update it after and make it pretty.
+
[[Category:Security]]
 +
{{Poor writing|written in first person.}}
  
=prerequisites=
+
Removing system encryption with [[dm-crypt with LUKS|dm-crypt and LUKS]].
 +
 
 +
== Prerequisites==
 
*an encrypted root filesystem or other filesystem you cannot umount while booted into your operating system
 
*an encrypted root filesystem or other filesystem you cannot umount while booted into your operating system
 
*enough drive space somewhere to store a backup
 
*enough drive space somewhere to store a backup
 +
*an Arch Linux (or other) live CD
 
*a few hours
 
*a few hours
=step 1: boot into a live environment=
+
 
 +
==Boot into a Live Environment==
 
Download and burn the latest archlive cd, stick it in, reboot your system and boot to cd
 
Download and burn the latest archlive cd, stick it in, reboot your system and boot to cd
=step 2: identify and activate your partitions=
+
 
TODO: enter lvm command to activate volume groups/lvs.
+
==Activate Your Partitions==
TODO: enter cryptsetup commands to unencrypt drive
+
 
Note: do not mount the partitions you intend to operate on except the backup partition.  if you've already mounted a partition other than your backup partition, you can safely umount it now.
+
===Note About Different Setups===
Once you've identifed and activated your partitions, you're ready to move on to step 3
+
==note about different setups==
+
 
I'm using a setup that looks like this:
 
I'm using a setup that looks like this:
 
{|border=1 style="text-align: center;"
 
{|border=1 style="text-align: center;"
 
|colspan=4|disk
 
|colspan=4|disk
 
|-
 
|-
|style="background-color: #888888;"| ntfs ||colspan=2|lvm ||style="background-color: yellow;"| ntfs
+
|style="background-color: #888888;"| ntfs ||colspan=2|myvg(lvm) ||style="background-color: yellow;"| ntfs
 
|-
 
|-
 
|rowspan=3 style="background-color: #888888;"| other os
 
|rowspan=3 style="background-color: #888888;"| other os
|vol0 ||style="background-color: green;"| vol1
+
|cryptswap(lv) ||style="background-color: green;"| cryptroot(lv)
 
|rowspan=3 style="background-color: yellow;"| Shared
 
|rowspan=3 style="background-color: yellow;"| Shared
 
|-
 
|-
Line 29: Line 32:
  
 
Disregard the grey stuff, it only adds a frame of reference.
 
Disregard the grey stuff, it only adds a frame of reference.
The green partitons are the ones we're going to be modifying.  you should make sure any green text matches your system's setup.
+
The green partitons are the ones we are going to be modifying.  you should make sure any green text matches your system's setup.
the yellow parition is the one we're going to be using as storage space.  you should feel free to change this at will.
+
the yellow parition is the one we are going to be using as storage space.  you should feel free to change this at will.
  
 
on my system, I have
 
on my system, I have
<span style="color: green;">myvg</span> contains lvs called <span style="color: green;">cryptroot</span> and <span style="color: green;">crtpyswap</span>.  they are located at <span style="color: green;">/dev/mapper/myvg_cryptroot</span> and <span style="color: green;">/dev/mapper/myvg_cryptswap</span>.  Upon boot, luks is used along with a few crypttab entries to create <span style="color: green;">/dev/mapper/root</span> and <span style="color: green;">/dev/mapper/swap</span>.  I won't be unencrypting my swap as part of this guide, as undoing the swap encryption doesn't require any complex backup or restoration.
+
<span style="color: green;">myvg</span> contains lvs called <span style="color: green;">cryptroot</span> and <span style="color: green;">cryptswap</span>.  they are located at <span style="color: green;">/dev/mapper/myvg_cryptroot</span> and <span style="color: green;">/dev/mapper/myvg_cryptswap</span>.  Upon boot, luks is used along with a few crypttab entries to create <span style="color: green;">/dev/mapper/root</span> and <span style="color: green;">/dev/mapper/swap</span>.  I will not be unencrypting my swap as part of this guide, as undoing the swap encryption does not require any complex backup or restoration.
  
 
Your setup WILL be different.  different filesystems require different tools to effectively backup and restore their data.  Most of you will not be using LVM and can ignore that part.
 
Your setup WILL be different.  different filesystems require different tools to effectively backup and restore their data.  Most of you will not be using LVM and can ignore that part.
 
XFS requires xfs_copy to ensure an effective backup and restore.  DD is insufficient.  you can use DD with ext2,3,and 4.  (Someone please comment on jfs, reiserfs and reiser4fs)
 
XFS requires xfs_copy to ensure an effective backup and restore.  DD is insufficient.  you can use DD with ext2,3,and 4.  (Someone please comment on jfs, reiserfs and reiser4fs)
  
=step 3: backup your data=
+
===Now That You Know Where Your Partitions Are...===
==using xfs_copy==
+
 
  xfs_copy -d <span style="color: green;">/dev/mapper/root</span> <span style="color: yellow;">/media/Shared/backup_root.img</span>
+
Load necessary modules:
==using dd==
+
  modprobe dm-mod #device mapper/lvm
  dd if=<span style="color: green;">/dev/mapper/root</span> of=<span style="color: yellow;">/media/Shared/backup_root.img</span>
+
modprobe dm-crypt #luks
 +
 
 +
Activate your lvm volume group:
 +
pvscan #scan for Physical Volumes
 +
vgscan #scan for volume groups
 +
lvscan #scan for logical volumes
 +
lvchange -ay <span style="color: green;">myvg/cryptroot</span>
 +
Open the encrypted filesystem with luks so we can read it:
 +
cryptSetup luksOpen <span style="color: green;">/dev/mapper/myvg_cryptroot</span> root
 +
Enter your password.
 +
Note: Do not mount the partitions you intend to operate on except the backup partition. If you have already mounted a partition other than your backup partition, you can safely umount it now.
 +
Once you have identifed and activated your partitions, you are ready to move on to step 3.
 +
 
 +
Mounting your backup space
 +
 
 +
Only if you are using NTFS to store your backup
 +
# pacman -S ntfs-3g
 +
 
 +
This step will look different for you, but it is important.
 +
Without it, where will you store your backup?
 +
# mount -t ntfs-3g -o rw <u>/dev/sda5 /media/Shared</u>
 +
or you can use netcat to store your backup on a remote system
 +
 
 +
TODO: add netcat instructions.
 +
 
 +
==Backup Your Data==
 +
Using xfs_copy:
 +
xfs_copy -db <span style="color: green;">/dev/mapper/root</span> <u>/media/Shared/backup_root.img</u>
 +
Note: -d tells xfs_copy to preserve uuids and -b tells xfs_copy to work with filesystems that do not allow direct io (like ntfs-3g).
 +
 
 +
Using dd:
 +
  dd if=<span style="color: green;">/dev/mapper/root</span> of=<u>/media/Shared/backup_root.img</u>
 +
Now walk away. Get yourself something to eat or drink, or do some homework. This will take a while.
 +
 
 +
==Undo Encryption==
 +
Now the crucial moment, the point of no return if you will.  Make sure you are ready to do this. If you plan to undo this later, you will have to almost start from scratch. You know how fun that is.
 +
cryptsetup luksClose root
 +
lvm lvremove <span style="color: green;">myvg/cryptroot</span>
 +
 
 +
==Restore Data==
 +
We have to create a new logical volume to house our root filesystem, then we restore our filesystem.
 +
lvm lvcreate <span style="color: green;">-l 100%FREE -n root myvg</span>
 +
xfs_copy -db <u>/media/Shared/backup_root.img</u> <span style="color: green;">/dev/mapper/myvg-root</span> #notice the second drive name is changed now.
 +
 
 +
==Reconfigure the Operating System==
 +
You need to boot into your operating system and edit /etc/crypttab, /etc/mkinitcpio.conf, /etc/fstab, and possibly /boot/grub/menu.lst.

Revision as of 15:13, 6 July 2012

Tango-edit-clear.pngThis article or section needs language, wiki syntax or style improvements.Tango-edit-clear.png

Reason: written in first person. (Discuss in Talk:Removing System Encryption#)

Removing system encryption with dm-crypt and LUKS.

Prerequisites

  • an encrypted root filesystem or other filesystem you cannot umount while booted into your operating system
  • enough drive space somewhere to store a backup
  • an Arch Linux (or other) live CD
  • a few hours

Boot into a Live Environment

Download and burn the latest archlive cd, stick it in, reboot your system and boot to cd

Activate Your Partitions

Note About Different Setups

I'm using a setup that looks like this:

disk
ntfs myvg(lvm) ntfs
other os cryptswap(lv) cryptroot(lv) Shared
luks luks
swap root(xfs)

Disregard the grey stuff, it only adds a frame of reference. The green partitons are the ones we are going to be modifying. you should make sure any green text matches your system's setup. the yellow parition is the one we are going to be using as storage space. you should feel free to change this at will.

on my system, I have myvg contains lvs called cryptroot and cryptswap. they are located at /dev/mapper/myvg_cryptroot and /dev/mapper/myvg_cryptswap. Upon boot, luks is used along with a few crypttab entries to create /dev/mapper/root and /dev/mapper/swap. I will not be unencrypting my swap as part of this guide, as undoing the swap encryption does not require any complex backup or restoration.

Your setup WILL be different. different filesystems require different tools to effectively backup and restore their data. Most of you will not be using LVM and can ignore that part. XFS requires xfs_copy to ensure an effective backup and restore. DD is insufficient. you can use DD with ext2,3,and 4. (Someone please comment on jfs, reiserfs and reiser4fs)

Now That You Know Where Your Partitions Are...

Load necessary modules:

modprobe dm-mod #device mapper/lvm
modprobe dm-crypt #luks

Activate your lvm volume group:

pvscan #scan for Physical Volumes
vgscan #scan for volume groups
lvscan #scan for logical volumes
lvchange -ay myvg/cryptroot

Open the encrypted filesystem with luks so we can read it:

cryptSetup luksOpen /dev/mapper/myvg_cryptroot root

Enter your password. Note: Do not mount the partitions you intend to operate on except the backup partition. If you have already mounted a partition other than your backup partition, you can safely umount it now. Once you have identifed and activated your partitions, you are ready to move on to step 3.

Mounting your backup space

Only if you are using NTFS to store your backup

# pacman -S ntfs-3g

This step will look different for you, but it is important. Without it, where will you store your backup?

# mount -t ntfs-3g -o rw /dev/sda5 /media/Shared

or you can use netcat to store your backup on a remote system

TODO: add netcat instructions.

Backup Your Data

Using xfs_copy:

xfs_copy -db /dev/mapper/root /media/Shared/backup_root.img

Note: -d tells xfs_copy to preserve uuids and -b tells xfs_copy to work with filesystems that do not allow direct io (like ntfs-3g).

Using dd:

dd if=/dev/mapper/root of=/media/Shared/backup_root.img

Now walk away. Get yourself something to eat or drink, or do some homework. This will take a while.

Undo Encryption

Now the crucial moment, the point of no return if you will. Make sure you are ready to do this. If you plan to undo this later, you will have to almost start from scratch. You know how fun that is.

cryptsetup luksClose root
lvm lvremove myvg/cryptroot

Restore Data

We have to create a new logical volume to house our root filesystem, then we restore our filesystem.

lvm lvcreate -l 100%FREE -n root myvg
xfs_copy -db /media/Shared/backup_root.img /dev/mapper/myvg-root #notice the second drive name is changed now.

Reconfigure the Operating System

You need to boot into your operating system and edit /etc/crypttab, /etc/mkinitcpio.conf, /etc/fstab, and possibly /boot/grub/menu.lst.