Difference between revisions of "Removing system encryption"

From ArchWiki
Jump to navigation Jump to search
m (update ES interlanguage link)
 
(14 intermediate revisions by 9 users not shown)
Line 1: Line 1:
[[Category:Security]]
+
[[Category:Disk encryption]]
{{Poor writing|written in first person.}}
+
[[es:Removing system encryption]]
 +
{{Style|written in first person, other style issues.}}
  
Removing system encryption with [[dm-crypt with LUKS|dm-crypt and LUKS]].
+
Removing system encryption with [[dm-crypt|dm-crypt and LUKS]].
  
 
== Prerequisites==
 
== Prerequisites==
*an encrypted root filesystem or other filesystem you cannot umount while booted into your operating system
+
*An encrypted root filesystem or other filesystem that cannot be umounted while booted into the operating system.
*enough drive space somewhere to store a backup
+
*Enough drive space to store a backup.
*an Arch Linux (or other) live CD
+
*An Arch Linux (or other) live CD.
*a few hours
+
*A few hours.
 +
 
 +
{{Note|As of late 2012 new tools have been added to {{ic|cryptsetup}} to add or remove encryption to/from an existing file system. While they are still considered experimental, they may help considerably with such an effort. More information is available with {{man|8|cryptsetup-reencrypt}}.}}
  
 
==Boot into a Live Environment==
 
==Boot into a Live Environment==
Download and burn the latest archlive cd, stick it in, reboot your system and boot to cd
+
Download and burn the latest archlive cd, reboot system and boot to cd.
  
 
==Activate Partitions==
 
==Activate Partitions==
Line 17: Line 20:
 
===Note About Different Setups===
 
===Note About Different Setups===
 
An example setup is shown here:
 
An example setup is shown here:
{|border=1 style="text-align: center;"
+
{| class="wikitable" style="text-align: center;"
|colspan=4|disk
+
|colspan="4"|disk
 
|-
 
|-
 
|style="background-color: #888888;"| ntfs ||colspan=2|myvg(lvm) ||style="background-color: yellow;"| ntfs
 
|style="background-color: #888888;"| ntfs ||colspan=2|myvg(lvm) ||style="background-color: yellow;"| ntfs
 
|-
 
|-
|rowspan=3 style="background-color: #888888;"| other os
+
|rowspan="3" style="background-color: #888888;"| other os
 
|cryptswap(lv) ||style="background-color: green;"| cryptroot(lv)
 
|cryptswap(lv) ||style="background-color: green;"| cryptroot(lv)
|rowspan=3 style="background-color: yellow;"| Shared
+
|rowspan="3" style="background-color: yellow;"| Shared
 
|-
 
|-
 
|luks ||style="background-color: green;"| luks
 
|luks ||style="background-color: green;"| luks
Line 35: Line 38:
 
The yellow partition will be used as storage space and may be changed at will.
 
The yellow partition will be used as storage space and may be changed at will.
 
In the example system:
 
In the example system:
<span style="color: green;">myvg</span> contains lvs called <span style="color: green;">cryptroot</span> and <span style="color: green;">cryptswap</span>.  they are located at <span style="color: green;">/dev/mapper/myvg_cryptroot</span> and <span style="color: green;">/dev/mapper/myvg_cryptswap</span>.  Upon boot, luks is used along with a few crypttab entries to create <span style="color: green;">/dev/mapper/root</span> and <span style="color: green;">/dev/mapper/swap</span>.  Swap will not be unencrypted as part of this guide, as undoing the swap encryption does not require any complex backup or restoration.
+
<span style="color: green;">myvg</span> contains lvs called <span style="color: green;">cryptroot</span> and <span style="color: green;">cryptswap</span>.  they are located at <span style="color: green;">/dev/myvg/cryptroot</span> and <span style="color: green;">/dev/myvg/cryptswap</span>.  Upon boot, luks is used along with a few crypttab entries to create <span style="color: green;">/dev/mapper/root</span> and <span style="color: green;">/dev/mapper/swap</span>.  Swap will not be unencrypted as part of this guide, as undoing the swap encryption does not require any complex backup or restoration.
  
 
The example system is not indicative of all systems. Different filesystems require different tools to effectively backup and restore their data. LVM can be ignored if not used.
 
The example system is not indicative of all systems. Different filesystems require different tools to effectively backup and restore their data. LVM can be ignored if not used.
Line 52: Line 55:
 
  lvchange -ay <span style="color: green;">myvg/cryptroot</span>
 
  lvchange -ay <span style="color: green;">myvg/cryptroot</span>
 
Open the encrypted filesystem with luks so it can be read:
 
Open the encrypted filesystem with luks so it can be read:
  cryptSetup luksOpen <span style="color: green;">/dev/mapper/myvg_cryptroot</span> root
+
  cryptSetup luksOpen <span style="color: green;">/dev/myvg/cryptroot</span> root
 
Enter password.
 
Enter password.
 
Note: The only partition that will be operated on that should be mounted at this point is the backup partition. If a partition other than the backup partition is already mounted, it can be safely umounted it now.
 
Note: The only partition that will be operated on that should be mounted at this point is the backup partition. If a partition other than the backup partition is already mounted, it can be safely umounted it now.
Line 69: Line 72:
 
TODO: add netcat instructions.
 
TODO: add netcat instructions.
  
==Backup Your Data==
+
==Backup Data==
 
Using xfs_copy:
 
Using xfs_copy:
 
  xfs_copy -db <span style="color: green;">/dev/mapper/root</span> <u>/media/Shared/backup_root.img</u>
 
  xfs_copy -db <span style="color: green;">/dev/mapper/root</span> <u>/media/Shared/backup_root.img</u>
Note: -d tells xfs_copy to preserve uuids and -b tells xfs_copy to work with filesystems that do not allow direct io (like ntfs-3g).
+
Note: -d flag preserves uuids and -b ensures direct IO is not attempted to any of the target files.
  
 
Using dd:
 
Using dd:
 
  dd if=<span style="color: green;">/dev/mapper/root</span> of=<u>/media/Shared/backup_root.img</u>
 
  dd if=<span style="color: green;">/dev/mapper/root</span> of=<u>/media/Shared/backup_root.img</u>
Now walk away. Get yourself something to eat or drink, or do some homework. This will take a while.
 
  
 
==Undo Encryption==
 
==Undo Encryption==
Line 86: Line 88:
 
We have to create a new logical volume to house our root filesystem, then we restore our filesystem.
 
We have to create a new logical volume to house our root filesystem, then we restore our filesystem.
 
  lvm lvcreate <span style="color: green;">-l 100%FREE -n root myvg</span>
 
  lvm lvcreate <span style="color: green;">-l 100%FREE -n root myvg</span>
  xfs_copy -db <u>/media/Shared/backup_root.img</u> <span style="color: green;">/dev/mapper/myvg-root</span> #notice the second drive name is changed now.
+
  xfs_copy -db <u>/media/Shared/backup_root.img</u> <span style="color: green;">/dev/myvg/root</span> #notice the second drive name is changed now.
  
 
==Reconfigure the Operating System==
 
==Reconfigure the Operating System==
 
You need to boot into your operating system and edit /etc/crypttab, /etc/mkinitcpio.conf, /etc/fstab, and possibly /boot/grub/menu.lst.
 
You need to boot into your operating system and edit /etc/crypttab, /etc/mkinitcpio.conf, /etc/fstab, and possibly /boot/grub/menu.lst.

Latest revision as of 18:16, 18 September 2019

Tango-edit-clear.pngThis article or section needs language, wiki syntax or style improvements. See Help:Style for reference.Tango-edit-clear.png

Reason: written in first person, other style issues. (Discuss in Talk:Removing system encryption#)

Removing system encryption with dm-crypt and LUKS.

Prerequisites

  • An encrypted root filesystem or other filesystem that cannot be umounted while booted into the operating system.
  • Enough drive space to store a backup.
  • An Arch Linux (or other) live CD.
  • A few hours.
Note: As of late 2012 new tools have been added to cryptsetup to add or remove encryption to/from an existing file system. While they are still considered experimental, they may help considerably with such an effort. More information is available with cryptsetup-reencrypt(8).

Boot into a Live Environment

Download and burn the latest archlive cd, reboot system and boot to cd.

Activate Partitions

Note About Different Setups

An example setup is shown here:

disk
ntfs myvg(lvm) ntfs
other os cryptswap(lv) cryptroot(lv) Shared
luks luks
swap root(xfs)

The grey sections only add a frame of reference and can be disregarded. The green partitions will be modified. Green text must match your system's setup. The yellow partition will be used as storage space and may be changed at will. In the example system: myvg contains lvs called cryptroot and cryptswap. they are located at /dev/myvg/cryptroot and /dev/myvg/cryptswap. Upon boot, luks is used along with a few crypttab entries to create /dev/mapper/root and /dev/mapper/swap. Swap will not be unencrypted as part of this guide, as undoing the swap encryption does not require any complex backup or restoration.

The example system is not indicative of all systems. Different filesystems require different tools to effectively backup and restore their data. LVM can be ignored if not used. XFS requires xfs_copy to ensure an effective backup and restore, DD is insufficient. DD may be used with ext2,3,and 4. (Someone please comment on jfs, reiserfs and reiser4fs)

Once Partitions Are Located

Load necessary modules:

modprobe dm-mod #device mapper/lvm
modprobe dm-crypt #luks

Activate lvm volume group:

pvscan #scan for Physical Volumes
vgscan #scan for volume groups
lvscan #scan for logical volumes
lvchange -ay myvg/cryptroot

Open the encrypted filesystem with luks so it can be read:

cryptSetup luksOpen /dev/myvg/cryptroot root

Enter password. Note: The only partition that will be operated on that should be mounted at this point is the backup partition. If a partition other than the backup partition is already mounted, it can be safely umounted it now.


Mounting backup space

Only if using NTFS to store the backup

# pacman -S ntfs-3g

The next step is important for backup storage.

# mount -t ntfs-3g -o rw /dev/sda5 /media/Shared

or use netcat to store the backup on a remote system

TODO: add netcat instructions.

Backup Data

Using xfs_copy:

xfs_copy -db /dev/mapper/root /media/Shared/backup_root.img

Note: -d flag preserves uuids and -b ensures direct IO is not attempted to any of the target files.

Using dd:

dd if=/dev/mapper/root of=/media/Shared/backup_root.img

Undo Encryption

Now the crucial moment, the point of no return if you will. Make sure you are ready to do this. If you plan to undo this later, you will have to almost start from scratch. You know how fun that is.

cryptsetup luksClose root
lvm lvremove myvg/cryptroot

Restore Data

We have to create a new logical volume to house our root filesystem, then we restore our filesystem.

lvm lvcreate -l 100%FREE -n root myvg
xfs_copy -db /media/Shared/backup_root.img /dev/myvg/root #notice the second drive name is changed now.

Reconfigure the Operating System

You need to boot into your operating system and edit /etc/crypttab, /etc/mkinitcpio.conf, /etc/fstab, and possibly /boot/grub/menu.lst.