Talk:Removing system encryption

From ArchWiki

Decrypting LUKS2 devices in-place may be okay now

There is a big warning in Removing system encryption#Decrypting LUKS2 devices in-place. It seems relevant issues in cryptsetup [1][2] are fixed. I successfully decrypted a LUKS2 partition in-place with the following command several days ago.

sudo cryptsetup reencrypt --header /path/to/luks-header.img --decrypt /dev/sdxY

Note that `/boot/luks-header.img` does not exist before this command.

[1] https://gitlab.com/cryptsetup/cryptsetup/-/issues/669

[2] https://gitlab.com/cryptsetup/cryptsetup/-/issues/614

Yan12125 (talk) 15:41, 19 January 2024 (UTC)

I'm going to (suggest) rewrite the whole section with a more up-to-date guide. Oniko (talk) 11:15, 22 February 2024 (UTC)
It's all wrong about LUKS2! The in-place decryption works as suggested IF AND ONLY IF LUKS2 uses an external header in a separate file! The only solution that works in the other case (the usual one) is converting to LUKS1 and decrypting:
# cryptsetup luksChangeKey  --pbkdf pbkdf2 <device>
# cryptsetup convert --type luks1 <device>
# cryptsetup reencrypt --decrypt <device>
The text: "The new_file to which the LUKS2 header will be migrated must not exist in the initialization phase of the decryption." is misinformation! Guayaseal (talk) 09:53, 13 October 2024 (UTC)
See [1] (my experiments) and the second answer in [2] (the explanation). Guayaseal (talk) 09:55, 13 October 2024 (UTC)
If you believe there's an issue with LUKS2 decryption, I'd suggest opening an issue on the cryptsetup upstream tracker (https://gitlab.com/cryptsetup/cryptsetup) and providing as much information as possible (including --debug outputs). I've tried to reproduce your claimed issue with the current upstream version (2.7.5) and it worked as described on this page. Oniko (talk) 10:44, 14 October 2024 (UTC)
There is no issue. Just, I'm afraid LUKS2 decrypt assumes that the LUKS2 partition uses an external header in a separate file rather than at the beginning of the partition. I'll try again, but a few days ago following your proposal resulted in an unreadable partition (see the linked discussion). Guayaseal (talk) 12:37, 14 October 2024 (UTC)
Well... with the most recent version it worked, you're right. The downgrade however works too and some people believe it's safer. Of course the safest solution is to back the data up ;-)
Sorry for the mess. Guayaseal (talk) 13:13, 15 October 2024 (UTC)
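The disagreement above turns on whether the LUKS header sits at offset 0 of the partition or in a detached file. Before choosing between the in-place LUKS2 decrypt and the LUKS1 downgrade, the first 4096 bytes of the device (for example from `dd if=/dev/sdxY bs=4096 count=1`) tell you which case you are in. The following is an added example, not code from the wiki or from cryptsetup; the field layouts follow the published LUKS1 phdr and LUKS2 binary header formats, and the two builder functions produce constructed sample headers rather than reading a real volume.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"  # magic shared by the LUKS1 phdr and the LUKS2 primary binary header


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_luks_header(data: bytes) -> dict:
    """Parse the LUKS header at offset 0 of a device (the first 4096 bytes are enough).

    Raises ValueError when there is no on-disk header, which is exactly what offset 0
    looks like on a volume formatted with a detached header (cryptsetup --header FILE).
    """
    if len(data) < 4096:
        raise ValueError("need the first 4096 bytes of the device")
    if data[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS header at offset 0 (detached header, or not LUKS)")
    version = struct.unpack(">H", data[6:8])[0]
    if version == 1:
        # LUKS1 phdr: cipher-name[32] cipher-mode[32] hash-spec[32] payload-offset u32 key-bytes u32
        cipher, mode, hash_spec, payload_off, key_bytes = struct.unpack(">32s32s32sII", data[8:112])
        return {"version": 1, "cipher": f"{_cstr(cipher)}-{_cstr(mode)}", "hash": _cstr(hash_spec),
                "payload_offset_sectors": payload_off, "key_bytes": key_bytes, "uuid": _cstr(data[168:208])}
    if version == 2:
        # LUKS2 binary header: hdr_size u64 seqid u64 label[48] checksum_alg[32] salt[64] uuid[40]
        hdr_size, seqid, label, csum_alg, _salt, uuid = struct.unpack(">QQ48s32s64s40s", data[8:208])
        return {"version": 2, "header_size": hdr_size, "seqid": seqid, "label": _cstr(label),
                "checksum_alg": _cstr(csum_alg), "uuid": _cstr(uuid)}
    raise ValueError(f"unsupported LUKS version {version}")


def make_luks2_header(label: str, uuid: str, hdr_size: int = 16384) -> bytes:
    """Build a constructed LUKS2 binary header (sample data for this example, not a real volume)."""
    body = struct.pack(">QQ48s32s64s40s", hdr_size, 1, label.encode(), b"sha256", b"\x00" * 64, uuid.encode())
    return (LUKS_MAGIC + struct.pack(">H", 2) + body).ljust(4096, b"\x00")


def make_luks1_header(uuid: str) -> bytes:
    """Build a constructed LUKS1 phdr with typical field values (sample data only)."""
    fixed = struct.pack(">32s32s32sII", b"aes", b"xts-plain64", b"sha256", 4096, 64)
    digest = b"\x00" * 20 + b"\x00" * 32 + struct.pack(">I", 1000)  # mk-digest, salt, iterations
    uuid_field = uuid.encode().ljust(40, b"\x00")
    return (LUKS_MAGIC + struct.pack(">H", 1) + fixed + digest + uuid_field).ljust(4096, b"\x00")
```

A ValueError from parse_luks_header on a device you know is encrypted means the header lives elsewhere, which is the detached-header case the LUKS2 --header variant of reencrypt --decrypt expects.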