Talk:Removing system encryption
Decrypting LUKS2 devices in-place may be okay now
There is a big warning in Removing system encryption#Decrypting LUKS2 devices in-place. It seems relevant issues in cryptsetup [1][2] are fixed. I successfully decrypted a LUKS2 partition in-place with the following command several days ago.
sudo cryptsetup reencrypt --header /path/to/luks-header.img --decrypt /dev/sdxY
Note that `/boot/luks-header.img` does not exist before this command.
[1] https://gitlab.com/cryptsetup/cryptsetup/-/issues/669
[2] https://gitlab.com/cryptsetup/cryptsetup/-/issues/614
Yan12125 (talk) 15:41, 19 January 2024 (UTC)
- I'm going to (suggest) a rewrite of the whole section with a more up-to-date guide. Oniko (talk) 11:15, 22 February 2024 (UTC)
- It's all wrong about LUKS2! The in-place decryption works as suggested IF AND ONLY IF LUKS2 uses an external header in a separate file! The only solution that works in the other case (the usual one) is converting to LUKS1 and decrypting:
# cryptsetup luksChangeKey --pbkdf pbkdf2 <device>
# cryptsetup convert --type luks1 <device>
# cryptsetup reencrypt --decrypt <device>
- The text: "The new_file to which the LUKS2 header will be migrated must not exist in the initialization phase of the decryption." is misinformation! Guayaseal (talk) 09:53, 13 October 2024 (UTC)
- See [1] (my experiments) and the second answer in [2] (the explanation). Guayaseal (talk) 09:55, 13 October 2024 (UTC)
- If you believe there's an issue with LUKS2 decryption, I'd suggest opening an issue on the cryptsetup upstream tracker (https://gitlab.com/cryptsetup/cryptsetup) and providing as much information as possible (including --debug outputs). I've tried to reproduce your claimed issue with the current upstream version (2.7.5) and it worked as described on this page. Oniko (talk) 10:44, 14 October 2024 (UTC)
- There is no issue. Just, I'm afraid LUKS2 decrypt assumes that the LUKS2 partition uses an external header in a separate file rather than at the beginning of the partition. I'll try again, but a few days ago following your proposal resulted in an unreadable partition (see the linked discussion). Guayaseal (talk) 12:37, 14 October 2024 (UTC)
- Well... with the most recent version it worked, you're right. The downgrade however works too and some people believe it's safer. Of course the safest solution is to back the data up ;-)
- Sorry for the mess. Guayaseal (talk) 13:13, 15 October 2024 (UTC)
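The two decryption paths discussed in this thread (LUKS2 with `--header new_file --decrypt`, LUKS1 with a plain `--decrypt`), wrapped in a POSIX shell preflight script. This is an added example, not from the wiki page or from the cryptsetup project; it assumes the caller supplies the device, the not-yet-existing header target and a backup path, and it takes a header backup before anything destructive runs.

```shell
#!/bin/sh
# Added example (not from the wiki or cryptsetup): preflight wrapper around
# "cryptsetup reencrypt --decrypt" encoding the caveats raised in this thread.
# Assumptions: the caller passes device, header target and backup path;
# cryptsetup is only invoked from plan_decrypt, and only when DRY_RUN is unset.

# Extract the LUKS version ("1" or "2") from `cryptsetup luksDump` output.
luks_version_from_dump() {
    printf '%s\n' "$1" | sed -n 's/^Version:[[:space:]]*\([0-9]\).*/\1/p' | head -n 1
}

# Build the decrypt command for a LUKS version, device and header target.
# LUKS2 needs a file that does not exist yet to receive the detached header
# during decryption; LUKS1 is decrypted in place without one.
decrypt_command() {
    version="$1"; device="$2"; header="$3"
    case "$version" in
        2) printf 'cryptsetup reencrypt --header %s --decrypt %s\n' "$header" "$device" ;;
        1) printf 'cryptsetup reencrypt --decrypt %s\n' "$device" ;;
        *) return 1 ;;
    esac
}

# The wiki's rule: for LUKS2 the header target must not already exist.
header_target_ok() {
    version="$1"; header="$2"
    [ "$version" != "2" ] || [ ! -e "$header" ]
}

# Whole procedure: dump -> parse version -> check target -> back up header -> decrypt.
plan_decrypt() {
    device="$1"; header="$2"; backup="$3"
    dump=$(cryptsetup luksDump "$device") || return 1
    version=$(luks_version_from_dump "$dump")
    [ -n "$version" ] || { echo "not a LUKS device: $device" >&2; return 1; }
    header_target_ok "$version" "$header" \
        || { echo "$header already exists; refusing to continue" >&2; return 1; }
    cryptsetup luksHeaderBackup "$device" --header-backup-file "$backup" || return 1
    cmd=$(decrypt_command "$version" "$device" "$header") || return 1
    echo "$cmd"
    [ -n "$DRY_RUN" ] || eval "$cmd"
}
```

Run with `DRY_RUN=1 plan_decrypt /dev/sdxY /mnt/luks-header.img /mnt/header.bak` to see the command that would be executed without touching the device.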