How to determine what encryption is being used a LUKS partition

cryptsetupencryptionlukspartition

What command can be used to determine the used encryption on a LUKS partition (all the relevant information, initialization vector, generation scheme, mode of operation and block cipher primitive)?

Best Answer

If the decrypted volume is /dev/mapper/crypto then you can get the information with

dmsetup table crypto
0 104853504 crypt aes-cbc-essiv:sha256 000[...]000 0 254:2 4096

If the encrypted volume is /dev/storage2/crypto then you get the information with

cryptsetup luksDump /dev/storage2/crypto
LUKS header information for /dev/storage2/crypto

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha256
[...]

Purpose of the `cryptsetup resize` command

what should I choose for $SECTORS? Is this step even necessary?

This step is necessary, otherwise the partition would still show up at the old side. This is confirmed with Nautilus, even after resizing with resize2fs, the LUKS partition showed up as the old size. After running cryptsetup resize, the correct number is shown. This step is not necessary. It only affects the current size status as shown in the file browser. After changing the size and closing/opening the partition again, the number is restored. So, when closing the LUKS partition as shown later will make this obsolete.

$SECTORS can be determined by looking at the output of cryptsetup status ExistingExt4:

    /dev/mapper/ExistingExt4 is active.
      type:    LUKS1
      cipher:  aes-cbc-essiv:sha256
      keysize: 256 bits
      device:  /dev/sda2
      sector size:  512
      offset:  2056 sectors
      size:    156049348 sectors
      mode:    read/write

(As of cryptsetup 2.0.0 (December 2017), the sector size may be larger than 512 bytes: see the cryptsetup(8) manpage and the --sector-size option.)

Thus, to subtract 15 GiB, use a sector size of 156049348 - 15 * 1024 * 1024 * 2 = 124592068:

cryptsetup resize ExistingExt4 -b 124592068

Resizing the partition with `parted`

As for resizing the partition, parted works fine with GPT partitions. The resize command does not work however, as a workaround (or solution), remove the partition information and create a new partition as inspired by http://ubuntuforums.org/showthread.php?p=8721017#post8721017:

# cryptsetup luksClose ExistingExt4
# parted /dev/sda2
GNU Parted 2.3
Using /dev/sda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) unit s
(parted) p
Model: ATA INTEL SSDSA2CW08 (scsi)
Disk /dev/sda: 156301488s
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number  Start    End         Size        File system  Name    Flags
 1      34s      2082s       2049s                    Boot    bios_grub
 3      2083s    250034s     247952s     ext2         RootBoot
 2      250035s  156301438s  156051404s               Everything

As 15 GiB has to be shaved off, the new end becomes 156301438 - 15 * 1024 * 1024 * 2 = 124844158. Since I want to change partition 2, I first have to remove it and then recreate it with the label "Everything" (this could be changed if you like). Note: this disk has a GPT layout. For MBR, you should replace Everything by primary or extended (untested, resizing a partition on MBR has not been tested and is not recommended because it is untested).

WARNING: the following commands has destroyed data. Do not copy it without understanding what is happening. The sector dimensions must be changed, otherwise you WILL destroy your partition(s). I am in no way responsible for your stupidness, BACKUP BACKUP BACKUP your data to a second storage medium before risking your data.

(parted) rm 2
(parted) mkpart Everything 250035s 124844158s
Warning: The resulting partition is not properly aligned for best performance.
Ignore/Cancel? ignore
(parted) p
Model: ATA INTEL SSDSA2CW08 (scsi)
Disk /dev/sda: 156301488s
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number  Start    End         Size        File system  Name    Flags
 1      34s      2082s       2049s                    Boot    bios_grub
 3      2083s    250034s     247952s     ext2         RootBoot
 2      250035s  124844158s  124594124s               Everything
(parted) quit

In the above parted example, my sectors are not aligned which is a mistake from an earlier installation, do not pay too much attention to it.

That is it! You can use cryptsetup status and file -Ls /dev/... to verify that everything is OK and then reboot.

LUKS Encryption – How to Remove LUKS Encryption

Backup
Reformat
Restore

cryptsetup luksRemoveKey would only remove an encryption key if you had more than one. The encryption would still be there.

The Fedora Installation_Guide Section C.5.3 explains how luksRemoveKey works.

That it's "impossible" to remove the encryption while keeping the contents is just an educated guess. I base that on two things:

Because the LUKS container has a filesystem or LVM or whatever on top of it, just removing the encryption layer would require knowledge of the meaning of the data stored on top of it, which simply is not available. Also, a requirement would be that overwriting a part of the LUKS volume with its decrypted counterpart, would not break the rest of the LUKS content, and I'm not sure if that can be done.
Implementing it would solve a problem that is about as far away from the purpose of LUKS as you can get, and I find it very unlikely that someone would take the time to do that instead of something more "meaningful".

Best Answer

Related Solutions

How to shrink a LUKS partition, what does `cryptsetup resize` do

Purpose of the cryptsetup resize command

Resizing the partition with parted

LUKS Encryption – How to Remove LUKS Encryption

Related Question

Purpose of the `cryptsetup resize` command

Resizing the partition with `parted`