LUKS Encryption – How to Remove LUKS Encryption

encryptionlinuxluks

I tried removing LUKS encryption on my home directory using the following command:

cryptsetup luksRemoveKey /dev/mapper/luks-3fd5-235-26-2625-2456f-4353fgdgd

But it gives me an error saying:

Device /dev/mapper/luks-3fd5-235-26-2625-2456f-4353fgdgd is not a
valid LUKS device.

Puzzled, I tried the following:

cryptsetup status luks-3fd5-235-26-2625-2456f-4353fgdgd

And it says:

/dev/mapper/luks-3fd5-235-26-2625-2456f-4353fgdgd is active and is in use.
type: LUKS1
cipher: ...

It seems the encrypted device is active, but not valid. What could be wrong here?

Best Answer

Backup
Reformat
Restore

cryptsetup luksRemoveKey would only remove an encryption key if you had more than one. The encryption would still be there.

The Fedora Installation_Guide Section C.5.3 explains how luksRemoveKey works.

That it's "impossible" to remove the encryption while keeping the contents is just an educated guess. I base that on two things:

Because the LUKS container has a filesystem or LVM or whatever on top of it, just removing the encryption layer would require knowledge of the meaning of the data stored on top of it, which simply is not available. Also, a requirement would be that overwriting a part of the LUKS volume with its decrypted counterpart, would not break the rest of the LUKS content, and I'm not sure if that can be done.
Implementing it would solve a problem that is about as far away from the purpose of LUKS as you can get, and I find it very unlikely that someone would take the time to do that instead of something more "meaningful".

Related Solutions

Linux – Trying to understand LUKS encryption

1a - it really doesn't matter all that much. which ever hash you use for the key derivation function, LUKS makes sure it will be computationally expensive. It will simply loop it until 1 second real time has passed.

1b - the key derivation method has no influence on performance. the cipher itself does. cryptsetup benchmark shows you as much.

2 - AES is the fastest if your CPU is modern enough to support AES-NI instructions (hardware acceleration for AES). If you go with serpent now you may not be able to utilize the AES-NI of your next laptop.

# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1      1165084 iterations per second
PBKDF2-sha256     781353 iterations per second
PBKDF2-sha512     588426 iterations per second
PBKDF2-ripemd160  726160 iterations per second
PBKDF2-whirlpool  261882 iterations per second
#  Algorithm | Key |  Encryption |  Decryption
     aes-cbc   128b   692.9 MiB/s  3091.3 MiB/s
 serpent-cbc   128b    94.6 MiB/s   308.6 MiB/s
 twofish-cbc   128b   195.2 MiB/s   378.7 MiB/s
     aes-cbc   256b   519.5 MiB/s  2374.0 MiB/s
 serpent-cbc   256b    96.5 MiB/s   311.3 MiB/s
 twofish-cbc   256b   197.9 MiB/s   378.0 MiB/s
     aes-xts   256b  2630.6 MiB/s  2714.8 MiB/s
 serpent-xts   256b   310.4 MiB/s   303.8 MiB/s
 twofish-xts   256b   367.4 MiB/s   376.6 MiB/s
     aes-xts   512b  2048.6 MiB/s  2076.1 MiB/s
 serpent-xts   512b   317.0 MiB/s   304.2 MiB/s
 twofish-xts   512b   368.7 MiB/s   377.0 MiB/s

Keep in mind this benchmark does not use storage so you should verify these results with whatever storage and filesystem you are actually going to use.

Fedora – How to identify LVM-over-LUKS or LUKS-over-LVM

cryptsetup luksDump /dev/fedora/01 shows the LVM logical volume to be a LUKS encrypted volume. The output of pvs or pvdisplay would show the partition /dev/sda3 to be a physical volume. Thus you have LUKS over LVM. At a lower level, you have LVM over PC partition.

The output of lsblk confirms this: sda is a disk, sda3 is a partition (which contains an LVM physical volume), fedora-00 and fedora-01 are logical volumes, and each logical volume contains a LUKS encrypted volume.

Best Answer

Related Solutions

Linux – Trying to understand LUKS encryption

Fedora – How to identify LVM-over-LUKS or LUKS-over-LVM

Related Question