Guilhem Moulin:
> On Thu, 13 Sep 2018 at 00:47:00 +0000, procmem wrote:
>> Guilhem Moulin:
>>> On Wed, 12 Sep 2018 at 15:21:00 +0000, procmem wrote:
>>>> cryptsetup convert /dev/vda5 --type luks2 --debug
>>>> […]
>>>> Cannot convert device /dev/vda5 which is still in use.
>>>> […]
>>>> Command failed with code -5 (device already exists or device is busy).
>>>
>>> As the error message indicates, you need to remove (ie, close) the
>>> mapped device first. If that device is required for your system to run
>>> (for instance if it's holding the root file system) you won't be able to
>>> run `cryptsetup luksClose $name` from the main system; however you
>>> should be able to perform `cryptsetup convert` from a live CD, or from
>>> the initramfs image.
>>
>> initramfs sounds like the most versatile option. Any pointers on how to
>> do this? Searching SE turns up irrelevant results.
>
> Before rebooting you might want to make sure the ‘algif_skcipher’ kernel
> module is included in the initramfs image, otherwise you might not be
> able to open LUKS2 volumes. (See https://bugs.debian.org/896968 for
> details.) To do so, run the following two commands:
>
>     echo algif_skcipher | sudo tee -a /etc/initramfs-tools/modules
>     sudo update-initramfs -u
>
> Now assuming your bootloader is GRUB, reboot, press <E> to obtain an
> emacs-like screen, append “ break=premount” to the line starting with
> “initrd”, and press <Ctrl>+<X> to boot. (The edit is transient and
> won't survive the next reboot.) You should land into an initramfs debug
> shell; see initramfs-tools(7) for details.
>
> That has probably become off-topic for the dm-crypt list, by the way
> (discussing how to reboot into an initramfs shell has nothing to do with
> dm-crypt, LUKS, or cryptsetup(8) per se); the user support channels of
> your distro might be a better venue for this.
>

Appending break=premount to the line starting with "linux" worked for
converting the header to v2.

However, changing it to argon2id still failed with a -1 error code. So I
ended up bypassing this process by creating a new keyslot with the same
passphrase - which happens to use the best parameters by default (argon2id
in this case) and then going back and deleting the legacy keyslot:

    # cryptsetup luksAddKey /dev/vda5 -S 1
    # cryptsetup luksKillSlot /dev/vda5 0

Everything continues to boot up. I think this is the best way to do things
unless anyone has any reservations*

* As long as no SSDs are used I don't think users have to worry about the
old header floating around. Though I'm unsure if in-place conversion would
have been a security advantage in that case.

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt
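A post-conversion check, added here as an example and not part of this thread: the script below parses the Keyslots section of `cryptsetup luksDump` output (a constructed sample dump is embedded; the section layout assumed is that of cryptsetup 2.x) and lists any keyslot still bound to pbkdf2, so you can confirm the legacy slot is really gone after `luksKillSlot` without being misled by the header digest, which uses pbkdf2 regardless of the keyslot KDF.

```shell
#!/bin/sh
# Added example (not from the thread): audit which PBKDF each LUKS2 keyslot
# uses, reading `cryptsetup luksDump` output on stdin. SAMPLE_DUMP is a
# CONSTRUCTED dump mirroring the post: slot 0 converted from LUKS1 keeps
# pbkdf2, slot 1 added with luksAddKey got the argon2id default.
# Real use:  cryptsetup luksDump /dev/vda5 | legacy_slots
SAMPLE_DUMP='LUKS header information
Version:        2
UUID:           00000000-0000-0000-0000-000000000000

Keyslots:
  0: luks2
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
  1: luks2
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000'

# Print "<slot> <pbkdf>" per keyslot. Only the Keyslots: section is scanned,
# so the header digest (always pbkdf2 in LUKS2) is not reported as a weak
# keyslot the way a plain `grep pbkdf2` would.
keyslot_pbkdfs() {
    awk '
        /^Keyslots:/                 { in_slots = 1; next }
        /^[A-Za-z]/                  { in_slots = 0 }   # other top-level section
        in_slots && $1 ~ /^[0-9]+:$/ { slot = $1; sub(/:/, "", slot) }
        in_slots && $1 == "PBKDF:"   { print slot, $2 }
    '
}

# Print the ids of keyslots still bound to pbkdf2, the legacy LUKS1 KDF.
legacy_slots() {
    keyslot_pbkdfs | awk '$2 == "pbkdf2" { print $1 }'
}

# Demo on the sample: reports slot 0, i.e. luksKillSlot 0 is still pending.
left=$(printf '%s\n' "$SAMPLE_DUMP" | legacy_slots)
if [ -n "$left" ]; then
    echo "keyslot(s) still using pbkdf2: $left"
fi
```

An empty result from `legacy_slots` after the kill is the confirmation that only argon2id-protected slots remain.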