Some Q&A about LUKS2 reencryption

Hi,

I'm just sharing some Q&A originally exchanged via private e-mails. Thank you for letting me share it publicly! I've also added some clarifications to my original answers.

---------

Q: I mean, how are you re-encrypting a drive that is, say, 98% full? Where is all that data going? I know you create devices, but you have to store the data somewhere, right?

A: All metadata necessary to perform recovery of said segment (in case of a crash) is stored in the LUKS2 metadata area, no matter whether the LUKS2 reencryption was run in online or offline mode.

Q: If a drive is interrupted during re-encryption, and I remove the device mapping from the hotzone device to the mounted filesystem and old encrypted device, then won't the system be unbootable?

A: In case of a reencryption application crash, try to close the original device via the following command first: "cryptsetup close my_crypt_device". Cryptsetup assesses whether it's safe to tear down the reencryption device stack or not. It also cuts off I/O (via a dm-error mapping) to the current hotzone segment (to make later recovery possible). If it can't be torn down, e.g. due to a mounted fs, you must unmount the filesystem first. Never try to tear down reencryption dm devices manually using e.g. the dmsetup tool, at least not unless cryptsetup says it's safe to do so. It could damage data beyond repair.

Q: There is also resume support; how do you do these things? Also, if I reboot the system in such a state [the interrupted LUKS2 reencryption], won't the system be unbootable, since there is no way to enter 2 keys at start-up?

A: Cryptsetup (the command line utility) expects the passphrase to be identical for the keyslot containing the old volume key and for the keyslot containing the new one. So the recovery in such a case happens during the normal "cryptsetup open" operation, or even during systemd-cryptsetup attach during boot.

Reencryption recovery can also be performed in offline mode (without the need to activate the LUKS device) by the "cryptsetup repair" command.

O.

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt
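The answers above rest on one point: everything needed to recover an interrupted reencryption (which keyslot is the reencryption slot, which segment is the hotzone) lives in the LUKS2 metadata area, so "cryptsetup open" or "cryptsetup repair" can pick it up later. The following Python script is an added example, not part of the original post and not cryptsetup code. It parses a LUKS2 header image (for instance one saved with "cryptsetup luksHeaderBackup"), verifies the header checksum, and reports whether a reencryption is pending and which byte range the hotzone segment covers. The binary layout follows the published LUKS2 on-disk format; the keyslot type "reencrypt" and the segment flag "in-reencryption" are the names cryptsetup uses in the JSON area as far as I know; the sample header, its UUID and its offsets are constructed inside the script and trimmed to the fields the script reads.

```python
"""Inspect a LUKS2 header image for an unfinished reencryption.

Added example (not cryptsetup code). Layout: a 4096-byte binary header
followed by a null-padded JSON area; the checksum stored in the binary
header covers both, with the checksum field itself zeroed.
"""
import hashlib
import json
import struct

BIN_HDR_SIZE = 4096
MAGICS = (b"LUKS\xba\xbe", b"SKUL\xba\xbe")   # primary / secondary copy
# magic, version, hdr_size, seqid, label, csum_alg, salt, uuid, subsystem,
# hdr_offset, padding, csum  (512 bytes; the rest of the 4096 is padding)
HDR_FMT = ">6sHQQ48s32s64s40s48sQ184s64s"
CSUM_OFF, CSUM_LEN = 448, 64


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode()


def _fields(image):
    return struct.unpack_from(HDR_FMT, image, 0)


def verify_checksum(image):
    """Recompute the checksum over hdr_size bytes with the csum field zeroed."""
    f = _fields(image)
    hdr_size, csum_alg, csum = f[2], _cstr(f[5]), f[11]
    if len(image) < hdr_size:
        return False
    covered = bytearray(image[:hdr_size])
    covered[CSUM_OFF:CSUM_OFF + CSUM_LEN] = bytes(CSUM_LEN)
    digest = hashlib.new(csum_alg, bytes(covered)).digest()
    return csum[:len(digest)] == digest


def parse_header(image):
    """Validate magic, version and checksum; return seqid, uuid and the JSON."""
    f = _fields(image)
    magic, version, hdr_size, seqid, label, uuid = f[0], f[1], f[2], f[3], f[4], f[7]
    if magic not in MAGICS:
        raise ValueError("not a LUKS2 header")
    if version != 2:
        raise ValueError("unsupported LUKS version %d" % version)
    if not verify_checksum(image):
        raise ValueError("header checksum mismatch")
    meta = json.loads(_cstr(image[BIN_HDR_SIZE:hdr_size]))
    return {"seqid": seqid, "uuid": _cstr(uuid), "label": _cstr(label), "json": meta}


def reencryption_state(meta):
    """None if no reencryption is pending; otherwise the reencrypt keyslot's
    mode/direction/resilience and the hotzone segment(s) as (id, offset, size)."""
    for ks_id, ks in meta.get("keyslots", {}).items():
        if ks.get("type") != "reencrypt":
            continue
        hot = [(sid, int(seg["offset"]), int(seg["size"]))
               for sid, seg in meta.get("segments", {}).items()
               if "in-reencryption" in seg.get("flags", [])]
        return {"keyslot": ks_id, "mode": ks.get("mode"),
                "direction": ks.get("direction"),
                "resilience": ks.get("area", {}).get("type"),
                "hotzone": sorted(hot)}
    return None


def build_header(meta, seqid, hdr_size=16384):
    """Constructed test header (primary copy, sha256 checksum, made-up UUID)."""
    json_area = json.dumps(meta).encode().ljust(hdr_size - BIN_HDR_SIZE, b"\0")
    binhdr = struct.pack(HDR_FMT, MAGICS[0], 2, hdr_size, seqid, b"", b"sha256",
                         b"\x5a" * 64, b"0f8e3a2c-0000-4000-8000-000000000001",
                         b"", 0, b"", b"").ljust(BIN_HDR_SIZE, b"\0")
    image = bytearray(binhdr + json_area)
    image[CSUM_OFF:CSUM_OFF + 32] = hashlib.sha256(bytes(image)).digest()
    return bytes(image)


# Constructed sample: forward reencryption with one 32 MiB hotzone (segment 1)
# between the part already on the new key (segment 0) and the untouched rest
# (segment 2). Fields trimmed to what this script reads.
MiB = 1024 * 1024
SAMPLE_META = {
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64},      # old volume key
        "1": {"type": "luks2", "key_size": 64},      # new volume key
        "2": {"type": "reencrypt", "key_size": 8, "mode": "reencrypt",
              "direction": "forward",
              "area": {"type": "checksum", "hash": "sha256", "sector_size": 512,
                       "offset": str(1 * MiB), "size": str(128 * 1024)}},
    },
    "segments": {
        "0": {"type": "crypt", "offset": str(16 * MiB), "size": str(32 * MiB)},
        "1": {"type": "crypt", "offset": str(48 * MiB), "size": str(32 * MiB),
              "flags": ["in-reencryption"]},
        "2": {"type": "crypt", "offset": str(80 * MiB), "size": "dynamic"},
    },
}

if __name__ == "__main__":
    hdr = parse_header(build_header(SAMPLE_META, seqid=7))
    print("seqid", hdr["seqid"], "uuid", hdr["uuid"])
    state = reencryption_state(hdr["json"])
    if state is None:
        print("no reencryption pending")
    else:
        print("reencryption pending: mode=%s direction=%s resilience=%s"
              % (state["mode"], state["direction"], state["resilience"]))
        for sid, off, size in state["hotzone"]:
            print("  hotzone segment %s: bytes %d..%d" % (sid, off, off + size - 1))
```

To use it on a real device, read the header from the device or from a header backup file instead of calling build_header. A real header carries far more than the sample (kdf and af parameters per keyslot, digests tying keyslots to segments, the config object), and "cryptsetup luksDump" prints all of it; the script only shows the minimum a recovery needs. The hotzone range it reports is the area to which cryptsetup cuts off I/O with dm-error when "cryptsetup close" tears the reencryption stack down, as described in the answers above.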
