Hi Ondrej,

thanks. Added somewhat streamlined and edited to fit the format of the FAQ better. Do you want to be listed under "Contributors"?

Regards,
Arno

On Mon, Apr 27, 2020 at 10:39:05 CEST, Ondrej Kozina wrote:
> Hi,
>
> I'm just sharing some Q&A originally exchanged via private e-mails. Thank
> you for letting me share it publicly! I've also added some clarifications to
> my original answers.
>
> ---------
>
> Q: I mean how are you re-encrypting a drive that is say 98% full, where is
> all that data going? I know you create devices but you have to store the
> data somewhere right?
>
> A: All metadata necessary to perform recovery of said segment (in case of
> crash) are stored in the LUKS2 metadata area. No matter if the LUKS2
> reencryption was run in online or offline mode.
>
> Q: If a drive is interrupted during re-encryption, and I remove the device
> mapping from the hotzone device to the mounted filesystem and old encrypted
> device, then won't the system be un-bootable?
>
> A: In case of a reencryption application crash, try to close the original
> device via the following command first: "cryptsetup close my_crypt_device".
> Cryptsetup assesses if it's safe to tear down the reencryption device stack
> or not. It also cuts off I/O (via dm-error mapping) to the current hotzone
> segment (to make later recovery possible). If it can't be torn down, i.e. due
> to a mounted fs, you must unmount the filesystem first. Never try to tear down
> reencryption dm devices manually using e.g. the dmsetup tool, at least not
> unless cryptsetup says it's safe to do so. It could damage data beyond
> repair.
>
> Q: There is also resume support, how do you do these things? Also if I
> reboot the system in such a state [the interrupted LUKS2 reencryption] won't
> the system be un-bootable since there is no way to enter 2 keys at start-up?
>
> A: Cryptsetup (command line utility) expects the passphrase to be identical for
> the keyslot containing the old volume key and for the keyslot containing the new one.
> So the recovery in such a case happens during the normal "cryptsetup open" operation. Or
> even during systemd-cryptsetup attach during boot.
>
> Reencryption recovery can also be performed in offline mode (w/o need to
> activate the luks device) by the "cryptsetup repair" command.
>
> O.
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> https://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it. The very definition of "news" is
"something that hardly ever happens." -- Bruce Schneier
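The recovery order Ondrej describes (unmount first, let `cryptsetup close` judge whether the stack can be torn down, never reach for `dmsetup`, and use `cryptsetup repair` for the offline path) fits in a small wrapper. The script below is an added example written for this FAQ thread, not code from the cryptsetup project or from either author. It assumes a cryptsetup 2.x with LUKS2 reencryption support, a util-linux `findmnt`, and that the mapping name passed in is the one that was being reencrypted; the `safe_close` and `offline_repair` names are hypothetical.

```shell
#!/bin/sh
# Hypothetical recovery helper for an interrupted LUKS2 reencryption
# (added example; assumes cryptsetup 2.x and util-linux findmnt).
#
# Usage:  ./luks2-recover.sh close  <mapping-name>
#         ./luks2-recover.sh repair <block-device>

# Return 0 if anything is mounted from /dev/mapper/<name>.
# findmnt exits non-zero when no mount matches the source.
is_mounted() {
    findmnt -rn -S "/dev/mapper/$1" >/dev/null 2>&1
}

# Online path after a crash: ask cryptsetup to tear the reencryption
# stack down. cryptsetup itself decides whether that is safe and cuts
# I/O to the current hotzone (dm-error) so a later recovery can succeed.
# Exit codes: 0 closed, 1 cryptsetup refused, 2 still mounted.
safe_close() {
    name=$1
    if is_mounted "$name"; then
        echo "refusing to close $name: a filesystem is still mounted; unmount it first" >&2
        return 2
    fi
    if cryptsetup close "$name"; then
        echo "closed $name; recovery will run on the next 'cryptsetup open'"
        return 0
    fi
    # Do NOT fall back to 'dmsetup remove' here: tearing the dm devices
    # down by hand can damage the data beyond repair.
    echo "cryptsetup refused to close $name; leave the dm devices alone" >&2
    return 1
}

# Offline path: recover/finish the reencryption from LUKS2 metadata
# without activating the device. The passphrase must unlock both the
# old and the new volume-key keyslots.
offline_repair() {
    cryptsetup repair "$1"
}

case "${1:-}" in
    close)  safe_close "$2" ;;
    repair) offline_repair "$2" ;;
    *)      ;;
esac
```

The wrapper deliberately has no `dmsetup` branch: if `cryptsetup close` returns non-zero, the right move is to find out why (usually a mount or an open file) rather than to remove the mappings manually.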