Re: Some Q&A about LUKS2 reencryption

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Ondrej,

thanks. Added somewhat streamlined and edited to fit the format 
of the FAQ better. Do you want to be listed under "Contributors"?

Regards,
Arno

On Mon, Apr 27, 2020 at 10:39:05 CEST, Ondrej Kozina wrote:
> Hi,
> 
> I'm just sharing some Q&A originally exchanged via private e-mails. Thank
> you for letting me share it publicly! I've also added some clarifications to
> my original answers.
> 
> ---------
> 
> Q: I mean how are you re-encrypting a drive that is say 98% full, where is
> all that data going? I know you create devices but you have to store the
> data somewhere right?
> 
> A: All metadata necessary to perform recovery of said segment (in case of
> crash) are stored in LUKS2 metadata area. No matter if the LUKS2
> reencryption was run in online or offline mode.
> 
> Q: If a drive is interrupted during re-encryption, and I remove the device
> mapping from the hotzone device to mounted filesystem and old encrypted
> device. Then won't the system be un-bootable?
> 
> A: In case of reencryption application crash, try to close the original
> device via following command first: "cryptsetup close my_crypt_device".
> Cryptsetup assesses if it's safe to teardown reencryption device stack
> or not. It also cut off I/O (via dm-error mapping) to current hotzone
> segment (to make later recovery possible). If it can't be torn down i.e. due
> to mounted fs, you must unmount filesystem first. Never try to tear down
> reencryption dm devices manually using e.g. dmsetup tool, at least not
> unless cryptsetup says it's safe to do so. It could damage data beyond
> repair.
> 
> Q: There is also resume support, how do you do these things? Also if I
> reboot the system in such a state [the interrupted LUKS2 reencryption] won't
> the system be un-bootable since there is no way to enter 2 keys at start-up?
> 
> A: Cryptsetup (command line utility) expects passphrase be identical for
> keyslot containing old volume key and for keyslot containing new one. So the
> recovery in such case happen during normal "cryptsetup open" operation. Or
> even in during systemd-cryptsetup attach during boot.
> 
> Reencryption recovery can be also performed in offline mode (w/o need to
> activate luks device) by "cryptsetup repair" command.
> 
> O.
> 
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> https://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt



[Index of Archives]     [Device Mapper Devel]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux