From Wiki

Revision as of 08:54, 20 June 2016 by Apos (talk | contribs) (HowTo - shrink and resize encrypted LUKS volumes)

HowTo - shrink and resize encrypted LUKS volumes

LVM and LUKS are often used together within a standard encrypted setup. The best HowTo I could find for Ubuntu which really sums up the essential tasks in a very good manner is on Ubuntu forums. Written in 2008 but the procedures are and will remain the same. The scenarios are to e.g. shrink an existing ubuntu installation to fit on another disk (move from bigger hdd to a smaller sdd) or vice versa.

It describes the procedure using a life disk. If you are using you PC which is also encrypted you should read the LVM#Troubleshooting section.

Install necessary apps

E.g. on a rescue disc ...

apt-get install cryptsetup

Open encryted lvm partition

Be arefulat this step!

If this is the root device, you will need to use exactly the _ SAME NAME _ for the crypt (in our example: sda5_crypt for ${my_crpyt_name}) like in your destination Ubuntu environment. If not, you will not be able to boot your device, because the system will be configured using the wrong name for your mapper name which is written down in /etc/crypttab (don't change this!).

# Please edit acccording to your entry in /etc/crypttab of your destination installation
# If you don't now it yet, see the troubleshooting section next.
cryptsetup luksOpen /dev/sda5 ${my_crpyt_name}


If you are unsure about the name of ${my_crpyt_name} which is used within your destination setup, you have to look into its /etc/crypttab. To to this: decrypt your device, mount it, have a look into the /etc/crypttab, unmount, uncrypt and start over again with the right name:

cryptsetup luksOpen /dev/sda5 test_crypt
mount /dev/mapper/vg-somename-root /mnt/test
nano /mnt/test/etc/crypttab
> sda5_crypt UUID=def346a0-6e33-4523-b99c-d7777b980b34 none luks,discard
umount /mnt/test
crpytsetup luksClose test_crypt

BUT: If you try to encrypt a system from within an encrypted system, which uses the _SAME_ crypt name as the destination system this will _NOT WORK_. Then the only way is to use a life cd or another PC with an uncrypted installation !!!

Mount existing volume groups

sudo apt-get install lvm2
sudo modprobe dm-mod
sudo vgchange -a y
> 2 logical volume(s) in volume group "vg-whatever" now active
ls /dev/mapper
> control sda5_crypt vg--whatever--root  vg--whatever--swap
# Please edit
# Mount /root and /boot
mkdir ${my_root}
mount /dev/mapper/${my_vg} ${my_root}
mount ${my_boot_device} ${my_root}/boot
# Chroot
mount -o bind /dev ${my_root}/dev; \
mount -o bind /run ${my_root}/run; \
mount -t proc /proc ${my_root}/proc; \
mount -t sysfs /sys ${my_root}/sys
chroot ${my_root}

Umount existing volume groups and close encrypted container

sudo umount ${my_root}/*
sudo umount /dev/mapper/${my_vg}
sudo vgchange -a n
sudo cryptsetup luksClose ${my_crpyt}