Encrypted LVM — Setting Up, Shrinking and Growing

I’ve been tinkering with my LVM config and exploring, trying to learn how to set up an encrypted Logical Volume and then how to grow and shrink it. I’d like to share my workings with you so you know too. This is a long article, so I’ve hidden it under a cut.

Remember, before you do ANYTHING that involves shrinking or resizing partitions on your hard drive, you MUST make a backup, ideally as an image. If anything goes wrong, you will need to revert to this image.

I’m not going to give you a background on LVM or crypt volumes. If you need that, try this link, this link and this link.

First, let’s talk about shrinking a volume. If you don’t have any room for an encrypted LV, you must resize an existing LV. I’m resizing one of my LVs (which contains some videos from my dashboard camera) and reducing it by 10GB. “-L -10G” means “resize by -10G”, i.e. make it 10GB smaller than it currently is; “-r” means “run fsck and resize2fs to resize the filesystem inside the LV as well”; “-v” means “be verbose”.

lvresize -L -10G -r -v /dev/HitachiVG/Dashcam

Once the resize is complete, we can create a new LV in the same Volume Group. Since I’ve just resized my other LV down by 10GB, this new one must be 10GB or smaller. Here, I give it a name (-n), tell LVM I want read-write access (-p rw), ask it to be verbose (-v) and specify a size of 10GB (-L 10G). I also have to tell LVM which volume group to put this new LV in (HitachiVG).

lvcreate -n CryptTesting -p rw -v -L 10G HitachiVG

Once the LV has been successfully created, we can format it as a LUKS volume. Here, I tell it I want to use the AES cipher (-c aes) and the SHA256 hash (-h sha256). I also have to give it the device path of the new LV (/dev/mapper/HitachiVG-CryptTesting). A passphrase will need to be set at this point. Afterwards, cryptsetup luksDump shows the cipher mode and hash that were actually written to the header, which is worth checking, since a bare cipher name like aes leaves cryptsetup to pick the chaining mode for you.

cryptsetup luksFormat -c aes -h sha256 /dev/mapper/HitachiVG-CryptTesting

When the format has completed, I can open (decrypt) the new crypt volume, giving the name I want the decrypted mapping to appear under in the /dev/mapper/ directory. In the example below, the decrypted mapping will be /dev/mapper/DecryptedTest.

cryptsetup luksOpen /dev/mapper/HitachiVG-CryptTesting DecryptedTest

With the decrypted volume open, I can now format it. I’m using ext4 here, but you could use any filesystem.

mkfs.ext4 /dev/mapper/DecryptedTest

I’m creating a mount point manually here for the purposes of testing, but you can use cryptmount.

mkdir /media/DecryptedTestMount

Mount the decrypted volume so you can start using the content.

mount -t ext4 /dev/mapper/DecryptedTest /media/DecryptedTestMount/

At this point, you can work with the content. For this test, I’m going to create a 512MB file.

dd if=/dev/zero of=/media/DecryptedTestMount/dummyfile bs=1M count=512

Now we can unmount the volume (the -f forces the unmount; a plain umount is enough for a local filesystem).

umount -f /media/DecryptedTestMount/

(Optional) We can change the way we unlock the crypted volume by creating and adding a key to the crypted volume. I’m making a 409,600 byte key, but you can mess around with your own values here.

dd if=/dev/urandom of=./crypttest.key bs=1024 count=400

Remember that the key will unlock the crypted volume, so you should, where possible, avoid having it accessible to other users. You should also lock it down, for example by making it readable only by root (or whichever user is going to use the key).

chown root:root ./crypttest.key
chmod 400 ./crypttest.key

Now we can add the key to the crypted volume

cryptsetup luksAddKey /dev/mapper/HitachiVG-CryptTesting ./crypttest.key

To test that the key method works, we close and reopen the crypted volume, this time passing the key file. It shouldn’t prompt for a password.

cryptsetup luksClose DecryptedTest
cryptsetup luksOpen --key-file=./crypttest.key /dev/mapper/HitachiVG-CryptTesting DecryptedTest

Mount to check that the content is untouched.

mount -t ext4 /dev/mapper/DecryptedTest /media/DecryptedTestMount/

Unmount

umount -f /media/DecryptedTestMount/

We now have an encrypted LV. Next, we move on to shrinking the crypted volume. We will resize in the following order:

  1. Decrypted Filesystem
  2. Logical Volume

NOTE: some pages say that you also need to shrink the crypted volume, while others say that the crypted volume doesn’t actually store any size-related information. So take the following section with a pinch of salt. In practice, the size of the decrypted mapping is fixed when the volume is opened, which is why the steps below close and reopen it after resizing the LV. As mentioned at the start of the article, always make sure you have backups ready in case this goes wrong.

First, we must run an fsck on the decrypted filesystem.

e2fsck -f /dev/mapper/DecryptedTest

Now we resize the filesystem. I’m resizing it down to 1GB.

resize2fs /dev/mapper/DecryptedTest 1G

Close the crypt volume

cryptsetup luksClose /dev/mapper/DecryptedTest

Now we resize the LV. You may get a warning here that you may lose data. You MUST make sure you have a backup before resizing.

lvresize /dev/HitachiVG/CryptTesting -L 1G

We make sure the crypted volume is closed (the luksClose is harmless if the previous step already closed it), then reopen it.

cryptsetup luksClose /dev/mapper/DecryptedTest
cryptsetup luksOpen --key-file=./crypttest.key /dev/mapper/HitachiVG-CryptTesting DecryptedTest

After the LV resize, the decrypted filesystem and the decrypted mapping aren’t exactly the same size (the LUKS header occupies the first part of the LV, so the mapping is slightly smaller than the LV), so let’s make them match. If you don’t do this, any fsck you run on the decrypted volume will flag it up as an error. This line resizes the decrypted filesystem to fit the space available for it.

resize2fs /dev/mapper/DecryptedTest

Now let’s do a final fsck to make sure everything is OK

e2fsck -f /dev/mapper/DecryptedTest

Now for growing. Let’s say I want to grow the crypted filesystem back up to 10GB. This is easier because you’re making things BIGGER, not smaller. First, close the decrypted volume if it is already open.

cryptsetup luksClose /dev/mapper/DecryptedTest

Resizes must happen in the REVERSE order to the shrinking:

  1. Logical Volume
  2. Decrypted Filesystem

Resize the LV first

lvresize -n -L 10G -v /dev/mapper/HitachiVG-CryptTesting

Open the crypted volume

cryptsetup luksOpen --key-file=./crypttest.key /dev/mapper/HitachiVG-CryptTesting DecryptedTest

Resize the Decrypted file system to fit

resize2fs /dev/mapper/DecryptedTest

The LV and the filesystem inside it are now grown.
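As an added example (not code from the original post), here is the shrinking sequence above wrapped in a POSIX shell script that first works out how much of the LV the LUKS header takes, so the filesystem is shrunk to a size that already fits inside the smaller mapping; the growing sequence is the same steps in reverse and reuses the same helpers. The volume-group, LV, mapping and key names are assumptions copied from this post; the 8 MiB headroom is a constructed margin, and do_shrink needs root and the real devices.

```shell
# Added example, not the post's own code: size arithmetic and ordering guards
# for shrinking the LUKS-on-LVM volume above. VG/LV/MAPPED/KEY are assumptions
# matching the post's names; HEADROOM_MIB is a constructed safety margin.
set -eu
VG=HitachiVG; LV=CryptTesting; MAPPED=DecryptedTest; KEY=./crypttest.key
HEADROOM_MIB=8

# Parse a size such as 10G, 512M or 2048K into bytes (binary units, which is
# how lvresize -L and resize2fs interpret these suffixes).
to_bytes() {
  n=$(printf '%s' "$1" | tr -cd '0-9')
  case "$1" in
    *[Kk]) echo $((n * 1024)) ;;
    *[Mm]) echo $((n * 1048576)) ;;
    *[Gg]) echo $((n * 1073741824)) ;;
    *) echo "$n" ;;
  esac
}

# The decrypted mapping is the LV minus the LUKS header, i.e. the payload
# offset that `cryptsetup status` reports in 512-byte sectors.
payload_bytes() {  # $1 = LV size, $2 = payload offset in sectors
  echo $(( $(to_bytes "$1") - $2 * 512 ))
}

# Whole-MiB resize2fs target that still fits once the LV is shrunk to $1.
# Shrinking the filesystem to the LV target itself leaves it larger than the
# mapping, which is the e2fsck error the post then works around.
shrink_fs_target() {  # $1 = LV target size, $2 = payload offset in sectors
  mib=$(( $(payload_bytes "$1" "$2") / 1048576 - HEADROOM_MIB ))
  [ "$mib" -gt 0 ] || { echo "LV target $1 too small for the header" >&2; return 1; }
  echo "${mib}M"
}

luks_offset_sectors() {  # LUKS1 and LUKS2 alike, while the mapping is open
  cryptsetup status "$MAPPED" | sed -n 's/^ *offset: *\([0-9]*\) sectors.*/\1/p'
}

# Shrink in the post's order: filesystem (to a size that fits), then LV, then
# reopen and let resize2fs grow the filesystem out to the exact mapping size.
do_shrink() {  # $1 = LV target size, e.g. 1G; needs root and the real devices
  d="/dev/mapper/$MAPPED"
  ! mountpoint -q "/media/${MAPPED}Mount" || { echo "unmount first" >&2; return 1; }
  target=$(shrink_fs_target "$1" "$(luks_offset_sectors)")
  e2fsck -f "$d"; resize2fs "$d" "$target"   # set -e aborts if fsck finds problems
  cryptsetup luksClose "$MAPPED"
  lvresize -L "$1" "/dev/$VG/$LV"
  cryptsetup luksOpen --key-file="$KEY" "/dev/mapper/${VG}-${LV}" "$MAPPED"
  e2fsck -f "$d"; resize2fs "$d"              # re-fit to the exact mapping size
}
```

Run `do_shrink 1G` from a root shell with the volume unmounted; with a LUKS1 header (4096 sectors) it shrinks the filesystem to 1014M before the LV goes to 1G, so the final resize2fs only grows.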
