Removing system encryption

From ArchWiki
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Tango-edit-clear.pngThis article or section needs language, wiki syntax or style improvements. See Help:Style for reference.Tango-edit-clear.png

Reason: written in first person, other style issues. (Discuss in Talk:Removing system encryption)

Removing system encryption with dm-crypt and LUKS.

Removing LUKS Encryption in-place

Overview

Although not as safe as backing up your data and restoring it on to a reformatted device, cryptsetup does allow the user to permanently remove the LUKS encryption from a device in-place. For example, if you have an ext4 filesystem living inside a LUKS-encrypted partition, performing in-place decryption will remove the LUKS signature, and place the ext4 filesystem directly on the partition, so that you can mount it directly. Unless something goes wrong, the files in the filesystem will remain intact. The terms used by cryptsetup's documentation for this is "decryption."

Support for non-destructive offline decryption of LUKS1 devices has been available starting with cryptsetup version 1.5.0, which was released in 2012. LUKS1 decryption only supported offline mode decryption.

For LUKS2 devices, both offline and online (i.e. unmount not required) decryption are supported.

Warning: The procedures which follow are inherently risky and may cause catastrophic data loss. You should always backup your drive and LUKS headers before proceeding, to protect your data from accidents during decryption.

Decrypting LUKS1 devices in-place

Decryption is done in offline mode, using the (noq legacy) cryptsetup-reencrypt command. The steps are:

  1. Verify that your block device has a LUKS1 header (and not LUKS2) using cryptsetup luksDump <dev>
  2. reboot into a live environment using a USB stick.
  3. Identify your block device using blkid, lsblk, etc'
  4. Make sure that the block device to be decrypted has not been opened by cryptsetup (there is no entry under `/dev/mapper/`, let alone mounted. If it has been, unmount and use cryptsetup luksClose to close it.
  5. Use the legacy command cryptsetup-reencrypt:
cryptsetup-reencrypt --decrypt <device_path>

The process might take a while. If no problems occur, the contents of the encrypted block device should not be accessible directly from the block device. i.e., you should be able to mount it directly.

Decrypting LUKS2 devices in-place

Decryption can be done in either offline or online mode, using the cryptsetup command.

Warning: As of 2020, and version 2.3.3, when using cryptsetup to decrypt a LUKS2 block device the program requires you to provide a LUKS --header file. If you do not use the "detached header" feature of LUKS, and naively try to pass the block device itself (which contains a LUKS2 header) as the subject of the --header, cryptsetup will accept this and go ahead with alleged decryption. Afterwards the block device will show up as a LUKS2 device with no key-slots, and your data will be lost. If you try to use cryptsetup luksHeaderBackup as the header file used with --header, your data will be lost. If you try to restore a backed-up header after this faulty decryption, your data will still be lost.

If you still went ahead with the decryption, the data might be recoverable by shifting the partition start after the now defunct LUKS header: [1], still, do not rely on this.

Given the data loss risk just noted, you should avoid in-place decryption of LUKS2 devices unless you use detached header. I have tested offline LUKS2 decryption for a device with a detached header file and the procedure went smoothly. This functionality is also part of the tests included in the cryptsetup source.

If you do not use a detached header, your safest course is to use the safer backup-format-restore procedure described below. Alternatively, you can choose to convert your LUKS2 device to a LUKS1 device, and then proceed with the LUKS1 decryption procedure.

The conversion with take a significant amount of time, the system should be connected to mains power and extreme care should be taken to avoid any event that may lead to a system crash or loss of power. Data loss may occur if interrupted.

Steps:

  1. Verify that your block device has a LUKS2 header (and not LUKS1) using cryptsetup luksDump dev
  2. Note what key slots are in use using cryptsetup luksDump dev
  3. Reboot into a live environment using a USB stick.
  4. Identify your block device using blkid or lsblk.
  5. Make sure that the block device to be decrypted has not been opened by cryptsetup (there is no entry under /dev/mapper/, let alone mounted). If it has been, unmount and use cryptsetup luksClose to close it.
  6. Before converting the device, you must convert the Password-Based Key Derivation Function (PBKDF) for all key-slots to be LUKS1 compatible. Use the following command for each key slot: sudo cryptsetup luksConvertKey --key-slot key_slot_number --pbkdf pbkdf2 device_path
  7. Verify that all key slots PBKDFs are convert to pbkdf2: cryptsetup luksDump dev
  8. Convert the device from LUKS2 to LUKS1: sudo cryptsetup convert --type luks1 device_path
  9. Decrypt the (now) LUKS1 device: sudo cryptsetup-reencrypt --decrypt device_path

If successful, you should now be able to mount whatever filesystem was previously inside the LUKS device, by mounting the block device directly.

Hopefully, the cryptsetup project will address these usability and data loss issues in a future release (written August 2020).

Cleaning up system files

Device names and UUIDs may change due to decryption, and you will likely need to update relevant configuration files. The files most likely to need updating are /etc/crypttab, /etc/fstab and, if your recently decrypted device appeared on the kernel command line, your bootloader's configuration (e.g, /etc/default/grub). If you edit the latter, remember to regenerate the grub configuration as described in GRUB.

Removing LUKS via Backup-Format-Restore

Prerequisites

  • An encrypted root filesystem you wish to decrypt.
  • Enough drive space to store a backup.
  • An Arch Linux (or other) live CD/USB.
  • A few hours.

Boot into a Live Environment

Download and burn the latest Arch ISO to a CD or USB, reboot the system, and boot to cd.

Activate Partitions

Tango-edit-clear.pngThis article or section needs language, wiki syntax or style improvements. See Help:Style for reference.Tango-edit-clear.png

Reason: This uses too many HTML attributes instead of templates (Discuss in Talk:Removing system encryption)

Note About Different Setups

An example setup is shown here:

disk
ntfs myvg(lvm) ntfs
other os cryptswap(lv) cryptroot(lv) Shared
luks luks
swap root(xfs)

The grey sections only add a frame of reference and can be disregarded. The green partitions will be modified. Green text must match your system's setup. The yellow partition will be used as storage space and may be changed at will. In the example system: myvg contains lvs called cryptroot and cryptswap. they are located at /dev/myvg/cryptroot and /dev/myvg/cryptswap. Upon boot, luks is used along with a few crypttab entries to create /dev/mapper/root and /dev/mapper/swap. Swap will not be unencrypted as part of this guide, as undoing the swap encryption does not require any complex backup or restoration.

The example system is not indicative of all systems. Different filesystems require different tools to effectively backup and restore their data. LVM can be ignored if not used. XFS requires xfs_copy to ensure an effective backup and restore, DD is insufficient. DD may be used with ext2,3,and 4. (Someone please comment on jfs, reiserfs and reiser4fs)

Once Partitions Are Located

Load necessary modules:

modprobe dm-mod #device mapper/lvm
modprobe dm-crypt #luks

Activate lvm volume group:

pvscan #scan for Physical Volumes
vgscan #scan for volume groups
lvscan #scan for logical volumes
lvchange -ay myvg/cryptroot

Open the encrypted filesystem with luks so it can be read:

cryptSetup luksOpen /dev/myvg/cryptroot root

Enter password. Note: The only partition that will be operated on that should be mounted at this point is the backup partition. If a partition other than the backup partition is already mounted, it can be safely umounted it now.

Mounting backup space

Only if using NTFS to store the backup, install ntfs-3g.

The next step is important for backup storage.

# mount -t ntfs-3g -o rw /dev/sda5 /media/Shared

or use netcat to store the backup on a remote system

TODO: add netcat instructions.

Backup Data

Using xfs_copy:

xfs_copy -db /dev/mapper/root /media/Shared/backup_root.img

Note: -d flag preserves uuids and -b ensures direct IO is not attempted to any of the target files.

Using dd:

dd if=/dev/mapper/root of=/media/Shared/backup_root.img

Undo Encryption

Now the crucial moment, the point of no return if you will. Make sure you are ready to do this. If you plan to undo this later, you will have to almost start from scratch. You know how fun that is.

cryptsetup luksClose root
lvm lvremove myvg/cryptroot

Restore Data

We have to create a new logical volume to house our root filesystem, then we restore our filesystem.

lvm lvcreate -l 100%FREE -n root myvg
xfs_copy -db /media/Shared/backup_root.img /dev/myvg/root #notice the second drive name is changed now.

Reconfigure the Operating System

You need to boot into your operating system and edit /etc/crypttab, /etc/mkinitcpio.conf, /etc/fstab, and possibly /boot/grub/menu.lst.