Online removal of a LUKS disk encryption

To secure a Linux installation, the installer offers to encrypt the entire disk with LUKS and to put LVM on top of it. In a virtualized environment it may later become necessary to remove this encryption again, for example because the hypervisor's own encryption is to be used instead. How can this be done without reinstalling the whole system and without booting a live Linux?

Starting point is the following disk layout:

root@debian:/# lsblk
NAME                    MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
sda                       8:0    0   25G  0 disk
├─sda1                    8:1    0  903M  0 part  /boot/efi
├─sda2                    8:2    0  904M  0 part  /boot
└─sda3                    8:3    0 23.2G  0 part
  └─sda3_crypt          254:0    0 23.2G  0 crypt
    ├─debian--vg-root   254:1    0  6.9G  0 lvm   /
    ├─debian--vg-var    254:2    0    4G  0 lvm   /var
    ├─debian--vg-swap_1 254:3    0  892M  0 lvm   [SWAP]
    ├─debian--vg-tmp    254:4    0  560M  0 lvm   /tmp
    └─debian--vg-home   254:5    0  7.8G  0 lvm   /home

As the output shows, the whole installation including swap lives in LVM on top of the LUKS mapping sda3_crypt; only /boot and the EFI system partition are unencrypted.

This works online only with LUKS2 (the default of current installers); a LUKS1 device would have to be converted or decrypted offline. Since the partition is rewritten in place, take a snapshot or backup of the VM first. The first step is then to add a new disk to the VM, format and mount it: cryptsetup needs a place outside the disk being decrypted to store the LUKS header, which it exports to a file and keeps using while the data is rewritten.

Then, the encryption can be removed using cryptsetup:

cryptsetup reencrypt <drive> --decrypt --header <mounted disk>/backup.img

For the layout above, with the new disk mounted on /mnt/mydisk, the command is:

cryptsetup reencrypt /dev/sda3 --decrypt --header /mnt/mydisk/backup.img

cryptsetup asks for the LUKS passphrase once and then rewrites the whole partition, which can take a long time depending on its size and the disk speed; the system stays usable in the meantime. The header file must not be removed or unmounted before the command has returned. LUKS2 keeps the progress of a reencryption in its header, so an interrupted run is resumed by issuing the same command again with the same --header file. Afterwards the system needs to be rebooted so that LVM runs directly on sda3 instead of on the old dm-crypt mapping, but only after the boot configuration has been cleaned up.

Before rebooting, remove the leftover references to the encrypted partition and rebuild the initramfs; otherwise the next boot will try to unlock a LUKS device that no longer exists:
In /etc/crypttab, delete the sda3_crypt line, then run update-initramfs -u so that the entry disappears from the initramfs as well.
In /etc/fstab, nothing has to change for the LVM volumes: decrypting the physical volume does not rename the volume group or its logical volumes, so /dev/mapper/debian--vg-root and the other mapper paths remain valid. If the root entry is switched to a UUID anyway, it must be the filesystem UUID of the logical volume, not the UUID that lsblk -f prints for sda3 itself (that is the UUID of the LVM physical volume and does not identify a mountable filesystem):
OLD:

# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/debian--vg-root /               ext4    errors=remount-ro 0       1

NEW:

# <file system> <mount point>   <type>  <options>       <dump>  <pass>
UUID=<filesystem UUID of debian--vg-root> /               ext4    errors=remount-ro 0       1

The filesystem UUID is shown by lsblk -f on the debian--vg-root line, or by blkid -s UUID -o value /dev/mapper/debian--vg-root.

After the reboot, lsblk should list the LVM volumes directly under sda3 with no crypt layer in between, and cryptsetup isLuks /dev/sda3 must now exit non-zero. The data on sda3 is in plaintext from here on; the exported header file backup.img still holds the old key slots but protects nothing any more, so it can be deleted and the temporary disk removed from the VM. That's it - the encryption is fully removed.
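As an added example that is not part of the original post, here is the whole procedure as one script with the checks I would want around it: it refuses anything that is not LUKS2, keeps the detached header on the spare disk, verifies the result and cleans up crypttab plus the initramfs before the reboot. The device names /dev/sda3, /dev/sdb, /mnt/mydisk and the mapping name sda3_crypt are taken from the layout above or assumed; update-initramfs is the Debian tool, adjust for other distributions:

```shell
#!/bin/bash
# Added example, not code from the original post: the decryption procedure
# as a script with sanity checks. Assumed: Debian with initramfs-tools,
# LUKS2 on $dev, a spare disk $tmpdev for the detached header and the mount
# point $mnt (hypothetical values set in main, adjust them). Run as root
# with --run; without it only the helper functions are defined.
set -eu

# Online reencryption, and therefore --decrypt, exists only for LUKS2;
# a LUKS1 device from an older installer cannot be decrypted this way.
check_luks2() {
    local dev=$1
    cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 1; }
    cryptsetup luksDump "$dev" | grep -Eq '^Version:[[:space:]]+2$' \
        || { echo "$dev is not LUKS2; online decryption is not possible" >&2; return 1; }
}

# Format and mount the extra disk that receives the detached header. It must
# be a different disk than the one being decrypted: cryptsetup moves the live
# LUKS header into this file and reads it for the whole run.
prepare_header_disk() {
    local tmpdev=$1 mnt=$2
    mkfs.ext4 -q "$tmpdev"
    mkdir -p "$mnt"
    mount "$tmpdev" "$mnt"
}

# Rewrite the data in place while the system keeps running. Asks for the
# passphrase once; re-running the same command resumes an interrupted run.
decrypt_in_place() {
    local dev=$1 hdr=$2
    cryptsetup reencrypt --decrypt --header "$hdr" "$dev"
}

# The partition must no longer look like LUKS and must carry the LVM
# physical volume directly (blkid -p probes the device, bypassing the cache).
verify_decrypted() {
    local dev=$1
    if cryptsetup isLuks "$dev"; then
        echo "$dev still has a LUKS header, decryption did not finish" >&2
        return 1
    fi
    [ "$(blkid -p -s TYPE -o value "$dev")" = "LVM2_member" ]
}

# Print a crypttab without the entry for one mapping name; comments, blank
# lines and other mappings are kept untouched.
crypttab_without() {
    local name=$1 file=$2
    awk -v name="$name" '$1 != name' "$file"
}

# Drop the mapping from /etc/crypttab and rebuild the initramfs before the
# reboot, so the next boot does not wait for a LUKS device that is gone.
# /etc/fstab is left alone: the VG and LV names, and with them the
# /dev/mapper paths, are unchanged by decrypting the PV underneath them.
cleanup_boot_config() {
    local name=$1
    cp /etc/crypttab /etc/crypttab.bak
    crypttab_without "$name" /etc/crypttab.bak > /etc/crypttab
    update-initramfs -u
}

main() {
    local dev=/dev/sda3 tmpdev=/dev/sdb mnt=/mnt/mydisk name=sda3_crypt
    check_luks2 "$dev"
    prepare_header_disk "$tmpdev" "$mnt"
    decrypt_in_place "$dev" "$mnt/backup.img"
    verify_decrypted "$dev"
    cleanup_boot_config "$name"
    echo "decryption finished; reboot, then check lsblk for a crypt-free $dev"
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

The crypttab is edited from a copy so that a failing awk cannot leave an empty file behind, and the initramfs is rebuilt in the same step, because a crypttab entry that is only removed on disk is still baked into the old initramfs.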