Removing system encryption

From ArchWiki

This article or section needs language, wiki syntax or style improvements. See Help:Style for reference.

Reason: written in first person, other style issues. (Discuss in Talk:Removing system encryption)

Removing system encryption with dm-crypt and LUKS.

Removing LUKS Encryption in-place

Overview

Although not as safe as backing up your data and restoring it on to a reformatted device, cryptsetup does allow the user to permanently remove the LUKS encryption from a device in-place. For example, if you have an ext4 filesystem living inside a LUKS-encrypted partition, performing in-place decryption will remove the LUKS signature, and place the ext4 filesystem directly on the partition, so that you can mount it directly. Unless something goes wrong, the files in the filesystem will remain intact. The terms used by cryptsetup's documentation for this is "decryption."

See the cryptsetup-reencrypt(8) manual for the --decrypt option.

Support for non-destructive offline decryption of LUKS1 devices has been available starting with cryptsetup version 1.5.0, which was released in 2012. LUKS1 decryption is only supported for offline mode decryption.

For LUKS2 devices, both offline and online (i.e. unmount not required) decryption are supported.

Warning: The procedures which follow are inherently risky and may cause catastrophic data loss. You should always backup your drive and LUKS header before proceeding, to protect your data from accidents during decryption.

Decrypting LUKS1 devices in-place

The decryption of a LUKS1 device is done in offline mode, i.e. it must not opened and mounted. If you want to decrypt the system drive, reboot into a USB live environment. Otherwise, use unmount followed by cryptsetup close dm-name.

To start, identify the device_path using blkid or lsblk.

Next, the following command performs the decryption:

# cryptsetup reencrypt --decrypt device_path
Enter any existing passphrase: 
Finished, time 02m05s,   19 GiB written, speed 162,6 MiB/s

It will automatically identify the LUKS1 header version and not proceed for an opened device. The process might take a while, but give a progress meter. If no problems occur, the filesystem on the device can immediately be mounted directly.

Decrypting LUKS2 devices in-place

Decryption can be done in either offline or online mode, using the cryptsetup command. Since cryptsetup version 2.5.0 (2022) LUKS2 supports decryption by migrating LUKS2 header in a separate file.

The new_file to which the LUKS2 header will be migrated must not exist in the initialization phase of the decryption.

# cryptsetup reencrypt --decrypt --header new_file device_path
Warning: The exported header must be placed outside the filesystem hosted on the device that will be in-place decrypted. Otherwise deadlock can occur or in case the decryption process is interrupted it will not be possible to resume it.

To resume interrupted LUKS2 in-place decryption just issue following command:

# cryptsetup reencrypt --decrypt --resume-only --header migrated_header_file device_path

If the decryption was successfully finished on active device (online decryption), the mapped device will be lazy deactivated so that linear mapping is automatically removed when no longer used. Later the original device_path can be used without device mapper mapping.

Note: Device with interrupted LUKS2 decryption using migrated header to a file can not be resumed with cryptsetup version < 2.5.0

Cleaning up system files

Device names and UUIDs may change due to decryption, and you will likely need to update relevant configuration files. The files most likely to need updating are /etc/crypttab, /etc/fstab and, if your recently decrypted device appeared on the kernel command line, your bootloader's configuration (e.g, /etc/default/grub). If you edit the latter, remember to regenerate the grub configuration as described in GRUB.

Removing LUKS via Backup-Format-Restore

Prerequisites

  • An encrypted root filesystem you wish to decrypt.
  • Enough drive space to store a backup.
  • An Arch Linux (or other) live CD/USB.
  • A few hours.

Boot into a live environment

Download and burn the latest Arch ISO to a CD or USB, reboot the system, and boot to cd.

Activate partitions

This article or section needs language, wiki syntax or style improvements. See Help:Style for reference.

Reason: Hard to read, written like a blog post, misses some prompts. (Discuss in Talk:Removing system encryption)

Note about different setups

An example setup is shown here:

Disk
NTFS myvg(lvm) NTFS
Other OS cryptswap(lv) cryptroot(lv) Shared
luks luks
swap root(xfs)

The grey partition is a frame of reference and can be ignored. The yellow partition will be used as storage space and may be changed at will. The green partitions will be modified. Bold text must match your system's setup.

In the example system: myvg contains lvs called cryptroot and cryptswap. They are located at /dev/myvg/cryptroot and /dev/myvg/cryptswap. Upon boot, LUKS is used along with a few crypttab entries to create /dev/mapper/root and /dev/mapper/swap.

Swap will not be unencrypted as part of this guide, as undoing the swap encryption does not require any complex backup or restoration.

The example system is not indicative of all systems. Different filesystems require different tools to effectively backup and restore their data. LVM can be ignored if not used.

Note: XFS requires xfs_copy to ensure an effective backup and restore, dd is insufficient. dd may be used with ext2, 3 and 4.

This article or section needs expansion.

Reason: What of jfs? (Discuss in Talk:Removing system encryption)

Once partitions are located

Load necessary modules. For device mapper/LVM:

# modprobe dm-mod 

For LUKS:

# modprobe dm-crypt

Scan for physical, volume and logical volumes:

# pvscan; vgscan; lvscan

Activate the LVM volume group:

# lvchange -ay myvg/cryptroot

Open the encrypted filesystem with LUKS so that it can be read:

# cryptsetup luksOpen /dev/myvg/cryptroot root

Enter password.

Note: The only partition that will be operated on that should be mounted at this point is the backup partition. If a partition other than the backup partition is already mounted, it can be safely umounted it now.
Mounting backup space

Only if using NTFS to store the backup, install ntfs-3g.

The next step is important for backup storage.

# mount -t ntfs-3g -o rw /dev/sdXY /mount/point/

or use netcat to store the backup on a remote system.

This article or section needs expansion.

Reason: Add netcat instructions. (Discuss in Talk:Removing system encryption)

Backup data

Using xfs_copy:

# xfs_copy -db /dev/mapper/root /mount/point/backup_root.img
Note: The -d flag preserves UUIDs and -b ensures direct IO is not attempted to any of the target files.

Using dd:

# dd if=/dev/mapper/root of=/mount/point/backup_root.img

Undo encryption

This is the point of no return. Make sure that you are ready for this step. If you plan to undo this later, you will have to start almost from scratch.

# cryptsetup luksClose root
# lvm lvremove myvg/cryptroot

Restore data

We have to create a new logical volume to house our root filesystem, then we restore our filesystem.

# lvm lvcreate -l 100%FREE -n root myvg
# xfs_copy -db /mount/point/backup_root.img /dev/myvg/root

The second drive name is changed now.

Adjust configurations

You need to boot into your system and edit /etc/crypttab, /etc/mkinitcpio.conf, /etc/fstab, and possibly /boot/grub/menu.lst.