
#1 2022-08-07 04:13:48

shoelesshunter
Member
From: USA
Registered: 2014-05-18
Posts: 289

[solved]shrink a (non-lvm) luks partition

I have a 1.8TB root partition. On it, I had created a luks container and formatted it btrfs. I need to grow my /boot partition, so I would like to shrink this root luks container, then the underlying partition, to make space.

I have reduced the btrfs filesystem, but I can't find a sane way to shrink the luks container, and then the partition itself. All of the documentation on the matter deals only with shrinking lvm on top of luks or shrinking luks according to data collected with lvm tools.

I know it's not as simple as using gparted to resize the partition. I'm pretty sure that would lead to data loss.

Suggestions?

Last edited by shoelesshunter (2022-08-08 01:58:22)

Offline

#2 2022-08-07 04:57:12

mpan
Member
Registered: 2012-08-01
Posts: 1,359
Website

Re: [solved]shrink a (non-lvm) luks partition

You can’t find a sane way to resize a LUKS container, because LUKS doesn’t store that information. dm_crypt blindly encrypts/decrypts sectors it is ordered to process. If you have a 1GB file system on 2GB underlying storage, that file system will never read/write anything above 1GB and so dm_crypt will never touch it.


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#3 2022-08-07 05:23:53

shoelesshunter
Member
From: USA
Registered: 2014-05-18
Posts: 289

Re: [solved]shrink a (non-lvm) luks partition

Does that mean it's safe to shrink the underlying partition or no?

Offline

#4 2022-08-07 06:47:19

frostschutz
Member
Registered: 2013-11-15
Posts: 1,480

Re: [solved]shrink a (non-lvm) luks partition

You have to take the size of the LUKS header into account, so if you resized the filesystem to 1G but your LUKS2 header is 16M, the partition needs to be 1G+16M in size for everything to work out right. Alternatively, shrink the filesystem by another 16M before resizing the partition to 1G.

You can usually see this offset in cryptsetup luksDump.

For LUKS2, 16MiB is the default:

Data segments:
  0: crypt
	offset: 16777216 [bytes]

Alternatively, for LUKS1 it's usually 2MiB (4096 512-byte sectors):

Payload offset:	4096

Offline

#5 2022-08-07 06:49:34

shoelesshunter
Member
From: USA
Registered: 2014-05-18
Posts: 289

Re: [solved]shrink a (non-lvm) luks partition

But what's the command that does the shrinking once I determine the size?

Offline

#6 2022-08-07 06:55:28

frostschutz
Member
Registered: 2013-11-15
Posts: 1,480

Re: [solved]shrink a (non-lvm) luks partition

It's different for each filesystem. LUKS itself doesn't care, it just uses the size of the partition.

For online resize (without unmounting, closing, or rebooting) there is cryptsetup resize. But usually you don't need it.

Offline

#7 2022-08-07 08:28:44

mpan
Member
Registered: 2012-08-01
Posts: 1,359
Website

Re: [solved]shrink a (non-lvm) luks partition

To make it clear, cryptsetup resize is meant to update how currently mounted (active) volumes are seen without remounting them. It doesn’t affect the underlying storage, just the current view of it.

And, again, the LUKS volume itself requires no shrinking, as LUKS doesn’t care. Of the three layers involved — the file system, dm-crypt and the underlying partition — you only shrink the file system and the underlying partition. The file system is shrunk to whatever you need. The partition should be shrunk to not less than LUKS header size + file system size.

The mental image you should get is:

,-----------------------------------------------.
| storage                                       |
|,------------------------------.,-------------.|
|| part1                        || part2       ||
||,-.,-------------------------.||             ||
|||L|| file-system (encrypted) |||    . . .    ||
||`-'`-------------------------'||             ||
|`------------------------------'`-------------'|
`-----------------------------------------------'

dm-crypt, with or without LUKS,⁽¹⁾ is merely acting as a layer that encrypts/decrypts sectors inside the file system. There is no additional, separate structure involved that “contains” the file system. It may perform encryption at an arbitrary place in the device if asked to.

If you need that in more detail, this is an unencrypted volume:

,------------------------------------.
| any device                         |
|   ,-------------------------------.|
|   | some data (maybe file-system) ||
|   `-------------------------------'|
`----^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-'
     | | | | | | | | | | | | | | | |
     | | | | | input/output| | | | |
     | | | | | | | | | | | | | | | |
     V V V V V V V V V V V V V V V V

Let’s add encryption:

,------------------------------------.
| any device                         |
|   ,-------------------------------.|
|   | some data (maybe file-system) ||
|   `-------------------------------'|
`----^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-'
     | | | | | | | | | | | | | | | |
    ,-------------------------------.
    |   dm-crypt with [params]      |
    `-------------------------------'
     | | | | | input/output| | | | |
     | | | | | | | | | | | | | | | |
     V V V V V V V V V V V V V V V V

Let’s add a LUKS header, from which dm-crypt will receive parameters:

,------------------------------------.
| any device                         |
|,-.,-------------------------------.|
||L|| some data (maybe file-system) ||
|`-'`-------------------------------'|
`-|--^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-'
  |  | | | | | | | | | | | | | | | |
  | ,-------------------------------.
  `--[params] -> dm-crypt           |
    `-------------------------------'
     | | | | | input/output| | | | |
     | | | | | | | | | | | | | | | |
     V V V V V V V V V V V V V V V V

____
⁽¹⁾ With LUKS being only a standard of storing information about encryption parameters.

Last edited by mpan (2022-08-08 11:34:27)


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline
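
The sizing rule from posts #4 and #7 (partition no smaller than LUKS header offset + file system size), as an added example that is not part of the thread. The function names are hypothetical, the 1 MiB alignment is an assumption, and the sample dump text is constructed from the excerpts in post #4.

```shell
#!/bin/sh
# Added example: smallest safe partition size for a LUKS volume after the
# file system inside it has been shrunk. Function names are hypothetical.

# Read `cryptsetup luksDump` text on stdin, print the data offset in bytes.
# Fails (non-zero exit) if no offset is found, so a bad parse cannot be
# mistaken for "offset 0".
luks_data_offset_bytes() {
    awk '
        /^Data segments:/ { seg = 1 }
        # LUKS2: byte offset listed under "Data segments:"
        seg && $1 == "offset:" && $3 == "[bytes]" { print $2; found = 1; exit }
        # LUKS1: payload offset counted in 512-byte sectors
        $1 == "Payload" && $2 == "offset:" {
            printf "%.0f\n", $3 * 512; found = 1; exit
        }
        END { if (!found) exit 1 }
    '
}

# min_partition_bytes FS_BYTES OFFSET_BYTES [ALIGN_BYTES]
# Header offset + file system size, rounded UP to the alignment
# (1 MiB assumed here) so rounding never cuts into the file system.
min_partition_bytes() {
    align=${3:-1048576}
    total=$(( $1 + $2 ))
    echo $(( (total + align - 1) / align * align ))
}

# Constructed sample inputs, taken from the luksDump excerpts in post #4.
LUKS2_DUMP='Data segments:
  0: crypt
	offset: 16777216 [bytes]'
LUKS1_DUMP='Payload offset:	4096'

off2=$(printf '%s\n' "$LUKS2_DUMP" | luks_data_offset_bytes)
off1=$(printf '%s\n' "$LUKS1_DUMP" | luks_data_offset_bytes)
echo "LUKS2 data offset: $off2 bytes"
echo "LUKS1 data offset: $off1 bytes"
# A file system shrunk to exactly 1 GiB behind the LUKS2 header:
echo "minimum partition: $(min_partition_bytes 1073741824 "$off2") bytes"
```

On a live system the dump text comes from cryptsetup luksDump run against the partition, and the first argument is the file system's actual size in bytes after shrinking.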
