Pre-Check: Switch from full encryption to only home encryption (LUKS2)

Utini · 2023-09-01 13:13:12

Hi everyone,

I currently use LVM on LUKS to encrypt my entire system in one big LUKS container.
Due to performance degradation of LUKS + modern/fast NVME's I thought about switching to an encryption of "/home/" only.
Since my main concern is to protect my private data on my laptop from a thief or in case I loose it, I feel like this level of encryption is more than enough.

I am on a 2TB NVME with 500GB for Windows and 1,5TB for Linux.
Current statistics on Linux are:
663GB free
650GB used
637GB in /home/
13GB for everything else (root, etc, usr, var, opt,..)

That means that 80GB for root, etc, usr, var, opt,... should be more than enough and future safe?
The rest of the available space would go into /home/.

While it is possible to remove the LUKS encryption (Convert LUKS2 to LUKS1 and then "cryptsetup-reencrypt") I am not sure if there is a way to then split up my current /home/ in a new partition?
Basically I have currently one big partition and the data allocation on it is completely mixed which means I can't just "split" the partition and "shrink" one part of it?

How ever, would this work?

Backup entire partition
Split the current partition in two parts (1x 80gb "root-partition" and the remaining space into "home-partition")
ALTERNATIVE: Delete current partition and create two new partitions (1x 80gb "root-partition" and the remaining space into "home-partition")
Encrypt "home-partition"
From the backup, copy everything (except /home/) into the new "root-partition" 
From the backup, copy /home/ into the new "home-partition"
Create fstab accordingly
Boot the laptop just as always

Thanks in advance!

fdisk -l:

Disk /dev/nvme0n1: 1,86 TiB, 2048408248320 bytes, 4000797360 sectors
Disk model: SOLIDIGM SSDPFKKW020X7                  
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: x

Device              Start        End    Sectors   Size Type
/dev/nvme0n1p1       2048     206847     204800   100M EFI System
/dev/nvme0n1p2     206848     239615      32768    16M Microsoft reserved
/dev/nvme0n1p3     239616 1047532172 1047292557 499,4G Microsoft basic data
/dev/nvme0n1p4 1047533568 1048575999    1042432   509M Windows recovery environment
/dev/nvme0n1p5 1048576000 1049599999    1024000   500M Linux extended boot
/dev/nvme0n1p6 1049600000 4000796671 2951196672   1,4T Linux filesystem


Disk /dev/mapper/lvm: 1,37 TiB, 1510995918848 bytes, 2951163904 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/mapper/MyVolume: 1,37 TiB, 1510456950784 bytes, 2950111232 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/zram0: 15,06 GiB, 16173236224 bytes, 3948544 sectors
Units: sectors of 1 * 4096 = 4096 bytes
Sector size (logical/physical): 4096 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes

lsblk --fs:

NAME                FSTYPE      FSVER    LABEL UUID                                   FSAVAIL FSUSE% MOUNTPOINTS
nvme0n1                                                                                              
├─nvme0n1p1         vfat        FAT32          9ED9-B1B2                                70,7M    26% /efi
├─nvme0n1p2                                                                                          
├─nvme0n1p3         ntfs                       x4                        275,2G    45% /run/media/user/F426DD2D26DCF21A
├─nvme0n1p4         ntfs                       x3                                      
├─nvme0n1p5         vfat        FAT32          6A67-15C7                               237,9M    52% /boot
└─nvme0n1p6         crypto_LUKS 2              x2                 
  └─lvm             LVM2_member LVM2 001      x             
    └─Volume
                    ext4        1.0            x5    663,2G    47% /

Last edited by Utini (2023-09-01 13:43:04)

deviantsemicolon618 · 2023-09-01 18:38:59

So, just to clarify, you have arch installed on one encrypted partition, and you want to remove the encryption, split up the two partitions, and re-encrypt the newly created home partition, yes?

Last edited by deviantsemicolon618 (2023-09-01 18:39:22)

Utini · 2023-09-01 20:57:38

deviantsemicolon618 wrote:

So, just to clarify, you have arch installed on one encrypted partition, and you want to remove the encryption, split up the two partitions, and re-encrypt the newly created home partition, yes?

Yep, that sums it up pretty good

frostschutz · 2023-09-01 21:02:27

You can do it but it probably won't help much with performance, that mainly depends on your files in /home anyway.

cloverskull · 2023-09-01 21:04:24

Utini wrote:

Due to performance degradation of LUKS + modern/fast NVME's I thought about switching to an encryption of "/home/" only.

What sort of performance degradation have you noticed? I have both of my laptops root fs on fully encrypted LUKS2 volumes and performance seems reasonable but I haven't tried without, am wondering if I'm missing out...

deviantsemicolon618 · 2023-09-02 03:43:42

Utini wrote:

deviantsemicolon618 wrote:
So, just to clarify, you have arch installed on one encrypted partition, and you want to remove the encryption, split up the two partitions, and re-encrypt the newly created home partition, yes?
Yep, that sums it up pretty good

I'm not really concerned about unencrypting your root partition. That seems relatively straight forward. I'm more concerned about how you plan on splitting the logical volume you have into two logical volumes. I know roughly how to split a regular root partition into two without reinstalling, but idk about a logical volume.

Also, the wiki says a LUKS on LVM set up is slower than LVM on LUKS. I really think you're better off just backing up your data and reinstalling arch with whatever setup you want.

Utini · 2023-09-02 06:39:08

frostschutz wrote:

You can do it but it probably won't help much with performance, that mainly depends on your files in /home anyway.

I would imagine it would help a lot with performance since the whole OS, system, all apps,... are outside of /home/.
The online thing in /home/ are the user specific configuration files, cache, pictures, music, documents,...
Additionally I am running firefox profile + cache from RAM.

But sadly it wouldn't really help when copying or decompressing files since those mostly happen inside /home/.
But by putting only /home/ in the encryption, I am trying to remove as much as possible I/O away from LUKS.

Last edited by Utini (2023-09-02 06:52:01)

Utini · 2023-09-02 06:40:43

cloverskull wrote:

Utini wrote:
Due to performance degradation of LUKS + modern/fast NVME's I thought about switching to an encryption of "/home/" only.
What sort of performance degradation have you noticed? I have both of my laptops root fs on fully encrypted LUKS2 volumes and performance seems reasonable but I haven't tried without, am wondering if I'm missing out...

Several links to read:
https://forums.linuxmint.com/viewtopic.php?t=394181
https://www.reddit.com/r/linux/comments … luks_disk/
https://bbs.archlinux.org/viewtopic.php?id=288252
https://bbs.archlinux.org/viewtopic.php?id=285617

Utini · 2023-09-02 06:46:19

deviantsemicolon618 wrote:

Utini wrote:
deviantsemicolon618 wrote:
So, just to clarify, you have arch installed on one encrypted partition, and you want to remove the encryption, split up the two partitions, and re-encrypt the newly created home partition, yes?
Yep, that sums it up pretty good
I'm not really concerned about unencrypting your root partition. That seems relatively straight forward. I'm more concerned about how you plan on splitting the logical volume you have into two logical volumes. I know roughly how to split a regular root partition into two without reinstalling, but idk about a logical volume.
Also, the wiki says a LUKS on LVM set up is slower than LVM on LUKS. I really think you're better off just backing up your data and reinstalling arch with whatever setup you want.

Regarding "LUKS on LVM setup is slower", are you referring to this overview?
https://wiki.archlinux.org/title/dm-cry … m#Overview
Because that means it is only slower during boot since each LV must be unlocked separately (and I only have one).

Well, can I skip re-installing by simply syncing back /home/ to partition B and everything else to partition A?
e.g.:

Power off laptop
Remove NVME
Add NVME to external housing
Connect external NVME to home server
Decrypt NVME
Sync all file from "/" to my home server 
Delete whole LUKS/LVM block on external NVME
Create two new partitions instead
Encrypt partition B with "LUKS on LVM"
Sync "/home/" from home server to partition B
Sync everything else from "/" (except /home) to partition A
Set up fstap / crypttab to new partitions
Put NVME back into laptop
Boot laptop

Arch Linux

#1 2023-09-01 13:13:12

Pre-Check: Switch from full encryption to only home encryption (LUKS2)

#2 2023-09-01 18:38:59

Re: Pre-Check: Switch from full encryption to only home encryption (LUKS2)

#3 2023-09-01 20:57:38

Re: Pre-Check: Switch from full encryption to only home encryption (LUKS2)

#4 2023-09-01 21:02:27

Re: Pre-Check: Switch from full encryption to only home encryption (LUKS2)

#5 2023-09-01 21:04:24

Re: Pre-Check: Switch from full encryption to only home encryption (LUKS2)

#6 2023-09-02 03:43:42

Re: Pre-Check: Switch from full encryption to only home encryption (LUKS2)

#7 2023-09-02 06:39:08

Re: Pre-Check: Switch from full encryption to only home encryption (LUKS2)

#8 2023-09-02 06:40:43

Re: Pre-Check: Switch from full encryption to only home encryption (LUKS2)

#9 2023-09-02 06:46:19

Re: Pre-Check: Switch from full encryption to only home encryption (LUKS2)

Board footer