(i) Please refer to EncryptedFilesystems for further documentation.

Introduction

Encryption seems to becoming more popular and the Alternate CD allows installation onto a LUKS encrypted root and swap partitions.

Resizing an encrypted partition is somewhat complicated. GUI tools such as Gparted see the LUKS container or crypt as unpartitioned space and thus resizing encrypted partitions must be performed entirely from the command line.

IconsPage/warning.png WARNING! Although unlikely (each step is reversible), resizing your encrypted partitions may result in data loss. BACKUP YOUR DATA FIRST

It may in fact be easier to re-install and restore your data from backup rather then attempt to resize your encrypted partition.

Terminology

Encrypted partitions are akin to a Russian Nesting Dolls and the terminology can be confusing. While a detailed explanation of either LVM or encryption is beyond this how to, think of an encrypted system we have multiple containers, the physical partition on the hard drive, the LUKS container or crypt, LVM, and the file system. We need to resize each of these containers in the proper order.

  • Physical partition -> This is a partition on your hard drive to contain the LUKS crypt (The Alternate CD defaults to /dev/sda5 for encryption).

  • Crypt or LUKS container. LUKS = Linux Unified Key Setup. LUKS creates a crypt within the physical partition. The contents of the crypt are, of course, encrypted. The crypt is mapped to /dev/mapper/crypt1 and LVM is utilized to create partitions within the crypt.

  • LVM or Logical Volume Management. LVM takes physical partitions (AKA Physical Volumes) and creates Logical Volumes, somewhat similar to a logical partition within an extended partition.

    • Physical Volume. The (LVM) Physical Volume used for encryption is the LUKS crypt, which is mapped to /dev/mapper/crypt1.

    • Logical Volume. The (LVM) Physical Volume is divided into (LVM) Logical Volumes which are in turn used for / (root partition) and swap. Similar to logical partitions, these are contained within the (LVM) physical volume within (LUKS) crypt within the physical partition (Hard Drive).

  • File System. The actual file system (ext3 / swap) written onto the (LVM) logical volumes.

Setup ~ Desktop (Live) CD, Adding the tools to manage encrypted partitions

Resizing an encrypted partition must be performed from a live CD and support for encryption and LVM are not included on the live CD.

1. Boot the live (Desktop) CD and install lvm2 and cryptsetup.

sudo apt-get update && sudo apt-get install lvm2 cryptsetup

2. Load the cryptsetup module.

sudo modprobe dm-crypt

3. Decrypt your file system.

sudo cryptsetup luksOpen /dev/sda5 crypt1

4. Get the live CD to recognize (activate) your LVM.

sudo vgscan --mknodes
sudo vgchange -ay

You can now manage your encrypted partitions, mount them, copy them, or perform maintenance (fsck, backup, resize).

Resizing ~ Overview

The order of the steps depends on if you are shrinking or enlarging your encrypted partition. Enlarging is somewhat easier as the defaults of many of the commands is to fill the available space.

Enlarge an encrypted partition

  1. Boot the desktop, live CD. Use gparted (or any tool) to put unallocated space adjacent, and to the left of your Crypt partition.
  2. Enlarge the Partition storing the crypt with fdisk.

  3. Reboot ~ You should always reboot after changing your partition table with fdisk.

  4. Boot the desktop, live CD. Install & configure the tools (lvm2 and cryptsetup).

  5. Enlarge the Crypt with cryptsetup.

  6. Enlarge the (LVM) Physical Volume with pvresize.

  7. Enlarge the (root) (LVM) Logical Volume with lvresize.

  8. Enlarge the (root) file system with resize2fs.

  9. Reboot to your encrypted hard drive.

Reduce an encrypted partition

  1. Boot the desktop, live CD. Install & configure the tools (lvm2 and cryptsetup).

  2. Reduce the (root) file system with resize2fs.

  3. Reduce the (root) (LVM) Logical Volume with lvreduce.

  4. Reduce the (LVM) Physical Volume with pvresize.

  5. Reduce the Crypt with cryptsetup.

  6. Reboot to reduce the Partition storing the crypt with fdisk.

  7. Reboot to your encrypted hard drive ~ You should always reboot after changing your partition table with fdisk.

Detailed resizing ~ Reducing an encrypted partition

1. Reduce the size of your file system.

If you have an ext2 or ext3 filesystem, you can use resize2fs and you need to check the file system before you can resize it.

sudo e2fsck -f /dev/mapper/hardy-root
sudo resize2fs -p /dev/mapper/hardy-root 5g
  • Replace the "5g" with your intended size (in Gb) of your filesystem.
  • The -p flag shows a progress hash.

Check that the file system is still intact with e2fsck.

sudo e2fsck -f /dev/mapper/hardy-root

If you have a btrfs filesystem, you should instead use a command like:

btrfs filesystem resize -500m /dev/mapper/hardy-root/@subvolume
  • You can use a variety of commands to reduce the size. The example above reduces it by 500MB, but it can be increased in a similar way or can be set to a specific size.

You can verify that the shrink worked by running:

btrfs filesystem show -d
  • -d will show information for all devices.

2. Reduce the size of your root (LVM) Logical Volume. The -L flag is how much you want to reduce the size of your (LVM) Logical Volume, so keep this in mind.

Display your (LVM) Logical Volumes with lvdisplay.

sudo lvdisplay
  • Note how much you need to reduce your root (LVM) Logical Volume by (in my case it was 4.3 Gb).

sudo lvreduce -L -4.3G /dev/hardy/root
  • Note: You will need to change the "-4.3G" to the proper size to reduce your (LVM) Logical Volume to your desired size.

Re-display your (LVM) Logical Volumes to check the final size is correct.

sudo lvdisplay

3. Resize your (LVM) Physical Volume.

IconsPage/info.png The physical volume used by LVM can become "fragmented" in that the (LVM) Logical Volumes within the (LVM) Physical Volume are not always in order. There is no defragmentation tool, so if you may need to manually move the logical partitions (back up the data, delete the (LVM) Logical Volume, re-create a replacement (LVM) Logical Volume, restore data from backup).

In order to resize the (LVM) Physical Volume I had to manually move (delete then recreate) the swap (LVM) Logical Volume.

Show the size of your physical volume with pvdisplay

pvdisplay

Remove the swap (LVM) Logical Volume

lvremove /dev/hardy/swap_1

Resize the (LVM) Physical Volume.

sudo pvresize --setphysicalvolumesize 5.6G /dev/mapper/crypt1

Now we will restore (recreate) the swap (LVM) Logical volume.

Set permissions of (LVM) Physical Volume to allow allocation (if needed)

sudo pvchange -x y /dev/mapper/crypt1

Restore the swap (LVM) Logical Volume.

sudo lvcreate -L 512m -n swap_1 hardy
sudo mkswap -L swap_1 /dev/hardy/swap_1
  • As the mkswap command finishes it will print the new uuid to the terminal.

Update fstab with new uuid (use any editor)

  • Mount the root (LVM) Logical Volume.
     sudo mount /dev/hardy/root /mnt
    Edit /etc/fstab
     gksu gedit /mnt//etc/fstab
    Copy-paste the new uuid from the terminal to fstab, updating the uuid for your swap partition. Save and exit gedit Unmount the root (LVM) Logical Volume
     sudo umount /mnt
    Re-lock the (LVM) Physical Volume after adding the (LVM) Logical Volume swap (locking the (LVM) Physical Volume keeps it from changing).
     sudo pvchange -x n /dev/mapper/crypt1

4. Resize your crypt.

Show the size of your crypt with cryptsetup.

sudo cryptsetup status crypt1
  • This shows the size of your crypt in sectors.

    Make note of the offset

    offset: 2056 sectors

Resize with cryptsetup. Note: nowadays the cryptsetup does not accept the -o parameter.

sudo cryptsetup -o 2056 -b 11800000 resize crypt1
  • -o = offset (get this from the status command) -b = size in sectors.

    IconsPage/tip.png I had to do this by trial and error. After resizing I used Gparted to show the size of the crypt (System -> Administration -> Partition Editor ; select /dev/mapper/crypt1 from the pull down menu). Close gparted after confirming the new size of your crypt.

5. Resize your partitions with fdisk.

Unmount your LVM and crypt :

sudo vgchange -an
sudo cryptsetup luksClose crypt1
  • IconsPage/warning.png cryptsetup luksClose throws error: ioctl, busy device (a bug?). So you have to reboot before using fdisk!

Now the scary part, use fdisk to manually resize your partitions.

  • IconsPage/warning.png If you are unfamiliar with fdisk, I advise you read this link. How to partition with fdisk

    IconsPage/tip.png Note : fdisk does NOT overwrite data, so if you make a mistake you should be able to "undo" the changes.

List your partition information with fdisk.

sudo fdisk -l
  • IconsPage/warning.png WRITE THIS INFORMATION DOWN (or print it out).

Re-write your partition table. To do this, use fdisk to DELETE your partitions and RECREATE them, but in a smaller size.

sudo fdisk /dev/sda

This was my fdisk session :

  •  The number of cylinders for this disk is set to 1305.
     There is nothing wrong with that, but this is larger than 1024,
     and could in certain setups cause problems with:
     1) software that runs at boot time (e.g., old versions of LILO)
     2) booting and partitioning software from other OSs
     (e.g., DOS FDISK, OS/2 FDISK)
     
     Command (m for help): d
     Partition number (1-5): 5
     
     Command (m for help): d
     Partition number (1-5): 2
     
     Command (m for help): n
     Command action
     e extended
     p primary partition (1-4)
     e
     Partition number (1-4): 2
     First cylinder (32-1305, default 32):
     Using default value 32
     Last cylinder or +size or +sizeM or +sizeK (32-1305, default 1305): +6000M
     
     Command (m for help): n
     Command action
     l logical (5 or over)
     p primary partition (1-4)
     l
     First cylinder (32-761, default 32):
     Using default value 32
     Last cylinder or +size or +sizeM or +sizeK (32-761, default 761):
     Using default value 761
     
     Command (m for help): n
     Command action
     l logical (5 or over)
     p primary partition (1-4)
     p
     Partition number (1-4): 3
     First cylinder (762-1305, default 762):
     Using default value 762
     Last cylinder or +size or +sizeM or +sizeK (762-1305, default 1305):
     Using default value 1305
     
     Command (m for help): p
     
     Disk /dev/sda: 10.7 GB, 10737418240 bytes
     255 heads, 63 sectors/track, 1305 cylinders
     Units = cylinders of 16065 * 512 = 8225280 bytes
     Disk identifier: 0x000a6bf9
     
     Device Boot Start End Blocks Id System
     /dev/sda1 * 1 31 248976 83 Linux
     /dev/sda2 32 761 5863725 5 Extended
     /dev/sda3 762 1305 4369680 83 Linux
     /dev/sda5 32 761 5863693+ 83 Linux
     
     Command (m for help): w
     The partition table has been altered!
     
     Calling ioctl() to re-read partition table.
     Syncing disks.

    IconsPage/tip.png Note : go to fdisk expert mode by commanding x to move ('b') the sda5 to start at it's original sector (eg. 501760).

Cancel the "Authentication" dialog that appears (the live CD is trying to auto-mount your new partition).

The LVM partition's system id should also be changed to "Linux LVM":

  •   Command (m for help): t
      Partition number (1-5): 5
      Hex code (type L to list codes): 8e
      Command (m for help): w

Failure to do this may cause the beginning sector of the logical partition not to line up with where it used to be, and the LVM will be unreadable!

6. <Say prayer here> http://ubuntuforums.org/images/smilies/eusa_pray.gif

Reboot to your hard drive, enter your crypt password.

If all went well your system should boot normally.

Detailed resizing ~ Enlarging an encrypted partition

This section will be shorter, it is basically the reverse of the above. Enlarging is easier as the defaults resize the containers to the largest available space.

1. Boot a live CD and, using any tool, using any tool create a new partition, lets call it /dev/sda6 , next to and to the left of (after) your crypt.

2. Write random data to the new partition with dd.

  • Make sure you have the correct partition for this command or you will overwrite your crypt.

sudo dd if=/dev/urandom of=/dev/sda6
  • IconsPage/tip.png You can run that command as many times as your paranoia requires.

3. Use fdisk as above to delete and then re-create a larger crypt partition.

4. Reboot to the live CD.

5. Install lvm2 and cryptsetup

sudo apt-get update && sudo apt-get install lvm2 cryptsetup

6. Load the cryptsetup module.

sudo modprobe dm-crypt

7. Decrypt your file system.

sudo cryptsetup luksOpen /dev/sda5 crypt1

8. Get the live CD to recognize (activate) your LVM.

sudo vgscan --mknodes
sudo vgchange -ay

9. Resize the Crypt.

sudo cryptsetup resize crypt1

10. Resize the (LVM) Physical Volume.

sudo pvresize /dev/mapper/crypt1

11. Resize your root (LVM) Logical Volume.

  • Unlock the (LVM) Physical Volume.
     sudo pvchange -x y /dev/mapper/crypt1
    Resize the (LVM) Physical Volume.
     lvresize -L +4G /dev/hardy/root
    • Note: Change the +4G to the amount of space you are adding, or +100%FREE to use all of the available space.

    Re-lock the physical volume.
     sudo pvchange -x n /dev/mapper/crypt1

12. Resize the filesystem.

sudo e2fsck -f /dev/mapper/hardy-root
sudo resize2fs -p /dev/mapper/hardy-root
  • IconsPage/tip.png You can check the size of the file system by mounting it before and after resizing the file system and running df -h . DO NOT RESIZE A MOUNTED PARTITION

    • Before :
        Filesystem Size        Used Avail Use% Mounted on
        /dev/mapper/hardy-root 5.0G 2.1G 2.7G 45% /mnt
      After :
        Filesystem Size        Used Avail Use% Mounted on
        /dev/mapper/hardy-root 9.2G 2.1G 6.6G 24% /mnt

13. <Say prayer here> http://ubuntuforums.org/images/smilies/eusa_pray.gif

Reboot to your hard drive, enter your crypt password.

If all went well your system should boot normally.

Note : With most of those commands the default was to resize by expanding to take up the available space. This is why expanding is easier then reducing.

Alternatives for different situations (LVM, jfs)

Some different steps are needed with different filesystems, LVM etc. Sometimes there's no need to reboot or even umount.

For example, I just enlarged an encrypted jfs volume under LVM like this (logical volume /dev/vg00/extra encrypted as extra_crypt and mounted on /extra):

lvextend -L820G /dev/vg00/extra
cryptsetup resize extra_crypt
mount -o remount,resize /extra/

That's all - no fsck's, umounts or reboots needed.

For ext3/ext4 filesystem it should work similarly, just use resize2fs instead of the remount.

References

LUKS wiki page :

Manage encrypted partitions from a live CD :

man resize2fs :

LVM :

fdisk :

Note : The first (and only comment at the time of this post) on this blog reads

How to get the data back ?

BACK UP before your Resize.


ResizeEncryptedPartitions (last edited 2014-04-29 18:01:31 by mlissner-michaeljaylissner)