How can I shrink a LUKS partition, what does `cryptsetup resize` do?

partition encryption ext4 luks cryptsetup

37,281

Solution 1

After backing up (step 1) and unmounting (between 2 and 3), run fsck to ensure that the filesystem is healthy:

e2fsck -f /dev/mapper/ExistingExt4

Other than that, the steps are OK.

Purpose of the `cryptsetup resize` command

what should I choose for $SECTORS? Is this step even necessary?

This step is necessary, otherwise the partition would still show up at the old side. This is confirmed with Nautilus, even after resizing with resize2fs, the LUKS partition showed up as the old size. After running cryptsetup resize, the correct number is shown. This step is not necessary. It only affects the current size status as shown in the file browser. After changing the size and closing/opening the partition again, the number is restored. So, when closing the LUKS partition as shown later will make this obsolete.

$SECTORS can be determined by looking at the output of cryptsetup status ExistingExt4:

    /dev/mapper/ExistingExt4 is active.
      type:    LUKS1
      cipher:  aes-cbc-essiv:sha256
      keysize: 256 bits
      device:  /dev/sda2
      sector size:  512
      offset:  2056 sectors
      size:    156049348 sectors
      mode:    read/write

(As of cryptsetup 2.0.0 (December 2017), the sector size may be larger than 512 bytes: see the cryptsetup(8) manpage and the --sector-size option.)

Thus, to subtract 15 GiB, use a sector size of 156049348 - 15 * 1024 * 1024 * 2 = 124592068:

cryptsetup resize ExistingExt4 -b 124592068

Resizing the partition with `parted`

As for resizing the partition, parted works fine with GPT partitions. The resize command does not work however, as a workaround (or solution), remove the partition information and create a new partition as inspired by http://ubuntuforums.org/showthread.php?p=8721017#post8721017:

# cryptsetup luksClose ExistingExt4
# parted /dev/sda2
GNU Parted 2.3
Using /dev/sda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) unit s
(parted) p
Model: ATA INTEL SSDSA2CW08 (scsi)
Disk /dev/sda: 156301488s
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number  Start    End         Size        File system  Name    Flags
 1      34s      2082s       2049s                    Boot    bios_grub
 3      2083s    250034s     247952s     ext2         RootBoot
 2      250035s  156301438s  156051404s               Everything

As 15 GiB has to be shaved off, the new end becomes 156301438 - 15 * 1024 * 1024 * 2 = 124844158. Since I want to change partition 2, I first have to remove it and then recreate it with the label "Everything" (this could be changed if you like). Note: this disk has a GPT layout. For MBR, you should replace Everything by primary or extended (untested, resizing a partition on MBR has not been tested and is not recommended because it is untested).

WARNING: the following commands has destroyed data. Do not copy it without understanding what is happening. The sector dimensions must be changed, otherwise you WILL destroy your partition(s). I am in no way responsible for your stupidness, BACKUP BACKUP BACKUP your data to a second storage medium before risking your data.

(parted) rm 2
(parted) mkpart Everything 250035s 124844158s
Warning: The resulting partition is not properly aligned for best performance.
Ignore/Cancel? ignore
(parted) p
Model: ATA INTEL SSDSA2CW08 (scsi)
Disk /dev/sda: 156301488s
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number  Start    End         Size        File system  Name    Flags
 1      34s      2082s       2049s                    Boot    bios_grub
 3      2083s    250034s     247952s     ext2         RootBoot
 2      250035s  124844158s  124594124s               Everything
(parted) quit

In the above parted example, my sectors are not aligned which is a mistake from an earlier installation, do not pay too much attention to it.

That is it! You can use cryptsetup status and file -Ls /dev/... to verify that everything is OK and then reboot.

Solution 2

Note that KDE Partition Manager 2.2.0 can do those steps and resizing LUKS partitions works nicely.

37,281

Lekensteyn

Arch Linux user, open-source enthusiast, programmer, Wireshark developer, TRU/e Security master student at TU/e. Interests: network protocols, Linux kernel, server administration, Android, breaking & fixing stuff.

Updated on September 18, 2022

Comments

Lekensteyn over 1 year
I am in progress of resizing a LUKS encrypted partition that contains a single ext4 filesystem (no LVM or something). The cryptsetup FAQ recommends to remove the old partition and recreate it, but that sounds like wasting a lot time. Therefore I want to proceeed by manually, carefully resizing the partition.

So far, I think that I need to do:
1. Create an (encrypted) backup of the filesystem. Important! You won't be the first to lose your data while performing the following tasks.
2. Unmount the existing ext4 filesystem (e.g. by booting into a Live CD). If booting from a Live CD, mount the encrypted partition using cryptsetup luksOpen /dev/sdXY ExistingExt4
3. Resize the existing ext4 filesystem.
4. cryptsetup resize /dev/mapper/ExistingExt4 -b $SECTORS
5. Close/ "unmount" the LUKS partition using cryptsetup luksClose ExistingExt4
6. Shrink the partition size.
Are the above steps correct?

In step 4, what should I choose for $SECTORS? Is this step even necessary? The cryptsetup manual page is not really descriptive on the resize option:
```
resize <name>
    resizes an active mapping <name>.
    If --size (in sectors) is not specified, the size of the underlying
    block device is used.
```
Finally, if I shrink the ext4 partition by 15 GiB, can I safely assume that 15 GiB can be removed from the existing partition using parted? If yes, how to do so? My disk is GPT partitioned, if that matters.
- Dago about 10 years
  
  I've always wondered about the resize option on cryptsetup as well. Even the cryptsetup FAQ says: "2.15 Can I resize a dm-crypt or LUKS partition? Yes, you can, as neither dm-crypt nor LUKS stores partition size." So why does it have a resize option if it has nothing to do with partition size...
Jake over 10 years

I strongly advise against using this solution without full backup, as it is highly likely to go wrong. But if you have a full backup, creating a new partition is a lot easier.
Lekensteyn over 10 years

Let me guess, a human did this? Anyway I have now clearly emphasized that a backup should be performed before playing with this. I thought it was obvious that a backup has to be performed before doing such this manually... even then how could someone mess this up given the clear instructions and ways to verify?
Lekensteyn over 10 years

Do you also have a source for the failure you mentioned? Everyone can make a claim that the provided information is incorrect, but I would like to verify it. It may be helpful for other users in the future...
Philipp Wendler over 10 years

Arno was talking of this post on the mailing list: saout.de/pipermail/dm-crypt/2013-September/003521.html
Rob W over 6 years

Instead of rm 2 and mkpart [part-type] [start] [end], one can also use resizepart 2 [end] to resize a partition without changing the name or start offset.
Lekensteyn over 6 years

@RobW There was an older version where that command did not exist or had a bug with interpreting relative values. If it works for you now, great!
sjy over 3 years

KDE Partition Manager 4 also supports resizing LUKS2 volumes. This is not supported by GParted, as of late 2020.
Admin almost 2 years

With gparted I always had trouble, KDE app worked fine.