How to remove LUKS encryption?
Solution 1
- Backup
- Reformat
- Restore
cryptsetup luksRemoveKey
would only remove an encryption key if you had more than one. The encryption would still be there.
The Fedora Installation_Guide Section C.5.3 explains how luksRemoveKey
works.
That it's "impossible" to remove the encryption while keeping the contents is just an educated guess. I base that on two things:
- Because the LUKS container has a filesystem or LVM or whatever on top of it, just removing the encryption layer would require knowledge of the meaning of the data stored on top of it, which simply is not available. Also, a requirement would be that overwriting a part of the LUKS volume with its decrypted counterpart, would not break the rest of the LUKS content, and I'm not sure if that can be done.
- Implementing it would solve a problem that is about as far away from the purpose of LUKS as you can get, and I find it very unlikely that someone would take the time to do that instead of something more "meaningful".
Solution 2
Firstly, when removing a passphrase from a LUKS partition, you need to specify the disk partition where it resides, like:
cryptsetup luksRemoveKey /dev/sda2
And when you want the status from a LUKS-encrypted device, you need to refer to the LUKS-name, as you did.
But luksRemoveKey only removes one of the passphrases (and never the last one). If you want to permanently decrypt, you have to use cryptsetup-reencrypt:
cryptsetup-reencrypt --decrypt /dev/sda2
Solution 3
Removing key-slots is like forgetting a password, it has nothing to do with moving the replacing the LUKS device by the filesytem inside of it.
You CAN non-destructively remove the LUKS encryption from a device, without having to backup, reformat and restore. cryptsetup
has supported this since version 1.5.0, released in 2012.
After succesful decryption of a LUKS device, the filesystem inside becomes available to the OS, and you can mount it directly.
Warning: This is dangerous, backup all your data first.
For LUKS1:
- Boot from a USB key
- Use
cryptsetup-reencrypt --decrypt <device_path>
For LUKS2:
- Boot from a USB key
- Convert all key-slots to use LUKS1 compatible parameters with
cryptsetup luksChangeKey --pbkdf pbkdf2 <device_path>
- Convert the LUKS2 device to a LUKS1 device using
cryptsetup convert --type luks1 <device_path>
- Perform the decryption using
cryptsetup-reencrypt --decrypt <device_path>
I've tested both of these and they work.
Current versions of cryptsetup
claim to support direct decryption of LUKS2
devices. The command is
cryptsetup --reencrypt --decrypt --header HEADER_FILE <device_path>
The --header
argument is required, because the commands assumes your device uses a detached header. If you do, it works, and can even do the decryption online. If you don't use a detached header (quite common), and you try to either provide a dump of the header, or passing the block device itself as the --header
value, cryptsetup
will quietly proceed and when it finishes, you'll end up with a LUKS2 device which has no key-slots and your data will be gone.
This is as of version 2.3.3 (2020), it may change in future versions.
My recommendation is to use the safer LUKS2->LUKS1->Decrypt path, which I can confirm does the job.
Related videos on Youtube
Question Overflow
I don't have any formal education on programming. I guess it is the passion that gets me started and keeps me going. Thanks everybody for sharing your knowledge. Don't worry, I am no critic. I see no wrong answer, only good and not so good answers. All are welcome to learn and to share.
Updated on September 18, 2022Comments
-
Question Overflow over 1 year
I tried removing LUKS encryption on my home directory using the following command:
cryptsetup luksRemoveKey /dev/mapper/luks-3fd5-235-26-2625-2456f-4353fgdgd
But it gives me an error saying:
Device /dev/mapper/luks-3fd5-235-26-2625-2456f-4353fgdgd is not a valid LUKS device.
Puzzled, I tried the following:
cryptsetup status luks-3fd5-235-26-2625-2456f-4353fgdgd
And it says:
/dev/mapper/luks-3fd5-235-26-2625-2456f-4353fgdgd is active and is in use. type: LUKS1 cipher: ...
It seems the encrypted device is active, but not valid. What could be wrong here?
-
Admin over 3 yearsWARNING the command op tried will wipe the volume if it its written correctly and there is only one passphrase. see
man cryptsetup
underluksRemoveKey
the command revokes the password, at does not remove encryption.
-
-
Question Overflow over 11 yearsHow did you know that? Any references?
-
MattBianco over 11 yearsAdded reference to Fedora Installation Guide and why I believe backup-restore is the only option for going from full-disk-encryption to no-encryption.
-
maxschlepzig about 4 yearsFWIW, for LUKS 2 devices
cryptsetup
has a reencrypt subcommand. -
valbuev over 3 yearsThis was fantastic. Thank you! I want to add a little. After doing this on a CentOS system (RH probably similiar) you must take a few more steps to allow it to boot (assuming it was a boot partition). Boot from a Install Media, and Rescue the system. chroot in the system /mnt/sysroot. remove /etc/crypttab. Edit /etc/default/grub and remove the luks portion. Regenerate the grub config: grub2-mkconfig -o /etc/efi/EFI/centos/grub.cfg Reinstall grub. yum reinstall grub2-efi (This part was a little tricky, without internet access, but there is a package repo on the recovery disk)
-
SwiftD about 2 yearsthis was probably correct when written - other answers more relevant now