How to remove LUKS encryption?


Solution 1

  • Backup
  • Reformat
  • Restore

cryptsetup luksRemoveKey would only remove an encryption key if you had more than one. The encryption would still be there.

The Fedora Installation_Guide Section C.5.3 explains how luksRemoveKey works.

That it's "impossible" to remove the encryption while keeping the contents is just an educated guess. I base that on two things:

  • Because the LUKS container has a filesystem or LVM or whatever on top of it, just removing the encryption layer would require knowledge of the meaning of the data stored on top of it, which simply is not available. Also, a requirement would be that overwriting a part of the LUKS volume with its decrypted counterpart would not break the rest of the LUKS content, and I'm not sure if that can be done.
  • Implementing it would solve a problem that is about as far away from the purpose of LUKS as you can get, and I find it very unlikely that someone would take the time to do that instead of something more "meaningful".

Solution 2

Firstly, when removing a passphrase from a LUKS partition, you need to specify the disk partition where it resides, like:

cryptsetup luksRemoveKey /dev/sda2

And when you want the status from a LUKS-encrypted device, you need to refer to the LUKS-name, as you did.

But luksRemoveKey only removes one of the passphrases (and never the last one). If you want to permanently decrypt, you have to use cryptsetup-reencrypt:

cryptsetup-reencrypt --decrypt /dev/sda2

Solution 3

Removing key-slots is like forgetting a password; it has nothing to do with replacing the LUKS device with the filesystem inside of it.

You CAN non-destructively remove the LUKS encryption from a device, without having to backup, reformat and restore. cryptsetup has supported this since version 1.5.0, released in 2012.

After successful decryption of a LUKS device, the filesystem inside becomes available to the OS, and you can mount it directly.

Warning: This is dangerous, backup all your data first.

For LUKS1:

  1. Boot from a USB key
  2. Use
    cryptsetup-reencrypt --decrypt <device_path>

For LUKS2:

  1. Boot from a USB key
  2. Convert all key-slots to use LUKS1 compatible parameters with
    cryptsetup luksChangeKey --pbkdf pbkdf2 <device_path>
  3. Convert the LUKS2 device to a LUKS1 device using
    cryptsetup convert --type luks1 <device_path>
  4. Perform the decryption using
    cryptsetup-reencrypt --decrypt <device_path>

I've tested both of these and they work.


Current versions of cryptsetup claim to support direct decryption of LUKS2 devices. The command is

cryptsetup --reencrypt --decrypt --header HEADER_FILE <device_path>

The --header argument is required, because the command assumes your device uses a detached header. If you do, it works, and can even do the decryption online. If you don't use a detached header (quite common), and you try either to provide a dump of the header or to pass the block device itself as the --header value, cryptsetup will quietly proceed and when it finishes, you'll end up with a LUKS2 device which has no key-slots and your data will be gone.

This is as of version 2.3.3 (2020), it may change in future versions.

My recommendation is to use the safer LUKS2->LUKS1->Decrypt path, which I can confirm does the job.
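As an added example (my own, not code from any of the answers above), here is a small shell wrapper around the LUKS2 -> LUKS1 -> decrypt path from Solution 3. It reads the output of `cryptsetup luksDump`, refuses to act on a device that still has an open mapping or no enabled key slot, and prints the exact command sequence for the LUKS version it finds; nothing is executed unless `DRY_RUN=0` is set. The device path `/dev/sdX2` is a placeholder and the luksDump excerpt embedded in the script is constructed. It goes one step beyond the answer: `luksChangeKey` only rewrites the key slot that matches the passphrase it is given (or the one named with `--key-slot`), and `convert --type luks1` needs every slot on PBKDF2, so for LUKS2 the plan emits one `luksChangeKey` call per enabled slot.

```shell
#!/bin/sh
# Added example, not code from any of the answers above: a guarded wrapper
# around the LUKS2 -> LUKS1 -> decrypt sequence. /dev/sdX2 is a placeholder
# device path and SAMPLE_LUKS2_DUMP is constructed text in luksDump's layout.
# No command touches a device unless DRY_RUN=0 is given explicitly.
set -eu

# Constructed excerpt in the layout `cryptsetup luksDump` uses for LUKS2.
SAMPLE_LUKS2_DUMP='LUKS header information
Version:        2
Epoch:          3
UUID:           00000000-0000-0000-0000-000000000000
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
  1: luks2
        Key:        512 bits
        PBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

# Print the LUKS version found in luksDump output read from stdin.
luks_version() {
    awk -F: '/^Version:/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Print the ids of enabled key slots, one per line. LUKS1 dumps list them as
# "Key Slot N: ENABLED"; LUKS2 dumps list "  N: luks2" under "Keyslots:".
enabled_keyslot_ids() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { sub(/:$/, "", $3); print $3 }
        /^Keyslots:/                { in_ks = 1; next }
        /^[A-Za-z]/                 { in_ks = 0 }
        in_ks && /^  [0-9]+: luks2/ { sub(/:$/, "", $1); print $1 }'
}

# Emit the command sequence for one device. Arguments: version, device path,
# then the enabled key-slot ids. luksChangeKey only rewrites the slot it is
# pointed at, and convert --type luks1 needs every slot on pbkdf2, hence one
# call per slot (each one prompts for that slot's passphrase).
plan_decrypt() {
    local version="$1" dev="$2" slot
    shift 2
    case "$version" in
        1)
            echo "cryptsetup-reencrypt --decrypt $dev" ;;
        2)
            for slot in "$@"; do
                echo "cryptsetup luksChangeKey --key-slot $slot --pbkdf pbkdf2 $dev"
            done
            echo "cryptsetup convert --type luks1 $dev"
            echo "cryptsetup-reencrypt --decrypt $dev" ;;
        *)
            echo "refusing: unknown LUKS version '$version'" >&2
            return 1 ;;
    esac
}

# Preflight checks, then print (or, with DRY_RUN=0, run) the plan.
# With no device argument the constructed sample dump is used.
run() {
    local dev="${1:-}" dump holders version cmd
    if [ -z "$dev" ]; then
        dump="$SAMPLE_LUKS2_DUMP"; dev="/dev/sdX2"
    else
        dump="$(cryptsetup luksDump "$dev")"
        # An open dm mapping appears as a holder of the block device; the
        # offline decryption must not run while one exists.
        holders="/sys/class/block/$(basename "$dev")/holders"
        if [ -d "$holders" ] && [ -n "$(ls -A "$holders")" ]; then
            echo "refusing: $dev is held by $(ls "$holders")" >&2
            return 1
        fi
    fi
    version="$(printf '%s\n' "$dump" | luks_version)"
    # word-splitting intended: one positional parameter per slot id
    set -- $(printf '%s\n' "$dump" | enabled_keyslot_ids)
    [ "$#" -gt 0 ] || { echo "refusing: no enabled key slots" >&2; return 1; }
    echo "LUKS$version on $dev, enabled key slots: $*"
    plan_decrypt "$version" "$dev" "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        [ "${DRY_RUN:-1}" = 1 ] || eval "$cmd" </dev/tty
    done
}

run "${1:-}"
```

Run it with no argument to see the plan for the sample header; `./luks-plan.sh /dev/sdX2` (root) dumps and checks the real device and still only prints, and `DRY_RUN=0` is the single switch that makes it execute the printed lines one at a time, each reading its passphrase from the terminal.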


Updated on September 18, 2022

Comments

  • Question Overflow
    Question Overflow over 1 year

    I tried removing LUKS encryption on my home directory using the following command:

    cryptsetup luksRemoveKey /dev/mapper/luks-3fd5-235-26-2625-2456f-4353fgdgd
    

    But it gives me an error saying:

    Device /dev/mapper/luks-3fd5-235-26-2625-2456f-4353fgdgd is not a valid LUKS device.

    Puzzled, I tried the following:

    cryptsetup status luks-3fd5-235-26-2625-2456f-4353fgdgd
    

    And it says:

    /dev/mapper/luks-3fd5-235-26-2625-2456f-4353fgdgd is active and is in use.
    type: LUKS1
    cipher: ...
    

    It seems the encrypted device is active, but not valid. What could be wrong here?

    • Admin
      Admin over 3 years
      WARNING: the command OP tried will wipe the volume if it is written correctly and there is only one passphrase. See man cryptsetup under luksRemoveKey: the command revokes the password and does not remove encryption.
  • Question Overflow
    Question Overflow over 11 years
    How did you know that? Any references?
  • MattBianco
    MattBianco over 11 years
    Added reference to Fedora Installation Guide and why I believe backup-restore is the only option for going from full-disk-encryption to no-encryption.
  • maxschlepzig
    maxschlepzig about 4 years
    FWIW, for LUKS 2 devices cryptsetup has a reencrypt subcommand.
  • valbuev
    valbuev over 3 years
    This was fantastic. Thank you! I want to add a little. After doing this on a CentOS system (RH probably similar) you must take a few more steps to allow it to boot (assuming it was a boot partition). Boot from an install medium, and rescue the system. chroot into the system at /mnt/sysroot. Remove /etc/crypttab. Edit /etc/default/grub and remove the luks portion. Regenerate the grub config: grub2-mkconfig -o /etc/efi/EFI/centos/grub.cfg. Reinstall grub: yum reinstall grub2-efi (this part was a little tricky without internet access, but there is a package repo on the recovery disk).
  • SwiftD
    SwiftD about 2 years
    This was probably correct when written - other answers are more relevant now.