What does `cryptsetup resize` do if LUKS doesn't store partition size?

luks dm-crypt cryptsetup volume device-mapper
9,199

It's about online resize.

For example if you use LVM, create a LV of 1G size, and put LUKS on that, it's like this:

# lvcreate -L1G -n test VG
# cryptsetup luksFormat /dev/mapper/VG-test
# cryptsetup luksOpen /dev/mapper/VG-test lukstest
# blockdev --getsize64 /dev/mapper/VG-test
1073741824
# blockdev --getsize64 /dev/mapper/lukstest
1071644672

So the LUKS device is about the same size as the VG-test device (1G minus 2MiB used by the LUKS header).

Now what happens when you make the LV larger?

# lvresize -L+1G /dev/mapper/VG-test
  Size of logical volume VG/test changed from 1.00 GiB (16 extents) to 2.00 GiB (32 extents).
  Logical volume test successfully resized.
# blockdev --getsize64 /dev/mapper/VG-test
2147483648
# blockdev --getsize64 /dev/mapper/lukstest
1071644672

The LV is 2G large now, but the LUKS device is still stuck at 1G, as that was the size it was originally opened with.

Once you luksClose and luksOpen, it would also be 2G — because LUKS does not store a size, it defaults to the device size at the time you open it. So close and open (or simply rebooting) would update the crypt mapping to the new device size. However, since you can only close a container after umounting/stopping everything inside of it, this is basically an offline resize.

But maybe you have a mounted filesystem on the LUKS, it's in use, and you don't want to umount it for the resize, and that's where cryptsetup resize comes in as an online resize operation.

# cryptsetup resize /dev/mapper/lukstest
# blockdev --getsize64 /dev/mapper/lukstest
2145386496

cryptsetup resize updates the active crypt mapping to the new device size, no umount required, and then you can follow it up with resize2fs or whatever to also grow the mounted filesystem itself online.

If you don't mind rebooting or remounting, you'll never need cryptsetup resize as it happens automatically offline. But if you want to do it online, that's the only way.

When shrinking (cryptsetup resize --size x), the resize is temporary. LUKS does not store device size, so next time you luksOpen, it will simply use the device size again. So shrinking sticks only if the backing device was also shrunk accordingly.

For a successful shrink you have to work backwards... growing is grow partition first, then LUKS, then filesystem... shrinking is shrink filesystem first, and partition last.

If the resize doesn't work, it's most likely due to the backing device not being resized, for example the kernel may refuse changes to the partition table while the drive is in use. Check with blockdev that all device layers have the sizes you expect them to have.

Share:
9,199

Related videos on Youtube

Tom Hale
Author by

Tom Hale

Updated on September 18, 2022

Comments

  • Tom Hale
    Tom Hale almost 2 years

    The LUKS / dm-crypt / cryptsetup FAQ page says:

    2.15 Can I resize a dm-crypt or LUKS partition?

    Yes, you can, as neither dm-crypt nor LUKS stores partition size.

    I'm befuzzled:

    1. What is "resized" if no size information is stored?

    2. How does a "resize" get remembered across open / closes of a encrypted volume?

    • the_velour_fog
      the_velour_fog over 7 years
      I don't think cryptsetup or LUKS affect the partition table. On a LUKS encrypted container, the disk partitioning is still performed by a tool like parted and stored in the partition table. I think the LUKS system is applied as a file format, i.e. you would partition the disk, then after that operation - which defines the partition size, then you would apply the LUKS file format, instead of say, ext4. So in short "resizing" just would not be applicable to LUKS. i.e. you wouldn't say Can I resize ext4?
    • cylgalad
      cylgalad over 7 years
      man cryptsetup : "resize <name> Resizes an active mapping <name>. If --size (in sectors) is not specified, the size of the underlying block device is used. Note that this does not change the device geometry, it just changes how many sectors of the device are represented in the mapped device."
    • Tom Hale
      Tom Hale over 7 years
      @the_velour_fog resize2fs resizes an ext2/3/4 BLOB as these have a concept of the a last block, see tune2fs -l.
    • Tom Hale
      Tom Hale over 7 years
      @cylgalad So how does one remember that "resize" across mounts? I couldn't see a mount option for this.
    • Tom Hale
      Tom Hale over 7 years
      I got my eyes checked: the open action has a --size argument.
  • frostschutz
    frostschutz over 6 years
    @markling I thought it was clear enough, but here you go.
  • markling
    markling over 5 years
    Yeah, it's a brilliant answer. I didn't know what I was talking about. I do now, however - now that I have read it again. Ah, I see - you edited it. Well I'm certainly wiser for it now. Thank you.
  • Mathieu J.
    Mathieu J. about 3 years
    can you add a bit more information ? I did the resize2fs on my partiion, my lvdisplay and pvdisplay shows the shrinked size? How can I make the volume smaller now? as far as I understand here, cryptsetup only reports a size, but does not store or have a size? so I guess next step is to go a level higher. My volume is a VirtualBox .vdi image file. is there an extra layer between VBox and Luks? I don't know. Thanks
  • Mathieu J.
    Mathieu J. about 3 years
    some small precision here, --getsize64 gives a size 512 times bigger than what you want to give to cryptsetup resize --size

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Abysmal general dm-crypt (LUKS) write performance
How to mount a cryptsetup container just with `mount`?
LUKS discard/TRIM: conflicting kernel command line options
How can I set a label on a dm-crypt+LUKS container?
"No key available with this passphrase" with a newly-created DM-CRYPT / LUKS partition
Can I "cryptsetup ... luksFormat" a partition formatted with Ext4, or must it be unformatted?
How to fix a not booting Ubuntu setup with encrypted root disk?
After upgrade to 20.04: luks doesn't open my disk on boot; cryptroot/crypttab is empty, cryptsetup doesn't recognize the crypttab entry
Full System encryption with LUKS on headless server - unlock with dropbear and busybox. How?
Filesystem types for encrypted partitions