Resizing Encrypted Filesystems

Posted by dkg on Tue 26 Jun 2007 at 14:13

Tags: , , ,

Yes! You can grow an encrypted partition, as long as the size of the underlying block device grows first. If you have an ext3 filesystem on the encrypted partition, you can even grow the (encrypted) filesystem without unmounting it. This article gives a brief overview of how it is done.

I recommend reading the man pages for the commands used here. They are all quite good.

Below is a full transcript of creating and resizing an encrypted filesystem with a test setup. I don't include any RAID (mdadm) here, because that would all happen way before you even get to this step, since RAID devices are usually used as physical volumes to feed into an LVM Volume Group. The process below is basically two phases:

Phase 0 (Setup)

  1. Create a logical volume (just a block device, no filesystem yet)
  2. Overlay it with strong encryption (using LUKS)
  3. Create a filesystem on top of the encrypted device
  4. Mount the filesystem, and put some data into its tree

(and no, that's not my real passphrase; this is an experiment!)

[0 root@monkey ~]# vgs
  VG      #PV #LV #SN Attr   VSize  VFree 
  monkey0   1   9   0 wz--n- 54.49G 20.49G
[0 root@monkey ~]# lvcreate --name=testy --size=50M monkey0
  Rounding up size to full physical extent 52.00 MB
  Logical volume "testy" created
[0 root@monkey ~]# cryptsetup luksFormat /dev/mapper/monkey0-testy

WARNING!
========
This will overwrite data on /dev/mapper/monkey0-testy irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: abc123
Verify passphrase: abc123
Command successful.
[0 root@monkey ~]# cryptsetup luksOpen /dev/mapper/monkey0-testy testy_crypt
Enter LUKS passphrase: abc123

key slot 0 unlocked.
Command successful.
[0 root@monkey ~]# mkfs -t ext3 -q /dev/mapper/testy_crypt
[0 root@monkey ~]# mount /dev/mapper/testy_crypt /mnt
[0 root@monkey ~]# dd if=/dev/zero of=/mnt/zeroes bs=1k count=1k
1024+0 records in
1024+0 records out
1048576 bytes (1.0 MB) copied, 0.0200926 seconds, 52.2 MB/s
[0 root@monkey ~]# df -h /mnt
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/testy_crypt
                       50M  5.9M   42M  13% /mnt
[0 root@monkey ~]#

Phase 1 (Resizing)

  1. Grow the logical volume with lvresize
  2. Ask the cryptsetup subsystem to acknowledge the new size
  3. Grow the filesystem on top of the newly bigger encrypted device
  4. Look to see how much more space you've got!

In the transcript below, it's interesting to watch how the kernel's representation of the underlying block devices change in size. You can see this by grepping the content of /proc/partitions, which i've done during these steps to demonstrate: 

[0 root@monkey ~]# lvs | grep testy
  testy        monkey0 -wi-ao 52.00M                              
[0 root@monkey ~]# ls -la /dev/mapper/monkey0-testy /dev/mapper/testy_crypt
brw-rw---- 1 root disk 253, 14 2007-06-06 00:10 /dev/mapper/monkey0-testy
brw-rw---- 1 root disk 253, 15 2007-06-06 00:10 /dev/mapper/testy_crypt
[0 root@monkey ~]# grep '^\s*253\s*1[45]\s' /proc/partitions
 253    14      53248 dm-14
 253    15      52732 dm-15

[0 root@monkey ~]# lvresize --size=150M monkey0/testy
  Rounding up size to full physical extent 152.00 MB
  Extending logical volume testy to 152.00 MB
  Logical volume testy successfully resized
[0 root@monkey ~]# grep '^\s*253\s*1[45]\s' /proc/partitions
 253    14     155648 dm-14
 253    15      52732 dm-15
[0 root@monkey ~]# cryptsetup resize testy_crypt
[0 root@monkey ~]# grep '^\s*253\s*1[45]\s' /proc/partitions
 253    14     155648 dm-14
 253    15     155132 dm-15

[0 root@monkey ~]# df -h /mnt
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/testy_crypt
                       50M  5.9M   42M  13% /mnt
[0 root@monkey ~]# resize2fs /dev/mapper/testy_crypt
resize2fs 1.40-WIP (14-Nov-2006)
Filesystem at /dev/mapper/testy_crypt is mounted on /mnt; on-line resizing required
old desc_blocks = 1, new_desc_blocks = 1
Performing an on-line resize of /dev/mapper/testy_crypt to 155132 (1k) blocks.
The filesystem on /dev/mapper/testy_crypt is now 155132 blocks long.

[0 root@monkey ~]# df -h /mnt
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/testy_crypt
                      148M  6.3M  134M   5% /mnt
[0 root@monkey ~]# ls -la /mnt/
total 1046
drwxr-xr-x  3 root root    1024 2007-06-06 00:12 .
drwxr-xr-x 21 root root    4096 2007-02-27 20:08 ..
drwx------  2 root root   12288 2007-06-06 00:10 lost+found
-rw-r--r--  1 root root 1048576 2007-06-06 00:12 zeroes
[0 root@monkey ~]#

Software versions

Here are the versions of the software used on monkey at the time i made this test, fwiw:

[0 dkg@monkey ~]$ uname -a
Linux monkey 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686 GNU/Linux
[0 dkg@monkey ~]$ dpkg -l e2fsprogs lvm2 cryptsetup

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name        Version                           Description
+++-===========-=================================-=========================================
ii  cryptsetup  1.0.4+svn26-1                     configures encrypted block devices
ii  e2fsprogs   1.39+1.40-WIP-2006.11.14+dfsg-2   ext2 file system utilities and libraries
ii  lvm2        2.02.06-4                         The Linux Logical Volume Manager
[0 dkg@monkey ~]$

Cleanup the experiment

And since no example is responsibly complete without the cleanup phase, here it is (note that this cleanup makes it nearly impossible to recover data from the filesystem so removed, particularly if you've forgotten the LUKS passphrase): 

[0 root@monkey ~]# umount /mnt
[0 root@monkey ~]# cryptsetup luksClose testy_crypt

[0 root@monkey ~]# lvremove monkey0/testy
Do you really want to remove active logical volume "testy"? [y/n]: y
  Logical volume "testy" successfully removed
[0 root@monkey ~]#

I hope this is useful!

Share/Save/Bookmark
Add Comment XML logo Printable version

 

<<< Blocking ad servers with dnsmasq Setting up multiple Vservers for home gateway testing >>>

#1
Re: Resizing Encrypted Filesystems
Posted by Anonymous (194.51.xx.xx) on Tue 16 Oct 2007 at 16:32
Thx for the article, it will be really useful as soon as I will buy my new laptop ;)

[ Parent | Reply to this comment ]

#2
Re: Resizing Encrypted Filesystems
Posted by Anonymous (213.129.xx.xx) on Thu 1 Nov 2007 at 09:00
Very useful!

[ Parent | Reply to this comment ]

#3
Re: Resizing Encrypted Filesystems
Posted by Anonymous (24.203.xx.xx) on Sun 11 Nov 2007 at 22:58
Before reading this tutorial, I already resized an encrypted filesystem (over mdadm instead of LVM). I was using JFS and cryptsetup-luks. All the steps were basically the same, but I didn't explicitely told dm-crypt to resize the device. I didn't do the "cryptsetup resize <name-of-device>". All I did was :

# grow raid array (raid1 with sda1 sdb1)
mdadm /dev/md0 --grow --size=max
# JFS resize
mount -o remount,resize /mnt/my_jfs_filesystem

It worked great nonetheless :
~# cat /proc/partitions
major minor #blocks name

8 1 488384001 sda1
8 17 488384001 sdb1
9 0 488383936 md0
253 0 488383420 dm-0

[ Parent | Reply to this comment ]

#4
Re: Resizing Encrypted Filesystems
Posted by jamiemcc (166.84.xx.xx) on Mon 7 Jan 2008 at 00:29
[ Send Message ]
This was great - worked like a charm!

[ Parent | Reply to this comment ]

#5
Re: Resizing Encrypted Filesystems
Posted by Anonymous (85.126.xx.xx) on Mon 24 Mar 2008 at 15:16
Thanks a lot!
I might have figured it out myself, but that saved me some time. Also it's nice to *know* that it'll work beforehand.

[ Parent | Reply to this comment ]

#6
Re: Resizing Encrypted Filesystems
Posted by Anonymous (91.122.xx.xx) on Fri 2 May 2008 at 10:14
Clear and to the point, thanks.

[ Parent | Reply to this comment ]

User Login

Username:

Password:

[ Advanced Login ]

Register Account

Quick Site Search