Resizing Encrypted Filesystems

Posted by dkg on Tue 26 Jun 2007 at 14:13

Yes! You can grow an encrypted partition, as long as the size of the underlying block device grows first. If you have an ext3 filesystem on the encrypted partition, you can even grow the (encrypted) filesystem without unmounting it. This article gives a brief overview of how it is done.

I recommend reading the man pages for the commands used here. They are all quite good.

Below is a full transcript of creating and resizing an encrypted filesystem with a test setup. I don't include any RAID (mdadm) here, because that would all happen way before you even get to this step, since RAID devices are usually used as physical volumes to feed into an LVM Volume Group. The process below is basically two phases:

Phase 0 (Setup)

  1. Create a logical volume (just a block device, no filesystem yet)
  2. Overlay it with strong encryption (using LUKS)
  3. Create a filesystem on top of the encrypted device
  4. Mount the filesystem, and put some data into its tree

(and no, that's not my real passphrase; this is an experiment!)

[0 root@monkey ~]# vgs
  VG      #PV #LV #SN Attr   VSize  VFree 
  monkey0   1   9   0 wz--n- 54.49G 20.49G
[0 root@monkey ~]# lvcreate --name=testy --size=50M monkey0
  Rounding up size to full physical extent 52.00 MB
  Logical volume "testy" created
[0 root@monkey ~]# cryptsetup luksFormat /dev/mapper/monkey0-testy

WARNING!
========
This will overwrite data on /dev/mapper/monkey0-testy irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: abc123
Verify passphrase: abc123
Command successful.
[0 root@monkey ~]# cryptsetup luksOpen /dev/mapper/monkey0-testy testy_crypt
Enter LUKS passphrase: abc123

key slot 0 unlocked.
Command successful.
[0 root@monkey ~]# mkfs -t ext3 -q /dev/mapper/testy_crypt
[0 root@monkey ~]# mount /dev/mapper/testy_crypt /mnt
[0 root@monkey ~]# dd if=/dev/zero of=/mnt/zeroes bs=1k count=1k
1024+0 records in
1024+0 records out
1048576 bytes (1.0 MB) copied, 0.0200926 seconds, 52.2 MB/s
[0 root@monkey ~]# df -h /mnt
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/testy_crypt
                       50M  5.9M   42M  13% /mnt
[0 root@monkey ~]# 

Phase 1 (Resizing)

  1. Grow the logical volume with lvresize
  2. Ask the cryptsetup subsystem to acknowledge the new size
  3. Grow the filesystem on top of the newly bigger encrypted device
  4. Look to see how much more space you've got!

In the transcript below, it's interesting to watch how the kernel's representation of the underlying block devices changes in size. You can see this by grepping the contents of /proc/partitions, which I've done during these steps to demonstrate:

[0 root@monkey ~]# lvs | grep testy
  testy        monkey0 -wi-ao 52.00M                              
[0 root@monkey ~]# ls -la /dev/mapper/monkey0-testy /dev/mapper/testy_crypt
brw-rw---- 1 root disk 253, 14 2007-06-06 00:10 /dev/mapper/monkey0-testy
brw-rw---- 1 root disk 253, 15 2007-06-06 00:10 /dev/mapper/testy_crypt
[0 root@monkey ~]# grep '^\s*253\s*1[45]\s' /proc/partitions
 253    14      53248 dm-14
 253    15      52732 dm-15

[0 root@monkey ~]# lvresize --size=150M monkey0/testy
  Rounding up size to full physical extent 152.00 MB
  Extending logical volume testy to 152.00 MB
  Logical volume testy successfully resized
[0 root@monkey ~]# grep '^\s*253\s*1[45]\s' /proc/partitions
 253    14     155648 dm-14
 253    15      52732 dm-15
[0 root@monkey ~]# cryptsetup resize testy_crypt
[0 root@monkey ~]# grep '^\s*253\s*1[45]\s' /proc/partitions
 253    14     155648 dm-14
 253    15     155132 dm-15

[0 root@monkey ~]# df -h /mnt
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/testy_crypt
                       50M  5.9M   42M  13% /mnt
[0 root@monkey ~]# resize2fs /dev/mapper/testy_crypt
resize2fs 1.40-WIP (14-Nov-2006)
Filesystem at /dev/mapper/testy_crypt is mounted on /mnt; on-line resizing required
old desc_blocks = 1, new_desc_blocks = 1
Performing an on-line resize of /dev/mapper/testy_crypt to 155132 (1k) blocks.
The filesystem on /dev/mapper/testy_crypt is now 155132 blocks long.

[0 root@monkey ~]# df -h /mnt
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/testy_crypt
                      148M  6.3M  134M   5% /mnt
[0 root@monkey ~]# ls -la /mnt/
total 1046
drwxr-xr-x  3 root root    1024 2007-06-06 00:12 .
drwxr-xr-x 21 root root    4096 2007-02-27 20:08 ..
drwx------  2 root root   12288 2007-06-06 00:10 lost+found
-rw-r--r--  1 root root 1048576 2007-06-06 00:12 zeroes
[0 root@monkey ~]# 
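
The /proc/partitions check from the transcript can be turned into a test of which layer still has to grow. This is an added example, not part of the original article: the function names are made up here, and the reference overhead (516 KiB, the difference between dm-14 and dm-15 before the resize) is assumed to stay constant for this mapping.

```sh
#!/bin/sh
# Added example. The three snapshots are the /proc/partitions lines copied
# from the transcript above: dm-14 is the logical volume, dm-15 is testy_crypt.
BEFORE=' 253    14      53248 dm-14
 253    15      52732 dm-15'
AFTER_LVRESIZE=' 253    14     155648 dm-14
 253    15      52732 dm-15'
AFTER_CRYPT_RESIZE=' 253    14     155648 dm-14
 253    15     155132 dm-15'

# size_kib NAME: read /proc/partitions-style text on stdin and print the
# size (third column, 1 KiB blocks) of device NAME; fail if NAME is absent.
size_kib() {
    awk -v dev="$1" '$4 == dev { print $3; found = 1 } END { exit !found }'
}

# crypt_overhead_kib TEXT BACKING MAPPED: KiB of the backing device that the
# encrypted mapping does not expose (backing size minus mapped size).
crypt_overhead_kib() {
    backing=$(printf '%s\n' "$1" | size_kib "$2") || return 1
    mapped=$(printf '%s\n' "$1" | size_kib "$3") || return 1
    echo $((backing - mapped))
}

# resize_state TEXT BACKING MAPPED EXPECTED_KIB: compare the overhead with
# the value seen while the two layers were known to match.
resize_state() {
    gap=$(crypt_overhead_kib "$1" "$2" "$3") || { echo unknown; return 1; }
    if [ "$gap" -eq "$4" ]; then
        echo in-sync
    elif [ "$gap" -gt "$4" ]; then
        echo needs-cryptsetup-resize
    else
        echo mapping-exceeds-backing
    fi
}

# Assumption: the overhead before any resize is the reference value.
expected=$(crypt_overhead_kib "$BEFORE" dm-14 dm-15)
for snap in "$BEFORE" "$AFTER_LVRESIZE" "$AFTER_CRYPT_RESIZE"; do
    echo "overhead $(crypt_overhead_kib "$snap" dm-14 dm-15) KiB:" \
         "$(resize_state "$snap" dm-14 dm-15 "$expected")"
done
```

On a live system, pass "$(cat /proc/partitions)" as the first argument instead of a saved snapshot.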

Software versions

Here are the versions of the software used on monkey at the time I made this test, fwiw:

[0 dkg@monkey ~]$ uname -a
Linux monkey 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686 GNU/Linux
[0 dkg@monkey ~]$ dpkg -l e2fsprogs lvm2 cryptsetup

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name        Version                           Description
+++-===========-=================================-=========================================
ii  cryptsetup  1.0.4+svn26-1                     configures encrypted block devices
ii  e2fsprogs   1.39+1.40-WIP-2006.11.14+dfsg-2   ext2 file system utilities and libraries
ii  lvm2        2.02.06-4                         The Linux Logical Volume Manager
[0 dkg@monkey ~]$ 

Clean up the experiment

And since no example is responsibly complete without the cleanup phase, here it is (note that this cleanup makes it nearly impossible to recover data from the filesystem so removed, particularly if you've forgotten the LUKS passphrase):

[0 root@monkey ~]# umount /mnt
[0 root@monkey ~]# cryptsetup luksClose testy_crypt

[0 root@monkey ~]# lvremove monkey0/testy
Do you really want to remove active logical volume "testy"? [y/n]: y
  Logical volume "testy" successfully removed
[0 root@monkey ~]# 

I hope this is useful!


This article can be found online at the Debian Administration website.

This article is copyright 2007 dkg - please ask for permission to republish or translate.