Allow --reduce-device-size and --device-size in encrypt action.

Fixes: #822
Ondrej Kozina
2025-05-20 09:54:22 +02:00
parent ad30673dc5
commit 10ab6be262
6 changed files with 91 additions and 6 deletions

@@ -124,6 +124,13 @@ ifdef::ACTION_REENCRYPT[]
It means that only specified area (from the start of the device
to the specified size) will be reencrypted.
+
*LUKS2*:
When used together with --reduce-device-size, only the initial _size_ value
(--device-size parameter) of data is shifted backwards while being encrypted.
+
*NOTE*:
The sum of --device-size and --reduce-device-size values must not exceed real device size.
+
*WARNING:* This is destructive operation. Data beyond --device-size limit may
be lost after operation gets finished.
endif::[]
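Review bot: The added *LUKS2* paragraph under --device-size leaves the fate of data past the first _size_ unstated when --reduce-device-size is also given, even though the existing WARNING directly below it says data beyond the --device-size limit may be lost. Please reword "only the initial _size_ value (--device-size parameter) of data is shifted backwards" to something like "only the first _size_ of data (set by --device-size) is encrypted and shifted backwards", and state explicitly whether the remainder of the device is left untouched or discarded in encrypt mode. The NOTE should also say whether a sum larger than the real device size is rejected before anything is written. Minor style point: the new label is written "*NOTE*:" while the existing one is "*WARNING:*".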
@@ -993,11 +1000,18 @@ unrecoverable.
+
*LUKS2*:
Initialize LUKS2 reencryption with data device size reduction
(currently only encryption mode is supported).
(currently only encryption mode is supported). The last _size_ sectors
on the original plaintext device is used for temporarily storing original
first data segment. The former first data segment is replaced with LUKS2
header (half the _size_ value) and plaintext data are shifted backwards (
again half the _size_ value) while being encrypted.
+
Recommended minimal size is twice the default LUKS2 header size
(--reduce-device-size 32M) for encryption mode.
+
*NOTE*:
The sum of --device-size and --reduce-device-size values must not exceed real device size.
+
*LUKS1*:
Enlarge data offset to specified value by shrinking device size.
+
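Review bot: The new --reduce-device-size description mixes units: "The last _size_ sectors on the original plaintext device is used" speaks of sectors, while the recommendation a few lines later is written as "--reduce-device-size 32M". Please name one unit consistently, and fix the agreement ("are used"). There is also a stray space after the opening parenthesis in "shifted backwards ( again half the _size_ value)". The NOTE about the sum of the two options repeats the one under --device-size word for word, so the two copies need to be kept in sync if either is edited later.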

@@ -142,6 +142,13 @@ is unused (e.g.: does not contain filesystem data):
*cryptsetup reencrypt --encrypt --type luks2 --reduce-device-size 32m /dev/plaintext_device*
Encrypt LUKS2 device (in-place). Only the initial 1 GiB of original
_/dev/plaintext_ data is encrypted while being shifted backwards.
Make sure last 32 MiB (tail) on the data device is unused (e.g.: does
not contain any data):
*cryptsetup reencrypt --encrypt --type luks2 --device-size 1g --reduce-device-size 32m /dev/plaintext_device*
Encrypt LUKS2 device (in-place) with detached header put in a file:
*cryptsetup reencrypt --encrypt --type luks2 --header my_luks2_header /dev/plaintext_device*
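Review bot: The new "--device-size 1g --reduce-device-size 32m" example only tells the reader to make sure the last 32 MiB is unused, but the --device-size option text warns that data beyond the --device-size limit may be lost once the operation finishes. The example should carry that caveat too, since a reader copying the command may assume everything past the first 1 GiB is preserved. Also, the description refers to _/dev/plaintext_ while the command operates on /dev/plaintext_device; use the same name in both.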