システム暗号化の解除
dm-crypt と LUKSを使用してシステム暗号化を解除します。
LUKS暗号化のインプレース解除
概要
データをバックアップして、再フォーマットされたデバイスに復元するほど安全ではありませんが、cryptsetup はデバイスから LUKS 暗号化をインプレースで永久に解除することを可能にします。例えば、LUKS 暗号化されたパーティションの中に ext4 ファイルシステムが存在する場合、インプレース復号化を行うと LUKS シグネチャが削除され、パーティション上に直接 ext4 ファイルシステムが配置され、直接マウントできるようになります。何も問題が発生しなければ、ファイルシステム内のファイルはそのまま維持されます。cryptsetup のドキュメントで使用されている用語は「復号化」とされています。
cryptsetup-reencrypt(8) マニュアルを参照して、--decrypt オプションについて確認してください。
LUKS1 デバイスの非破壊オフライン復号化は、2012年にリリースされた cryptsetup バージョン 1.5.0 から利用可能になりました。LUKS1の復号化はオフラインモードでのみサポートされています。
LUKS2 デバイスの場合、オフラインおよびオンライン(アンマウント不要)の復号化がサポートされています。
Decrypting LUKS1 devices in-place
The decryption of a LUKS1 device is done in offline mode, i.e. it must not opened and mounted. If you want to decrypt the system drive, reboot into a USB live environment. Otherwise, use unmount followed by cryptsetup close dm-name.
To start, identify the device_path using blkid or lsblk.
Next, the following command performs the decryption:
# cryptsetup reencrypt --decrypt device_path Enter any existing passphrase: Finished, time 02m05s, 19 GiB written, speed 162,6 MiB/s
It will automatically identify the LUKS1 header version and not proceed for an opened device. The process might take a while, but give a progress meter. If no problems occur, the filesystem on the device can immediately be mounted directly.
Decrypting LUKS2 devices in-place
Decryption can be done in either offline or online mode, using the cryptsetup command. Since cryptsetup version 2.5.0 (2022) LUKS2 supports decryption by migrating LUKS2 header in a separate file.
The new_file to which the LUKS2 header will be migrated must not exist in the initialization phase of the decryption.
# cryptsetup reencrypt --decrypt --header new_file device_path
To resume interrupted LUKS2 in-place decryption just issue following command:
# cryptsetup reencrypt --decrypt --resume-only --header migrated_header_file device_path
If the decryption was successfully finished on active device (online decryption), the mapped device will be lazy deactivated so that linear mapping is automatically removed when no longer used. Later the original device_path can be used without device mapper mapping.
Cleaning up system files
Device names and UUIDs may change due to decryption, and you will likely need to update relevant configuration files. The files most likely to need updating are /etc/crypttab, /etc/fstab and, if your recently decrypted device appeared on the kernel command line, your bootloader's configuration (e.g, /etc/default/grub). If you edit the latter, remember to regenerate the grub configuration as described in GRUB.
Removing LUKS via Backup-Format-Restore
Prerequisites
- An encrypted root filesystem you wish to decrypt.
- Enough drive space to store a backup.
- An Arch Linux (or other) live CD/USB.
- A few hours.
Boot into a live environment
Download and burn the latest Arch ISO to a CD or USB, reboot the system, and boot to cd.
Activate partitions
Note about different setups
An example setup is shown here:
| NTFS | myvg(lvm) | NTFS | |
| Other OS | cryptswap(lv) | cryptroot(lv) | Shared |
| luks | luks | ||
| swap | root(xfs) | ||
The grey partition is a frame of reference and can be ignored. The yellow partition will be used as storage space and may be changed at will. The green partitions will be modified. Bold text must match your system's setup.
In the example system:
myvg contains lvs called cryptroot and cryptswap. They are located at /dev/myvg/cryptroot and /dev/myvg/cryptswap. Upon boot, LUKS is used along with a few crypttab entries to create /dev/mapper/root and /dev/mapper/swap.
Swap will not be unencrypted as part of this guide, as undoing the swap encryption does not require any complex backup or restoration.
The example system is not indicative of all systems. Different filesystems require different tools to effectively backup and restore their data. LVM can be ignored if not used.
Once partitions are located
Load necessary modules. For device mapper/LVM:
# modprobe dm-mod
For LUKS:
# modprobe dm-crypt
Scan for physical, volume and logical volumes:
# pvscan; vgscan; lvscan
Activate the LVM volume group:
# lvchange -ay myvg/cryptroot
Open the encrypted filesystem with LUKS so that it can be read:
# cryptsetup luksOpen /dev/myvg/cryptroot root
Enter password.
Mounting backup space
Only if using NTFS to store the backup, install ntfs-3g.
The next step is important for backup storage.
# mount -t ntfs-3g -o rw /dev/sdXY /mount/point/
or use netcat to store the backup on a remote system.
Backup data
Using xfs_copy:
# xfs_copy -db /dev/mapper/root /mount/point/backup_root.img
Using dd:
# dd if=/dev/mapper/root of=/mount/point/backup_root.img
Undo encryption
This is the point of no return. Make sure that you are ready for this step. If you plan to undo this later, you will have to start almost from scratch.
# cryptsetup luksClose root # lvm lvremove myvg/cryptroot
Restore data
We have to create a new logical volume to house our root filesystem, then we restore our filesystem.
# lvm lvcreate -l 100%FREE -n root myvg # xfs_copy -db /mount/point/backup_root.img /dev/myvg/root
The second drive name is changed now.
Adjust configurations
You need to boot into your system and edit /etc/crypttab, /etc/mkinitcpio.conf, /etc/fstab, and possibly /boot/grub/menu.lst.