disk encryption

Robert Nichols rnicholsNOSPAM at comcast.net
Sat Jan 16 00:29:15 UTC 2016


On 01/15/2016 11:52 AM, Roberto Ragusa wrote:
> On 01/15/2016 04:58 PM, Robert Nichols wrote:
>> 3. Copy the decrypted data directly back to the partition at the
>>     correct offset (4096 sectors assumed here):
>>        dd if=/dev/mapper/mysource bs=$((4096*512)) of=/dev/sda1 seek=1
>> 4. Adjust the partition table to add 4096 sectors to the starting
>>     LBA for sda1 without moving the ending LBA.
>
> You are decrypting in place and then moving forward the beginning
> of the partition to skip over the missing luks header (which
> you then clean in step 5).

OOPS!! There is a nasty mistake on my part there. Zeroing out the
first two megabytes _after_ adjusting the partition table would wipe
out the first two megabytes of the filesystem. Steps 4 and 5 have
to be reversed:

1. Determine the size of the LUKS header. (I'll use /dev/sda1 as the
    encrypted partition -- yours may differ.)
       cryptsetup luksDump /dev/sda1 | grep "Payload offset"
    That offset is the number of 512-byte sectors, probably 4096. If
    different, replace "4096" with the correct number in everything
    that follows.
2. Unlock the partition:
       cryptsetup luksOpen /dev/sda1 mysource
3. Copy the decrypted data directly back to the partition at the
    correct offset (4096 sectors assumed here):
       dd if=/dev/mapper/mysource bs=$((4096*512)) of=/dev/sda1 seek=1
4. Zero out the LUKS header:
       dd if=/dev/zero bs=$((4096*512)) count=1 of=/dev/sda1
5. Adjust the partition table to add 4096 sectors to the starting
    LBA for sda1 without moving the ending LBA.
6. Make adjustments to /etc/fstab and any GRUB references to the
    formerly encrypted partition.
7. Say a prayer and boot your system.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.
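
A dry-run helper for the corrected ordering above, added here as an example and not part of the original message: it reads the payload offset from LUKS1 `cryptsetup luksDump` text and prints steps 2 to 5 with the block size and new starting LBA filled in. The function names, the sample dump and the LBA values are constructed for illustration, and the script only prints the commands, it touches no disk.

```shell
#!/bin/sh
# Constructed sample of LUKS1 `cryptsetup luksDump` output (not from a real disk).
SAMPLE_DUMP='LUKS header information for /dev/sda1

Version:        1
Cipher name:    aes
Payload offset: 4096
MK bits:        256'

# Read luksDump text on stdin, print the payload offset in 512-byte sectors.
# Exits non-zero when the line is absent (a dump without it is rejected).
payload_offset() {
    awk -F: '/^Payload offset:/ { gsub(/[ \t]/, "", $2); print $2; found = 1 }
             END { exit !found }'
}

# plan DUMP_TEXT START_LBA END_LBA [DEVICE]
# Prints steps 2-5 in the corrected order: zero the header BEFORE the
# partition start is moved, so the zeroing cannot land on the filesystem.
plan() {
    p_dump=$1; p_start=$2; p_end=$3; p_dev=${4:-/dev/sda1}
    p_off=$(printf '%s\n' "$p_dump" | payload_offset) || {
        echo "no 'Payload offset' line in dump" >&2; return 1; }
    case $p_off in
        ''|*[!0-9]*) echo "offset is not a number: $p_off" >&2; return 1 ;;
    esac
    [ "$p_off" -gt 0 ] || { echo "offset must be positive" >&2; return 1; }
    p_new=$((p_start + p_off))
    [ "$p_new" -lt "$p_end" ] || {
        echo "new start LBA $p_new is not below end LBA $p_end" >&2; return 1; }
    p_bs=$((p_off * 512))   # one dd block == the whole LUKS header area
    cat <<EOF
cryptsetup luksOpen $p_dev mysource
dd if=/dev/mapper/mysource bs=$p_bs of=$p_dev seek=1
dd if=/dev/zero bs=$p_bs count=1 of=$p_dev
# partition table: move start LBA $p_start -> $p_new, keep end LBA $p_end
EOF
}

# Constructed partition geometry: start LBA 2048, end LBA 1050623.
plan "$SAMPLE_DUMP" 2048 1050623
```

On a real system the dump text would come from `cryptsetup luksDump /dev/sda1` and the LBAs from the current partition table.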


