Resize a LUKS Encrypted LVM Partition

I recently had to resize the partition we use on our secure FTP server. Luckily, we use LVM on all our machines, so this was a simple task. My only concern was that it was a LUKS encrypted partition; I was afraid I would lose data due to the encryption algorithms and keys changing based upon the new size. After searching around, here are the steps I came up with to resize a LUKS partition without losing any data:

Assumptions and beginning info:
We have a LUKS filesystem named "encrypted" that is on a logical volume named "encrypted_LV"
The "encrypted_LV" belongs to a volume group named "root_VG"
We are mounting this filesystem at /secret
We are using ext3 as the underlying filesystem
We want to extend the volume by adding 20 Gig from our root_VG volume group (It was already available as free space).

1. Unmount the filesystem:
umount /secret

2. Run a filesystem check to clean up the inode tables before working with it:
fsck.ext3 -C 0 -f /dev/mapper/encrypted

3. Close out the LUKS filesystem:
cryptsetup luksClose encrypted

4. Extend the Logical Volume like you would any other LVM (We are adding additional 20G of space):
lvextend -L +20G /dev/root_VG/encrypted_LV

5. Re-open the encrypted filesystem and resize it:
cryptsetup luksOpen /dev/root_VG/encrypted_LV encrypted
cryptsetup --verbose resize encrypted

6. FSCK again (for good measure) and then resize the underlying filesystem (ext3 in this example):
fsck.ext3 -f /dev/mapper/encrypted
resize2fs /dev/mapper/encrypted

7. Mount up the newly sized LUKS filesystem and make sure everything is OK:
mount /dev/mapper/encrypted /secret
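
The seven steps above collected into one shell function, as an added example that is not part of the original post: it stops at the first command that fails, validates the size argument, and by default only prints the commands. The function names, the DRY_RUN variable and the argument order are assumptions made for this example; `cryptsetup resize` is given the mapping name used in `luksOpen`.

```sh
#!/bin/sh
# Added example (not from the original post): guarded LUKS-on-LVM grow.
# DRY_RUN defaults to 1, so commands are printed instead of executed.
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only sizes such as 20G or 512M: digits plus one unit letter.
valid_size() {
    num=${1%?}            # everything except the last character
    unit=${1#"$num"}      # the last character
    case $num in ''|*[!0-9]*) return 1 ;; esac
    case $unit in [MGTmgt]) return 0 ;; *) return 1 ;; esac
}

# Usage: resize_luks_lv VG LV MAPPING MOUNTPOINT SIZE_TO_ADD
# The && chain aborts at the first non-zero exit status. fsck exits 1
# when it had to correct errors, so the resize stops there for review.
resize_luks_lv() {
    vg=$1 lv=$2 map=$3 mnt=$4 add=$5
    valid_size "$add" || { echo "invalid size: $add" >&2; return 2; }
    dev=/dev/$vg/$lv
    run umount "$mnt" &&
    run fsck.ext3 -C 0 -f "/dev/mapper/$map" &&
    run cryptsetup luksClose "$map" &&
    run lvextend -L "+$add" "$dev" &&
    run cryptsetup luksOpen "$dev" "$map" &&
    run cryptsetup --verbose resize "$map" &&
    run fsck.ext3 -f "/dev/mapper/$map" &&
    run resize2fs "/dev/mapper/$map" &&
    run mount "/dev/mapper/$map" "$mnt"
}

# Only act when all five arguments are supplied on the command line.
if [ "$#" -eq 5 ]; then
    resize_luks_lv "$@"
fi
```

Run it with the five arguments (for the setup above: root_VG encrypted_LV encrypted /secret 20G) to review the plan, then again with DRY_RUN=0 as root to execute it.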

12 Comments

  1. Nate April 11, 2012 3:33 pm  Reply

    Well written, thank you.

    • Jose June 15, 2012 12:09 am  Reply

      Hey, just done this on a Squeeze box, troubleshooting over KVM. I had to adjust servers /etc/default/grub to have: GRUB_CMDLINE_LINUX= rootdelay=60 (60 seconds; if you need more change it) Basically the difference between sleep 35 and rootdelay=60 will give you 25 seconds (after the passphrase prompt shows up over ssh) to type your passphrase and exit. Otherwise the local console drops to busybox itself due to root device not found and typing your passphrase will not be enough to make the boot process progress. If you have a static IP: GRUB_CMDLINE_LINUX= ip=IP.IP.IP.IP::GW.GW.GW.GW:NM.NM.NM.NM::eth0:none rootdelay=60 otherwise dropbear tries to get one over DHCP. It might also work if you make the sleep 35 less like sleep 10 but I haven't looked further into this. As far as the system can be unlocked remotely over SSH I'm happy. Thanks for this post. J.

    • Zalal June 15, 2012 9:55 am  Reply

      Yep. I can confirm this. Rebuild three + reiserfs + bad sector = complete data loss. One day I issued this command to recover deleted files. Result was a disaster.. There was no output after the command completed. No tree change. Only file contents.. were.. all.. corrupted! And that was single, non-RAIDed drive.

  2. Meryama June 15, 2012 5:09 pm  Reply

    Well, there's nothing special in mount or fdisk -l.
    /dev/md0 on / type ext3 (rw,errors=remount-ro)
    It may be caused by sparse files. This is a xen dom0 that was used for some iscsi experimentation a while back and this may be a result of that. But I don't know exactly what the person doing the iscsi testing did, so it's hard to say. It's an old 2.6.18-xen kernel. But I have loads of those running still, and this is the only box I'm seeing this on. The machine's been up for a long time, 607 days currently. This is a production machine, and du -sh is normal:
    # du -sh
    8.5G .
    So I'm not too worried.

  3. Ashish October 9, 2012 7:50 am  Reply

    Hi, I have a RHEL 6 laptop with 500 GB HDD encrypted with LUKS. I want to create a 200 GB partition on my HDD to install Windows7. So, I want my laptop to be dual boot with RHEL6 & Windows7. I want my bootloader to be that of RHEL. I am a newbie in linux. Can you please help me on this.

    • CubedRoot October 9, 2012 9:22 am  Reply

      If the entire HDD is partitioned as a LUKS encrypted volume, you will need to reduce the volume by 200GB, which will create "free space" on the drive. Once you have the 200 gig of free space, you can install Windows 7 into this partition. Just remember, when you install Windows as the "second" OS, it will install its own bootloader. This is not a big deal, since you can boot the RHEL install CD and reinstall GRUB as your bootloader.

  4. mikeg9b February 16, 2013 5:18 pm  Reply

    I left off

    cryptsetup --verbose resize myfs

    and it still worked just fine. I wasn't sure what the myfs referred to and the cryptsetup wiki FAQ says "neither dm-crypt nor LUKS stores partition size." My data was backed up so I took a chance and it worked.

    • CubedRoot February 16, 2013 5:39 pm  Reply

      Cool! Thanks for the comment and letting me know that it worked. Hope it helped out in some way.

  5. Mac April 16, 2013 8:55 pm  Reply

    GREAT how to - worked perfectly!
    I will keep this in my work notes - thanks again.

    :)

  6. Seb June 16, 2013 9:26 pm  Reply

    Why that complicated? It also works mounted.

    lvextend -L+.... crypted_partition
    cryptsetup resize
    resize2fs (on mounted partition)
