On 01/15/2016 11:52 AM, Roberto Ragusa wrote:
On 01/15/2016 04:58 PM, Robert Nichols wrote:
- Copy the decrypted data directly back to the partition at the correct offset (4096 sectors assumed here): dd if=/dev/mapper/mysource bs=$((4096*512)) of=/dev/sda1 seek=1
- Adjust the partition table to add 4096 sectors to the starting LBA for sda1 without moving the ending LBA.
You are decrypting in place and then moving forward the beginning of the partition to skip over the missing luks header (which you then clean in step 5).
OOPS!! There is a nasty mistake on my part there. Zeroing out the first two megabytes _after_ adjusting the partition table would wipe out the first two megabytes of the filesystem. Steps 4 and 5 have to be reversed:
1. Determine the size of the LUKS header. (I'll use /dev/sda1 as the encrypted partition -- yours may differ.) cryptsetup luksDump /dev/sda1 | grep "Payload offset" That offset is the number of 512-byte sectors, probably 4096. If different, replace "4096" with the correct number in everything that follows. 2. Unlock the partition: cryptsetup luksOpen /dev/sda1 mysource 3. Copy the decrypted data directly back to the partition at the correct offset (4096 sectors assumed here): dd if=/dev/mapper/mysource bs=$((4096*512)) of=/dev/sda1 seek=1 4. Zero out the LUKS header: dd if=/dev/zero bs=$((4096*512)) count=1 of=/dev/sda1 5. Adjust the partition table to add 4096 sectors to the starting LBA for sda1 without moving the ending LBA. 6. Make adjustments to /etc/fstab and any GRUB references to the formerly encrypted partition. 7. Say a prayer and boot your system.