How to extend a LUKS encrypted volume

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7

Issue

  • How to extend a LUKS encrypted volume?

Resolution

The official cryptsetup FAQ says the following:

2.15 Can I resize a dm-crypt or LUKS partition?

Yes, you can, as neither dm-crypt nor LUKS stores partition size. Whether you should is a different question. Personally I recommend backup, recreation of the encrypted partition with new size, recreation of the filesystem and restore. This gets around the tricky business of resizing the filesystem. Resizing a dm-crypt or LUKS container does not resize the filesystem in it. The backup is really non-optional here, as a lot can go wrong, resulting in partial or complete data loss. Using something like gparted to resize an encrypted partition is slow, but typically works. This will not change the size of the filesystem hidden under the encryption though.

The most important part of that note is the very first sentence -- neither plain dm-crypt volumes, nor LUKS-formatted volumes store partition sizing info. In short, this means that when a container (e.g., logical volume, physical partition) is extended, the dm-crypt volume is effectively extended as well, leaving only the final step of extending the filesystem contained in the decrypted volume.

That said, the warnings should not be dismissed -- especially if one is considering shrinking a volume (which will not be addressed in this solution).


WARNING: Extending an encrypted LUKS-formatted volume requires very little work; however, resizing storage devices is always risky. Any time this kind of operation is undertaken, it's essential that a backup of the data is available in case anything goes wrong.


For illustration purposes, this article focuses on LUKS-formatted dm-crypt volumes only, and in the following example, the underlying device that needs to be extended is /dev/sdb1, the decrypted mapping of it is "luks-<UUID>" (where "<UUID>" is the unique ID of the dm-crypt volume), and the filesystem provided by this decrypted mapping is mounted at /encdata.

  1. Prework/data-gathering

    • Use df to inspect the filesystem that needs to be extended, e.g.:

      [root@localhost]# df -h /encdata
      Filesystem            Size  Used Avail Use% Mounted on
      /dev/mapper/luks-376a60b9-8c25-46b3-8242-88f103a945f5
                            462M  432M  5.5M  99% /encdata
      

      The last part of the /dev/mapper/XXXX name returned above (e.g., luks-376a60b9-8c25-46b3-8242-88f103a945f5) will be referred to from here on out as MAPPING.

    • Figure out what the backing device is by querying the MAPPING, e.g.:

      [root@localhost]# cryptsetup status luks-376a60b9-8c25-46b3-8242-88f103a945f5
      /dev/mapper/luks-376a60b9-8c25-46b3-8242-88f103a945f5 is active:
        cipher:  aes-cbc-essiv:sha256
        keysize: 128 bits
        device:  /dev/sdb1
        offset:  1032 sectors
        size:    975532 sectors
        mode:    read/write
      

      The backing device will always be listed on the "device: /dev/XXXX" line
      In the above example the backing device is clearly "/dev/sdb1", but from here on out it will be referred to as DEV

  2. Unmount the filesystem
    Example:

    • umount /encdata
  3. Close out the dm-crypt volume with cryptsetup luksClose MAPPING
    Examples:

    • cryptsetup luksClose luks-376a60b9-8c25-46b3-8242-88f103a945f5
    • cryptsetup luksClose luks-$(cryptsetup luksUUID /dev/sdb1)
  4. Extend the underlying device DEV
    WARNING: This is the step where the most danger lies -- improperly executing this step could easily result in loss of data; backups are strongly encouraged, as Red Hat cannot be held responsible for loss of data.
    There's no simple recipe for this step, since it depends on what the underlying device is ...

    • If DEV is an LVM logical volume in a volume group which has free extents, it would be trivial to extend said logical volume with lvextend
    • If DEV is the last physical partition on a disk that has additional unpartitioned space, parted, fdisk, gdisk, or sfdisk could be used to delete and recreate the partition with the end-sector shifted farther back
      The following solution details one way to accomplish this: How can I extend an existing non-lvm partition without destroying data?
    • If DEV is a newly-extended LUN (or a partition on one), a reboot or rescan of the SCSI bus might be required prior to using parted, fdisk, gdisk, or sfdisk as above
    • If DEV is a multipath map, some of the above might be required, along with resizing the map (e.g., multipath -k'resize map MPATHDEV')
  5. Re-open the dm-crypt volume with cryptsetup luksOpen DEV MAPPING
    Examples:

    • cryptsetup luksOpen /dev/sdb1 luks-376a60b9-8c25-46b3-8242-88f103a945f5
    • cryptsetup luksOpen /dev/sdb1 luks-$(cryptsetup luksUUID /dev/sdb1)
  6. Check the size of the new dm-crypt volume with cryptsetup status MAPPING
    Examples:

    • cryptsetup status luks-376a60b9-8c25-46b3-8242-88f103a945f5
    • cryptsetup status luks-$(cryptsetup luksUUID /dev/sdb1)

    The size in sectors should be bigger than the size reported by the cryptsetup status command performed in the prework in step 1

  7. Mount up the filesystem contained in the decrypted volume and then extend it with a filesystem-specific command, e.g., with ext3 or ext4, one would use resize2fs -p /dev/mapper/MAPPING
    Examples:

    • mount /dev/mapper/luks-$(cryptsetup luksUUID /dev/sdb1) /encdata ; resize2fs -p /dev/mapper/luks-$(cryptsetup luksUUID /dev/sdb1)
    • mount /dev/mapper/luks-376a60b9-8c25-46b3-8242-88f103a945f5 /encdata ; xfs_growfs /encdata
  8. Finally, use df to confirm the filesystem in question has been properly extended
    Example:

    • df -h /encdata
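
The size check in step 6 can be scripted. The following is an added example, not part of the original solution: it parses the cryptsetup status output saved in step 1 and the output after re-opening, and confirms the mapping grew and now covers the whole backing device. It assumes the mapping was opened without an explicit size, so its size equals the device size minus the "offset" value; the function names and the AFTER sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify step 6 by comparing `cryptsetup status` output
# saved in step 1 with the output after the volume is re-opened.

# status_field NAME: read `cryptsetup status` text on stdin and print the
# value of one field (device, offset, size).
status_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# expected_sectors DEV_SECTORS OFFSET: the mapping covers the backing device
# minus the payload offset (both in 512-byte sectors).
expected_sectors() {
    echo $(( $1 - $2 ))
}

# check_growth BEFORE AFTER DEV_SECTORS
# Returns 0 if the mapping grew and fills the device, 1 if it did not grow,
# 2 if it grew but does not match the device size minus the offset.
check_growth() {
    before=$(printf '%s\n' "$1" | status_field size)
    after=$(printf '%s\n' "$2" | status_field size)
    offset=$(printf '%s\n' "$2" | status_field offset)
    want=$(expected_sectors "$3" "$offset")
    if [ "$after" -le "$before" ]; then
        echo "mapping did not grow: $before -> $after sectors"
        return 1
    fi
    if [ "$after" -ne "$want" ]; then
        echo "mapping is $after sectors, expected $want"
        return 2
    fi
    echo "ok: $before -> $after sectors"
}

# Step 1 output from the article (trimmed to the fields used here).
BEFORE='/dev/mapper/luks-376a60b9-8c25-46b3-8242-88f103a945f5 is active:
  device:  /dev/sdb1
  offset:  1032 sectors
  size:    975532 sectors'

# Constructed sample: same volume after /dev/sdb1 was grown to 2097152 sectors.
AFTER='/dev/mapper/luks-376a60b9-8c25-46b3-8242-88f103a945f5 is active:
  device:  /dev/sdb1
  offset:  1032 sectors
  size:    2096120 sectors'

check_growth "$BEFORE" "$AFTER" 2097152
```

On a live system, save "$(cryptsetup status MAPPING)" before step 2, and pass the fresh status output and "$(blockdev --getsz DEV)" as the second and third arguments after step 5.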

Important: The syntax of the cryptsetup command changed in RHEL 8; for newer releases, we recommend checking the solution How to grow a filesystem sitting on a LUKS volume with it remains open?


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.