How to resize LUKS partition (shrink or extend encrypted luks partition) in Linux



In this article I will share the steps to resize a LUKS partition. You can shrink or extend an encrypted LUKS partition depending on the backend file system and device type. I verified the steps in this article on RHEL/CentOS 7/8. In my last article I shared the steps to auto mount a LUKS encrypted partition during the reboot stage using keys instead of a passphrase in Linux.


Can I resize a dm-crypt or LUKS partition?

Disclaimer: Official Page of cryptsetup

Yes, you can, as neither dm-crypt nor LUKS stores partition size. Whether you should is a different question. Personally I recommend backup, recreation of the encrypted partition with new size, recreation of the filesystem and restore. This gets around the tricky business of resizing the filesystem. Resizing a dm-crypt or LUKS container does not resize the filesystem in it. The backup is really non-optional here, as a lot can go wrong, resulting in partial or complete data loss. Using something like gparted to resize an encrypted partition is slow, but typically works. This will not change the size of the filesystem hidden under the encryption though.

You also need to be aware of size-based limitations. The one currently relevant is that aes-xts-plain should not be used for encrypted container sizes larger than 2TiB. Use aes-xts-plain64 for that.

As you can see, resizing a LUKS partition, whether extending or shrinking it, is not recommended.

Earlier I shared the steps to encrypt the partition device /dev/sdb1 using LUKS, but here I will use LVM as the backend storage device and ext4 as the file system, because with LVM it is easier to shrink and extend encrypted LUKS partitions (logical volumes).

 

My Lab Environment

I am using a VM running on Oracle VirtualBox, installed on my Linux server, with CentOS 8 to execute these steps to extend and shrink an encrypted LUKS partition.

So it is safe to say the same steps would work on RHEL 8. Earlier I executed the same set of steps on RHEL/CentOS 7. If you face any problems while executing these steps, please report them using the comment section below this article.

Create LUKS Encrypted LVM with cryptsetup

I will quickly create an LVM-based LUKS encrypted volume. Start by initializing /dev/sdb1 as a physical volume:

[root@centos-8 ~]# pvcreate /dev/sdb1
  Physical volume "/dev/sdb1" successfully created.

After adding new physical volume, verify the available list of physical volumes using pvs:

[root@centos-8 ~]# pvs
  PV         VG   Fmt  Attr PSize   PFree
  /dev/sda2  rhel lvm2 a--  <14.50g     0
  /dev/sdb1       lvm2 ---   <8.00g <8.00g

Get the list of available volume groups using vgs

[root@centos-8 ~]# vgs
  VG   #PV #LV #SN Attr   VSize   VFree
  rhel   1   2   0 wz--n- <14.50g    0

I will extend my existing VG rhel instead of creating a new one:

[root@centos-8 ~]# vgextend rhel /dev/sdb1
  Volume group "rhel" successfully extended

Verify the new size of your volume group:

[root@centos-8 ~]# vgs
  VG   #PV #LV #SN Attr   VSize   VFree
  rhel   2   2   0 wz--n- <14.50g    0

Check the list of available logical volumes:

[root@centos-8 ~]# lvs
  LV   VG   Attr       LSize   Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  root rhel -wi-ao----  13.56g
  swap rhel -wi-ao---- 956.00m

I will create a new logical volume "secret" which will act as the device for the LUKS encrypted partition:

[root@centos-8 ~]# lvcreate -n secret -L 2G  rhel
  Logical volume "secret" created.

Check the new list of logical volumes:

[root@centos-8 ~]# lvs
  LV     VG   Attr       LSize   Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  root   rhel -wi-ao----  13.56g
  secret rhel -wi-a-----   2.00g
  swap   rhel -wi-ao---- 956.00m

 

Initialize LUKS partition

Now LUKS-format the logical volume /dev/rhel/secret and protect it with a passphrase. It will later be mapped as /dev/mapper/secret.

[root@centos-8 ~]# cryptsetup luksFormat /dev/rhel/secret

WARNING!
========
This will overwrite data on /dev/rhel/secret irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/rhel/secret:
Verify passphrase:

We will use luksOpen to open the encrypted volume and map it to /dev/mapper/secret. The device node /dev/mapper/secret is created by this step.

[root@centos-8 ~]# cryptsetup luksOpen /dev/rhel/secret secret
Enter passphrase for /dev/rhel/secret:

I will use the ext4 file system for my LUKS partition; you can choose a file system type as per your requirement.

[root@centos-8 ~]# mkfs.ext4 /dev/mapper/secret
mke2fs 1.44.3 (10-July-2018)
Creating filesystem with 522240 4k blocks and 130560 inodes
Filesystem UUID: d6b707da-04c5-4c19-9c9d-5e1df2332488
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912

Allocating group tables: done
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done

Now to access the LUKS partition, mount it on a mount point. I had already created a mount point /secret in my previous articles so I will use the same path:

[root@centos-8 ~]# mount /dev/mapper/secret /secret/

Verify if the LUKS partition is properly mounted

[root@centos-8 ~]# mount | grep secret
/dev/mapper/secret on /secret type ext4 (rw,relatime)

 

Resize LUKS Partition

This was all the prerequisite work to set up the lab environment. From here on we will start with the steps to resize the LUKS partition.

First let us extend the encrypted LUKS partition. Currently my LUKS partition is 2GB, which we will extend to 3GB. We have around 8GB of space available in our rhel VG, so we can easily extend the encrypted LUKS partition by an additional 1GB.

WARNING:
I have already given a disclaimer that resizing a LUKS partition, whether reducing or extending the encrypted volume, can be risky. Any time this kind of operation is undertaken, it's essential that a backup of the data is available in case anything goes wrong.

Grow or Extend Encrypted LUKS partition volume

Since our LUKS encrypted volume is mapped to /dev/mapper/secret volume, we will use the same volume to extend encrypted LUKS partition with additional 1GB space. Use df to inspect the file system that needs to be extended, e.g.:

[root@centos-8 ~]# df -h /secret/
Filesystem          Size  Used Avail Use% Mounted on
/dev/mapper/secret  2.0G   47M  2.0G   3% /secret

The current size of the /dev/mapper/secret LUKS volume is 2GB. Find the backing device by querying the mapping with cryptsetup status MAPPING:

[root@centos-8 ~]# cryptsetup status secret
/dev/mapper/secret is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 256 bits
  key location: keyring
  device:  /dev/mapper/rhel-secret
  sector size:  512
  offset:  16384 sectors
  size:    4177920 sectors
  mode:    read/write

The backing device will always be listed on the "device: /dev/XXXX" line. In the above example the backing device is "/dev/mapper/rhel-secret"

Un-mount the file system before we extend encrypted LUKS partition

[root@centos-8 ~]# umount /secret

Close out the dm-crypt volume with cryptsetup luksClose MAPPING

[root@centos-8 ~]# cryptsetup luksClose secret

Next extend the logical volume behind the encrypted LUKS partition using the lvextend command. Here we wish to add 1GB to our existing LUKS volume:

[root@centos-8 ~]# lvextend -L +1G /dev/rhel/secret
  Size of logical volume rhel/secret changed from 2.00 GiB (512 extents) to 3.00 GiB (768 extents).
  Logical volume rhel/secret successfully resized.

Verify the new size of the secret logical volume

[root@centos-8 ~]# lvs
  LV     VG   Attr       LSize   Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  root   rhel -wi-ao----  13.56g
  secret rhel -wi-a-----   3.00g
  swap   rhel -wi-ao---- 956.00m

Next open the LUKS encrypted partition again as /dev/mapper/secret so that the resize can be completed:

[root@centos-8 ~]# cryptsetup luksOpen /dev/rhel/secret secret
Enter passphrase for /dev/rhel/secret:

Check the new size of the LUKS encrypted volume

[root@centos-8 ~]# cryptsetup status secret
/dev/mapper/secret is active.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 256 bits
  key location: keyring
  device:  /dev/mapper/rhel-secret
  sector size:  512
  offset:  16384 sectors
  size:    6275072 sectors
  mode:    read/write

Compare the size with the output of the same command from earlier in this article. Earlier the size of the secret volume was 4177920 sectors, while the new size is 6275072 sectors. The resize is not yet complete, because the file system inside the volume still has its old size.

Perform a file system check before performing the final steps to extend encrypted LUKS partition

[root@centos-8 ~]# e2fsck -f /dev/mapper/secret
e2fsck 1.44.3 (10-July-2018)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/mapper/secret: 11/65280 files (0.0% non-contiguous), 13574/260096 blocks

Since the file system check has passed, execute resize2fs to grow the file system to the new size of the LUKS volume:

[root@centos-8 ~]# resize2fs -p /dev/mapper/secret
resize2fs 1.44.3 (10-July-2018)
Resizing the filesystem on /dev/mapper/secret to 784384 (4k) blocks.
The filesystem on /dev/mapper/secret is now 784384 (4k) blocks long.

Next mount the LUKS encrypted partition on its mount point:

[root@centos-8 ~]# mount /dev/mapper/secret /secret/

Verify the new partition size

[root@centos-8 ~]# df -h /secret/
Filesystem          Size  Used Avail Use% Mounted on
/dev/mapper/secret  3.0G   54M  3.0G   2% /secret

 

Reduce or Shrink encrypted LUKS partition volume

WARNING:
- Before modifying any system, it is always recommended to create a backup first, as there is an elevated risk of data corruption when reducing an LVM size.
- Shrinking is not supported on a GFS2 or XFS file system, so you cannot reduce or shrink an encrypted LUKS volume that contains a GFS2 or XFS file system.

To shrink an encrypted LUKS partition you can use the lvreduce command. The file system must be unmounted first, so do this when there is no need for activity on the disk.

[root@centos-8 ~]# umount /secret

Before you resize LUKS partition, it is important to run a file system check to verify data integrity:

[root@centos-8 ~]# e2fsck -f /dev/mapper/secret
e2fsck 1.44.3 (10-July-2018)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/mapper/secret: 11/195840 files (0.0% non-contiguous), 22022/784384 blocks

The LUKS partition should still be in the open state at this point. If it is not, map it to a device mapper name again using luksOpen:

[root@centos-8 ~]# cryptsetup luksOpen /dev/rhel/secret secret
Enter passphrase for /dev/rhel/secret:

Here we will shrink the logical volume behind the LUKS encrypted partition /dev/mapper/secret. Check the file system on it with blkid first:

[root@centos-8 ~]# blkid /dev/mapper/secret
/dev/mapper/secret: UUID="d6b707da-04c5-4c19-9c9d-5e1df2332488" TYPE="ext4"

Execute lvreduce with the size which the LUKS volume should have after shrinking. Here my LUKS volume was 3GB and I wish to remove 1GB from it, so the final size of my LUKS encrypted volume should be 2GB. The -r option makes lvreduce resize the file system before it reduces the logical volume, as the output shows.

[root@centos-8 ~]# lvreduce -r -L 2G /dev/rhel/secret
fsck from util-linux 2.32.1
/dev/mapper/secret: clean, 11/195840 files, 22022/784384 blocks
resize2fs 1.44.3 (10-July-2018)
Resizing the filesystem on /dev/mapper/secret to 522240 (4k) blocks.
The filesystem on /dev/mapper/secret is now 522240 (4k) blocks long.

Enter passphrase for /dev/mapper/rhel-secret:
  Size of logical volume rhel/secret changed from 3.00 GiB (768 extents) to 2.00 GiB (512 extents).
  Logical volume rhel/secret successfully resized.

Next mount the LUKS volume on its mount point:

[root@centos-8 ~]# mount /dev/mapper/secret /secret/

Verify the new size of secret volume to make sure you were able to shrink LUKS encrypted partition size

[root@centos-8 ~]# df -h /secret/
Filesystem          Size  Used Avail Use% Mounted on
/dev/mapper/secret  2.0G  6.0M  1.9G   1% /secret
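The sector and block counts printed during the extend and shrink steps above all follow from the logical volume size minus the LUKS header offset. The shell sketch below is an added example, not part of the original article; its function names are hypothetical, and the sample text is the article's own cryptsetup status output trimmed to the fields it uses.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.
# Constructed sample: the article's "cryptsetup status secret" output after
# lvextend, trimmed to the fields used here.
STATUS_AFTER='/dev/mapper/secret is active.
  type:    LUKS2
  device:  /dev/mapper/rhel-secret
  sector size:  512
  offset:  16384 sectors
  size:    6275072 sectors'

# luks_field STATUS_TEXT LABEL -> first word of the value after "LABEL:"
luks_field() {
    printf '%s\n' "$1" | awk -F': *' -v k="$2" '
        { sub(/^[ \t]+/, "", $1) }
        $1 == k { split($2, v, " "); print v[1]; exit }'
}

# payload_sectors LV_GIB OFFSET -> 512-byte sectors left after the LUKS header
payload_sectors() {
    echo $(( $1 * 1024 * 1024 * 1024 / 512 - $2 ))
}

# ext4_blocks SECTORS -> 4 KiB file system blocks that fit in SECTORS
ext4_blocks() {
    echo $(( $1 * 512 / 4096 ))
}

# mapping_matches_lv STATUS_TEXT LV_GIB -> true once the reopened mapping
# spans the whole logical volume (assumes 512-byte units, as on the page)
mapping_matches_lv() {
    off=$(luks_field "$1" offset)
    size=$(luks_field "$1" size)
    [ "$size" -eq "$(payload_sectors "$2" "$off")" ]
}

# shrink_is_safe USED_BLOCKS TARGET_LV_GIB OFFSET -> true if the blocks that
# e2fsck reports in use fit below the file system size left after lvreduce.
# A necessary check only; resize2fs still decides whether the data fits.
shrink_is_safe() {
    target=$(ext4_blocks "$(payload_sectors "$2" "$3")")
    [ "$1" -lt "$target" ]
}

# Values from the article: 3 GiB LV after extend, 22022 blocks in use, 2 GiB target
echo "expected ext4 blocks at 3 GiB: $(ext4_blocks "$(payload_sectors 3 16384)")"
mapping_matches_lv "$STATUS_AFTER" 3 && echo "mapping spans the extended LV"
shrink_is_safe 22022 2 16384 && echo "shrink to 2 GiB leaves room for the used blocks"
```

The computed values match the article's output: 784384 blocks after the extend and 522240 blocks after the shrink.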

 

Lastly, I hope the steps from this article to resize a LUKS volume, and to extend or shrink a LUKS encrypted partition in CentOS/RHEL 7/8 Linux, were helpful. Let me know your suggestions and feedback using the comment section.


Deepak Prasad


11 thoughts on “How to resize LUKS partition (shrink or extend encrypted luks partition) in Linux”

  1. Hi everybody, this guide was awesome. I think that my situation is similar to the one explained in the comments but with xfs filesystem. I have currently my lsblk like:

    vda                                           252:0    0   80G  0 disk
    ├─vda1                                        252:1    0    2M  0 part
    ├─vda2                                        252:2    0  244M  0 part  /boot
    ├─vda3                                        252:3    0 27.3G  0 part
    │ └─luks-cbb20efb-3703-4844-bb3d-2ac8a004be8f 253:0    0 27.3G  0 crypt
    │   ├─ssd-root                                253:1    0   24G  0 lvm   /
    │   └─ssd-swap                                253:2    0    2G  0 lvm   [SWAP]
    ├─vda4                                        252:4    0 27.5G  0 part
    │ └─luks-dc9b7d63-30b3-44fa-ba34-ad4a85c880aa 253:3    0 27.5G  0 crypt
    │   └─data-root                               253:4    0 52.4G  0 lvm   /data
    └─vda5                                        252:5    0   25G  0 part
      └─data-root                                 253:4    0 52.4G  0 lvm   /data

    Being the vda5 the volume used to extend vda4 where the luks exist. At this point when I do a cryptsetup luksOpen to vda4 it looks like the space was added, the point that I’m not sure how to check is to know if vda5 is encrypted as well. Somebody could give some tips for that?

    When I do the df -h command for the directory where is mounted:

     df -h /data
    Filesystem             Size  Used Avail Use% Mounted on
    /dev/mapper/data-root   53G   26G   27G  50% /data

    What exactly is what I have done here?

    Greetings and thank you all.

    Reply
    • You can use the following command to list all the encrypted devices

      blkid -t TYPE=crypto_LUKS -o device

      or just use blkid and look out for crypto_LUKS TYPE.

      Reply
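The layout in the comment above is LVM on top of LUKS, where a physical volume taken directly from a plain partition holds its extents without encryption. The check below is an added example, not part of the original comments or article; the function names are hypothetical, the sample is constructed from the lsblk tree in the comment, and it does not apply to the article's own LUKS-on-LVM layout, where plain physical volumes are expected.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Input lines are "PV VG TYPE", where TYPE is what "lsblk -dno TYPE <PV>" prints.

# Constructed sample modelled on the lsblk tree in the comment; the VG names
# "ssd" and "data" are read off the ssd-root and data-root logical volumes.
SAMPLE='/dev/mapper/luks-cbb20efb-3703-4844-bb3d-2ac8a004be8f ssd crypt
/dev/mapper/luks-dc9b7d63-30b3-44fa-ba34-ad4a85c880aa data crypt
/dev/vda5 data part'

# plain_pvs: print "VG PV" for every physical volume that is not a crypt mapping
plain_pvs() {
    awk '$3 != "crypt" { print $2, $1 }'
}

# mixed_vgs: print volume groups that combine encrypted and plain PVs, so a
# logical volume in them can span both
mixed_vgs() {
    awk '{ if ($3 == "crypt") enc[$2] = 1; else plain[$2] = 1 }
         END { for (vg in plain) if (vg in enc) print vg }' | sort
}

# collect_pvs: build the same three-column input on a live system (needs root);
# a PV that belongs to no VG gets "-" as its VG name
collect_pvs() {
    pvs --noheadings -o pv_name,vg_name | while read -r pv vg; do
        echo "$pv ${vg:--} $(lsblk -dno TYPE "$pv")"
    done
}

if [ "${1:-}" = "--live" ]; then
    collect_pvs | plain_pvs
else
    printf '%s\n' "$SAMPLE" | plain_pvs
fi
```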
  2. Thanks for the concise information. Just what I needed…I think. 🙂

    Your example uses a LVM with space available to expand.
    My situation requires that I add additional space before I can expand the LVM and then the luks container.
    The space I will expand the LVM to is not contiguous. It will be a separate partition from the existing lvm partition.
    I’m making the assumption that the process is the same except I will need to make/add the new PV to the VG and then continue with your listed steps.
    Is that assumption correct?
    This VG contains my home and swap areas and I plan to do it offline with a livedvd. I’m working with archlinux although that should have no real bearing in this situation.

    Reply
    • I hope I understood your scenario. If you have separate partition in an existing VG (which I assume you plan to use for extend) then first you must migrate the data from that physical volume to different one and then use pvmove to move that PV to this VG which is to be encrypted. Some additional steps are. You may check How to encrypt root partition and entire file system using LUKS in Linux where I free up my PV before encrypting the entire partition. It may help.

      Or please correct me if your question was different.

      Reply
      • I currently have no other pv but have extra free space on the drive to make a new one and then include it in the existing VG so it will be a completely new PV. In that case I don’t think pvmove would be needed…correct?

        Reply
          • So back to the original question then, can I, in your opinion, just follow your steps as is with the extra step of using the non-contiguous space added to the VG? I feel like I can and that it would be appropriate for my needs.

            I’ve just been looking for a “list” of the process to follow although I already pretty much had the steps set in my mind. Having that validated by someone else puts my mind more at ease about the process as a whole.

            Reply
            • Hello Mike,

              Based on your first comment “It will be a separate partition from the existing lvm partition.“. I hope you know this partition needs to be formatted and any data from this partition will be lost.
              If you have a plan to add this LVM partition to existing VG then yes all should be good.

              Reply
