How to remove LUKS encryption?
- Backup
- Reformat
- Restore
cryptsetup luksRemoveKey
would only remove an encryption key if you had more than one. The encryption would still be there.
The Fedora Installation_Guide Section C.5.3 explains how luksRemoveKey
works.
That it's "impossible" to remove the encryption while keeping the contents is just an educated guess. I base that on two things:
- Because the LUKS container has a filesystem or LVM or whatever on top of it, just removing the encryption layer would require knowledge of the meaning of the data stored on top of it, which simply is not available. Also, a requirement would be that overwriting a part of the LUKS volume with its decrypted counterpart, would not break the rest of the LUKS content, and I'm not sure if that can be done.
- Implementing it would solve a problem that is about as far away from the purpose of LUKS as you can get, and I find it very unlikely that someone would take the time to do that instead of something more "meaningful".
Firstly, when removing a passphrase from a LUKS partition, you need to specify the disk partition where it resides, like:
cryptsetup luksRemoveKey /dev/sda2
And when you want the status from a LUKS-encrypted device, you need to refer to the LUKS-name, as you did.
But luksRemoveKey only removes one of the passphrases (and never the last one). If you want to permanently decrypt, you have to use cryptsetup-reencrypt:
cryptsetup-reencrypt --decrypt /dev/sda2
Removing key-slots is like forgetting a password, it has nothing to do with moving the replacing the LUKS device by the filesytem inside of it.
You CAN non-destructively remove the LUKS encryption from a device, without having to backup, reformat and restore.. cryptsetup
has supported this since version 1.5.0, released in 2012.
After succesful decryption of a LUKS device, the filesystem inside becomes available to the OS, and you can mount it directly.
Warning: This is dangerous, backup all your data first.
For LUKS1:
- Boot from a USB key
- Use `cryptsetup-reencrypt --decrypt <device_path>
For LUKS2:
- Boot from a USB key
- Convert all key-slots to use LUKS1 compatible parameters with
cryptsetup luksChangeKey --pbkdf pbkdf2 <device_path>
- Convert the LUKS2 device to a LUKS1 device using
cryptsetup convert --type luks1 <device_path>
- Perform the decryption using `cryptsetup-reencrypt --decrypt <device_path>
I've tested both of these and they work.
Current versions of cryptsetup claim to support direct decryption of LUKS2
devices. This command is cryptsetup --reencrypt --decrypt --header HEADER_FILE <device_path>
. the --header
argument is required, because
the commands assumes your device uses a detached header. If you do, it works,
and can even do the decryption online. If you don't use a detached header (quite common), and you try to either provide
a dump of the header, or passing the block device itself as the --header
value, cryptsetup
will quietly proceed and when it finishes, you'll end up with a LUKS2 device which has no key-slots and your data will be gone.
This is as of version 2.3.3 (2020), it may change in future versions.
My recommendation is to use the safer LUKS2->LUKS1->Decrypt path, which I can confirm does the job.