How to move a LUKS-encrypted root logical volume to an unencrypted plain logical volume?


Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • LUKS

Issue

  • How to move a LUKS-encrypted root logical volume to an unencrypted plain logical volume?

Resolution

DISCLAIMER: The below information has been provided by Red Hat, but is outside the scope of our posted Service Level Agreements and support procedures. The information is provided as-is and any configuration settings or installed applications made from the information in this solution could make your Operating System unsupported by Red Hat Support Services. The intent of this solution is to provide you with information to accomplish your system needs. Use the information in this solution at your own risk.

** Take a complete backup before starting this activity, and test these steps on a test system first **

1. Increase/double the existing size of the disk.

2. Create a new logical volume in the root volume group, of equal or greater size, and format it with a file system:

# lvcreate -n <lvname> -L <size> <vgname>
# mkfs.xfs /dev/<vgname>/<lvname>

3. Create a directory and mount the new file system:

# mkdir /<dirname>
# mount /dev/<vgname>/<lvname> /<dirname>

4. Create another directory for a bind mount:

# mkdir /<dirname2>
# mount -o bind / /<dirname2>

5. Copy the data:

  • If the file system is XFS, you can use xfsdump and xfsrestore:

    # xfsdump -l 0 -f /backup-files/root.xfsdump /
    # xfsrestore -f /backup-files/root.xfsdump /<dirname>/
    
  • If the file system is EXT, you can use the rsync command to sync the directories:

    # rsync -avz /<dirname2>/ /<dirname>/
    

Note: If you have multiple separate encrypted logical volumes, repeat steps 2, 3, 4 and 5 with the respective LV name and bind mount name.

6. Update the /etc/fstab file:

Comment out the existing entries for the root volume group and add a new entry for the newly created root file system, as shown below:

/dev/mapper/<vgname>-<lvname>     / xfs defaults    0 0

7. Modify the grub file by following this article:

  • Make sure to remove the rd.luks.uuid parameters from the grub line.
  • Make sure to append the newly configured root logical volume name.

8. Move or remove the /etc/crypttab file.

9. Reboot the system and boot into Rescue Mode. You may see two root LVs with different names, so make sure you activate and mount the newly configured root LV.

10. Change root to /mnt/sysimage and make sure /boot is mounted:

# chroot /mnt/sysimage

11. Recreate the grub.cfg file:

  • If Legacy boot then use:

    # grub2-mkconfig -o /boot/grub2/grub.cfg
    
  • If UEFI boot then use:

    # grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
    

12. Rebuild the initramfs:

Make a backup:
# cp /boot/initramfs-<kernelVersion>.img /boot/initramfs-<kernelVersion>.img.bak

Build the initramfs:
# dracut -f /boot/initramfs-<kernelVersion>.img <kernelVersion>

IMPORTANT NOTE: Replace <kernelVersion> with the full version of the kernel you wish to rebuild.

13. Exit from rescue mode and boot the system normally.

14. If everything was done correctly, the system should boot up. Once it has booted, verify that root is activated and mounted on the new logical volume. At this point, the old root LV can be removed:

# lvremove /dev/mapper/<vgname>-<old_root_lv>
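
A check for the edits made in steps 6 to 8, to run before the reboot in step 9 or from the rescue chroot. This is an added example, not part of the Red Hat solution: it confirms that /etc/fstab, the kernel command line and /etc/crypttab no longer depend on LUKS. It assumes the kernel arguments are kept in /etc/default/grub and that fstab names the new LV by its /dev/mapper path; check_plain_root and demo are hypothetical names, and rhel-newroot is a constructed sample.

```shell
#!/bin/bash
# Added example (not Red Hat's code). Usage: script <sysroot> <new-root-device>
# Assumption: kernel arguments live in <sysroot>/etc/default/grub.
check_plain_root() {
    local sysroot="$1" newdev="$2" rc=0 roots cmdline

    # Step 6: exactly one active fstab entry for "/", and it is the new LV.
    roots=$(awk '$1 !~ /^#/ && $2 == "/" {print $1}' "$sysroot/etc/fstab")
    if [ "$roots" != "$newdev" ]; then
        echo "FAIL fstab: active root entries: ${roots:-none}"; rc=1
    fi

    # Step 7: no rd.luks.uuid left, and root= names exactly the new LV.
    cmdline=$(grep '^GRUB_CMDLINE_LINUX=' "$sysroot/etc/default/grub" || true)
    case $cmdline in
        *rd.luks.uuid=*) echo "FAIL grub: rd.luks.uuid still present"; rc=1 ;;
    esac
    case $cmdline in
        *"root=$newdev "*|*"root=$newdev\""*) ;;
        *) echo "FAIL grub: root=$newdev not found"; rc=1 ;;
    esac

    # Step 8: crypttab is gone or holds only comments and blank lines.
    if [ -f "$sysroot/etc/crypttab" ] &&
       grep -Eqv '^[[:space:]]*(#|$)' "$sysroot/etc/crypttab"; then
        echo "FAIL crypttab: active entries remain"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $sysroot is set to boot from $newdev"
    return "$rc"
}

# Constructed sample tree (not from a real system) with a passing layout.
demo() {
    local t rc=0; t=$(mktemp -d); mkdir -p "$t/etc/default"
    echo '/dev/mapper/rhel-newroot / xfs defaults 0 0' > "$t/etc/fstab"
    echo 'GRUB_CMDLINE_LINUX="root=/dev/mapper/rhel-newroot rhgb quiet"' \
        > "$t/etc/default/grub"
    check_plain_root "$t" /dev/mapper/rhel-newroot || rc=1
    rm -rf "$t"; return "$rc"
}

if [ "$#" -eq 2 ]; then check_plain_root "$1" "$2"; fi
```

Pass / as the first argument before rebooting, or /mnt/sysimage from rescue mode before the chroot; a non-zero exit status means at least one of the three files still needs attention.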

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
