I was trying to create a LUKS partition on a software RAID array and I realized that I messed up (I used the wrong array), so I tried to delete the LUKS partition, but it wasn't as straightforward as I thought it would be, so I decided to post here what I did.
The first thing to do is to find out the name of the LUKS device; this can be done with the blkid command (edited output below):
/dev/md5: UUID="d33fec62-6230-43b0-9ec5-7d5abeb1b918" TYPE="crypto_LUKS"
/dev/mapper/md5encrypted: UUID="fae9323a-d9a8-4deb-8c63-0d967c75091e" TYPE="ext4"
Note that a LUKS device will only appear in blkid if it has been given a filesystem (i.e. formatted).
My LUKS device is called md5encrypted so I can get its status like this:
cryptsetup status md5encrypted
/dev/mapper/md5encrypted is active.
type: LUKS1
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/md5
offset: 4096 sectors
size: 4188136 sectors
mode: read/write
The first thing is to remove the encryption keys, which can be done by issuing the following command:
cryptsetup luksRemoveKey /dev/md5
Enter LUKS passphrase to be deleted:
WARNING!
========
This is the last keyslot. Device will become unusable after purging this key.
Are you sure? (Type uppercase yes): YES
Finally, the actual LUKS device can be removed with this command:
cryptsetup remove /dev/mapper/md5encrypted /dev/md5
At this point, you can format (give md5 a filesystem) again and there won't be any devices left hanging about. You might need to edit your /etc/fstab and /etc/crypttab files if your LUKS device was configured to mount on boot.
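
For the closing note about /etc/fstab and /etc/crypttab, here is an added example (not part of the original post): a shell function that lists the lines still referencing the removed mapping. The device name and UUIDs are the ones shown above; the sample file contents, the mount points and the function name `stale_entries` are constructed for illustration.

```shell
#!/bin/sh
# Added example: find crypttab/fstab lines that still reference a removed
# LUKS mapping. Args: mapping name, backing device, LUKS header UUID,
# inner filesystem UUID, crypttab path, fstab path.
stale_entries() {
    name=$1 dev=$2 luks_uuid=$3 fs_uuid=$4 crypttab=$5 fstab=$6

    # crypttab: field 1 is the mapping name, field 2 the backing device,
    # written either as a path or as UUID=<LUKS header UUID>.
    awk -v n="$name" -v d="$dev" -v u="UUID=$luks_uuid" -v f="$crypttab" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        $1 == n || $2 == d || $2 == u { print f ":" NR ": " $0 }
    ' "$crypttab"

    # fstab: field 1 is the source, either the mapper path or
    # UUID=<UUID of the filesystem inside the container>.
    awk -v m="/dev/mapper/$name" -v u="UUID=$fs_uuid" -v f="$fstab" '
        /^[ \t]*(#|$)/ { next }
        $1 == m || $1 == u { print f ":" NR ": " $0 }
    ' "$fstab"
}

# Constructed sample files (not real system files), using the post's UUIDs.
demo=$(mktemp -d)
cat > "$demo/crypttab" <<'EOF'
# <name>      <device>                                   <keyfile>    <options>
md5encrypted  UUID=d33fec62-6230-43b0-9ec5-7d5abeb1b918  none         luks
swapcrypt     /dev/sda3                                  /dev/urandom swap
EOF
cat > "$demo/fstab" <<'EOF'
# <source>                                 <mountpoint> <type> <options> <dump> <pass>
UUID=fae9323a-d9a8-4deb-8c63-0d967c75091e  /srv/data    ext4   defaults  0 2
#/dev/mapper/md5encrypted                  /mnt/old     ext4   defaults  0 2
/dev/sda1                                  /            ext4   errors=remount-ro 0 1
EOF

# Prints the one live line from each file; the commented-out fstab line is ignored.
stale_entries md5encrypted /dev/md5 d33fec62-6230-43b0-9ec5-7d5abeb1b918 \
    fae9323a-d9a8-4deb-8c63-0d967c75091e "$demo/crypttab" "$demo/fstab"
```

On a real system, pass /etc/crypttab and /etc/fstab as the last two arguments, and note the two UUIDs from blkid before removing the device.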
thanks, this page was very useful for me.
Michel
Thanks, I was wondering how to remove a stale LUKS device after suspend/resume. `cryptsetup remove /dev/mapper/luks-*******` worked nicely.
Thank you for this, exactly the info I needed!
The name "md5encrypted" you refer to is given to it when you decrypt the device with "cryptsetup luksOpen /dev/md5 md5encrypted". If you want to delete it cleanly, the first thing to do would be to close it: "cryptsetup close md5encrypted", and then after that you can remove the final passphrase, or more conclusive: "cryptsetup erase /dev/md5", which erases all passphrases/files (watch out: no passphrase is required for this!).