Thursday, 10 May 2012

Remove LUKS partition

I was trying to create a LUKS partition on a software RAID array and I realized that I messed up (I used the wrong array), so I tried to delete the LUKS partition, but it wasn't as straightforward as I thought it would be, so I decided to post here what I did.

The first thing to do is to find out the name of the LUKS device; this can be done with the blkid command (edited output below):

```
/dev/md5: UUID="d33fec62-6230-43b0-9ec5-7d5abeb1b918" TYPE="crypto_LUKS"
/dev/mapper/md5encrypted: UUID="fae9323a-d9a8-4deb-8c63-0d967c75091e" TYPE="ext4"
```

Note that a LUKS device will only appear in blkid if it has been given a filesystem (i.e. formatted).

My LUKS device is called md5encrypted so I can get its status like this:

```
cryptsetup status md5encrypted
/dev/mapper/md5encrypted is active.
type:  LUKS1
cipher:  aes-cbc-essiv:sha256
keysize: 256 bits
device:  /dev/md5
offset:  4096 sectors
size:    4188136 sectors
mode:    read/write
```

The first thing is to remove the encryption keys, which can be done by issuing the following command:

```
cryptsetup luksRemoveKey /dev/md5
Enter LUKS passphrase to be deleted:

WARNING!
========
This is the last keyslot. Device will become unusable after purging this key.

Are you sure? (Type uppercase yes): YES
```

Finally, the actual LUKS device can be removed with this command:

```
cryptsetup remove /dev/mapper/md5encrypted /dev/md5
```

At this point, you can format (give md5 a filesystem) again and there won't be any devices left hanging about. You might need to edit your /etc/fstab and /etc/crypttab files if your LUKS device was configured to mount on boot.
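
The /etc/fstab and /etc/crypttab cleanup mentioned above can be checked with a small read-only script. This is an added example, not part of the original post: the function names and the crypttab/fstab sample entries are made up for illustration, and only the blkid lines are taken from the output shown earlier.

```sh
#!/bin/sh
# Added example: read-only check for config entries left behind after a LUKS
# container has been removed. Function names are hypothetical.

# Print "device uuid" for every LUKS container in blkid-style text on stdin.
luks_devices() {
    awk '/TYPE="crypto_LUKS"/ {
        dev = $1; sub(/:$/, "", dev); uuid = ""
        for (i = 2; i <= NF; i++)
            if ($i ~ /^UUID="/) { uuid = $i; gsub(/^UUID="|"$/, "", uuid) }
        print dev, uuid
    }'
}

# stale_crypttab NAME DEVICE UUID  (crypttab text on stdin)
# Print entries that would still try to open the removed container at boot.
stale_crypttab() {
    awk -v name="$1" -v dev="$2" -v uuid="$3" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == name || $2 == dev || $2 == ("UUID=" uuid) { print }'
}

# stale_fstab NAME FS_UUID  (fstab text on stdin)
# Print mounts that point at the removed mapping or its inner filesystem.
stale_fstab() {
    awk -v name="$1" -v fsuuid="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == ("/dev/mapper/" name) || $1 == ("UUID=" fsuuid) { print }'
}

# Constructed sample input: the blkid lines are the ones shown in the post,
# the crypttab and fstab entries are invented for this example.
SAMPLE_BLKID='/dev/md5: UUID="d33fec62-6230-43b0-9ec5-7d5abeb1b918" TYPE="crypto_LUKS"
/dev/mapper/md5encrypted: UUID="fae9323a-d9a8-4deb-8c63-0d967c75091e" TYPE="ext4"'
SAMPLE_CRYPTTAB='# <name> <device> <keyfile> <options>
md5encrypted UUID=d33fec62-6230-43b0-9ec5-7d5abeb1b918 none luks
swapcrypt /dev/sda3 /dev/urandom swap'
SAMPLE_FSTAB='/dev/mapper/md5encrypted /srv/data ext4 defaults 0 2
/dev/sda1 / ext4 errors=remount-ro 0 1'

printf '%s\n' "$SAMPLE_BLKID" | luks_devices
printf '%s\n' "$SAMPLE_CRYPTTAB" | stale_crypttab md5encrypted /dev/md5 \
    d33fec62-6230-43b0-9ec5-7d5abeb1b918
printf '%s\n' "$SAMPLE_FSTAB" | stale_fstab md5encrypted \
    fae9323a-d9a8-4deb-8c63-0d967c75091e
```

On a real system, pipe the output of `blkid` and the contents of /etc/crypttab and /etc/fstab into the functions instead of the sample strings; any line they print is an entry to edit before the next reboot.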

4 comments:

  1. thanks, this page was very useful for me.

    Michel

  2. Thanks, I was wondering how to remove a stale LUKS device after suspend/resume. `cryptsetup remove /dev/mapper/luks-*******` worked nicely.

  3. Thank you for this, exactly the info I needed!

  4. The name "md5encrypted" you refer to is given to it when you decrypt the device with "cryptsetup luksOpen /dev/md5 md5encrypted". If you want to delete it cleanly, the first thing to do would be to close it: "cryptsetup close md5encrypted", and then after that you can remove the final passphrase, or more conclusive: "cryptsetup erase /dev/md5", which erases all passphrases/files (watch out: no passphrase is required for this!).
