Ishan's blog
Removing Drive Encryption from a LUKS on LVM setup.
Posted on

I use full disk encryption on my computer. This requires me to enter a separate password to unlock drives when the machine boots up.

In future, I'll be accessing the machine remotely and I won't have any one to interact with the machine in person. I looked up if there was a way to integrate a network stack and a SSH Server when it asks for password but there isn't. That would've allowed me to unlock drives remotely over SSH.

I could attach a PiKVM to it but that is too much work and the more expensive option.

For these reasons, I decided to remove drive encryption. To remove drive encryption from a LUKS on LVM setup, You need to do this.

  1. Boot up the machine from a USB drive. Make sure you have cryptsetup in the OS on the USB Drive.

  2. Convert all key slots to use LUKS1 compatible parameter by running,

cryptsetup luksChangeKey  --pbkdf pbkdf2 <path-to-device>
  1. Convert LUKS2 to LUKS1 by running,
cryptsetup convert --type luks1 <path-to-device>
  1. Remove Encryption by running
cryptsetup reencrypt --decrypt <path-to-device>

This step takes a while depending on drive size and read/write speeds. After it is done, You can reboot the device and it'll boot up without asking for a password to decrypt the drive.

On bootup, It keeps getting stuck for 90s at "A start job is running for /dev/disk-by-uuid/....

To fix this, Remove luks.timeout and luks.uuid fields from your boot manager config. In my case, It's at /boot/refind_linux.conf