I use Linux Unified Key Setup, or LUKS, to encrypt storage volumes on my various Linux devices.
This post is about how to convert a LUKS volume formatted with LUKS version 2 to LUKS version 1.
First, why would you want to do this?
Because backupninja does not understand LUKS2 yet, so every day I receive this warning:
*warning* -- /etc/backup.d/10.sys
== warnings from /etc/backup.d/10.sys ==
Info: The LUKS header of /dev/md2 was saved to /var/backups/luksheader.md2.bin.
Info: The LUKS header of /dev/sdc1 was saved to /var/backups/luksheader.sdc1.bin.
Warning: The computed size of LUKS header is not an integer, skipping /dev/sdd1
Info: The LUKS header of /dev/sdc1 was saved to /var/backups/luksheader.sdc1.bin.
Warning: The computed size of LUKS header is not an integer, skipping /dev/sdd1
The command to convert the LUKS volume to version 1 is this:
cryptsetup convert /dev/sdd1 --type luks1
This will fail, though, because LUKS2 by default uses key slot types that are not supported in LUKS1.
Thus, we need to convert each key slot to pbkdf2 first. For each key slot, run:
cryptsetup luksConvertKey --pbkdf=pbkdf2 /dev/sdd1
Provide the passphrase for the given keyslot.
Then we can convert to LUKS1 by running:
cryptsetup convert /dev/sdd1 --type luks1
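
The whole procedure as one script, as an added example that is not part of the original post: it parses `cryptsetup luksDump` output to find the key slots that are not yet pbkdf2, converts only those, and goes one step beyond the post by saving a header backup first. The function names, the sample dump and the paths in the usage line are constructed for illustration; cryptsetup 2.x is assumed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes cryptsetup 2.x.

# Constructed, abbreviated `cryptsetup luksDump` output for a LUKS2 volume.
sample_dump() {
cat <<'EOF'
LUKS header information
Version:        2

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2i
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
  2: luks2
        Key:        512 bits
        PBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

# Read luksDump output on stdin and print the number of each key slot whose
# PBKDF is not pbkdf2. Only the "Keyslots:" section is parsed, because the
# "Digests:" section also contains lines such as "0: pbkdf2".
slots_needing_conversion() {
  awk '
    /^[A-Za-z]/      { in_slots = ($1 == "Keyslots:"); next }
    !in_slots        { next }
    $1 ~ /^[0-9]+:$/ { slot = $1; sub(/:/, "", slot); next }
    $1 == "PBKDF:" && $2 != "pbkdf2" { print slot }
  '
}

# Back up the header, convert only the slots that need it, then convert the
# volume. Run with the volume closed; each luksConvertKey call prompts for
# that slot's passphrase. $1 = device, $2 = header backup file (must not exist).
convert_to_luks1() {
  cryptsetup luksHeaderBackup "$1" --header-backup-file "$2" || return 1
  for slot in $(cryptsetup luksDump "$1" | slots_needing_conversion); do
    cryptsetup luksConvertKey --key-slot "$slot" --pbkdf pbkdf2 "$1" || return 1
  done
  cryptsetup convert "$1" --type luks1
}

# Usage: sh luks2to1.sh /dev/sdX1 /root/header.bin   (names are placeholders)
if [ "$#" -eq 2 ]; then convert_to_luks1 "$1" "$2"; fi
```

The header backup can be used to unlock the volume with its passphrase, so store it as carefully as the volume itself.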