Thomas' Tech Tips

Convert LUKS volume from version 2 to version 1

20 September 2022 - Thomas Damgaard

I use Linux Unified Key Setup or LUKS to encrypt storage volumes on my various devices.

This post is about how to convert a LUKS volume formatted with LUKS version 2 to LUKS version 1.

First, why would you want to do this?

Because backupninja does not understand LUKS2 yet, so every day I receive this warning:

*warning* -- /etc/backup.d/10.sys

== warnings from /etc/backup.d/10.sys ==

Info: The LUKS header of /dev/md2 was saved to /var/backups/luksheader.md2.bin.
Info: The LUKS header of /dev/sdc1 was saved to /var/backups/luksheader.sdc1.bin.
Warning: The computed size of LUKS header is not an integer, skipping /dev/sdd1
Info: The LUKS header of /dev/sdc1 was saved to /var/backups/luksheader.sdc1.bin.
Warning: The computed size of LUKS header is not an integer, skipping /dev/sdd1

The command to convert the LUKS volume to version 1 is this:

cryptsetup convert /dev/sdd1 --type luks1

This will fail, though, because LUKS2 keyslots by default use a key derivation function (PBKDF) that is not supported in LUKS1.

Thus, we need to convert each keyslot to pbkdf2 first. For each key slot, run:

cryptsetup luksConvertKey --pbkdf=pbkdf2 /dev/sdd1 

Provide the passphrase for the given keyslot.

Then we can convert to LUKS1 by running:

cryptsetup convert /dev/sdd1 --type luks1
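
To see which keyslots still need the luksConvertKey step before the final convert, the sketch below (an added example, not part of the original post) parses `cryptsetup luksDump` output and prints the commands in order without running anything. The sample dump is constructed, and the header backup step and its file name are assumptions added for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Parses `cryptsetup luksDump`
# text; it never touches a device and only prints the commands to run.

# stdin: luksDump output. stdout: keyslot numbers whose PBKDF is not pbkdf2.
slots_needing_pbkdf2() {
    awk '
        /^Keyslots:/           { in_ks = 1; next }
        /^[A-Za-z]/            { in_ks = 0 }   # Tokens:, Digests:, ... end the section
        in_ks && /^  [0-9]+: / { slot = $1; sub(/:$/, "", slot) }
        in_ks && $1 == "PBKDF:" && $2 != "pbkdf2" { print slot }
    '
}

# $1: device. stdin: luksDump output. Prints the conversion steps in order.
conversion_plan() {
    dev=$1
    # Header backup first; the file name is a placeholder chosen for this example.
    echo "cryptsetup luksHeaderBackup $dev --header-backup-file luks2-header.bak"
    for s in $(slots_needing_pbkdf2); do
        echo "cryptsetup luksConvertKey --key-slot $s --pbkdf=pbkdf2 $dev"
    done
    echo "cryptsetup convert $dev --type luks1"
}

# Constructed sample, trimmed to the fields the parser reads.
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2i
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
  2: luks2
        Key:        512 bits
        PBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

sample_dump | conversion_plan /dev/sdd1
```

On a real volume, pipe `cryptsetup luksDump /dev/sdd1` into `conversion_plan /dev/sdd1` in place of the sample. The `0: pbkdf2` entry under Digests is ignored because only the Keyslots section is scanned.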