niels / Software / #linux,#ubuntu

Removing LUKS full-disk encryption

Heads up! This post is more than a year old.

My homelab server is a NUC running Ubuntu that I previously used as a desktop. To ensure it automatically boots up after a power-failure I wanted to disable the LUKS full disk encryption that I use on all my desktops and laptops.

GRUB method

For some reason most how-to’s out there use this method:

  1. Generate a new LUKS key.
  2. Store the new LUKS key on the unencrypted boot partition.
  3. Reconfigure GRUB to use that key and decrypt the root partition automatically.

While that works, I don’t like it. You end up with the overhead of encryption without enjoying the benefits. Not to mention that a small typo in the grub.cfg can prevent GRUB from booting.

Decrypt method

Then I ran into this solution on Ask Ubuntu. It’s simple, it’s beautiful. It’s perfect:

  1. Boot (Ubuntu) from a USB stick.
  2. Decrypt the root partition. In my case: sudo cryptsetup-reencrypt --decrypt /dev/nvme0n1p3.
  3. Remove USB stick and reboot.

The first boot after decryption may show some errors and delays due to cryptsetup now failing. To fix that:

  1. Removed /etc/crypttab.
  2. Run sudo apt remove cryptsetup.