My homelab server is a NUC running Ubuntu that I previously used as a desktop. To ensure it automatically boots up after a power failure, I wanted to disable the LUKS full disk encryption that I use on all my desktops and laptops.
For some reason most how-tos out there use this method:
- Generate a new LUKS key.
- Store the new LUKS key on the unencrypted boot partition.
- Reconfigure GRUB to use that key and decrypt the root partition automatically.
While that works, I don’t like it. You end up with the overhead of encryption without enjoying the benefits. Not to mention that a small typo in the grub.cfg can prevent GRUB from booting.
Then I ran into this solution on Ask Ubuntu. It’s simple, it’s beautiful. It’s perfect:
- Boot (Ubuntu) from a USB stick.
- Decrypt the root partition. In my case: `sudo cryptsetup-reencrypt --decrypt /dev/nvme0n1p3`
- Remove USB stick and reboot.
The first boot after decryption may show some errors and delays due to cryptsetup now failing. To fix that:
- Remove /etc/crypttab.
- Run `sudo apt remove cryptsetup`.
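Before deleting /etc/crypttab, it is worth checking that /etc/fstab does not still mount anything through a mapping defined there, for example an encrypted swap entry. The script below is an added example, not part of the original post; the function names and all sample file contents (including the swap partition /dev/nvme0n1p4 and the UUIDs) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). All sample data is constructed.

# Print every crypttab mapping name that fstab still uses as /dev/mapper/<name>.
# $1 = crypttab path, $2 = fstab path
stale_mapper_refs() {
    [ -r "$1" ] || return 0   # crypttab already gone: nothing to report
    awk '
        /^[ \t]*(#|$)/ { next }                            # skip comments and blank lines
        FILENAME == ARGV[1] { names["/dev/mapper/" $1] = $1; next }  # crypttab: field 1 is the mapping name
        ($1 in names) { print names[$1] }                  # fstab: field 1 is the device
    ' "$1" "$2"
}

# Write constructed sample files into directory $1.
write_sample() {
    cat > "$1/crypttab" <<'EOF'
# <target name> <source device> <key file> <options>
nvme0n1p3_crypt UUID=00000000-0000-0000-0000-000000000001 none luks,discard
cryptswap1 /dev/nvme0n1p4 /dev/urandom swap,cipher=aes-xts-plain64
EOF
    cat > "$1/fstab" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/vgubuntu-root / ext4 errors=remount-ro 0 1
UUID=AAAA-0001 /boot/efi vfat umask=0077 0 1
/dev/mapper/cryptswap1 none swap sw 0 0
EOF
}

# Demo on the constructed files: the LVM root volume is not a crypttab
# mapping, so only the encrypted swap entry is reported.
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
echo "fstab still depends on: $(stale_mapper_refs "$demo_dir/crypttab" "$demo_dir/fstab")"
rm -rf "$demo_dir"
```

On a real system, run `stale_mapper_refs /etc/crypttab /etc/fstab`; any name it prints needs its fstab line changed or removed before crypttab is deleted.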