@noslin005
Created February 18, 2026 03:06
Remove LUKS Encryption from an Encrypted Rocky Linux 9

DISCLAIMER: USE AT YOUR OWN RISK

This procedure converts a LUKS2 container to LUKS1 and then decrypts it in place using cryptsetup reencrypt --decrypt.

Warning

  • This is a destructive block-level transformation.
  • Ensure a verified backup exists.
  • Power loss during reencrypt --decrypt may corrupt the device.
  • Ensure the system is on stable power (UPS recommended).

Steps:

Rescue Environment

  1. Boot the machine into a rescue environment: using a bootable Rocky DVD installer, edit the GRUB entry, add inst.rescue, then press CTRL+X.

  2. Once in the rescue environment, press CTRL+B, then 2 to switch to tmux window 2.

  3. Once on window 2, run the operations below:

Downgrade to LUKS1

  1. Inspect the LUKS partition by running:

    lsblk -f
    cryptsetup luksDump <path-to-device>
  2. Convert all key slots to LUKS1-compatible parameters by running the command below (if using a short password, add --force-password):

    cryptsetup luksChangeKey --pbkdf pbkdf2 <path-to-device>

  3. Convert LUKS2 to LUKS1 by running:

    cryptsetup convert --type luks1 <path-to-device>

  4. Remove encryption by running:

    cryptsetup reencrypt --decrypt <path-to-device>

    This step takes a while depending on drive size and read/write speeds.

  5. Run the command below to probe for partition changes:

    partprobe -s
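
A preflight check for steps 2 and 3 above, as an added example that is not part of the original gist: it parses `cryptsetup luksDump` output and lists every key slot that step 2 still has to move to pbkdf2 before step 3 is attempted. The function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the gist). Reads `cryptsetup luksDump` text on stdin.

# Print the id of every key slot whose PBKDF is not pbkdf2, one per line.
non_pbkdf2_slots() {
    awk '
        /^[A-Za-z]/ { in_slots = ($1 == "Keyslots:"); next }  # section header
        in_slots && /^[ \t]+[0-9]+: / { slot = $1; sub(/:/, "", slot); next }
        in_slots && $1 == "PBKDF:" && $2 != "pbkdf2" { print slot }
    '
}

# Exit 0: every slot is pbkdf2. 1: slots still to convert. 2: not LUKS2.
luks1_preflight() {
    dump=$(cat)
    version=$(printf '%s\n' "$dump" | awk '$1 == "Version:" { print $2; exit }')
    if [ "$version" != "2" ]; then
        echo "not a LUKS2 header (Version: ${version:-unknown})"; return 2
    fi
    bad=$(printf '%s\n' "$dump" | non_pbkdf2_slots | paste -sd, -)
    if [ -n "$bad" ]; then
        echo "key slots not yet pbkdf2: $bad"; return 1
    fi
    echo "all key slots use pbkdf2"
}

# Constructed sample, trimmed to the fields the parser reads.
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
Keyslots area:  16744448 [bytes]

Keyslots:
  0: luks2
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
  1: luks2
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
  2: luks2
        Cipher:     aes-xts-plain64
        PBKDF:      argon2i
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

sample_dump | luks1_preflight || true   # prints: key slots not yet pbkdf2: 0,2
```

On a real device, feed it the live header instead of the sample: `cryptsetup luksDump <path-to-device> | luks1_preflight`.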

Post Operations

  1. Press CTRL+B, then 1 to switch back to window 1.

  2. Choose option 1, which will auto-mount the partitions and set up a chroot environment.

  3. If all goes well, you'll be instructed to press Enter and run the command:

    chroot /mnt/sysroot

  4. Truncate the /etc/crypttab file:

    cat /dev/null > /etc/crypttab

  5. Edit the file /etc/default/grub and:

    • Remove the luks.timeout, luks.uuid=..., rd.luks.uuid=... and rd.luks.name=... fields from your boot manager config.
    • Make sure all the LVM volumes are present in the form of rd.lvm.lv=VolGroup/lv_Name
    • Example:
    GRUB_CMDLINE_LINUX="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none resume=/dev/mapper/VolGroup-swap rd.lvm.lv=VolGroup/root rd.lvm.lv=VolGroup/swap rd.lvm.lv=VolGroup/home rd.lvm.lv=VolGroup/var rd.lvm.lv=VolGroup/varlog rd.lvm.lv=VolGroup/vartmp rd.lvm.lv=VolGroup/varlog rd.lvm.lv=VolGroup/tmp rd.lvm.lv=VolGroup/varlogaudit rd.shell=0 pti=on"
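  6. Rebuild the initramfs for each installed kernel:

    # one dracut run per kernel directory; a bare $(ls ...) breaks when several kernels are installed
    for k in /usr/lib/modules/*; do dracut -fv --kver "${k##*/}"; done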

  7. Regenerate the GRUB configuration:

    grub2-mkconfig -o /boot/grub2/grub.cfg

  8. Exit the chroot and the rescue environment. The system will reboot with encryption removed.
