
How to resize a luks partition if unlocked with clevis #434

Open
schmidp opened this issue Jul 7, 2023 · 1 comment

Comments

@schmidp

schmidp commented Jul 7, 2023

Hi,

I have a scenario where we create VM instances from snapshots that contain an encrypted partition. The VM is then unlocked during boot via clevis and a tang server.

Now during the first boot, I would like to resize the encrypted partition to get all available space as VMs might have bigger disks than the original snapshot.

Since the encrypted partition is also the root partition, we are not able to unmount it. As far as I understand, an already unlocked partition should be able to be live resized by running:

cryptsetup resize --verbose --debug  --token-only /dev/mapper/cryptroot

which gives me the following results:

# cryptsetup 2.4.3 processing "cryptsetup resize --verbose --debug --token-only /dev/mapper/cryptroot"
# Running command resize.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating crypt device context by device /dev/mapper/cryptroot.
# Initialising device-mapper backend library.
# dm version   [ opencount flush ]   [16384] (*1)
# dm versions   [ opencount flush ]   [16384] (*1)
# Detected dm-ioctl version 4.45.0.
# Detected dm-crypt version 1.23.0.
# Device-mapper backend running with UDEV support enabled.
# dm status cryptroot  [ opencount noflush ]   [16384] (*1)
# Releasing device-mapper backend.
# Trying to open and read device /dev/sda4 with direct-io.
# Allocating context for crypt device /dev/sda4.
# Trying to open and read device /dev/sda4 with direct-io.
# Initialising device-mapper backend library.
# dm versions   [ opencount flush ]   [16384] (*1)
# dm table cryptroot  [ opencount flush securedata ]   [16384] (*1)
# Trying to open and read device /dev/sda4 with direct-io.
# dm versions   [ opencount flush ]   [16384] (*1)
# dm deps cryptroot  [ opencount flush ]   [16384] (*1)
# Crypto backend (OpenSSL 3.0.2 15 Mar 2022 [default][legacy]) initialized in cryptsetup library version 2.4.3.
# Detected kernel Linux 5.15.0-75-generic x86_64.
# Reloading LUKS2 header (repair disabled).
# Acquiring read lock for device /dev/sda4.
# Opening lock resource file /run/cryptsetup/L_8:4
# Verifying lock handle for /dev/sda4.
# Device /dev/sda4 READ lock taken.
# Trying to read primary LUKS2 header at offset 0x0.
# Opening locked device /dev/sda4
# Verifying locked device handle (bdev)
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:xxx (on-disk)
# Checksum:xxx (in-memory)
# Trying to read secondary LUKS2 header at offset 0x4000.
# Reusing open ro fd on device /dev/sda4
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:yyy (on-disk)
# Checksum:yyy (in-memory)
# Device size 39617281536, offset 16777216.
# Device /dev/sda4 READ lock released.
# Only 2 active CPUs detected, PBKDF threads decreased from 4 to 2.
# Not enough physical memory detected, PBKDF max memory decreased from 1048576kB to 980844kB.
# PBKDF argon2id, time_ms 2000 (iterations 0), max_memory_kb 980844, parallel_threads 2.
# dm versions   [ opencount flush ]   [16384] (*1)
# dm table cryptroot  [ opencount flush securedata ]   [16384] (*1)
# Trying to open and read device /dev/sda4 with direct-io.
# Checking volume passphrase using token (any type) -1.
# Token 0 unusable for segment 0 with desired keyslot priority 2.
# Trying to load /lib/x86_64-linux-gnu/cryptsetup/libcryptsetup-token-clevis.so.
# /lib/x86_64-linux-gnu/cryptsetup/libcryptsetup-token-clevis.so: cannot open shared object file: No such file or directory
No usable token is available.
# Releasing crypt device /dev/sda4 context.
# Releasing device-mapper backend.
# Closing read only fd for /dev/sda4.
# Unlocking memory.
Command failed with code -1 (wrong or missing parameters).

Is this somehow supported by clevis?
Or is the only alternative to store a passphrase to a LUKS slot within the image?

@Aegeontis

Solution:

  1. Retrieve the luks password with clevis luks pass -d /dev/sdxx -s 1 (if you get an error about the slot, run cryptsetup luksDump /dev/sdxx and check which slot is used by clevis)
  2. cryptsetup resize /dev/mapper/yourdevice might work (for some reason it didn't work for me; command returned 0 but the partition size didn't change)
  3. Resize the partition using gparted. When prompted for the luks password, enter the one from step 1.
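An added example, not code from either comment or from the clevis project: a shell script that performs steps 1 and 2 above without gparted and without the libcryptsetup-token-clevis.so plugin that is missing in the debug log of the original question. It parses cryptsetup luksDump to find the keyslot the clevis token is bound to, then pipes the passphrase from clevis luks pass into cryptsetup resize --key-file - so nothing is typed interactively during first boot. Growing the partition with growpart (cloud-utils) and an ext4 filesystem inside the mapping are assumptions, as is the constructed luksDump sample used for the offline demonstration.

```shell
#!/bin/sh
# Added example, not code from the issue thread or from the clevis project.
# Online growth of a clevis-bound LUKS2 volume: find the keyslot the clevis
# token is bound to, then feed the passphrase recovered by `clevis luks pass`
# to `cryptsetup resize --key-file -`, which needs no cryptsetup token plugin.

# Print the keyslot number(s) bound to clevis tokens; reads `cryptsetup
# luksDump` output on stdin and prints nothing if no clevis token exists.
clevis_keyslots() {
    awk '
        /^Tokens:/        { in_tokens = 1; next }   # enter the Tokens section
        /^[A-Za-z][^:]*:/ { in_tokens = 0 }         # any other top-level section ends it
        in_tokens && /^ +[0-9]+: clevis$/ { is_clevis = 1; next }
        in_tokens && /^ +[0-9]+: /        { is_clevis = 0; next }
        in_tokens && is_clevis && /^[ \t]+Keyslot:/ { print $2 }
    '
}

# Grow partition, LUKS container and filesystem, in that order (run as root).
#   $1 = backing partition (e.g. /dev/sda4)   $2 = dm-crypt name (e.g. cryptroot)
# Assumptions not stated in the thread: growpart (cloud-utils) is installed
# and the filesystem inside the mapping is ext4.
resize_via_clevis() {
    dev="$1"; name="$2"
    slot="$(cryptsetup luksDump "$dev" | clevis_keyslots | head -n 1)"
    [ -n "$slot" ] || { echo "no clevis token on $dev" >&2; return 1; }

    # 1. extend the partition entry; parent disk and partition number come from sysfs
    disk="/dev/$(lsblk -no PKNAME "$dev")"
    part="$(cat "/sys/class/block/$(basename "$dev")/partition")"
    growpart "$disk" "$part" || [ $? -eq 1 ] || return 1   # exit 1 = NOCHANGE, fine

    # 2. extend the dm-crypt mapping to the new partition size; the passphrase
    #    only travels through the pipe (stdin), never the command line or a file.
    #    The trailing newline is stripped because clevis stored the raw passphrase.
    clevis luks pass -d "$dev" -s "$slot" | tr -d '\n' \
        | cryptsetup resize --key-file - "$name" || return 1

    # 3. grow the filesystem inside the mapping
    resize2fs "/dev/mapper/$name"
}

# Constructed sample of `cryptsetup luksDump` output (not taken from the issue;
# real output indents entries with tabs): one clevis token bound to keyslot 1
# and one unrelated token so that the filter is exercised.
SAMPLE_LUKSDUMP='LUKS header information
Version:        2
Epoch:          4
Metadata area:  16384 [bytes]

Data segments:
  0: crypt
    offset: 16777216 [bytes]
    length: (whole device)

Keyslots:
  0: luks2
    Key:        512 bits
    Priority:   normal
  1: luks2
    Key:        512 bits
    Priority:   normal

Tokens:
  0: clevis
    Keyslot:    1
  1: systemd-recovery
    Keyslot:    0

Digests:
  0: pbkdf2
    Hash:       sha256'

if [ "${1:-}" = "--apply" ]; then
    resize_via_clevis "$2" "$3"          # e.g. ./resize.sh --apply /dev/sda4 cryptroot
else
    printf '%s\n' "$SAMPLE_LUKSDUMP" | clevis_keyslots    # prints: 1
fi
```

Without --apply the script only runs the luksDump parser over the constructed sample, so it can be tried anywhere; with --apply it needs root and an already-unlocked mapping, and a tang server reachable at that moment, since clevis luks pass has to recover the passphrase before cryptsetup is invoked. Reading the passphrase via --key-file - keeps it out of the process list and out of the image, which is the alternative the original question asked about.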
