
Move LUKS Encrypted Partition to New Device


For Christmas, I received a new 4TB hard drive, which I used to replace my current 1TB drive in my desktop computer. My setup is that I have an SSD for my main Linux install, and then the 1TB HDD is mounted and unlocked during boot to serve as an extended home directory. I store larger Steam games on it, as well as media such as music and photos. I performed all of these steps in a live environment from a Ventoy USB of Ubuntu.

For the below steps, I will assume that your source (smaller) hard drive is located at /dev/sdX and your destination (newer) hard drive is located at /dev/sdY. Obviously replace them with your actual device locations.

BadBlocks

When you get a new hard drive, I highly recommend running badblocks on it to verify that nothing is weird with it. The -w option runs a destructive write test that overwrites everything on the drive, so only run it on the new, empty drive. This will take a long time, but it is worth it for the peace of mind. For my 4TB drive, it took about 3 days over SATA. Over USB, it most likely will take longer than that.

$ sudo badblocks -wsv /dev/sdY

I did this on a different computer, as I wanted to keep using mine for those 3 days. Once this has completed successfully, you can move the hard drive to your destination computer and load up a live environment.

Make a New Encrypted Partition

Once you’re in the live environment, use something like GParted to create a new unformatted partition on the new hard drive. Then, use this command to create a new LUKS volume in it:

$ sudo cryptsetup luksFormat /dev/sdY1

Then open (unlock) it, which makes it available under /dev/mapper:

$ sudo cryptsetup luksOpen /dev/sdY1 sdY1_crypt

Again, remember to replace sdY1 with the partition you created on the new hard drive.

Move the Data

Once you’ve made a new LUKS volume, we can copy the old data into it. Start by opening the LUKS volume of the old hard drive:

$ sudo cryptsetup luksOpen /dev/sdX1 sdX1_crypt

Then, copy the data:

$ sudo dd if=/dev/mapper/sdX1_crypt of=/dev/mapper/sdY1_crypt bs=64k

Finally, expand the file system on the new hard drive to take up all the extra space (resize2fs works on ext2/3/4 file systems):

$ sudo resize2fs /dev/mapper/sdY1_crypt

Auto Unlock

If you had it set up so that unlocking your primary drive would automatically unlock your other drives, you probably had a LUKS key file that would unlock it. You can simply add that key to your new LUKS volume as well:

$ sudo cryptsetup -v luksAddKey /dev/sdY1 /wherever/your/key/file/is/located

You might first have to mount the device that has your key on it (the boot device, for example) with sudo mount /dev/boot_device /mnt.

Also, don’t forget to update your /etc/crypttab to point at the new hard drive UUID, which can be found with blkid.
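
The crypttab update described above can be scripted so that only the source-device field of the matching entry changes and a backup is kept. This is an added example, not part of the original post; the function names, the sample crypttab, its UUIDs and the key file path are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. crypttab fields:
#   <name> <source device> <key file> <options>

# retarget_crypttab FILE OLD_UUID NEW_UUID
# Prints FILE with the entry whose source device is UUID=OLD_UUID pointed at
# UUID=NEW_UUID. Name, key file and options are kept. Returns 1 if no entry matched.
retarget_crypttab() {
    awk -v old="UUID=$2" -v new="UUID=$3" '
        /^[ \t]*(#|$)/ { print; next }   # leave comments and blank lines alone
        $2 == old { $2 = new; hit = 1 }  # edited line is re-joined with single spaces
        { print }
        END { exit !hit }
    ' "$1"
}

# apply_crypttab FILE OLD_UUID NEW_UUID
# Rewrites FILE in place, keeping the previous version as FILE.bak.
apply_crypttab() {
    tmp=$(mktemp) || return 1
    if retarget_crypttab "$1" "$2" "$3" > "$tmp"; then
        cp -p "$1" "$1.bak" && cat "$tmp" > "$1"
        rc=$?
    else
        echo "no entry uses UUID=$2 in $1; nothing changed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Demo on a constructed crypttab (UUIDs and key path are made up).
# On the real system the new value comes from: blkid -s UUID -o value /dev/sdY1
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <name>    <source device>                            <key file>      <options>
root_crypt  UUID=11111111-1111-1111-1111-111111111111  none            luks
home_crypt  UUID=aaaaaaaa-0000-0000-0000-000000000001  /root/home.key  luks
EOF
apply_crypttab "$sample" aaaaaaaa-0000-0000-0000-000000000001 \
                         bbbbbbbb-0000-0000-0000-000000000002
cat "$sample"
rm -f "$sample" "$sample.bak"
```

From the live environment, the file to edit is the crypttab on the mounted root file system of the installed system, not the live session's own /etc/crypttab.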

Complete

At this point, you should have a new hard drive with your old hard drive contents on it, encrypted, with the original key to unlock it, and expanded to take up the whole hard drive. Now all that’s left to do is shut down the live environment, disconnect the old hard drive, and boot up your computer. If all goes well, everything should be the same as before, but with more storage!