I have existing systems with un-encrypted disks. I have tried unsuccessfully to encrypt them using LUKS. Has anyone out there been able to encrypt an existing system (after the fact, so to speak)?
TIA
On 12/12/2017 08:40 AM, Wells, Roger K. wrote:
I have existing systems with un-encrypted disks. I have tried unsuccessfully to encrypt them using LUKS. Has anyone out there been able to encrypt an existing system (after the fact, so to speak)?
TIA
You cannot encrypt an existing file system. You must wipe it out, encrypt the partition, then create your filesystem in the LUKS device.
On 12/12/2017 08:40 AM, Wells, Roger K. wrote:
I have existing systems with un-encrypted disks. I have tried unsuccessfully to encrypt them using LUKS. Has anyone out there been able to encrypt an existing system (after the fact, so to speak)?
You can do that with cryptsetup-reencrypt, but it needs to be able to make space for the ~2MB LUKS header ahead of the filesystem in the partition. That's a fairly risky operation -- shrinking the filesystem slightly and shifting it over. An alternative is LUKS with a detached header, but maintaining that relationship is an administrative headache with a severe penalty for error.
Allegedly, on or about 12 December 2017, Robert Nichols sent:
You can do that with cryptsetup-reencrypt, but it needs to be able to make space for the ~2MB LUKS header ahead of the filesystem in the partition. That's a fairly risky operation -- shrinking the filesystem slightly and shifting it over. An alternative is LUKS with a detached header, but maintaining that relationship is an administrative headache with a severe penalty for error.
If they had the spare drive space, I'd suggest shrinking the existing partition in half. Make a new encrypted one in that new space. Copy the files over. Erase the previous partition, and either keep it for the next lot of jiggery-pokery, or expand your new one into the space.
On Tue, 12 Dec 2017 09:40:14 -0500 "Wells, Roger K." wellsr@leidos.com wrote:
I have existing systems with un-encrypted disks. I have tried unsuccessfully to encrypt them using LUKS. Has anyone out there been able to encrypt an existing system (after the fact, so to speak)?
I have found some ideas of how to do it, but IIRC they all include making a backup beforehand - which means - for the sake of keeping things as simple as possible - if it's important anyway to make a backup, I find it better to make that backup first, and then start the disk encryption all over again ...
For example, I at least rather certainly wouldn't try the solution described here: http://asalor.blogspot.de/2012/08/re-encryption-of-luks-device-cryptsetup.ht... and instead stick with the LUKS FAQ:
-----------
* 2.5 Can I encrypt an already existing, non-empty partition to use LUKS?

There is no converter, and it is not really needed. The way to do this is to make a backup of the device in question, securely wipe the device (as LUKS device initialization does not clear away old data), do a luksFormat, optionally overwrite the encrypted device, create a new filesystem and restore your backup on the now encrypted device. Also refer to sections "Security Aspects" and "Backup and Data Recovery".

For backup, plain GNU tar works well and backs up anything likely to be in a filesystem.
-----------
Sorry.
Regards, Wolfgang
On 12/12/2017 04:17 PM, Michael Cronenworth wrote:
On 12/12/2017 08:40 AM, Wells, Roger K. wrote:
I have existing systems with un-encrypted disks. I have tried unsuccessfully to encrypt them using LUKS. Has anyone out there been able to encrypt an existing system (after the fact, so to speak)?
TIA
You cannot encrypt an existing file system. You must wipe it out, encrypt the partition, then create your filesystem in the LUKS device.
This is the kind of thing LVM makes easy. Extend your VG to an additional disk (USB), move your LV there, remove your PV, turn it into an encrypted one, re-add the PV, move the LV into the new PV, reduce the VG to let the USB disk go away. Everything is possible even on the / filesystem while the system runs normally.
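The LVM round-trip described above, written out as an added example script (not code from the thread). Names are assumed for illustration: VG vg0, original PV /dev/sda2, temporary USB disk /dev/sdb, mapper name cryptpv; it must run as root, and DRY_RUN=1 prints each command instead of executing it.

```shell
#!/bin/sh
# Added example: move a VG's extents to a temporary disk, encrypt the
# original PV with LUKS, and move the extents back, all while mounted.
# Device and VG names below are assumptions, not values from the thread.
set -eu

run() {
    # Execute the command, or just print it when DRY_RUN=1.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Usage: migrate_pv_to_luks VG OLD_PV TEMP_DISK MAPPER_NAME
migrate_pv_to_luks() {
    vg=$1; oldpv=$2; tmpdisk=$3; name=$4

    # 1. Bring the temporary (USB) disk into the VG.
    run pvcreate "$tmpdisk"
    run vgextend "$vg" "$tmpdisk"

    # 2. Move every extent off the old PV onto the temporary disk.
    #    Filesystems on the LVs stay mounted during pvmove.
    run pvmove "$oldpv" "$tmpdisk"

    # 3. Detach the now-empty PV. vgreduce refuses if extents remain,
    #    which is the safety check before the destructive luksFormat.
    run vgreduce "$vg" "$oldpv"
    run pvremove "$oldpv"

    # 4. Encrypt the freed partition (prompts for a passphrase) and open it.
    run cryptsetup luksFormat "$oldpv"
    run cryptsetup open "$oldpv" "$name"

    # 5. Re-add the mapped device as a PV and move the extents back.
    run pvcreate "/dev/mapper/$name"
    run vgextend "$vg" "/dev/mapper/$name"
    run pvmove "$tmpdisk" "/dev/mapper/$name"

    # 6. Let the USB disk go away.
    run vgreduce "$vg" "$tmpdisk"
    run pvremove "$tmpdisk"
}

# Example call (dry run): DRY_RUN=1 migrate_pv_to_luks vg0 /dev/sda2 /dev/sdb cryptpv
```

If the VG holds /, add the new LUKS device to /etc/crypttab and rebuild the initramfs before rebooting, otherwise the root volume will not be found at boot.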
On 12/15/2017 10:13 AM, Roberto Ragusa wrote:
This is the kind of thing LVM makes easy. Extend your VG to an additional disk (USB), move your LV there, remove your PV, turn it into an encrypted one, re-add the PV, move the LV into the new PV, reduce the VG to let the USB disk go away. Everything is possible even on the / filesystem while the system runs normally.
All of what you describe is possible without LVM, too.
On 12/18/2017 06:14 AM, Michael Cronenworth wrote:
Everything is possible even on the / filesystem while the system runs normally.
All of what you describe is possible without LVM, too.
Including moving the filesystem while the system using it is live? I'm not aware of a non-LVM way to do that.
On Mon, Dec 18, 2017 at 3:28 PM, Gordon Messmer gordon.messmer@gmail.com wrote:
On 12/18/2017 06:14 AM, Michael Cronenworth wrote:
Everything is possible even on the / filesystem while the system runs normally.
All of what you describe is possible without LVM, too.
Including moving the filesystem while the system using it is live? I'm not aware of a non-LVM way to do that.
Btrfs does, but in the context of the current thread it's out of scope because it also assumes the file system you want to encrypt is already Btrfs. If so, it's pretty simple:
# create the LUKS container on the new device and open it
cryptsetup luksFormat /dev/B
cryptsetup open /dev/B newroot
# add the opened device to the mounted Btrfs filesystem, then drop the old one
btrfs dev add /dev/mapper/newroot /
btrfs dev rem /dev/A /
On Mon, Dec 18, 2017 at 14:28:11 -0800, Gordon Messmer gordon.messmer@gmail.com wrote:
On 12/18/2017 06:14 AM, Michael Cronenworth wrote:
Everything is possible even on the / filesystem while the system runs normally.
All of what you describe is possible without LVM, too.
Including moving the filesystem while the system using it is live? I'm not aware of a non-LVM way to do that.
If you run it on top of md raid (mirroring) you can move stuff around, though I've never tried to change the size of raid arrays while moving them.