Encrypt drive using luksipc without data loss
It sometimes happens that you install a distribution and, for whatever reason, forget to encrypt the drive, and later you need to encrypt it. Disk encryption on Linux normally means LUKS, managed with the cryptsetup utility. Encrypting an existing partition that way means copying the data off it somewhere, creating a LUKS device, creating a new file system on the opened LUKS device, and copying all the data back.
This is a real pain. Fortunately, there is a utility called luksipc that converts (unencrypted) block devices into (encrypted) LUKS devices in place (hence the name: LUKS in-place conversion). The conversion is performed without copying all the data elsewhere and recreating the entire disk. Instead, the process boils down to:
- Unmount the file system
- Shrink the file system
- Perform the encryption with luksipc
- Add your own keys to the LUKS keyring
So let's get started. (I highly recommend that you do a backup before doing this).
To start, unmount the device:
sudo umount /dev/sda2
First, reduce the size of the file system. In the case of ext4, this is done as follows (I will do everything on the /dev/sda2 partition). Check the file system and look at how many blocks it has:
e2fsck -f /dev/sda2
e2fsck 1.45.3 (14-Jul-2019)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/sda2: 1124247/39067648 files (0.4% non-contiguous), 18242939/156262752 blocks
dumpe2fs /dev/sda2 | grep 'Block count'
dumpe2fs 1.45.3 (14-Jul-2019)
Block count: 156262752
Reduce the size so that there is free space at the end of the partition for the LUKS header. 156262752 - 1024 (blocks of 4k) = 156261728
resize2fs /dev/sda2 156261728
resize2fs 1.45.3 (14-Jul-2019)
Resizing the filesystem on /dev/sdc1 to 156261728 (4k) blocks.
The filesystem on /dev/sdc1 is now 156261728 (4k) blocks long.
It should be noted that this will not reduce the size of the partition itself.
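The sizing step above can be checked before luksipc is run. The following is an added example, not part of the original post or of luksipc; the function names are hypothetical, the dumpe2fs excerpt is constructed from the block count shown above, and the demo assumes the unshrunk file system fills the device.

```shell
#!/bin/sh
# Added example: pre-flight sizing before `luksipc -d`. Function names are hypothetical.

# Tail space to keep free; the page's choice of 1024 blocks of 4k (4 MiB).
RESERVE=$((1024 * 4096))

# Constructed excerpt of `dumpe2fs -h` output, using the page's block count.
SAMPLE_DUMPE2FS='Reserved block count:     7813137
Block count:              156262752
Block size:               4096'

# fs_field NAME: read dumpe2fs -h text on stdin, print the value of the exact field NAME.
fs_field() {
    awk -F: -v key="$1" '$1 == key { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# shrink_target DEVICE_BYTES BLOCK_SIZE RESERVE_BYTES
# Largest block count for resize2fs that still leaves RESERVE_BYTES free on the device.
shrink_target() {
    [ "$1" -gt "$3" ] || return 1
    echo $(( ($1 - $3) / $2 ))
}

# headroom_ok FS_BLOCKS BLOCK_SIZE DEVICE_BYTES RESERVE_BYTES
# Succeeds only if the file system ends at least RESERVE_BYTES before the device does.
headroom_ok() {
    [ $(( $3 - $1 * $2 )) -ge "$4" ]
}

# preflight DEVICE: the same checks against a real, unmounted ext4 partition (needs root).
preflight() {
    info=$(dumpe2fs -h "$1" 2>/dev/null) || return 2
    blocks=$(printf '%s\n' "$info" | fs_field "Block count")
    bsize=$(printf '%s\n' "$info" | fs_field "Block size")
    dev_bytes=$(blockdev --getsize64 "$1") || return 2
    if headroom_ok "$blocks" "$bsize" "$dev_bytes" "$RESERVE"; then
        echo "ok: $1 has at least $RESERVE bytes free after the file system"
    else
        echo "shrink first: resize2fs $1 $(shrink_target "$dev_bytes" "$bsize" "$RESERVE")"
        return 1
    fi
}

# Demo on the constructed sample, assuming the file system fills the device.
blocks=$(printf '%s\n' "$SAMPLE_DUMPE2FS" | fs_field "Block count")
bsize=$(printf '%s\n' "$SAMPLE_DUMPE2FS" | fs_field "Block size")
echo "resize2fs target: $(shrink_target $((blocks * bsize)) "$bsize" "$RESERVE") blocks"
```

On a live system, source the file and call `preflight /dev/sda2` as root after unmounting; it compares the file system size with the size reported by `blockdev --getsize64`.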
Now install the luksipc utility:
sudo apt update
sudo apt install luksipc
Well, now let's proceed to encryption:
luksipc -d /dev/sda2
WARNING! All data on /dev/sda2 is to be LUKSified! Ensure that:
1. You have resized the contained filesystem appropriately
2. You have ensured secure storage of the keyfile
3. Power conditions are satisfied (ie your Laptop is not running off battery)
4. You have a backup of all data on that device
/dev/sda2: 610401 MB = 596.1 GB
Keyfile: /root/initial_keyfile.bin
LUKS format parameters: None given
luksipc will create the key file /root/initial_keyfile.bin, which you can use to gain access to the newly created LUKS device.
One thing you must do is add the key that you actually want to use for the device; afterwards you can, if you wish, delete the original key file:
cryptsetup luksAddKey --key-file /root/initial_keyfile.bin /dev/sda2
Now you can open the encrypted device with the command:
cryptsetup luksOpen --key-file /root/initial_keyfile.bin /dev/sda2 crypt
And mount it:
mount /dev/mapper/crypt /media/hdd
That's all: you now have an encrypted disk without having had to move its data anywhere.