Setup full disk encryption on running debian system
Tue 01 March 2022 sysadmin / debian /
Encryption of a running disk on a production desktop without losing data
A first stab at a procedure to encrypt your disk on a running Linux system. Please note this is very BETA and only works when all folders are on the same root partition, which they most probably are! I came up with this on a virtual machine, your distance might vary!!
LUKS1 was chosen as LUKS2 doesn't appear to support /boot being on the same (encrypted) partition (NB: as of 10/02/2022 there is also a security concern over cryptsetup/LUKS2).
Make a full backup before you start. Boot off a live GParted boot disk (it can be any live boot disk, but I chose GParted as it has all the tools required).
Use lsblk or fdisk to identify the root partition (/dev/sdaX below).
Prepare the current partition by shrinking the filesystem to make space for the LUKS header:
e2fsck -f /dev/sdaX
resize2fs -M /dev/sdaX
cryptsetup-reencrypt /dev/sdaX --new --reduce-device-size 16M --type=luks1
You will be asked for a passphrase (twice). Do not forget it! If you do, the data on the disk cannot be retrieved. Oh, and this might take a while.
Now the system needs to be modified so that GRUB can boot from the encrypted disk.
cryptsetup open /dev/sdaX rootfs
(you will need to enter the passphrase you created before, as this opens the encrypted partition)
resize2fs /dev/mapper/rootfs
mount /dev/mapper/rootfs /mnt/
mount --bind /dev/ /mnt/dev/
mount --bind /sys/ /mnt/sys/
mount --bind /proc/ /mnt/proc/
Change into a chroot on /mnt so that you are working on your laptop's disk and not the GParted live disk.
You will need the UUID of the crypto (LUKS) container and the UUID of the ext4 filesystem for the configuration further down.
Create a file /etc/crypttab containing:
# <target name> <source device> <key file> <options>
rootfs UUID=<luks_uuid> none luks
Check that / in /etc/fstab is mounted by the ext4 UUID (<ext4_uuid>).
It is unclear which of the two GRUB options to use, as the name was changed in newer versions of GRUB; using both is overkill, but it works, so I left it in:
echo "GRUB_ENABLE_CRYPTODISK=y" >>/etc/default/grub
echo "GRUB_CRYPTODISK_ENABLE=y" >>/etc/default/grub
cryptdevice=UUID= is the UUID of the crypto/LUKS partition and root=UUID= is the normal filesystem UUID, i.e. the UUID of the ext4 filesystem inside it (formerly /dev/sdaX):
echo 'GRUB_CMDLINE_LINUX="cryptdevice=UUID=<luks_uuid> root=UUID=<ext4_uuid>"' >>/etc/default/grub
echo 'GRUB_PRELOAD_MODULES="part_gpt part_msdos ext2 ext4 cryptodisk luks"' >>/etc/default/grub
update-grub
grub-install /dev/sda
apt-get install cryptsetup-initramfs
update-initramfs -u -k all
exit
reboot
pray
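The crypttab and GRUB configuration steps above, as an added example script that is not part of the original post: it looks up both UUIDs with blkid and sets each GRUB key exactly once, so the step can be re-run after a typo without duplicating lines in /etc/default/grub. The device paths, the mapper name rootfs and the file locations are assumptions matching the procedure.

```shell
#!/bin/sh
# Added example (not from the original post): write /etc/crypttab and
# /etc/default/grub for a LUKS1 root, looking the UUIDs up instead of
# pasting them by hand. Run inside the chroot after "cryptsetup open".
set -eu

# crypttab entry: <target name> <source device> <key file> <options>
crypttab_line() {
    # $1 = LUKS container UUID, $2 = mapper name (rootfs in the post)
    printf '%s UUID=%s none luks\n' "$2" "$1"
}

# Kernel command line the post puts into GRUB_CMDLINE_LINUX.
grub_cmdline() {
    # $1 = LUKS container UUID, $2 = ext4 filesystem UUID
    printf 'cryptdevice=UUID=%s root=UUID=%s' "$1" "$2"
}

# Set KEY="VALUE" in a grub defaults file: replace an existing line,
# otherwise append. Re-running never produces a second copy of the key.
set_grub_key() {
    # $1 = file, $2 = key, $3 = value (must not contain '|')
    if grep -q "^$2=" "$1" 2>/dev/null; then
        sed -i "s|^$2=.*|$2=\"$3\"|" "$1"
    else
        printf '%s="%s"\n' "$2" "$3" >> "$1"
    fi
}

# Assumed layout: $1 = LUKS partition (e.g. /dev/sdaX), $2 = mapped ext4
# device (e.g. /dev/mapper/rootfs), $3 = grub defaults file, $4 = crypttab.
configure() {
    luks_uuid=$(blkid -s UUID -o value "$1")   # UUID of the LUKS header
    ext4_uuid=$(blkid -s UUID -o value "$2")   # UUID of the ext4 filesystem
    crypttab_line "$luks_uuid" rootfs > "$4"
    set_grub_key "$3" GRUB_ENABLE_CRYPTODISK y
    set_grub_key "$3" GRUB_CMDLINE_LINUX "$(grub_cmdline "$luks_uuid" "$ext4_uuid")"
    set_grub_key "$3" GRUB_PRELOAD_MODULES "part_gpt part_msdos ext2 ext4 cryptodisk luks"
    # Sanity check: the ext4 UUID must already be what /etc/fstab mounts as /.
    grep -q "UUID=$ext4_uuid[[:space:]]*/[[:space:]]" /etc/fstab ||
        echo "warning: /etc/fstab does not mount / by UUID=$ext4_uuid" >&2
}

# Usage inside the chroot: sh encrypt-config.sh /dev/sdaX /dev/mapper/rootfs
if [ "$#" -eq 2 ]; then
    configure "$1" "$2" /etc/default/grub /etc/crypttab
fi
```

Running update-grub, grub-install and update-initramfs afterwards is still required; the script only prepares the configuration files those commands read.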