A first stab at a procedure to encrypt your disk on a running Linux system. Please note this is very BETA and only works when all folders are on the same root partition, which they most probably are! I came up with this on a virtual machine; your mileage may vary!!
LUKS1 was chosen as LUKS2 doesn't appear to support /boot being on the same partition (NB: as of 10/02/2022 there is also a security concern over cryptsetup/LUKS2).
Make a full backup before you start. Boot off a live GParted boot disk (it can be any live boot disk, but I chose GParted as it has all the tools required).
Use lsblk or fdisk to find the root partition (X)
Prepare the current partition by making space for the LUKS header
e2fsck -f /dev/sdaX
resize2fs -M /dev/sdaX
Encrypt the partition
cryptsetup-reencrypt /dev/sdaX --new --reduce-device-size 16M --type=luks1
You will be asked for a passphrase (twice). Do not forget it! If you do, the data on the disk cannot be retrieved. Oh, and this might take a while.
Now the system needs to be modified to allow the disk to be booted with grub.
cryptsetup open /dev/sdaX rootfs
(you will need to enter the passphrase you created before as this opens the crypto partition)
resize2fs /dev/mapper/rootfs
mount /dev/mapper/rootfs /mnt/
mount --bind /dev/ /mnt/dev/
mount --bind /sys/ /mnt/sys/
mount --bind /proc/ /mnt/proc/
Change to a chroot on the disk so you are working on your laptop disk and not the GParted disk
chroot /mnt
You will need the UUIDs of the crypto (LUKS) and ext4 entries for the configuration further down
lsblk -f
Create a file /etc/crypttab
# <target name> <source device> <key file> <options>
rootfs UUID=<luks_uuid> none luks
Check that root mounts to the ext4_uuid in /etc/fstab
It is unclear which one to use, as they were changed in newer versions of grub; using both is overkill, but it works so I left it in
echo "GRUB_ENABLE_CRYPTODISK=y" >>/etc/default/grub
echo "GRUB_CRYPTODISK_ENABLE=y" >>/etc/default/grub
cryptdevice=UUID is the crypto/LUKS partition and root=UUID is the normal drive UUID, i.e. the UUID of /dev/sda (ext4)
echo 'GRUB_CMDLINE_LINUX="cryptdevice=UUID=<luks_uuid> root=UUID=<ext4_uuid>"' >>/etc/default/grub
echo 'GRUB_PRELOAD_MODULES="part_gpt part_msdos ext2 ext4 cryptodisk luks"' >>/etc/default/grub
update-grub
grub-install /dev/sda
apt-get install cryptsetup-initramfs
update-initramfs -u -k all
exit
reboot
pray
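A check that can be run from the live system before the reboot step, as an added example that is not part of the original write-up: it cross-checks /etc/crypttab, /etc/fstab and /etc/default/grub under the mounted tree against the two UUIDs from lsblk -f. The function names and sample UUIDs are made up for the example; on the real system the call would be check_boot_config /mnt <luks_uuid> <ext4_uuid>.

```shell
#!/bin/sh
# Added example (not the author's code). check_boot_config is a hypothetical
# helper: ROOT is the mounted tree (/mnt above), the UUIDs come from lsblk -f.
check_boot_config() {
    root=$1; luks=$2; ext4=$3; rc=0
    fail() { echo "FAIL: $*"; rc=1; }

    # /etc/crypttab: the "rootfs" mapping must name the LUKS container.
    awk -v u="UUID=$luks" '$1 == "rootfs" && $2 == u { ok = 1 } END { exit !ok }' \
        "$root/etc/crypttab" || fail "crypttab: no rootfs entry for UUID=$luks"

    # /etc/fstab: / must come from the ext4 filesystem inside the container.
    awk -v u="UUID=$ext4" '$1 == u && $2 == "/" { ok = 1 } END { exit !ok }' \
        "$root/etc/fstab" || fail "fstab: / is not mounted from UUID=$ext4"

    # /etc/default/grub is a shell fragment. Source it in a subshell, as
    # grub-mkconfig does, so a quoting mistake shows up as a wrong value.
    vars=$( exec 2>/dev/null; . "$root/etc/default/grub"
            echo "${GRUB_ENABLE_CRYPTODISK:-}|${GRUB_CMDLINE_LINUX:-}" ) || vars=""
    case $vars in "y|"*) ;; *) fail "grub: GRUB_ENABLE_CRYPTODISK=y not set" ;; esac
    case $vars in *"cryptdevice=UUID=$luks"*) ;;
        *) fail "grub: cryptdevice=UUID=$luks missing from GRUB_CMDLINE_LINUX" ;; esac
    case $vars in *"root=UUID=$ext4"*) ;;
        *) fail "grub: root=UUID=$ext4 missing (is the value quoted?)" ;; esac
    return "$rc"
}

# Constructed sample tree with made-up UUIDs; $1 is the GRUB_CMDLINE_LINUX line.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/etc/default"
    echo "rootfs UUID=1111-aaaa none luks" > "$d/etc/crypttab"
    echo "UUID=2222-bbbb / ext4 errors=remount-ro 0 1" > "$d/etc/fstab"
    printf '%s\n' "GRUB_ENABLE_CRYPTODISK=y" "$1" > "$d/etc/default/grub"
    echo "$d"
}

# Dry run: the unquoted line loses root=..., the quoted line passes.
for line in 'GRUB_CMDLINE_LINUX=cryptdevice=UUID=1111-aaaa root=UUID=2222-bbbb' \
            'GRUB_CMDLINE_LINUX="cryptdevice=UUID=1111-aaaa root=UUID=2222-bbbb"'; do
    t=$(make_sample "$line")
    check_boot_config "$t" 1111-aaaa 2222-bbbb && echo "OK: $t is consistent"
    rm -rf "$t"
done
```

Without the inner quotes the shell reads the GRUB_CMDLINE_LINUX line as two separate assignments, so root=UUID=... never reaches the kernel command line.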
For any feedback or corrections, please write in to: Simon Quantrill