Copyright 2021 Simon Quantrill, All Rights Reserved

Setup full disk encryption on running debian system

Tue 01 March 2022 sysadmin / debian /

Encryption of a running disk on a production desktop without losing data

A first stab at a procedure to encrypt your disk on a running Linux system. Please note this is very BETA and only works when all folders are on the same root partition, which they most probably are! I came up with this on a virtual machine; your mileage may vary!!

luks1 was chosen as luks2 doesn’t appear to support /boot being on the same partition (NB: as of 10/02/2022 there is also a security concern over cryptsetup/luks2)

Make a full backup before you start. Boot off a live GParted boot disk (it can be any live boot disk, but I chose GParted as it has all the tools required).

Use lsblk or fdisk to identify the root partition; it is referred to below as /dev/sdaX

Prepare the current partition by shrinking the filesystem to its minimum size, which makes room for the LUKS header

 e2fsck -f /dev/sdaX
 resize2fs -M /dev/sdaX

Encrypt the partition in place

 cryptsetup-reencrypt /dev/sdaX --new --reduce-device-size 16M --type=luks1

You will be asked for a passphrase (twice). Do not forget it! If you do, the data on the disk cannot be retrieved. Oh, and this might take a while.

Now the system needs to be modified so that GRUB can boot from the encrypted disk.

 cryptsetup open /dev/sdaX rootfs

(you will need to enter the passphrase you created before, as this opens the encrypted partition)

 resize2fs /dev/mapper/rootfs
 mount /dev/mapper/rootfs /mnt/
 mount --bind /dev/ /mnt/dev/
 mount --bind /sys/ /mnt/sys/
 mount --bind /proc/ /mnt/proc/

Change into a chroot on the disk so you are working on your laptop's disk and not the GParted live disk

 chroot /mnt

You will need two UUIDs for the config further down: that of the crypto (LUKS) container and that of the ext4 filesystem inside it

 lsblk -f

Create the file /etc/crypttab with the following content

 # <target name>   <source device>        <key file> <options>
 rootfs        UUID=<luks_uuid>       none       luks

Check that / in /etc/fstab is mounted by the ext4 UUID (UUID=<ext4_uuid>), not by the LUKS UUID

It is unclear which of these two variables to use, as the name was changed in newer versions of GRUB; using both is overkill, but it works, so I left it in

 echo "GRUB_ENABLE_CRYPTODISK=y" >>/etc/default/grub
 echo "GRUB_CRYPTODISK_ENABLE=y" >>/etc/default/grub

cryptdevice=UUID is the crypto/LUKS partition and root=UUID is the normal drive UUID, i.e. the UUID of the ext4 filesystem inside the container (not the LUKS UUID)

 # /etc/default/grub is sourced as shell by grub-mkconfig, so a value containing
 # spaces must be double-quoted or everything after the first space is lost
 echo 'GRUB_CMDLINE_LINUX="cryptdevice=UUID=<luks_uuid> root=UUID=<ext4_uuid>"' >>/etc/default/grub
 echo 'GRUB_PRELOAD_MODULES="part_gpt part_msdos ext2 ext4 cryptodisk luks"' >>/etc/default/grub
 grub-install /dev/sda
 # regenerate grub.cfg so the new settings are picked up
 update-grub
 apt-get install cryptsetup-initramfs
 update-initramfs -u -k all
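The /etc/crypttab and /etc/default/grub edits above are easy to get wrong by hand: the GRUB file is sourced as shell by grub-mkconfig, so an unquoted value with a space is silently cut at that space and the root=UUID part never reaches the kernel command line. The script below is an added example and not part of the original post. It writes both files into a staging directory from the two UUIDs, rejects anything that is not a well-formed UUID, and then re-sources the GRUB file the way grub-mkconfig does to confirm that both UUIDs and the cryptodisk modules survived. The function names, the staging directory and the sample UUIDs are this example's own assumptions; inside the chroot you would pass / as the staging directory.

```shell
#!/bin/sh
# Added example, not the post's own code. Assumed names: valid_uuid,
# write_crypt_config, check_grub_defaults, demo; sample UUIDs are constructed.

# Accept only a canonical 8-4-4-4-12 hex UUID, as printed by lsblk -f / blkid.
valid_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# write_crypt_config STAGEDIR LUKS_UUID EXT4_UUID
# STAGEDIR stands in for the chroot's / (pass / to write the real files).
write_crypt_config() {
    stage=$1; luks_uuid=$2; ext4_uuid=$3
    valid_uuid "$luks_uuid" || { echo "bad LUKS UUID: $luks_uuid" >&2; return 1; }
    valid_uuid "$ext4_uuid" || { echo "bad ext4 UUID: $ext4_uuid" >&2; return 1; }
    mkdir -p "$stage/etc/default"

    # /etc/crypttab: map the LUKS container (found by its UUID) to /dev/mapper/rootfs.
    {
        printf '# <target name>\t<source device>\t<key file>\t<options>\n'
        printf 'rootfs\tUUID=%s\tnone\tluks\n' "$luks_uuid"
    } > "$stage/etc/crypttab"

    # /etc/default/grub is sourced as shell, so values with spaces are quoted.
    # Appending is fine: when sourced, the last assignment of a variable wins.
    {
        printf 'GRUB_ENABLE_CRYPTODISK=y\n'
        printf 'GRUB_CRYPTODISK_ENABLE=y\n'
        printf 'GRUB_CMDLINE_LINUX="cryptdevice=UUID=%s root=UUID=%s"\n' "$luks_uuid" "$ext4_uuid"
        printf 'GRUB_PRELOAD_MODULES="part_gpt part_msdos ext2 ext4 cryptodisk luks"\n'
    } >> "$stage/etc/default/grub"
}

# check_grub_defaults FILE LUKS_UUID EXT4_UUID
# Sources FILE in a subshell (what grub-mkconfig does) and verifies that the
# cryptodisk switch is on, the kernel command line carries both UUIDs in order,
# and the preload list contains the cryptodisk and luks modules.
check_grub_defaults() {
    file=$1; luks_uuid=$2; ext4_uuid=$3
    (
        set -e
        . "$file"
        [ "$GRUB_ENABLE_CRYPTODISK" = y ]
        case "$GRUB_CMDLINE_LINUX" in
            *"cryptdevice=UUID=$luks_uuid"*"root=UUID=$ext4_uuid"*) ;;
            *) echo "GRUB_CMDLINE_LINUX is missing a UUID: '$GRUB_CMDLINE_LINUX'" >&2; exit 1 ;;
        esac
        case "$GRUB_PRELOAD_MODULES" in
            *cryptodisk*luks*) ;;
            *) echo "GRUB_PRELOAD_MODULES lacks cryptodisk/luks" >&2; exit 1 ;;
        esac
    )
}

# Dry run into a temporary directory with constructed sample UUIDs.
demo() {
    stage=$(mktemp -d)
    write_crypt_config "$stage" 11111111-2222-3333-4444-555555555555 \
                                 aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
    check_grub_defaults "$stage/etc/default/grub" \
        11111111-2222-3333-4444-555555555555 aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee \
        && echo "grub defaults OK"
    cat "$stage/etc/crypttab" "$stage/etc/default/grub"
    rm -r "$stage"
}

demo
```

The check is worth running against the real /etc/default/grub before grub-install: an unquoted GRUB_CMDLINE_LINUX line does not produce a shell error, because `root=UUID=...` is itself a valid assignment word, so the mistake only shows up as a kernel that cannot find its root filesystem at the next boot.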
