Is there a way to encrypt disk without formatting it?

15,755

Solution 1

Yes, there is a way. The LUKS cryptsetup utility contains the reencrypt command that you can also use to encrypt your existing unencrypted root partition, i.e. without destroying the existing filesystem.

That said, before performing such a conversion you should still backup your data. Of course, one should always perform backups on a regular schedule, because of possible hardware failure etc. Thus, this is kind of redundant advice.

Switching an existing root filesystem from unencrypted to encrypted requires quite a few steps:

  1. backup
  2. make sure that the cryptsetup package is installed
  3. make sure that your root filesystem has some free space (at least 100 MiB to be on the safe side)
  4. identify the partition your root partition is located on: e.g. with df /, lookup the UUID of the filesystem with blkid and store it somewhere
  5. boot into a rescue system where you can unmount your root filesystem (e.g. boot from a USB stick which contains - say - Grml)
  6. locate your root partition (e.g. with blkid and look for the UUID)
  7. if it's ext4 execute a filesystem check: e2fsck -f /dev/sdXY
  8. shrink the filesystem to make some room for the LUKS header, e.g. if it's an ext4 filesystem: resize2fs /dev/sdXY $smallersizeinGiB_G (you need to shrink it by at least 32 MiB)
  9. encrypt it: cryptsetup reencrypt --encrypt /dev/sdXY --reduce-device-size 32M
  10. open it: cryptsetup open /dev/sdXY root
  11. enlarge the filesystem to the maximum: resize2fs /dev/mapper/root
  12. mount it to - say - /mnt/root
  13. mount the boot filesystem on /mnt/root and bind-mount pseudo filesystems /dev, /sys, /proc under /mnt/root.
  14. chroot into your system by: chroot /mnt/root /bin/bash
  15. update kernel parameters in /etc/default/grub or some equivalent location, e.g. when your distro uses dracut (which is likely) you need to add rd.luks.uuid=$UUID_OF_LUKS_DEVICE (cf. blkid, note that this UUID is different from the root filesystem one), if you have selinux installed you should add enforcing=0 (and later remove it) because of all the edits
  16. if your distribution has selinux enabled, configure a relabeling: touch /mnt/root/.autorelabel
  17. regenerate grub config: grub2-mkconfig -o /boot/.../grub...cfg
  18. regenerate initramfs (to make sure that cryptsetup support is included): dracut -f /boot/initramfs....img kernelversion
  19. exit the chroot
  20. unmount everything
  21. cryptsetup close root
  22. reboot

As you can see, these are many steps, i.e. there is some potential to introduce errors. Thus, arguably it might be simpler to just reinstall and restore your backup (e.g. config files and $HOME).

Also, in my experience as of 2020, cryptsetup reencrypt is relatively slow, thus it may be faster to just cryptsetup luksFormat the device and restore a backup.

If you have an XFS filesystem, you can't just shrink it, because XFS doesn't support this, as of 2020. Thus, you would need to fstransform it before being able to shrink it. With a transformed filesystem you have another UUID to take care of. That means either change the UUID of the new filesystem to the UUID of the old one. Or update the UUID of the filesystem in /mnt/root/etc/fstab.

With a dracut based distribution you don't need to create a /etc/crypttab, other distributions might require it (also before the initramfs update, because it might need to be included there).
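The device-level part of the procedure above (steps 7 to 13: fsck, shrink, reencrypt, open, grow, mount) as a script with the checks a practitioner wants before touching the disk. This is an added example, not the answer author's script. It assumes an ext4 root filesystem on the block device named in LUKS_DEV, a rescue system where that filesystem is unmounted, cryptsetup 2.x (the `cryptsetup reencrypt --encrypt` form) and e2fsprogs; the 64 MiB shrink margin and the DRY_RUN, LUKS_DEV, run, ext4_geometry_mib, new_fs_size_mib and plan_conversion names are choices made here, not anything from the answer.

```shell
#!/bin/sh
# Added example (not the answer author's code): steps 7-13 of the in-place
# ext4 -> LUKS conversion with precondition checks and a dry-run mode.
# Assumptions: ext4 on $LUKS_DEV, unmounted (rescue system), cryptsetup 2.x,
# e2fsprogs. DRY_RUN=1 (the default) only prints the commands it would run.
set -eu

REDUCE_MIB=32     # space cryptsetup reserves for the LUKS header (--reduce-device-size 32M)
SHRINK_MIB=64     # chosen margin: shrink by twice the header so the filesystem surely fits
MIN_FREE_MIB=100  # free space the answer recommends before starting

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Read 'tune2fs -l' output on stdin and print "<total MiB> <free MiB>".
ext4_geometry_mib() {
    awk '/^Block count:/ {c = $3}
         /^Free blocks:/ {f = $3}
         /^Block size:/  {s = $3}
         END { printf "%d %d\n", c * s / 1048576, f * s / 1048576 }'
}

# new_fs_size_mib TOTAL FREE: target size (MiB) for resize2fs, or exit
# status 1 when the filesystem is too full for the header plus margin.
new_fs_size_mib() {
    total=$1
    free=$2
    if [ "$free" -lt "$MIN_FREE_MIB" ]; then
        echo "refusing: only ${free} MiB free, want at least ${MIN_FREE_MIB} MiB" >&2
        return 1
    fi
    echo $((total - SHRINK_MIB))
}

# plan_conversion DEV TOTAL FREE: steps 7-13 of the answer for DEV.
plan_conversion() {
    dev=$1
    new=$(new_fs_size_mib "$2" "$3")
    run e2fsck -f "$dev"                                   # step 7
    run resize2fs "$dev" "${new}M"                         # step 8
    run cryptsetup reencrypt --encrypt "$dev" \
        --reduce-device-size "${REDUCE_MIB}M"              # step 9
    run cryptsetup open "$dev" root                        # step 10
    run resize2fs /dev/mapper/root                         # step 11
    run mkdir -p /mnt/root
    run mount /dev/mapper/root /mnt/root                   # step 12
    for d in dev sys proc; do                              # step 13, bind mounts
        run mount --bind "/$d" "/mnt/root/$d"
    done
    # step 13 also mounts your boot filesystem under /mnt/root/boot; that
    # device is distribution-specific, so it is left to the operator.
    echo "record the LUKS UUID for rd.luks.uuid=: blkid -s UUID -o value $dev"
}

main() {
    dev=$1
    command -v cryptsetup >/dev/null || { echo "cryptsetup not installed" >&2; exit 1; }
    if grep -q "^$dev " /proc/mounts; then
        echo "$dev is mounted; boot a rescue system first" >&2
        exit 1
    fi
    set -- $(tune2fs -l "$dev" | ext4_geometry_mib)
    plan_conversion "$dev" "$1" "$2"
}

# Usage: DRY_RUN=1 LUKS_DEV=/dev/sdXY sh luks-inplace.sh   (then DRY_RUN=0 to run it)
if [ -n "${LUKS_DEV:-}" ]; then
    main "$LUKS_DEV"
fi
```

Run it once with DRY_RUN=1 and read the printed command list before running it for real; the script refuses to start when cryptsetup is missing, when the device is still mounted, or when the filesystem has less than the 100 MiB of free space the answer asks for. Steps 14 onward (chroot, kernel parameters, grub and initramfs) are not scripted because their paths depend on the distribution.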

Solution 2

From the LUKS FAQ https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions#2-setup

2.5 Can I encrypt an already existing, non-empty partition to use LUKS?

There is no converter, and it is not really needed. The way to do this is to make a backup of the device in question, securely wipe the device (as LUKS device initialization does not clear away old data), do a luksFormat, optionally overwrite the encrypted device, create a new filesystem and restore your backup on the now encrypted device. Also refer to sections "Security Aspects" and "Backup and Data Recovery".

For backup, plain GNU tar works well and backs up anything likely to be in a filesystem.

However you may want to look into https://johndoe31415.github.io/luksipc/usage.html#plain-to-luks-conversion "Plain to LUKS conversion" which could satisfy your requirement. Disclaimer: I've never tried this, I don't know if it works, and the project doesn't appear to have been updated since 2015.


Updated on September 18, 2022

Comments

  • user
    user almost 2 years

    When I was installing my OS, I didn't encrypt. Is there a way to encrypt it now without formatting and without losing any data? I read a few guides how to encrypt and every one says that I need to backup all my data because I will lose it. Is there a way to encrypt it all now without losing data?

    • Philip Couling
      Philip Couling almost 5 years
      @HaukeLaging There's a difference between important (I must not lose this) and important (nobody else must know this). It's a valid assumption that some people have data which would not be a catastrophic loss, but might be catastrophic if inadvertently disclosed.
  • maxschlepzig
    maxschlepzig about 4 years
    The luksipc author nowadays recommends the upstream cryptsetup reencrypt method. Note that as of 2020 the mentioned cryptsetup-reencrypt command is replaced by cryptsetup reencrypt.
  • jonfornari
    jonfornari over 3 years
    Hi, sorry to bother you. What do you mean on the steps 12 and 13? I'm following your tutorial/steps and got stuck at this part, since I'm not being able to mount or figure out the right commands to do them.
  • jonfornari
    jonfornari over 3 years
    Should I just do a "mount /dev/sdXY /mnt/root"? This one command says it can recognize a luks filesystem. Also, how do I mount everything of step 13 (mount the boot on /mnt/root) and the bind-mount pseudos under /mnt/root (Thanks in advance and sorry again to bother you)
  • maxschlepzig
    maxschlepzig over 3 years
    @jonfornari something like mount -o /dev/mapper/root /mnt/root - i.e. unlocked luks devices appear under /dev/mapper. For the bind mounts something like gist.github.com/gsauthof/7c0b65ffe4da38b83c8c61d79b71c6d7