How to encrypt a disk in place with LUKS

NOTE: Since this was written in 2018, cryptsetup-reencrypt has appeared, and it should be used instead of luksipc. It works on the same principle: downsizing the partition and using the free space to re-encrypt.

Get and compile

Reduce the file system's size by 100M. Do NOT reduce the PARTITION; reduce the file system inside the partition. It's a crucial difference. Most partitioning tools, like gparted or parted, treat file systems and partitions as if they were the same and resize both at the same time, so you need to use resize2fs, not a partitioning tool. If you do accidentally resize the partition together with the FS, follow the directions at the end of this doc.

Get the current file system parameters:

    tune2fs -l /dev/sda1

Multiply Block count by Block size to get the current size. Now resize to 25000 blocks less (100M for 4096 byte blocks):

    resize2fs /dev/sda1 [new block count]

Unmount your fs.
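The block-count arithmetic above as a small shell helper. This is an added example, not part of the original post or of luksipc. The function names and the sample `tune2fs -l` lines are constructed for illustration, and it goes slightly beyond the text by scaling the 25000-block figure to other block sizes and refusing to shrink when there are too few free blocks.

```shell
#!/bin/sh
# Constructed sample of the relevant `tune2fs -l /dev/sda1` lines (not from a real disk).
SAMPLE_TUNE2FS='Filesystem volume name:   <none>
Block count:              244190208
Free blocks:              120000000
Block size:               4096'

# field NAME: print the value of one "Name:   value" line read from stdin.
field() {
    awk -F': *' -v k="$1" '$1 == k { print $2; exit }'
}

# fs_size_bytes TUNE2FS_TEXT: current size = Block count * Block size.
fs_size_bytes() {
    blocks=$(printf '%s\n' "$1" | field 'Block count')
    bsize=$(printf '%s\n' "$1" | field 'Block size')
    [ -n "$blocks" ] && [ -n "$bsize" ] || return 1
    echo $(( blocks * bsize ))
}

# new_block_count TUNE2FS_TEXT [HEADROOM_BYTES]
# Prints the block count to hand to resize2fs. The default headroom is
# 25000 blocks of 4096 bytes, the figure used in the text above.
# Returns 1 if a field is missing or the file system lacks the free blocks.
new_block_count() {
    headroom=${2:-102400000}
    blocks=$(printf '%s\n' "$1" | field 'Block count')
    free=$(printf '%s\n' "$1" | field 'Free blocks')
    bsize=$(printf '%s\n' "$1" | field 'Block size')
    [ -n "$blocks" ] && [ -n "$free" ] && [ -n "$bsize" ] || return 1
    # Round the headroom up to whole blocks of this file system.
    shrink=$(( (headroom + bsize - 1) / bsize ))
    [ "$free" -gt "$shrink" ] || return 1
    echo $(( blocks - shrink ))
}

# Stand-alone run on the constructed sample.
echo "current size: $(fs_size_bytes "$SAMPLE_TUNE2FS") bytes"
echo "resize2fs target: $(new_block_count "$SAMPLE_TUNE2FS") blocks"
```

On a real system the first argument would be the output of `tune2fs -l` for the partition being converted.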

Kick off the conversion for the file system in question (aka /dev/sda1, not /dev/sda). At 40Mbps a 1TB disk takes 7 hours.

    ./luksipc -d /dev/sda1

Once the conversion is completed, resize the filesystem to its original size:

    cryptsetup luksOpen /dev/sda1 newcryptofs --key-file=/root/initial_keyfile.bin
    resize2fs /dev/mapper/newcryptofs
    cryptsetup luksClose newcryptofs

Configure your system to mount the newly encrypted disk at boot

You can do this by using keyfiles for decryption and storing these files on your encrypted root FS that, in turn, uses a boot-time key phrase to open the disk. This way it's secure and convenient. You can do this even while luksipc is still going. luksipc creates the keyfile for you; all you need to do is point your system to it.

    mkdir /root/.keyfiles
    chmod 0700 /root/.keyfiles
    cp initial_keyfile.bin /root/.keyfiles/luks_sda1
    chmod 0400 /root/.keyfiles/luks_sda1

After luksipc is finished, get the partition UUID for the partition that contains the LUKS-encrypted data. Do not take it before luksipc finishes: it changes the fs type and the UUID at the very end of the encryption process.

Add it to /etc/crypttab:

    echo "[some name like b1] UUID=$(sudo blkid -s UUID -o value /dev/[partition here]) /root/.keyfiles/[luks key file here] luks" >> /etc/crypttab

Add it to /etc/fstab:

    /dev/mapper/[your name like b1] /media/[mount point] ext4 rw,suid,dev,exec,auto,user,async,relatime 0 2

Update your initramfs to use the crypt config at boot:

    update-initramfs -u -k all

Take a backup of your key files. If they are gone, all your data will be lost. You can remove your copy of initial_keyfile.bin now.

What to do if you resized the partition with the file system.

If you accidentally resize the partition while resizing the file system, you can recover later by deleting and re-creating the partition to encompass the now enlarged fs. To do this, run fdisk on the whole disk containing the filesystem. Hit P to see the current partition, F to check the free space, then D to delete the partition and n to create a new one, matching the starting point and the size of the new file system. Press W to write to disk. This action only affects the partition table and does not touch the filesystem itself.

It’s absolutely important that the new partition starts at the same sector as the one you delete. If the original partition starts at sector 63 fdisk may not allow you to specify 63 until you run it with the -c=dos option. The “new” file system size is the same as the size of original FS before you reduced it to let luksipc do its magic.
