How to enable full disk encryption after install? #58

Open
opened 2025-01-18 14:20:56 +01:00 by Benjamin_Loison · 48 comments
Would help [Benjamin-Loison/cinnamon/issues/179](https://github.com/Benjamin-Loison/cinnamon/issues/179).

[Wikipedia: Linux Unified Key Setup (1239229939)](https://en.wikipedia.org/w/index.php?title=Linux_Unified_Key_Setup&oldid=1239229939) may help.

Reading:

- [Wikipedia: Comparison of disk encryption software](https://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software)
- [Wikipedia: dm-crypt](https://en.wikipedia.org/wiki/Dm-crypt)
- [Wikipedia: Device mapper](https://en.wikipedia.org/wiki/Device_mapper)

would also help.
Author
Owner
Related to [Benjamin_Loison/ecryptfs/issues/8](https://codeberg.org/Benjamin_Loison/ecryptfs/issues/8).
Author
Owner

[Wikipedia: Linux Unified Key Setup#Examples (1239229939)](https://en.wikipedia.org/w/index.php?title=Linux_Unified_Key_Setup&oldid=1239229939#Examples) may help, otherwise I read this article completely.
Author
Owner

`gparted` helps?
Author
Owner

Can try in a virtual machine first.
Author
Owner

DuckDuckGo search *Linux Mint enable full disk encryption after install*.
Author
Owner

Could investigate the documentation of:

- `cryptsetup reencrypt`
- `cryptsetup-reencrypt`
Author
Owner

Backing up before encrypting seems safer.

As there is a decryption screen, there is no need to take screenshots of how to access the disk from another system.

However, a final screenshot of `gparted` once encrypted, to show that it is encrypted, would be nice.
Author
Owner

https://forums.linuxmint.com/viewtopic.php?t=391261 seems more about not identical backup and restore.
Author
Owner

[The Ask Ubuntu answer 369623](https://askubuntu.com/a/369623) states quickly that it is not possible.
Author
Owner

> I recommend switching to cryptsetup-reencrypt, which is properly maintained and tested upstream even when the format of the LUKS header changes (to my knowledge, this has at least happened twice and can cause luksipc to catastrophically fail, i.e., destroy all your data in the worst case).

Source: [luksipc/blob/e222ca7ff89e7465345c8ae8786096130e06a30f/README.md?plain=1#L7-L11](https://github.com/johndoe31415/luksipc/blob/e222ca7ff89e7465345c8ae8786096130e06a30f/README.md?plain=1#L7-L11)

Source: [the Ask Ubuntu comment 2501628](https://askubuntu.com/questions/96870/is-there-a-way-to-do-full-disk-encryption-after-the-install#comment2501628_675543)
Author
Owner

Let us figure out why I faced above in https://gitea.lemnoslife.com/attachments/f3fda48c-04fc-4a5c-ac80-d884d6cde31c:

```bash
cryptosetup-reencrypt /dev/vda3
```

```
cryptosetup-reencrypt: command not found
```
Author
Owner
```bash
sudo apt install -y cryptosetup-reencrypt
```

<details>
<summary>Output:</summary>

```
...
E: Unable to locate package cryptosetup-reencrypt
```

</details>
Author
Owner

DuckDuckGo and Google search `"cryptosetup-reencrypt"` and `"cryptosetup-reencrypt" "apt"`.

https://man7.org/linux/man-pages/man8/cryptsetup-reencrypt.8.html
Author
Owner

On my Debian 12 GNOME work laptop:

```bash
command-not-found --ignore-installed cryptsetup-reencrypt
```

```
cryptsetup-reencrypt: command not found
```
Author
Owner
https://command-not-found.com/cryptsetup-reencrypt
Author
Owner
[cryptsetup](https://gitlab.com/cryptsetup/cryptsetup)
Author
Owner

[The Ask Ubuntu question 1445879](https://askubuntu.com/q/1445879) faces the same issue as me.
Author
Owner

https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/2014228/comments/5 seems to recommend instead `cryptsetup reencrypt`.
Author
Owner
```bash
cryptsetup reencrypt
```

```
Command requires device as argument.
```

even if `sudo`.
Author
Owner

On my Debian 12 GNOME work laptop:

```bash
cryptsetup reencrypt --help
```

Output:

cryptsetup 2.6.1 flags: UDEV BLKID KEYRING KERNEL_CAPI 
Usage: cryptsetup [OPTION...] <action> <action-specific>

Help options:
  -?, --help                            Show this help message
      --usage                           Display brief usage
  -V, --version                         Print package version
      --active-name=STRING              Override device autodetection of dm
                                        device to be reencrypted
      --align-payload=SECTORS           Align payload at <n> sector boundaries
                                        - for luksFormat
      --allow-discards                  Allow discards (aka TRIM) requests for
                                        device
  -q, --batch-mode                      Do not ask for confirmation
      --cancel-deferred                 Cancel a previously set deferred
                                        device removal
  -c, --cipher=STRING                   The cipher used to encrypt the disk
                                        (see /proc/crypto)
      --debug                           Show debug messages
      --debug-json                      Show debug messages including JSON
                                        metadata
      --deferred                        Device removal is deferred until the
                                        last user closes it
      --device-size=bytes               Use only specified device size (ignore
                                        rest of device). DANGEROUS!
      --decrypt                         Decrypt LUKS2 device (remove
                                        encryption).
      --disable-external-tokens         Disable loading of external LUKS2
                                        token plugins
      --disable-keyring                 Disable loading volume keys via kernel
                                        keyring
      --disable-locks                   Disable locking of on-disk metadata
      --disable-veracrypt               Do not scan for VeraCrypt compatible
                                        device
      --dump-json-metadata              Dump info in JSON format (LUKS2 only)
      --dump-volume-key                 Dump volume key instead of keyslots
                                        info
      --encrypt                         Encrypt LUKS2 device (in-place
                                        encryption).
      --force-password                  Disable password quality check (if
                                        enabled)
      --force-offline-reencrypt         Force offline LUKS2 reencryption and
                                        bypass active device detection.
  -h, --hash=STRING                     The hash used to create the encryption
                                        key from the passphrase
      --header=STRING                   Device or file with separated LUKS
                                        header
      --header-backup-file=STRING       File with LUKS header and keyslots
                                        backup
      --hotzone-size=bytes              Maximal reencryption hotzone size.
      --init-only                       Initialize LUKS2 reencryption in
                                        metadata only.
  -I, --integrity=STRING                Data integrity algorithm (LUKS2 only)
      --integrity-legacy-padding        Use inefficient legacy padding (old
                                        kernels)
      --integrity-no-journal            Disable journal for integrity device
      --integrity-no-wipe               Do not wipe device after format
  -i, --iter-time=msecs                 PBKDF iteration time for LUKS (in ms)
      --iv-large-sectors                Use IV counted in sector size (not in
                                        512 bytes)
      --json-file=STRING                Read or write the json from or to a
                                        file
      --keep-key                        Do not change volume key.
      --key-description=STRING          Key description
  -d, --key-file=STRING                 Read the key from a file
  -s, --key-size=BITS                   The size of the encryption key
  -S, --key-slot=INT                    Slot number for new key (default is
                                        first free)
      --keyfile-offset=bytes            Number of bytes to skip in keyfile
  -l, --keyfile-size=bytes              Limits the read from keyfile
      --keyslot-cipher=STRING           LUKS2 keyslot: The cipher used for
                                        keyslot encryption
      --keyslot-key-size=BITS           LUKS2 keyslot: The size of the
                                        encryption key
      --label=STRING                    Set label for the LUKS2 device
      --luks2-keyslots-size=bytes       LUKS2 header keyslots area size
      --luks2-metadata-size=bytes       LUKS2 header metadata area size
      --volume-key-file=STRING          Use the volume key from file.
      --new-keyfile=STRING              Read the key for a new slot from a file
      --new-key-slot=INT                Slot number for new key (default is
                                        first free)
      --new-keyfile-offset=bytes        Number of bytes to skip in newly added
                                        keyfile
      --new-keyfile-size=bytes          Limits the read from newly added
                                        keyfile
      --new-token-id=INT                Token number (default: any)
  -o, --offset=SECTORS                  The start offset in the backend device
      --pbkdf=STRING                    PBKDF algorithm (for LUKS2): argon2i,
                                        argon2id, pbkdf2
      --pbkdf-force-iterations=LONG     PBKDF iterations cost (forced,
                                        disables benchmark)
      --pbkdf-memory=kilobytes          PBKDF memory cost limit
      --pbkdf-parallel=threads          PBKDF parallel cost
      --perf-no_read_workqueue          Bypass dm-crypt workqueue and process
                                        read requests synchronously
      --perf-no_write_workqueue         Bypass dm-crypt workqueue and process
                                        write requests synchronously
      --perf-same_cpu_crypt             Use dm-crypt same_cpu_crypt
                                        performance compatibility option
      --perf-submit_from_crypt_cpus     Use dm-crypt submit_from_crypt_cpus
                                        performance compatibility option
      --persistent                      Set activation flags persistent for
                                        device
      --priority=STRING                 Keyslot priority: ignore, normal,
                                        prefer
      --progress-json                   Print progress data in json format
                                        (suitable for machine processing)
      --progress-frequency=secs         Progress line update (in seconds)
  -r, --readonly                        Create a readonly mapping
      --reduce-device-size=bytes        Reduce data device size (move data
                                        offset). DANGEROUS!
      --refresh                         Refresh (reactivate) device with new
                                        parameters
      --resilience=STRING               Reencryption hotzone resilience type
                                        (checksum,journal,none)
      --resilience-hash=STRING          Reencryption hotzone checksums hash
      --resume-only                     Resume initialized LUKS2 reencryption
                                        only.
      --sector-size=INT                 Encryption sector size (default: 512
                                        bytes)
      --serialize-memory-hard-pbkdf     Use global lock to serialize memory
                                        hard PBKDF (OOM workaround)
      --shared                          Share device with another
                                        non-overlapping crypt segment
  -b, --size=SECTORS                    The size of the device
  -p, --skip=SECTORS                    How many sectors of the encrypted data
                                        to skip at the beginning
      --subsystem=STRING                Set subsystem label for the LUKS2
                                        device
      --tcrypt-backup                   Use backup (secondary) TCRYPT header
      --tcrypt-hidden                   Use hidden header (hidden TCRYPT
                                        device)
      --tcrypt-system                   Device is system TCRYPT drive (with
                                        bootloader)
      --test-args                       Do not run action, just validate all
                                        command line parameters
      --test-passphrase                 Do not activate device, just check
                                        passphrase
  -t, --timeout=secs                    Timeout for interactive passphrase
                                        prompt (in seconds)
      --token-id=INT                    Token number (default: any)
      --token-only                      Do not ask for passphrase if
                                        activation by token fails
      --token-replace                   Replace the current token
      --token-type=STRING               Restrict allowed token types used to
                                        retrieve LUKS2 key
  -T, --tries=INT                       How often the input of the passphrase
                                        can be retried
  -M, --type=STRING                     Type of device metadata: luks, luks1,
                                        luks2, plain, loopaes, tcrypt, bitlk
      --unbound                         Create or dump unbound LUKS2 keyslot
                                        (unassigned to data segment) or LUKS2
                                        token (unassigned to keyslot)
      --use-random                      Use /dev/random for generating volume
                                        key
      --use-urandom                     Use /dev/urandom for generating volume
                                        key
      --uuid=STRING                     UUID for device to use
      --veracrypt                       Scan also for VeraCrypt compatible
                                        device
      --veracrypt-pim=INT               Personal Iteration Multiplier for
                                        VeraCrypt compatible device
      --veracrypt-query-pim             Query Personal Iteration Multiplier
                                        for VeraCrypt compatible device
  -v, --verbose                         Shows more detailed error messages
  -y, --verify-passphrase               Verifies the passphrase by asking for
                                        it twice
  -B, --block-size=MiB                  Reencryption block size
  -N, --new                             Create new header on not encrypted
                                        device
      --use-directio                    Use direct-io when accessing devices
      --use-fsync                       Use fsync after each block
      --write-log                       Update log file after every block
      --dump-master-key                 Alias for --dump-volume-key
      --master-key-file=STRING          Alias for --dump-volume-key-file

<action> is one of:
	open <device> [--type <type>] [<name>] - open device as <name>
	close <name> - close device (remove mapping)
	resize <name> - resize active device
	status <name> - show device status
	benchmark [--cipher <cipher>] - benchmark cipher
	repair <device> - try to repair on-disk metadata
	reencrypt <device> - reencrypt LUKS2 device
	erase <device> - erase all keyslots (remove encryption key)
	convert <device> - convert LUKS from/to LUKS2 format
	config <device> - set permanent configuration options for LUKS2
	luksFormat <device> [<new key file>] - formats a LUKS device
	luksAddKey <device> [<new key file>] - add key to LUKS device
	luksRemoveKey <device> [<key file>] - removes supplied key or key file from LUKS device
	luksChangeKey <device> [<key file>] - changes supplied key or key file of LUKS device
	luksConvertKey <device> [<key file>] - converts a key to new pbkdf parameters
	luksKillSlot <device> <key slot> - wipes key with number <key slot> from LUKS device
	luksUUID <device> - print UUID of LUKS device
	isLuks <device> - tests <device> for LUKS partition header
	luksDump <device> - dump LUKS partition information
	tcryptDump <device> - dump TCRYPT device information
	bitlkDump <device> - dump BITLK device information
	fvault2Dump <device> - dump FVAULT2 device information
	luksSuspend <device> - Suspend LUKS device and wipe key (all IOs are frozen)
	luksResume <device> - Resume suspended LUKS device
	luksHeaderBackup <device> - Backup LUKS device header and keyslots
	luksHeaderRestore <device> - Restore LUKS device header and keyslots
	token <add|remove|import|export> <device> - Manipulate LUKS2 tokens

You can also use old <action> syntax aliases:
	open: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open
	close: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close

<name> is the device to create under /dev/mapper
<device> is the encrypted device
<key slot> is the LUKS key slot number to modify
<key file> optional key file for the new key for luksAddKey action

Default compiled-in metadata format is LUKS2 (for luksFormat action).

LUKS2 external token plugin support is compiled-in.
LUKS2 external token plugin path: /lib/x86_64-linux-gnu/cryptsetup.

Default compiled-in key and passphrase parameters:
	Maximum keyfile size: 8192kB, Maximum interactive passphrase length 512 (characters)
Default PBKDF for LUKS1: pbkdf2, iteration time: 2000 (ms)
Default PBKDF for LUKS2: argon2id
	Iteration time: 2000, Memory required: 1048576kB, Parallel threads: 4

Default compiled-in device cipher parameters:
	loop-AES: aes, Key 256 bits
	plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
	LUKS: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
	LUKS: Default keysize with XTS mode (two internal keys) will be doubled.
Author
Owner
<details>
<summary>Based on above Ask Ubuntu answer:</summary>

```
      --reduce-device-size=bytes        Reduce data device size (move data
                                        offset). DANGEROUS!
...
  -M, --type=STRING                     Type of device metadata: luks, luks1,
                                        luks2, plain, loopaes, tcrypt, bitlk
...
  -N, --new                             Create new header on not encrypted
                                        device
```

</details>
Author
Owner
[wiki.archlinux.org: dm-crypt/Device encryption#Encrypt an existing unencrypted file system (824010)](https://wiki.archlinux.org/index.php?title=Dm-crypt/Device_encryption&oldid=824010#Encrypt_an_existing_unencrypted_file_system)
Author
Owner

![Screenshot_Linux_Mint_2025-01-18_16:23:12.png](/attachments/f4e8d384-5b21-46d8-ae69-60530e2e0432)
Author
Owner
```bash
e2fsck 2>&1 | grep '\-f'
```

```
 -f                   Force checking even if filesystem is marked clean
```
Author
Owner

Is not shrinking the most heavier than shrinking the least possible?
Author
Owner
```bash
man resize2fs
```

<details>
<summary>Output:</summary>

```
...
       -M     Shrink the file system to minimize its size as much as possible, given the files stored in the file system.

       -p     Print out percentage completion bars for each resize2fs phase during an offline (non-trivial) resize operation, so that the user can keep track of what the program is doing.  (For very fast resize operations, no progress bars may be displayed.)
...
```

</details>
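
The pieces collected in the comments above (`e2fsck -f`, `resize2fs`, `cryptsetup reencrypt --encrypt` with `--type` and `--reduce-device-size`) put together as an added example; it is not part of the original thread. It is a dry-run planner that only prints commands, and it shrinks the file system by the least needed rather than with `-M`. Assumptions: the partition is unmounted (live system), `/boot` is a separate unencrypted partition, 32 MiB is reserved for the LUKS2 header, the mapper name `root_crypt` is hypothetical, and the `dumpe2fs -h` sample is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): plan the in-place LUKS2 encryption of
# an existing ext4 partition. Nothing here touches a device; the plan is
# printed so it can be reviewed (and a backup taken) before anything is run.

# Constructed sample of `dumpe2fs -h <device>` output (only the fields used).
SAMPLE_DUMPE2FS='Filesystem volume name:   <none>
Filesystem state:         clean
Block count:              5242880
Block size:               4096'

# Assumption: space freed at the end of the file system for the LUKS2 header,
# in MiB. The same value is passed to --reduce-device-size below.
RESERVE_MIB=32

# fs_field <dumpe2fs text> <field name>
# Prints the value of one "Name:   value" field with whitespace stripped.
fs_field() {
    printf '%s\n' "$1" |
        awk -F: -v key="$2" '$1 == key { gsub(/[ \t]/, "", $2); print $2 }'
}

# shrink_target_blocks <block count> <block size in bytes>
# Prints the block count to shrink to so that RESERVE_MIB is left unused at
# the end of the partition. Fails if the file system is too small.
shrink_target_blocks() {
    stb_reserve=$(( ($RESERVE_MIB * 1024 * 1024 + $2 - 1) / $2 ))
    if [ "$1" -le "$stb_reserve" ]; then
        echo "file system is smaller than the header reserve" >&2
        return 1
    fi
    echo $(( $1 - stb_reserve ))
}

# plan_encrypt <device> <mapper name> <block count> <block size>
# Prints the command sequence, one command per line:
#   1. force a file system check (resize2fs refuses an unchecked fs)
#   2. shrink ext4 to the computed block count (no unit = fs blocks)
#   3. encrypt in place, moving data to make room for the LUKS2 header
#   4. unlock the new LUKS2 device
#   5. grow ext4 again to fill the mapped device
#   6. dump the header to confirm the result
plan_encrypt() {
    pe_target=$(shrink_target_blocks "$3" "$4") || return 1
    cat <<EOF
e2fsck -f $1
resize2fs -p $1 $pe_target
cryptsetup reencrypt --encrypt --type luks2 --reduce-device-size ${RESERVE_MIB}M $1
cryptsetup open $1 $2
resize2fs /dev/mapper/$2
cryptsetup luksDump $1
EOF
}

# Demo with the constructed sample and the /dev/vda3 device from the thread's VM.
demo_blocks=$(fs_field "$SAMPLE_DUMPE2FS" "Block count")
demo_bsize=$(fs_field "$SAMPLE_DUMPE2FS" "Block size")
plan_encrypt /dev/vda3 root_crypt "$demo_blocks" "$demo_bsize"
```

For a root file system, the boot configuration (crypttab, initramfs) still has to be updated afterwards; that part is not covered here.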
Author
Owner


![Screenshot_Linux_Mint_2025-01-18_16:55:36.png](/attachments/7d6764ba-f9f2-4e5d-b3e7-385debdc77b8) ![Screenshot_Linux_Mint_2025-01-18_17:04:47.png](/attachments/234dee66-cec5-4e01-baf1-386b560200c3)
Author
Owner

> Create an initramfs hook script which copies cryptsetup via copy-exec

> P.S The troubleshooting guide was written from memory, so there might be some missing pieces.

Should investigate:

https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html

> But as of Buster cryptsetup(8) defaults to a new LUKS header format version, which isn’t supported by GRUB as of 2.04. Hence the pre-Buster workarounds won’t work anymore. Until LUKS version 2 support is added to GRUB2, the device(s) holding /boot needs to be in LUKS format version 1 to be unlocked from the boot loader.

> Guilhem Moulin guilhem@debian.org, Sun, 09 Jun 2019 16:35:20 +0200
Author
Owner

What about Debian 12 GNOME to just encrypt ext4 with LUKS without LVM?

This would help the person:
See the Tchap message where the person states not needing it finally by proceeding to a reinstall:
```bash
sudo fdisk -l
```

<details>
<summary>Output:</summary>

```
Disk /dev/vda: 30 GiB, 32212254720 bytes, 62914560 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xfefb7d07

Device     Boot Start      End  Sectors Size Id Type
/dev/vda1  *     2048 62912511 62910464  30G 83 Linux
```

</details>

```bash
df -h
```

<details>
<summary>Output:</summary>

```
Filesystem      Size  Used Avail Use% Mounted on
udev            7.6G     0  7.6G   0% /dev
tmpfs           1.6G  1.4M  1.6G   1% /run
/dev/vda1        30G   11G   18G  37% /
tmpfs           7.7G     0  7.7G   0% /dev/shm
tmpfs           5.0M  8.0K  5.0M   1% /run/lock
tmpfs           1.6G   96K  1.6G   1% /run/user/1000
```

</details>

```bash
sudo gparted
```

<details>
<summary>Output:</summary>

```
GParted 1.3.1
configuration --enable-libparted-dmraid --enable-online-resize
libparted 3.5
```

</details>

```bash
sudo cryptsetup reencrypt /dev/vda
```

does not request a password or output anything, same for `/dev/vda1` and it does not return change anything during reboot.

Let us try from a live ISO. Does not help `cryptsetup reencrypt`.

Author
Owner
```bash
sudo e2fsck -f /dev/vda1
```

<details>
<summary>Output:</summary>

```
e2fsck 1.47.0 (5-Feb-2023)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/vda1: 314300/1966080 files (0.2% non-contiguous), 2815025/7863808 blocks
```

</details>
Author
Owner
```bash
sudo resize2fs -p -M /dev/vda1
```

<details>
<summary>Output:</summary>

```
resize2fs 1.47.0 (5-Feb-2023)
Resizing the filesystem on /dev/vda1 to 3039933 (4k) blocks.
Begin pass 2 (max = 1313608)
Relocating blocks             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Begin pass 3 (max = 240)
Scanning inode table          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Begin pass 4 (max = 21658)
Updating inode references     XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
The filesystem on /dev/vda1 is now 3039933 (4k) blocks long.
```

</details>
Author
Owner
```bash
sudo cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/vda1
```

<details>
<summary>Output:</summary>

```
WARNING!
========
This will overwrite data on LUKS2-temp-4ce57ca1-ca7c-4b06-abb8-eb0892d6897e.new irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for LUKS2-temp-4ce57ca1-ca7c-4b06-abb8-eb0892d6897e.new: 
Verify passphrase: 
Finished, time 01m10s,   29 GiB written, speed 434.1 MiB/s
```

</details>
Author
Owner
```bash
sudo cryptsetup open /dev/vda1 recrypt
```

```
Enter passphrase for /dev/vda1:
```

```bash
sudo resize2fs /dev/mapper/recrypt
```

<details>
<summary>Output:</summary>

```
resize2fs 1.47.0 (5-Feb-2023)
Resizing the filesystem on /dev/mapper/recrypt to 7859712 (4k) blocks.
The filesystem on /dev/mapper/recrypt is now 7859712 (4k) blocks long.
```

</details>
Author
Owner
```bash
sudo fdisk -l
```

<details>
<summary>Output:</summary>

```
Disk /dev/vda: 30 GiB, 32212254720 bytes, 62914560 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xfefb7d07

Device     Boot Start      End  Sectors Size Id Type
/dev/vda1  *     2048 62912511 62910464  30G 83 Linux


Disk /dev/loop0: 2.73 GiB, 2934968320 bytes, 5732360 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
```

</details>
Author
Owner
```bash
df -h /mnt/
```

<details>
<summary>Output:</summary>

```
Filesystem           Size  Used Avail Use% Mounted on
/dev/mapper/recrypt   30G   11G   18G  37% /mnt
```

</details>
Author
Owner

On my Debian 12 GNOME laptop:

<details>
<summary><code>/etc/fstab</code>:</summary>

```
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# systemd generates mount units based on this file, see systemd.mount(5).
# Please run 'systemctl daemon-reload' after making changes here.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/nvme0n1p8_crypt /               ext4    errors=remount-ro 0       1
# /boot was on /dev/nvme0n1p9 during installation
UUID=457a754f-11ce-4fe8-8e3e-1fab836e1522 /boot           ext4    defaults        0       2
# /boot/efi was on /dev/nvme0n1p1 during installation
UUID=1CCC-5836  /boot/efi       vfat    umask=0077      0       1
/dev/mapper/cryptswap1 none swap sw 0 0
```

</details>

<details>
<summary><code>/etc/crypttab</code>:</summary>

```
nvme0n1p8_crypt UUID=7acc5e49-df7d-48c2-a3a2-7c29c2fe88bd none luks,discard
cryptswap1   /dev/nvme0n1p10   none   luks
```

</details>
Author
Owner
<details>
<summary><code>/mnt/etc/fstab</code>:</summary>

```
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# systemd generates mount units based on this file, see systemd.mount(5).
# Please run 'systemctl daemon-reload' after making changes here.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/vda1 during installation
UUID=0e9a3032-7390-4a7f-8073-e690fc58839a /               ext4    errors=remount-ro 0       1
/dev/sr0        /media/cdrom0   udf,iso9660 user,noauto     0       0
```

</details>

<details>
<summary><code>/mnt/etc/crypttab</code>:</summary>

```
# <target name>	<source device>		<key file>	<options>
```

</details>
Author
Owner
```bash
sudo blkid
```

<details>
<summary>Output:</summary>

```
/dev/sr0: BLOCK_SIZE="2048" UUID="2025-01-11-10-25-55-00" LABEL="d-live 12.9.0 gn amd64" TYPE="iso9660" PTUUID="98418538" PTTYPE="dos"
/dev/loop0: TYPE="squashfs"
/dev/vda1: UUID="4ce57ca1-ca7c-4b06-abb8-eb0892d6897e" TYPE="crypto_LUKS" PARTUUID="fefb7d07-01"
/dev/mapper/recrypt: UUID="0e9a3032-7390-4a7f-8073-e690fc58839a" BLOCK_SIZE="4096" TYPE="ext4"
```

</details>
Author
Owner


Replacing in `/mnt/etc/fstab` `0e9a3032-7390-4a7f-8073-e690fc58839a` with `4ce57ca1-ca7c-4b06-abb8-eb0892d6897e` does not help booting.
Author
Owner

Let us try:

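<details>
<summary><code>/etc/fstab</code>:</summary>

```
/dev/mapper/crypt /               ext4    errors=remount-ro 0       1
```

</details>

<details>
<summary><code>/etc/crypttab</code>:</summary>

```
crypt UUID=4ce57ca1-ca7c-4b06-abb8-eb0892d6897e none luks,discard
```

</details>
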
Even if I ended up making it work the other person:

is not interested as I explain him the dis/advantages, see [issues/22#issuecomment-2956](issues/22#issuecomment-2956).

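An added example, not part of the thread's posts or of any project's code: a POSIX shell check that reads `blkid` output, builds the `/etc/crypttab` entry for the LUKS container, and classifies the `/` line of `/etc/fstab` for the three states tried above (original UUID, UUID swapped for the LUKS one, mapper path). The function names and verdict strings are assumptions of this example, and the sample data is constructed from the outputs quoted in the thread.

```shell
#!/bin/sh
# Added example: consistency check between blkid, /etc/crypttab and /etc/fstab
# after an in-place LUKS conversion. Function names are hypothetical.

# Constructed sample: the two relevant lines of the blkid output quoted above.
BLKID='/dev/vda1: UUID="4ce57ca1-ca7c-4b06-abb8-eb0892d6897e" TYPE="crypto_LUKS" PARTUUID="fefb7d07-01"
/dev/mapper/recrypt: UUID="0e9a3032-7390-4a7f-8073-e690fc58839a" BLOCK_SIZE="4096" TYPE="ext4"'

# uuids_of_type TYPE < blkid-output: print the UUID of each device of that TYPE.
# The leading space keeps PARTUUID= and PTTYPE= from matching.
uuids_of_type() {
    sed -n "/ TYPE=\"$1\"/s/.* UUID=\"\([^\"]*\)\".*/\1/p"
}

# crypttab_line NAME BLKID_TEXT: crypttab entry for the first LUKS container.
crypttab_line() {
    luks=$(printf '%s\n' "$2" | uuids_of_type crypto_LUKS | head -n 1)
    [ -n "$luks" ] || { echo "no crypto_LUKS device found" >&2; return 1; }
    printf '%s UUID=%s none luks,discard\n' "$1" "$luks"
}

# check_root FSTAB_TEXT CRYPTTAB_TEXT BLKID_TEXT: print a verdict for the "/" line.
check_root() {
    root=$(printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }')
    luks=$(printf '%s\n' "$3" | uuids_of_type crypto_LUKS | head -n 1)
    # Name of the crypttab target whose source is this LUKS container, if any.
    name=$(printf '%s\n' "$2" |
        awk -v src="UUID=$luks" '$1 !~ /^#/ && $2 == src { print $1; exit }')
    if [ "$root" = "UUID=$luks" ]; then
        echo "luks-uuid"      # fstab names the container, which is not an ext4 filesystem
    elif [ -z "$name" ]; then
        echo "no-crypttab"    # no crypttab entry maps the container
    elif [ "$root" = "/dev/mapper/$name" ]; then
        echo "ok"             # root is the mapping that crypttab creates
    else
        for u in $(printf '%s\n' "$3" | uuids_of_type ext4); do
            if [ "$root" = "UUID=$u" ]; then echo "ok"; return 0; fi
        done
        echo "unknown-root"
    fi
    return 0
}

# The three fstab states from the thread (constructed from the quoted files).
FSTAB_ORIG='UUID=0e9a3032-7390-4a7f-8073-e690fc58839a / ext4 errors=remount-ro 0 1'
FSTAB_SWAPPED='UUID=4ce57ca1-ca7c-4b06-abb8-eb0892d6897e / ext4 errors=remount-ro 0 1'
FSTAB_MAPPER='/dev/mapper/crypt / ext4 errors=remount-ro 0 1'
CRYPTTAB_EMPTY='# <target name> <source device> <key file> <options>'
CRYPTTAB_NEW=$(crypttab_line crypt "$BLKID")

check_root "$FSTAB_ORIG" "$CRYPTTAB_EMPTY" "$BLKID"
check_root "$FSTAB_SWAPPED" "$CRYPTTAB_EMPTY" "$BLKID"
check_root "$FSTAB_MAPPER" "$CRYPTTAB_NEW" "$BLKID"
```

An `ok` verdict only means that `fstab` and `crypttab` agree with `blkid`; whether the boot loader and initramfs can unlock the container is outside what this check covers.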
Author
Owner

I may have an issue with the boot partition.

Author
Owner


Above configuration is still stuck on *SeaBIOS*.
Author
Owner


`/mnt/etc/mkinitcpio.conf` does not exist.
Author
Owner

Should test with:

<details>
<summary><code>/etc/mkinitcpio.conf</code>:</summary>

```
HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt lvm2 filesystems fsck)
```

</details>

[wiki.archlinux.org: Mkinitcpio#Image creation and activation (823193)](https://wiki.archlinux.org/index.php?title=Mkinitcpio&oldid=823193#Image_creation_and_activation) makes me believe that `mkinitcpio` is Arch specific.
Author
Owner
[wiki.archlinux.org: Dm-crypt/System configuration#Unlocking in late userspace (822797)](https://wiki.archlinux.org/index.php?title=Dm-crypt/System_configuration&oldid=822797#Unlocking_in_late_userspace) may help.
Author
Owner
[Improve_websites_thanks_to_open_source/issues/967](https://codeberg.org/Benjamin_Loison/Improve_websites_thanks_to_open_source/issues/967) would help.
Author
Owner

See calendar event of 04/02/25 at 14:00 to encrypt my cloud VMs.

Could reinstall OVH VPS to activate encryption but this is too heavy.

Reference: Benjamin_Loison/linux#58