How to enable full disk encryption after install? #58
Would help Benjamin-Loison/cinnamon/issues/179.
Wikipedia: Linux Unified Key Setup (1239229939) may help.
Reading:
would also help.
Related to Benjamin_Loison/ecryptfs/issues/8.
Wikipedia: Linux Unified Key Setup#Examples (1239229939) may help; otherwise, I read this article completely.
gparted helps?
Can try in a virtual machine first.
Let us try from a fresh Linux Mint 22.1:
Screenshot_Linux_Mint_2025-01-18_15:58:46.png
does not request an encryption password and rebooting leads to usual login prompt.
DuckDuckGo search Linux Mint enable full disk encryption after install.
Could investigate the documentation of:
cryptsetup reencrypt
cryptsetup-reencrypt
Backing up before encrypting seems safer.
As there is a decryption screen, there is no need to take screenshots of how to access the disk from another system.
However, a final screenshot once encrypted of gparted to show that it is encrypted would be nice.
https://forums.linuxmint.com/viewtopic.php?t=391261 seems more about not identical backup and restore.
The Ask Ubuntu answer 369623 states quickly that it is not possible.
Source: luksipc/blob/e222ca7ff89e7465345c8ae8786096130e06a30f/README.md?plain=1#L7-L11
Source: the Ask Ubuntu comment 2501628
Let us figure out why I faced above in https://gitea.lemnoslife.com/attachments/f3fda48c-04fc-4a5c-ac80-d884d6cde31c:
Output:
DuckDuckGo and Google search "cryptosetup-reencrypt" and "cryptosetup-reencrypt" "apt".
https://man7.org/linux/man-pages/man8/cryptsetup-reencrypt.8.html
On my Debian 12 GNOME work laptop:
https://command-not-found.com/cryptsetup-reencrypt
cryptsetup
The Ask Ubuntu question 1445879 faces the same issue as me.
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/2014228/comments/5 seems to recommend instead cryptsetup reencrypt.
even if sudo.
On my Debian 12 GNOME work laptop:
Output:
Based on above Ask Ubuntu answer:
wiki.archlinux.org: dm-crypt/Device encryption#Encrypt an existing unencrypted file system (824010)
Is not shrinking the most heavier than shrinking the least possible?
Output:
Should investigate:
https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html
What about Debian 12 GNOME to just encrypt ext4 with LUKS without LVM?
This would help the person:
See the Tchap message where the person states not needing it finally by proceeding to a reinstall:
Output:
Output:
Output:
does not request a password or output anything, same for /dev/vda1 and it does not change anything during reboot.
Let us try from a live ISO. Does not help cryptsetup reencrypt.
Output:
Output:
Output:
Output:
Output:
Output:
On my Debian 12 GNOME laptop:
/etc/fstab:
/etc/crypttab:
/mnt/etc/fstab:
/mnt/etc/crypttab:
Output:
Replacing in /mnt/etc/fstab 0e9a3032-7390-4a7f-8073-e690fc58839a with 4ce57ca1-ca7c-4b06-abb8-eb0892d6897e does not help booting.
Let us try:
/etc/fstab:
/etc/crypttab:
Even if I ended up making it work the other person:
is not interested as I explained to him the dis/advantages, see issues/22#issuecomment-2956.
I may have an issue with the boot partition.
Above configuration is still stuck on SeaBIOS.
/mnt/etc/mkinitcpio.conf does not exist.
Should test with:
/etc/mkinitcpio.conf:
wiki.archlinux.org: Mkinitcpio#Image creation and activation (823193) makes me believe that mkinitcpio is Arch specific.
wiki.archlinux.org: Dm-crypt/System configuration#Unlocking in late userspace (822797) may help.
Improve_websites_thanks_to_open_source/issues/967 would help.
See calendar event of 04/02/25 at 14:00 to encrypt my cloud VMs.
Could reinstall OVH VPS to activate encryption but this is too heavy.
The person:
does not know how to do so and would be interested in doing so. It is still the case as of 21/10/25, source: oral physically.
Maybe can somehow access raw ext4 in encrypted container, then just copy with dd. Just copying files and folders from / does not seem very correct to me, but may be.
DuckDuckGo and Google search Ubuntu full disk encryption after install.
I have quickly read johndoe31415/luksipc/issues/{13,12}. In the latter johndoe31415/luksipc/issues/12#issuecomment-256700470 may be especially useful. Other issues and pull requests do not seem relevant based on their titles and there is no wiki.
https://johndoe31415.github.io/luksipc/testing.html may be interesting but does not manage root partition case.
Source: https://opencraft.com/tutorial-encrypting-an-existing-root-partition-in-ubuntu-with-dm-crypt-and-luks/
On Debian 12 GNOME laptop Virtual Machine Manager Ubuntu (trust) virtual machine:
Output:
Output:
I doubt that it means UEFI being supported but let us try anyway.
Well this is 2 red flags, so let us stop.
Same Firmware on Debian (trust).
On Oracle Cloud free ARM VPS:
Source: the Ask Ubuntu answer 162896
DuckDuckGo search Linux check if booted with UEFI.
https://www.ovh.com/manager/#/dedicated/vps/vps713872.ovh.net/dashboard does not seem to help switching to UEFI.
DuckDuckGo search OVH Boot UEFI.
On Debian UEFI virtual machine:
From a virtual live USB:
Output:
Face Benjamin_Loison/virt-manager/issues/84.
Output:
Output:
Should try without --type if it works fine.
Output:
Output:
Output:
Bash script:
does not return anything.
Are all these mounts necessary?
Let us verify this fact.
So this does not seem expected.
Output:
Should investigate the permissions given.
/etc/crypttab:
should investigate discard meaning.
Initial /etc/fstab:
I added:
there was no such reference.
Initial /etc/default/grub:
I added:
Output:
I guess that the second line is due to live USB key.
In another shell:
Output:
/boot/grub/grub.cfg:
I have not verified the random part but the blue rectangles match above.
Output:
Should verify these parameters.
Output:
Output:
I disabled installing pending updates when requesting on graphical shutdown.
no matter if I have provided the correct or incorrect password.
Testing on an actual computer may help, can dd to ease resetting the unencrypted disk state.
Note that I have an ad-hoc SATA SSD for such tests on my computer Pegasus.
Should investigate:
Does it actually preserve files and folders on ext4, once encrypted? I would say so, see:
Tracked at Benjamin_Loison/ext4/issues/5.
Should read Wikipedia: Disk encryption.
Would help Benjamin_Loison/Ubuntu/issues/17.
https://ubuntuhandbook.org/index.php/2024/08/encrypt-existing-ubuntu-system/ looks promising but uses a snapshot according to https://discourse.ubuntu.com/t/24-04-disk-encryption-not-available-during-install-if-using-a-partition-and-not-full-disk/55238/8.
https://ubuntuhandbook.org/index.php/2024/08/encrypt-existing-ubuntu-system/#comment-3758446 may help. However, above issue comments do not seem to face initramfs but grub.
Both on my Debian 12 GNOME laptop the Ubuntu /boot/ does not seem to have its specific partition and the Virtual Machine Manager Ubuntu (trust) virtual machine does not seem to have a /boot/ partition too.
So maybe can first proceed in a virtual machine even if it asks twice the password, then I'll try to add a workaround, as mentioned in https://ubuntuhandbook.org/index.php/2024/08/encrypt-existing-ubuntu-system/#comment-3757645, not to.
Well it does not seem to just be a question of asking twice the password but just following the tutorial.
https://ubuntuhandbook.org/wp-content/uploads/2024/08/encrypt-prepare.webp
Could search how to start using a partition as the tutorial for /boot/.
Would help:
Related to Improve_websites_thanks_to_open_source/issues/1828.
Source: https://wiki.extinctionrebellion.fr/books/securite-militante/page/securite-de-lordinateur-1-saisie-par-la-police
https://www.privacyguides.org/en/encryption/#picocrypt-file should be removed in my opinion, as:
https://www.privacyguides.org/en/encryption/#veracrypt-disk
https://veracrypt.fr/code redirects to https://veracrypt.io/Code.html while https://veracrypt.io/en/Code.html is the working URL.
Related to Benjamin_Loison/mintstick/issues/3.
The person mentioned in https://pim.etesync.lemnoslife.com/pim/events/KZ_e7ykAkYyWD3ECaZgHyCYAweZhp_Rm|TFIQDQixnGy1vr5mjDZX9u2XL1IcBS8i is reinstalling Ubuntu for this reason, knowing the existence of ecryptfs-migrate-home.