reencrypt_linux_post_install

Differences

This shows you the differences between two versions of the page.

reencrypt_linux_post_install [2025/04/30 11:58] – [STEP 2: Setup your partitioning] userareencrypt_linux_post_install [2025/07/26 09:51] (current) usera
Line 51: Line 51:
 </code> </code>
  
-If so, you are sure to have the right file. You can then proceed to flash you USB key. I recommend using Balena Etcher, which is Open Source, user friendly and cross platform. You can download it [[https://github.com/balena-io/etcher/releases/|here]].  +If so, you are sure to have the right file. You can then proceed to flash you USB key. I recommend using [[balena-etcher|Balena Etcher]], which is Open Source, user friendly and cross platform.
-For Debian based distributions (like Linux Mint, Ubuntu or Debian), download the .deb file, and the checksum file for Linux: (this is an example for the version v2.1.0, change the filenames accordingly if needed): +
- +
-<code> +
-wget https://github.com/balena-io/etcher/releases/download/v2.1.0/balena-etcher_2.1.0_amd64.deb +
-wget https://github.com/balena-io/etcher/releases/download/v2.1.0/SHA256SUMS.Linux.x64.txt +
-</code> +
- +
-Then you can check that the checksum match. The output of this command: +
- +
-<code> +
-sha256sum balena-etcher_2.1.0_amd64.deb +
-</code> +
- +
-should be contained in the output of this one: +
- +
-<code> +
-cat SHA256SUMS.Linux.x64.txt +
-</code> +
- +
-Now that you have some level of confidence that you are dealing with a genuine file, you can install it: +
- +
-<code> +
-sudo apt install ./balena-etcher_2.1.0_amd64.deb +
-</code> +
- +
-Then launch it: +
- +
-<code> +
-balena-etcher +
-</code> +
- +
-{{ :balenaetcher_1.png?600 |}} +
- +
- +
-{{ :balenaetcher_optout.png?600 |}} +
- +
-{{ :balenaetcher_clonezilla_2.png?600 |}} +
- +
-(in the two following screenshot it is an example with Tails) +
-{{ :balenaetcher_3.png?600 |}} +
- +
-{{ :balenaetcher_4.png?600 |}}+
  
 ==== STEP 1.2: prepare the external SSD ==== ==== STEP 1.2: prepare the external SSD ====
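Review bot: the sentence kept in this hunk still reads "proceed to flash you USB key" (should be "your"), and since the SHA256 verification of the Etcher package (the wget of SHA256SUMS.Linux.x64.txt followed by comparing the sha256sum output against it) has been moved off this page, the linked balena-etcher page should carry that same check so readers still verify the .deb before handing it to sudo apt install; "sha256sum -c --ignore-missing SHA256SUMS.Linux.x64.txt" does the comparison mechanically instead of eyeballing two outputs, provided the file is in sha256sum's hash/filename format.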
Line 372: Line 330:
   - One partition for the /boot   - One partition for the /boot
  
-You most likely have the two first one. If you do not have the last one, you need to create one ext4 partition of roughly 500MB. You will need to shrink another partition for this, and you cannot shrink a partition that you are using, You will therefore need to **boot from a live USB** +You most likely have the two first one. If you already have the last one, you can go immediately to the following step.  
- + 
 +==== In case you do not have a separate /boot partition ==== 
 + 
 +=== Create the partition === 
 + 
 + 
 +If you do not have the last one, you need to create one ext4 partition of roughly 500MB. You will need to shrink another partition for this, and you cannot shrink a partition that you are using, You will therefore need to **[[boot_live_usb|boot from a live USB]]** 
 + 
 +Once there, you can use the gparted tool again: 
 + 
 +<code> 
 +sudo gparted 
 +</code> 
 + 
 +Select your disk, then locate the partition you want to shrink (usually the one dedicated to /home if you have one, otherwise the one dedicated to /). 
 + 
 +If you see something in the "Mount point" column, right click and click on "unmount". Then right click and click on resize/move. Add 500MB at the end of this partition **(do not copy the number used in this example screenshot, as it was with partitions that were too small to create a 500MB extra one)**. Then click on resize/move 
 + 
 +{{::gparted_12.png?600 |}} 
 + 
 +You can now create a new ext4 partition of size 500MB roughly, and then click on Add, then "Apply all operations" 
 + 
 +{{ ::gparted_13.png?600 |}} 
 + 
 +{{ ::gparted_14.png?600 |}} 
 + 
 +{{ ::gparted_15.png?600 |}} 
 + 
 +=== Associate the boot partition === 
 + 
 + 
 +Then, you need to reinstall your boot partition. It is possible to do it manually, but I recommend a nice tool called boot-repair. To use it, open a command prompt and type: 
 + 
 +<code> 
 +sudo add-apt-repository ppa:yannubuntu/boot-repair 
 +sudo apt-get update 
 +sudo apt-get install boot-repair 
 +boot-repair 
 +</code> 
 + 
 +you will be prompted with a menu saying "apply the recommanded repairs". Do not click on it, but instead on "advanced options"->GRUB location->tick the "separate /boot partition" and select the correct partition to use for it (the one you just created)->click on "Apply" and follow the instructions if some are presented. 
 + 
 +Now you can restart your computer, remove the USB key and let it boot on the normal OS, check that the system boots, and that the result of the command: 
 +<code> 
 +lsblk 
 +</code> 
 + 
 +shows among other lines one line for the ESP partition (Mount point /boot/efi), one for the boot parititon (Mount point /boot), and one for the root filesystem (Mount point /). 
 + 
 +=== Do the actual reencryption === 
 + 
 +Insert your live USB key, restart your computer and boot on your live system again. Once this is done, open a command line. We will need to shrink the partition with the root filesystem by 32M in order to encrypt it. To do this, a small computation is necessary. Here are the command you will use, if you want to encrypt the partition [ROOT_PARTITION], in my case it was sda2. 
 + 
 +<code> 
 +sudo dumpe2fs -h /dev/[ROOT_PARTITION] | grep Block 
 +</code> 
 + 
 +which will give you something like this: 
 + 
 +<code> 
 +dumpe2fs 1.46.5 (30-Dec-2021) 
 +Block count:              77883392 
 +Block size:               4096 
 +Blocks per group:         32768 
 +</code> 
 + 
 +note the "Block count" and the "Block size", then use the following formula, where BLOCK_COUNT and BLOCK_SIZE should be replaced with their value: 
 +<code> 
 +python3 -c "print(int((BLOCK_COUNT*BLOCK_SIZE-32*1024*1024)/BLOCK_SIZE))" 
 +</code> 
 + 
 +In my case, I get: 
 + 
 +<code> 
 +python3 -c "print(int((77883392*4096-32*1024*1024)/4096))" 
 +77875200 
 +</code> 
 +Note this number. 
 +Now enter: 
 + 
 +<code> 
 +sudo e2fsck -f /dev/[ROOT_PARTITION] 
 +</code> 
 + 
 +in my case, I get: 
 +<code> 
 +mint@mint:~$ sudo e2fsck -f /dev/sda2 
 +e2fsck 1.46.5 (30-Dec-2021) 
 +Pass 1: Checking inodes, blocks, and sizes 
 +Pass 2: Checking directory structure 
 +Pass 3: Checking directory connectivity 
 +Pass 4: Checking reference counts 
 +Pass 5: Checking group summary information 
 +/dev/sda2: 311972/19472384 files (0.4% non-contiguous), 4838704/77883392 blocks 
 +</code> 
 + 
 +then you can do the actual resize of the filesystem, using the number you previously calculated, in my case 77875200. 
 +<code> 
 +sudo resize2fs -p /dev/[ROOT_PARTITION] 77875200 
 +</code> 
 + 
 +I got: 
 +<code> 
 +resize2fs 1.46.5 (30-Dec-2021) 
 +Resizing the filesystem on /dev/sda2 to 77875200 (4k) blocks. 
 +The filesystem on /dev/sda2 is now 77875200 (4k) blocks long. 
 +</code> 
 + 
 +you can now do the actual reencription: 
 +<code> 
 +sudo cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/[ROOT_PARTITION] 
 +</code> 
 +which will take a very long time, depending on the size of your disk. In my case, I got: 
 + 
 +<code> 
 +mint@mint:~$ sudo cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/sda2 
 + 
 +WARNING! 
 +======== 
 +This will overwrite data on LUKS2-temp-5c24539d-acc7-4216-bc61-0939b2d4f51f.new irrevocably. 
 + 
 +Are you sure? (Type 'yes' in capital letters): YES 
 +Enter passphrase for LUKS2-temp-5c24539d-acc7-4216-bc61-0939b2d4f51f.new:  
 +Verify passphrase:  
 +Finished, time 358:10.876, 304216 MiB written, speed  14.2 MiB/s\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00 
 +</code> 
 + 
 +which took 358 minutes, which is 6 hours. 
 + 
 +Then you can decrypt this partition, then mount the corresponding system: 
 + 
 +<code> 
 +sudo cryptsetup luksOpen /dev/[ROOT_PARTITION] cryptodisk 
 +</code> 
 + 
 +you will have to enter your passphrase. Then resize the filesystem there: 
 +<code> 
 +sudo resize2fs /dev/mapper/cryptodisk 
 +</code> 
 + 
 +which gave in my case: 
 +<code> 
 +resize2fs 1.46.5 (30-Dec-2021) 
 +Resizing the filesystem on /dev/mapper/cryptodisk to 77879296 (4k) blocks. 
 +The filesystem on /dev/mapper/cryptodisk is now 77879296 (4k) blocks long. 
 +</code> 
 + 
 +Now, you need to note down the content of the file /etc/resolv.conf, which is use by linux to access internet: 
 +<code> 
 +cat /etc/resolv.conf 
 +</code> 
 + 
 +and you can now do a special operation to "enter" in your system. It is called a chroot operation, ,it is very convenient to recover a system that does not boot for example (boot with a live USB system, do a chroot, change some things to fix your system, and reboot). 
 +Enter the following commands, where [BOOT_PARTITION] is the boot partition you created, in my case sda3, and [EFI_PARTITION] is the EFI partition, in my case sda1: 
 + 
 +<code> 
 +sudo mount /dev/mapper/cryptodisk /mnt 
 +sudo mount /dev/[BOOT_PARTITION] /mnt/boot 
 +sudo mount /dev/[EFI_PARTITION] /mnt/boot/efi 
 +sudo mount --bind /dev /mnt/dev 
 +sudo mount --bind /dev/pts /mnt/dev/pts 
 +sudo mount --bind /sys /mnt/sys 
 +sudo mount --bind /proc /mnt/proc 
 +sudo chroot /mnt 
 +</code> 
 + 
 +the prompt will change a bit: you are now an administrator inside your own system!  
 +Let us first check that we are connected to internet. To do that, you need to try to ping a website: 
 + 
 +<code> 
 +ping google.com 
 +</code> 
 + 
 +if you see something like this: 
 +<code> 
 +(base) usera@debian:~$ ping google.com 
 +PING google.com (142.250.74.78) 56(84) bytes of data. 
 +64 bytes from arn09s23-in-f14.1e100.net (142.250.74.78): icmp_seq=1 ttl=113 time=20.3 ms 
 +64 bytes from arn09s23-in-f14.1e100.net (142.250.74.78): icmp_seq=2 ttl=113 time=21.3 ms 
 +64 bytes from arn09s23-in-f14.1e100.net (142.250.74.78): icmp_seq=3 ttl=113 time=20.4 ms 
 +</code> 
 + 
 +then you are good to go, you can do CTRL+C to stop it. Otherwise, try copying the content of the /etc/resolv.conf file from before: 
 + 
 +<code> 
 +nano /etc/resolv.conf 
 +</code> 
 +then paste the content, and enter CTRL+X, then Y do save the changes. Try again to ping: 
 + 
 +<code> 
 +ping google.com 
 +</code> 
 + 
 +It should work now. 
 + 
 +Now, install some required packages: 
 +<code> 
 +sudo apt install cryptsetup cryptsetup-initramfs 
 +</code> 
 + 
 +and let us do some modifications. 
 +Enter the following command: 
 + 
 +<code> 
 +blkid 
 +</code> 
 + 
 +in my case I get: 
 + 
 +<code> 
 +/dev/sdb2: SEC_TYPE="msdos" LABEL_FATBOOT="ESP" LABEL="ESP" UUID="8D6C-A9F8" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="Appended2" PARTUUID="6d4f3559-353e-4f68-9e82-073ebfc45977" 
 +/dev/sdb3: LABEL="writable" UUID="8f575917-6870-4bc8-bc52-88dca8725727" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="046f4c25-8d42-0144-8919-012dc6b514fc" 
 +/dev/sdb1: BLOCK_SIZE="2048" UUID="2022-07-26-18-56-47-00" LABEL="Linux Mint 21 Xfce 64-bit" TYPE="iso9660" PARTLABEL="ISO9660" PARTUUID="6d4f3559-353e-4f68-9e81-073ebfc45977" 
 +/dev/loop0: TYPE="squashfs" 
 +/dev/mapper/cryptodisk: UUID="eb4337fa-a978-4aa6-a8c9-407b30af8b48" BLOCK_SIZE="4096" TYPE="ext4" 
 +/dev/sda2: UUID="5c24539d-acc7-4216-bc61-0939b2d4f51f" TYPE="crypto_LUKS" PARTUUID="cd8058db-e068-404a-b4eb-e4365087e2df" 
 +/dev/sda3: UUID="1185a0bc-123f-4fc0-9ff5-7bc127e559df" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="1dc8c979-f987-4330-9507-0e5c195f6c75" 
 +/dev/sda1: UUID="1EF0-6BBB" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="EFI System Partition" PARTUUID="7a499615-a81d-4993-a9ab-9a6f7595812d" 
 +</code> 
 + 
 +you should note the UUID of the encrypted disk, in my case sda2, whose UUID is 5c24539d-acc7-4216-bc61-0939b2d4f51f 
 +edit the file /etc/crypttab with the following command: 
 + 
 +<code> 
 +nano /etc/crypttab 
 +</code> 
 + 
 +and add the following line, replacing [UUID] with the value you noted: 
 + 
 +<code> 
 +cryptodisk UUID=[UUID] none luks,discard 
 +</code> 
 + 
 +you can exit the editor with CTRL+X, then type Y for saving it. 
 +then note the UUID of the decrypted partition, here /dev/mapper/cryptodisk, whose UUID is in my case eb4337fa-a978-4aa6-a8c9-407b30af8b48. Modify the file /etc/fstab with the command: 
 + 
 +<code> 
 +nano /etc/fstab 
 +</code> 
 + 
 +you should check the line that has the mount point "/", and check that it is like the following, otherwise edit it and save it: 
 + 
 +<code> 
 +/dev/mapper/cryptodisk /               ext4    errors=remount-ro 0       1 
 +</code> 
 + 
 +you need finally to modify the file /etc/default/grub: 
 +<code> 
 +nano /etc/default/grub 
 +</code> 
 + 
 +you need to locate the entry "GRUB_CMDLINE_LINUX=" and change it to "GRUB_CMDLINE_LINUX="cryptdevice=UUID=<LUKS partition UUID>:cryptodisk root=/dev/mapper/cryptdisk" 
 +where you change <LUKS partition UUID> for the UUID of your encrypted partition. 
 +You can then enter: 
 + 
 +<code> 
 +sudo update-initramfs -u 
 +</code> 
 + 
 +and then: 
 + 
 +<code> 
 +update-grub 
 +</code> 
 + 
 +and finally the following commands: 
 + 
 +<code> 
 +exit 
 +sudo shutdown -r now 
 +</code> 
 + 
 +you will then remove your USB key and boot in your encrypted system hopefully. You should see a prompt asking to unlock your disk, and then your familiar OS will boot, with all the configuration you previously had. Congratulations !
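Review bot: the GRUB_CMDLINE_LINUX line near the end of this hunk names the root mapping "root=/dev/mapper/cryptdisk", while /etc/crypttab ("cryptodisk UUID=[UUID] none luks,discard") and /etc/fstab ("/dev/mapper/cryptodisk / ext4 errors=remount-ro 0 1") both use "cryptodisk"; with that typo the initramfs waits for a root device that never appears, so it should read root=/dev/mapper/cryptodisk, and the quoting on that line is unbalanced (one double quote opens before GRUB_CMDLINE_LINUX and the value's own closing quote ends the sentence). Since the page installs cryptsetup-initramfs, which unlocks the volume from /etc/crypttab, the mapping name in crypttab, fstab and the kernel line is the part that must agree. Two smaller points: the text asks the reader to note the UUID of /dev/mapper/cryptodisk but the fstab line then uses the device path, so either drop that step or write the fstab entry as UUID=...; and the "discard" option in crypttab passes TRIM through the encrypted device, which lets anyone reading the raw disk see which sectors are unused, so it is worth a sentence saying this is a performance/confidentiality trade-off rather than a required setting.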
reencrypt_linux_post_install.1746014310.txt.gz · Last modified: by usera