Differences

This shows you the differences between two versions of the page.

--- reencrypt_linux_post_install [2025/04/30 18:44] – [STEP 2: Setup your partitioning] usera
+++ reencrypt_linux_post_install [2025/07/26 09:51] (current) – usera
@@ Line 330: / Line 330: @@
   - One partition for the /boot
-You most likely have the two first one. If you do not have the last one, you need to create one ext4 partition of roughly 500MB. You will need to shrink another partition for this, and you cannot shrink a partition that you are using, You will therefore need to **[[boot_live_usb|boot from a live USB]]**
+You most likely have the two first one. If you already have the last one, you can go immediately to the following step.
+==== In case you do not have a separate /boot partition ====
+=== Create the partition ===
+If you do not have the last one, you need to create one ext4 partition of roughly 500MB. You will need to shrink another partition for this, and you cannot shrink a partition that you are using, You will therefore need to **[[boot_live_usb|boot from a live USB]]**
 Once there, you can use the gparted tool again:
@@ Line 351: / Line 358: @@
 {{ ::gparted_15.png?600 |}}
+=== Associate the boot partition ===
+Then, you need to reinstall your boot partition. It is possible to do it manually, but I recommend a nice tool called boot-repair. To use it, open a command prompt and type:
+<code>
+sudo add-apt-repository ppa:yannubuntu/boot-repair
+sudo apt-get update
+sudo apt-get install boot-repair
+boot-repair
+</code>
+you will be prompted with a menu saying "apply the recommanded repairs". Do not click on it, but instead on "advanced options"->GRUB location->tick the "separate /boot partition" and select the correct partition to use for it (the one you just created)->click on "Apply" and follow the instructions if some are presented.
+Now you can restart your computer, remove the USB key and let it boot on the normal OS, check that the system boots, and that the result of the command:
+<code>
+lsblk
+</code>
+shows among other lines one line for the ESP partition (Mount point /boot/efi), one for the boot parititon (Mount point /boot), and one for the root filesystem (Mount point /).
+=== Do the actual reencryption ===
+Insert your live USB key, restart your computer and boot on your live system again. Once this is done, open a command line. We will need to shrink the partition with the root filesystem by 32M in order to encrypt it. To do this, a small computation is necessary. Here are the command you will use, if you want to encrypt the partition [ROOT_PARTITION], in my case it was sda2.
+<code>
+sudo dumpe2fs -h /dev/[ROOT_PARTITION] | grep Block
+</code>
+which will give you something like this:
+<code>
+dumpe2fs 1.46.5 (30-Dec-2021)
+Block count:              77883392
+Block size:               4096
+Blocks per group:         32768
+</code>
+note the "Block count" and the "Block size", then use the following formula, where BLOCK_COUNT and BLOCK_SIZE should be replaced with their value:
+<code>
+python3 -c "print(int((BLOCK_COUNT*BLOCK_SIZE-32*1024*1024)/BLOCK_SIZE))"
+</code>
+In my case, I get:
+<code>
+python3 -c "print(int((77883392*4096-32*1024*1024)/4096))"
+77875200
+</code>
+Note this number.
+Now enter:
+<code>
+sudo e2fsck -f /dev/[ROOT_PARTITION]
+</code>
+in my case, I get:
+<code>
+mint@mint:~$ sudo e2fsck -f /dev/sda2
+e2fsck 1.46.5 (30-Dec-2021)
+Pass 1: Checking inodes, blocks, and sizes
+Pass 2: Checking directory structure
+Pass 3: Checking directory connectivity
+Pass 4: Checking reference counts
+Pass 5: Checking group summary information
+/dev/sda2: 311972/19472384 files (0.4% non-contiguous), 4838704/77883392 blocks
+</code>
+then you can do the actual resize of the filesystem, using the number you previously calculated, in my case 77875200.
+<code>
+sudo resize2fs -p /dev/[ROOT_PARTITION] 77875200
+</code>
+I got:
+<code>
+resize2fs 1.46.5 (30-Dec-2021)
+Resizing the filesystem on /dev/sda2 to 77875200 (4k) blocks.
+The filesystem on /dev/sda2 is now 77875200 (4k) blocks long.
+</code>
+you can now do the actual reencription:
+<code>
+sudo cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/[ROOT_PARTITION]
+</code>
+which will take a very long time, depending on the size of your disk. In my case, I got:
+<code>
+mint@mint:~$ sudo cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/sda2
+WARNING!
+========
+This will overwrite data on LUKS2-temp-5c24539d-acc7-4216-bc61-0939b2d4f51f.new irrevocably.
+Are you sure? (Type 'yes' in capital letters): YES
+Enter passphrase for LUKS2-temp-5c24539d-acc7-4216-bc61-0939b2d4f51f.new:
+Verify passphrase:
+Finished, time 358:10.876, 304216 MiB written, speed  14.2 MiB/s\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
+</code>
+which took 358 minutes, which is 6 hours.
+Then you can decrypt this partition, then mount the corresponding system:
+<code>
+sudo cryptsetup luksOpen /dev/[ROOT_PARTITION] cryptodisk
+</code>
+you will have to enter your passphrase. Then resize the filesystem there:
+<code>
+sudo resize2fs /dev/mapper/cryptodisk
+</code>
+which gave in my case:
+<code>
+resize2fs 1.46.5 (30-Dec-2021)
+Resizing the filesystem on /dev/mapper/cryptodisk to 77879296 (4k) blocks.
+The filesystem on /dev/mapper/cryptodisk is now 77879296 (4k) blocks long.
+</code>
+Now, you need to note down the content of the file /etc/resolv.conf, which is use by linux to access internet:
+<code>
+cat /etc/resolv.conf
+</code>
+and you can now do a special operation to "enter" in your system. It is called a chroot operation, ,it is very convenient to recover a system that does not boot for example (boot with a live USB system, do a chroot, change some things to fix your system, and reboot).
+Enter the following commands, where [BOOT_PARTITION] is the boot partition you created, in my case sda3, and [EFI_PARTITION] is the EFI partition, in my case sda1:
+<code>
+sudo mount /dev/mapper/cryptodisk /mnt
+sudo mount /dev/[BOOT_PARTITION] /mnt/boot
+sudo mount /dev/[EFI_PARTITION] /mnt/boot/efi
+sudo mount --bind /dev /mnt/dev
+sudo mount --bind /dev/pts /mnt/dev/pts
+sudo mount --bind /sys /mnt/sys
+sudo mount --bind /proc /mnt/proc
+sudo chroot /mnt
+</code>
+the prompt will change a bit: you are now an administrator inside your own system!
+Let us first check that we are connected to internet. To do that, you need to try to ping a website:
+<code>
+ping google.com
+</code>
+if you see something like this:
+<code>
+(base) usera@debian:~$ ping google.com
+PING google.com (142.250.74.78) 56(84) bytes of data.
+bytes from arn09s23-in-f14.1e100.net (142.250.74.78): icmp_seq=1 ttl=113 time=20.3 ms
+bytes from arn09s23-in-f14.1e100.net (142.250.74.78): icmp_seq=2 ttl=113 time=21.3 ms
+bytes from arn09s23-in-f14.1e100.net (142.250.74.78): icmp_seq=3 ttl=113 time=20.4 ms
+</code>
+then you are good to go, you can do CTRL+C to stop it. Otherwise, try copying the content of the /etc/resolv.conf file from before:
+<code>
+nano /etc/resolv.conf
+</code>
+then paste the content, and enter CTRL+X, then Y do save the changes. Try again to ping:
+<code>
+ping google.com
+</code>
+It should work now.
+Now, install some required packages:
+<code>
+sudo apt install cryptsetup cryptsetup-initramfs
+</code>
+and let us do some modifications.
+Enter the following command:
+<code>
+blkid
+</code>
+in my case I get:
+<code>
+/dev/sdb2: SEC_TYPE="msdos" LABEL_FATBOOT="ESP" LABEL="ESP" UUID="8D6C-A9F8" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="Appended2" PARTUUID="6d4f3559-353e-4f68-9e82-073ebfc45977"
+/dev/sdb3: LABEL="writable" UUID="8f575917-6870-4bc8-bc52-88dca8725727" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="046f4c25-8d42-0144-8919-012dc6b514fc"
+/dev/sdb1: BLOCK_SIZE="2048" UUID="2022-07-26-18-56-47-00" LABEL="Linux Mint 21 Xfce 64-bit" TYPE="iso9660" PARTLABEL="ISO9660" PARTUUID="6d4f3559-353e-4f68-9e81-073ebfc45977"
+/dev/loop0: TYPE="squashfs"
+/dev/mapper/cryptodisk: UUID="eb4337fa-a978-4aa6-a8c9-407b30af8b48" BLOCK_SIZE="4096" TYPE="ext4"
+/dev/sda2: UUID="5c24539d-acc7-4216-bc61-0939b2d4f51f" TYPE="crypto_LUKS" PARTUUID="cd8058db-e068-404a-b4eb-e4365087e2df"
+/dev/sda3: UUID="1185a0bc-123f-4fc0-9ff5-7bc127e559df" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="1dc8c979-f987-4330-9507-0e5c195f6c75"
+/dev/sda1: UUID="1EF0-6BBB" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="EFI System Partition" PARTUUID="7a499615-a81d-4993-a9ab-9a6f7595812d"
+</code>
+you should note the UUID of the encrypted disk, in my case sda2, whose UUID is 5c24539d-acc7-4216-bc61-0939b2d4f51f
+edit the file /etc/crypttab with the following command:
+<code>
+nano /etc/crypttab
+</code>
+and add the following line, replacing [UUID] with the value you noted:
+<code>
+cryptodisk UUID=[UUID] none luks,discard
+</code>
+you can exit the editor with CTRL+X, then type Y for saving it.
+then note the UUID of the decrypted partition, here /dev/mapper/cryptodisk, whose UUID is in my case eb4337fa-a978-4aa6-a8c9-407b30af8b48. Modify the file /etc/fstab with the command:
+<code>
+nano /etc/fstab
+</code>
+you should check the line that has the mount point "/", and check that it is like the following, otherwise edit it and save it:
+<code>
+/dev/mapper/cryptodisk /               ext4    errors=remount-ro 0       1
+</code>
+you need finally to modify the file /etc/default/grub:
+<code>
+nano /etc/default/grub
+</code>
+you need to locate the entry "GRUB_CMDLINE_LINUX=" and change it to "GRUB_CMDLINE_LINUX="cryptdevice=UUID=<LUKS partition UUID>:cryptodisk root=/dev/mapper/cryptdisk"
+where you change <LUKS partition UUID> for the UUID of your encrypted partition.
+You can then enter:
+<code>
+sudo update-initramfs -u
+</code>
+and then:
+<code>
+update-grub
+</code>
+and finally the following commands:
+<code>
+exit
+sudo shutdown -r now
+</code>
+you will then remove your USB key and boot in your encrypted system hopefully. You should see a prompt asking to unlock your disk, and then your familiar OS will boot, with all the configuration you previously had. Congratulations !