Differences

This shows you the differences between two versions of the page.

--- reencrypt_linux_post_install [2025/05/02 14:17] – [Associate the boot partition] usera
+++ reencrypt_linux_post_install [2025/07/26 09:51] (current) – usera
@@ Line 373: / Line 373: @@
 you will be prompted with a menu saying "apply the recommanded repairs". Do not click on it, but instead on "advanced options"->GRUB location->tick the "separate /boot partition" and select the correct partition to use for it (the one you just created)->click on "Apply" and follow the instructions if some are presented.
+Now you can restart your computer, remove the USB key and let it boot on the normal OS, check that the system boots, and that the result of the command:
+<code>
+lsblk
+</code>
+shows among other lines one line for the ESP partition (Mount point /boot/efi), one for the boot parititon (Mount point /boot), and one for the root filesystem (Mount point /).
+=== Do the actual reencryption ===
+Insert your live USB key, restart your computer and boot on your live system again. Once this is done, open a command line. We will need to shrink the partition with the root filesystem by 32M in order to encrypt it. To do this, a small computation is necessary. Here are the command you will use, if you want to encrypt the partition [ROOT_PARTITION], in my case it was sda2.
-Then, open a terminal and check the unique identifier associated with your desired /boot partition. To do that, enter:
+<code>
+sudo dumpe2fs -h /dev/[ROOT_PARTITION] | grep Block
+</code>
+which will give you something like this:
+<code>
+dumpe2fs 1.46.5 (30-Dec-2021)
+Block count:              77883392
+Block size:               4096
+Blocks per group:         32768
+</code>
+note the "Block count" and the "Block size", then use the following formula, where BLOCK_COUNT and BLOCK_SIZE should be replaced with their value:
+<code>
+python3 -c "print(int((BLOCK_COUNT*BLOCK_SIZE-32*1024*1024)/BLOCK_SIZE))"
+</code>
+In my case, I get:
+<code>
+python3 -c "print(int((77883392*4096-32*1024*1024)/4096))"
+77875200
+</code>
+Note this number.
+Now enter:
+<code>
+sudo e2fsck -f /dev/[ROOT_PARTITION]
+</code>
+in my case, I get:
+<code>
+mint@mint:~$ sudo e2fsck -f /dev/sda2
+e2fsck 1.46.5 (30-Dec-2021)
+Pass 1: Checking inodes, blocks, and sizes
+Pass 2: Checking directory structure
+Pass 3: Checking directory connectivity
+Pass 4: Checking reference counts
+Pass 5: Checking group summary information
+/dev/sda2: 311972/19472384 files (0.4% non-contiguous), 4838704/77883392 blocks
+</code>
+then you can do the actual resize of the filesystem, using the number you previously calculated, in my case 77875200.
+<code>
+sudo resize2fs -p /dev/[ROOT_PARTITION] 77875200
+</code>
+I got:
+<code>
+resize2fs 1.46.5 (30-Dec-2021)
+Resizing the filesystem on /dev/sda2 to 77875200 (4k) blocks.
+The filesystem on /dev/sda2 is now 77875200 (4k) blocks long.
+</code>
+you can now do the actual reencription:
+<code>
+sudo cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/[ROOT_PARTITION]
+</code>
+which will take a very long time, depending on the size of your disk. In my case, I got:
+<code>
+mint@mint:~$ sudo cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/sda2
+WARNING!
+========
+This will overwrite data on LUKS2-temp-5c24539d-acc7-4216-bc61-0939b2d4f51f.new irrevocably.
+Are you sure? (Type 'yes' in capital letters): YES
+Enter passphrase for LUKS2-temp-5c24539d-acc7-4216-bc61-0939b2d4f51f.new:
+Verify passphrase:
+Finished, time 358:10.876, 304216 MiB written, speed  14.2 MiB/s\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
+</code>
+which took 358 minutes, which is 6 hours.
+Then you can decrypt this partition, then mount the corresponding system:
+<code>
+sudo cryptsetup luksOpen /dev/[ROOT_PARTITION] cryptodisk
+</code>
+you will have to enter your passphrase. Then resize the filesystem there:
+<code>
+sudo resize2fs /dev/mapper/cryptodisk
+</code>
+which gave in my case:
+<code>
+resize2fs 1.46.5 (30-Dec-2021)
+Resizing the filesystem on /dev/mapper/cryptodisk to 77879296 (4k) blocks.
+The filesystem on /dev/mapper/cryptodisk is now 77879296 (4k) blocks long.
+</code>
+Now, you need to note down the content of the file /etc/resolv.conf, which is use by linux to access internet:
+<code>
+cat /etc/resolv.conf
+</code>
+and you can now do a special operation to "enter" in your system. It is called a chroot operation, ,it is very convenient to recover a system that does not boot for example (boot with a live USB system, do a chroot, change some things to fix your system, and reboot).
+Enter the following commands, where [BOOT_PARTITION] is the boot partition you created, in my case sda3, and [EFI_PARTITION] is the EFI partition, in my case sda1:
+<code>
+sudo mount /dev/mapper/cryptodisk /mnt
+sudo mount /dev/[BOOT_PARTITION] /mnt/boot
+sudo mount /dev/[EFI_PARTITION] /mnt/boot/efi
+sudo mount --bind /dev /mnt/dev
+sudo mount --bind /dev/pts /mnt/dev/pts
+sudo mount --bind /sys /mnt/sys
+sudo mount --bind /proc /mnt/proc
+sudo chroot /mnt
+</code>
+the prompt will change a bit: you are now an administrator inside your own system!
+Let us first check that we are connected to internet. To do that, you need to try to ping a website:
+<code>
+ping google.com
+</code>
+if you see something like this:
+<code>
+(base) usera@debian:~$ ping google.com
+PING google.com (142.250.74.78) 56(84) bytes of data.
+bytes from arn09s23-in-f14.1e100.net (142.250.74.78): icmp_seq=1 ttl=113 time=20.3 ms
+bytes from arn09s23-in-f14.1e100.net (142.250.74.78): icmp_seq=2 ttl=113 time=21.3 ms
+bytes from arn09s23-in-f14.1e100.net (142.250.74.78): icmp_seq=3 ttl=113 time=20.4 ms
+</code>
+then you are good to go, you can do CTRL+C to stop it. Otherwise, try copying the content of the /etc/resolv.conf file from before:
+<code>
+nano /etc/resolv.conf
+</code>
+then paste the content, and enter CTRL+X, then Y do save the changes. Try again to ping:
+<code>
+ping google.com
+</code>
+It should work now.
+Now, install some required packages:
+<code>
+sudo apt install cryptsetup cryptsetup-initramfs
+</code>
+and let us do some modifications.
+Enter the following command:
 <code>
@@ Line 384: / Line 538: @@
 </code>
-look for the line corresponding to the partition:
+in my case I get:
 <code>
-/dev/sda3: UUID="e6dd6eda-387a-4ef6-a69c-8faecfe02f04" BLOCK_SIZE="1024" TYPE="ext4" PARTUUID="d11962a0-f227-4297-9ae2-248c65f49ccf"
+/dev/sdb2: SEC_TYPE="msdos" LABEL_FATBOOT="ESP" LABEL="ESP" UUID="8D6C-A9F8" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="Appended2" PARTUUID="6d4f3559-353e-4f68-9e82-073ebfc45977"
+/dev/sdb3: LABEL="writable" UUID="8f575917-6870-4bc8-bc52-88dca8725727" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="046f4c25-8d42-0144-8919-012dc6b514fc"
+/dev/sdb1: BLOCK_SIZE="2048" UUID="2022-07-26-18-56-47-00" LABEL="Linux Mint 21 Xfce 64-bit" TYPE="iso9660" PARTLABEL="ISO9660" PARTUUID="6d4f3559-353e-4f68-9e81-073ebfc45977"
+/dev/loop0: TYPE="squashfs"
+/dev/mapper/cryptodisk: UUID="eb4337fa-a978-4aa6-a8c9-407b30af8b48" BLOCK_SIZE="4096" TYPE="ext4"
+/dev/sda2: UUID="5c24539d-acc7-4216-bc61-0939b2d4f51f" TYPE="crypto_LUKS" PARTUUID="cd8058db-e068-404a-b4eb-e4365087e2df"
+/dev/sda3: UUID="1185a0bc-123f-4fc0-9ff5-7bc127e559df" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="1dc8c979-f987-4330-9507-0e5c195f6c75"
+/dev/sda1: UUID="1EF0-6BBB" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="EFI System Partition" PARTUUID="7a499615-a81d-4993-a9ab-9a6f7595812d"
 </code>
-you want to copy the UUID="" part
+you should note the UUID of the encrypted disk, in my case sda2, whose UUID is 5c24539d-acc7-4216-bc61-0939b2d4f51f
+edit the file /etc/crypttab with the following command:
+<code>
+nano /etc/crypttab
+</code>
+and add the following line, replacing [UUID] with the value you noted:
+<code>
+cryptodisk UUID=[UUID] none luks,discard
+</code>
+you can exit the editor with CTRL+X, then type Y for saving it.
+then note the UUID of the decrypted partition, here /dev/mapper/cryptodisk, whose UUID is in my case eb4337fa-a978-4aa6-a8c9-407b30af8b48. Modify the file /etc/fstab with the command:
+<code>
+nano /etc/fstab
+</code>
+you should check the line that has the mount point "/", and check that it is like the following, otherwise edit it and save it:
+<code>
+/dev/mapper/cryptodisk /               ext4    errors=remount-ro 0       1
+</code>
+you need finally to modify the file /etc/default/grub:
+<code>
+nano /etc/default/grub
+</code>
+you need to locate the entry "GRUB_CMDLINE_LINUX=" and change it to "GRUB_CMDLINE_LINUX="cryptdevice=UUID=<LUKS partition UUID>:cryptodisk root=/dev/mapper/cryptdisk"
+where you change <LUKS partition UUID> for the UUID of your encrypted partition.
+You can then enter:
+<code>
+sudo update-initramfs -u
+</code>
+and then:
+<code>
+update-grub
+</code>
+and finally the following commands:
+<code>
+exit
+sudo shutdown -r now
+</code>
- and edit the file specifying what to mount during the startup of your computer, located at /etc/fstab:
+you will then remove your USB key and boot in your encrypted system hopefully. You should see a prompt asking to unlock your disk, and then your familiar OS will boot, with all the configuration you previously had. Congratulations !