reencrypt_linux_post_install

Differences

This shows you the differences between two versions of the page.

reencrypt_linux_post_install [2025/05/02 14:34] – [Associate the boot partition] usera
reencrypt_linux_post_install [2025/07/26 09:51] (current) usera
Line 382: Line 382:
 === Do the actual reencryption === === Do the actual reencryption ===
  
-Insert your live USB key, restart your computer and boot on your live system again. Once this is done, open a command line. We will need to shrink the partition with the root filesystem by 32M in order to encrypt it. To do this, a small computation is necessary. Here are the command you will use, assuming that the partition you want to encrypt is /dev/sda2+Insert your live USB key, restart your computer and boot on your live system again. Once this is done, open a command line. We will need to shrink the partition with the root filesystem by 32M in order to encrypt it. To do this, a small computation is necessary. Here are the command you will use, if you want to encrypt the partition [ROOT_PARTITION], in my case it was sda2.
  
 <code> <code>
-sudo dumpe2fs -h /dev/sda2 | grep Block+sudo dumpe2fs -h /dev/[ROOT_PARTITION] | grep Block
 </code> </code>
  
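Review bot: grammar in the introductory sentence of this hunk: "Here are the command you will use" should read "Here is the command you will use", since a single command follows. Since the command now uses the placeholder /dev/[ROOT_PARTITION] while the sentence says "in my case it was sda2", it would help to state explicitly that the placeholder is replaced by the bare partition name (sda2), not by /dev/sda2, so readers do not end up with /dev//dev/sda2.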
Line 391: Line 391:
  
 <code> <code>
-dumpe2fs 1.47.0 (5-Feb-2023+dumpe2fs 1.46.5 (30-Dec-2021
-Block count:              499712 +Block count:              77883392 
-Block size:               1024 +Block size:               4096 
-Blocks per group:         8192+Blocks per group:         32768
 </code> </code>
  
-note the "Block count" and the "Block size", then use the following formula:+note the "Block count" and the "Block size", then use the following formula, where BLOCK_COUNT and BLOCK_SIZE should be replaced with their value:
 <code> <code>
-python3 -c "print((BLOCK_COUNT*BLOCK_SIZE-32*1024*1024)/1024)"+python3 -c "print(int((BLOCK_COUNT*BLOCK_SIZE-32*1024*1024)/BLOCK_SIZE))" 
 +</code> 
 + 
 +In my case, I get: 
 + 
 +<code> 
 +python3 -c "print(int((77883392*4096-32*1024*1024)/4096))" 
 +77875200
 </code> </code>
 Note this number. Note this number.
 +Now enter:
 +
 +<code>
 +sudo e2fsck -f /dev/[ROOT_PARTITION]
 +</code>
 +
 +in my case, I get:
 +<code>
 +mint@mint:~$ sudo e2fsck -f /dev/sda2
 +e2fsck 1.46.5 (30-Dec-2021)
 +Pass 1: Checking inodes, blocks, and sizes
 +Pass 2: Checking directory structure
 +Pass 3: Checking directory connectivity
 +Pass 4: Checking reference counts
 +Pass 5: Checking group summary information
 +/dev/sda2: 311972/19472384 files (0.4% non-contiguous), 4838704/77883392 blocks
 +</code>
 +
 +then you can do the actual resize of the filesystem, using the number you previously calculated, in my case 77875200.
 +<code>
 +sudo resize2fs -p /dev/[ROOT_PARTITION] 77875200
 +</code>
 +
 +I got:
 +<code>
 +resize2fs 1.46.5 (30-Dec-2021)
 +Resizing the filesystem on /dev/sda2 to 77875200 (4k) blocks.
 +The filesystem on /dev/sda2 is now 77875200 (4k) blocks long.
 +</code>
 +
 +you can now do the actual reencription:
 +<code>
 +sudo cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/[ROOT_PARTITION]
 +</code>
 +which will take a very long time, depending on the size of your disk. In my case, I got:
 +
 +<code>
 +mint@mint:~$ sudo cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/sda2
 +
 +WARNING!
 +========
 +This will overwrite data on LUKS2-temp-5c24539d-acc7-4216-bc61-0939b2d4f51f.new irrevocably.
 +
 +Are you sure? (Type 'yes' in capital letters): YES
 +Enter passphrase for LUKS2-temp-5c24539d-acc7-4216-bc61-0939b2d4f51f.new: 
 +Verify passphrase: 
 +Finished, time 358:10.876, 304216 MiB written, speed  14.2 MiB/s\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
 +</code>
 +
 +which took 358 minutes, which is 6 hours.
 +
 +Then you can decrypt this partition, then mount the corresponding system:
 +
 +<code>
 +sudo cryptsetup luksOpen /dev/[ROOT_PARTITION] cryptodisk
 +</code>
 +
 +you will have to enter your passphrase. Then resize the filesystem there:
 +<code>
 +sudo resize2fs /dev/mapper/cryptodisk
 +</code>
 +
 +which gave in my case:
 +<code>
 +resize2fs 1.46.5 (30-Dec-2021)
 +Resizing the filesystem on /dev/mapper/cryptodisk to 77879296 (4k) blocks.
 +The filesystem on /dev/mapper/cryptodisk is now 77879296 (4k) blocks long.
 +</code>
 +
 +Now, you need to note down the content of the file /etc/resolv.conf, which is use by linux to access internet:
 +<code>
 +cat /etc/resolv.conf
 +</code>
 +
 +and you can now do a special operation to "enter" in your system. It is called a chroot operation, ,it is very convenient to recover a system that does not boot for example (boot with a live USB system, do a chroot, change some things to fix your system, and reboot).
 +Enter the following commands, where [BOOT_PARTITION] is the boot partition you created, in my case sda3, and [EFI_PARTITION] is the EFI partition, in my case sda1:
 +
 +<code>
 +sudo mount /dev/mapper/cryptodisk /mnt
 +sudo mount /dev/[BOOT_PARTITION] /mnt/boot
 +sudo mount /dev/[EFI_PARTITION] /mnt/boot/efi
 +sudo mount --bind /dev /mnt/dev
 +sudo mount --bind /dev/pts /mnt/dev/pts
 +sudo mount --bind /sys /mnt/sys
 +sudo mount --bind /proc /mnt/proc
 +sudo chroot /mnt
 +</code>
 +
 +the prompt will change a bit: you are now an administrator inside your own system! 
 +Let us first check that we are connected to internet. To do that, you need to try to ping a website:
 +
 +<code>
 +ping google.com
 +</code>
 +
 +if you see something like this:
 +<code>
 +(base) usera@debian:~$ ping google.com
 +PING google.com (142.250.74.78) 56(84) bytes of data.
 +64 bytes from arn09s23-in-f14.1e100.net (142.250.74.78): icmp_seq=1 ttl=113 time=20.3 ms
 +64 bytes from arn09s23-in-f14.1e100.net (142.250.74.78): icmp_seq=2 ttl=113 time=21.3 ms
 +64 bytes from arn09s23-in-f14.1e100.net (142.250.74.78): icmp_seq=3 ttl=113 time=20.4 ms
 +</code>
 +
 +then you are good to go, you can do CTRL+C to stop it. Otherwise, try copying the content of the /etc/resolv.conf file from before:
 +
 +<code>
 +nano /etc/resolv.conf
 +</code>
 +then paste the content, and enter CTRL+X, then Y do save the changes. Try again to ping:
 +
 +<code>
 +ping google.com
 +</code>
 +
 +It should work now.
 +
 +Now, install some required packages:
 +<code>
 +sudo apt install cryptsetup cryptsetup-initramfs
 +</code>
 +
 +and let us do some modifications.
 +Enter the following command:
 +
 +<code>
 +blkid
 +</code>
 +
 +in my case I get:
 +
 +<code>
 +/dev/sdb2: SEC_TYPE="msdos" LABEL_FATBOOT="ESP" LABEL="ESP" UUID="8D6C-A9F8" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="Appended2" PARTUUID="6d4f3559-353e-4f68-9e82-073ebfc45977"
 +/dev/sdb3: LABEL="writable" UUID="8f575917-6870-4bc8-bc52-88dca8725727" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="046f4c25-8d42-0144-8919-012dc6b514fc"
 +/dev/sdb1: BLOCK_SIZE="2048" UUID="2022-07-26-18-56-47-00" LABEL="Linux Mint 21 Xfce 64-bit" TYPE="iso9660" PARTLABEL="ISO9660" PARTUUID="6d4f3559-353e-4f68-9e81-073ebfc45977"
 +/dev/loop0: TYPE="squashfs"
 +/dev/mapper/cryptodisk: UUID="eb4337fa-a978-4aa6-a8c9-407b30af8b48" BLOCK_SIZE="4096" TYPE="ext4"
 +/dev/sda2: UUID="5c24539d-acc7-4216-bc61-0939b2d4f51f" TYPE="crypto_LUKS" PARTUUID="cd8058db-e068-404a-b4eb-e4365087e2df"
 +/dev/sda3: UUID="1185a0bc-123f-4fc0-9ff5-7bc127e559df" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="1dc8c979-f987-4330-9507-0e5c195f6c75"
 +/dev/sda1: UUID="1EF0-6BBB" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="EFI System Partition" PARTUUID="7a499615-a81d-4993-a9ab-9a6f7595812d"
 +</code>
 +
 +you should note the UUID of the encrypted disk, in my case sda2, whose UUID is 5c24539d-acc7-4216-bc61-0939b2d4f51f
 +edit the file /etc/crypttab with the following command:
 +
 +<code>
 +nano /etc/crypttab
 +</code>
 +
 +and add the following line, replacing [UUID] with the value you noted:
 +
 +<code>
 +cryptodisk UUID=[UUID] none luks,discard
 +</code>
 +
 +you can exit the editor with CTRL+X, then type Y for saving it.
 +then note the UUID of the decrypted partition, here /dev/mapper/cryptodisk, whose UUID is in my case eb4337fa-a978-4aa6-a8c9-407b30af8b48. Modify the file /etc/fstab with the command:
 +
 +<code>
 +nano /etc/fstab
 +</code>
 +
 +you should check the line that has the mount point "/", and check that it is like the following, otherwise edit it and save it:
 +
 +<code>
 +/dev/mapper/cryptodisk /               ext4    errors=remount-ro 0       1
 +</code>
 +
 +you need finally to modify the file /etc/default/grub:
 +<code>
 +nano /etc/default/grub
 +</code>
 +
 +you need to locate the entry "GRUB_CMDLINE_LINUX=" and change it to "GRUB_CMDLINE_LINUX="cryptdevice=UUID=<LUKS partition UUID>:cryptodisk root=/dev/mapper/cryptdisk"
 +where you change <LUKS partition UUID> for the UUID of your encrypted partition.
 +You can then enter:
 +
 +<code>
 +sudo update-initramfs -u
 +</code>
 +
 +and then:
 +
 +<code>
 +update-grub
 +</code>
 +
 +and finally the following commands:
 +
 +<code>
 +exit
 +sudo shutdown -r now
 +</code>
 +
 +you will then remove your USB key and boot in your encrypted system hopefully. You should see a prompt asking to unlock your disk, and then your familiar OS will boot, with all the configuration you previously had. Congratulations !
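Review bot: the mapper name in the /etc/default/grub step near the end of this hunk does not match the rest of the procedure: /etc/crypttab maps the LUKS volume as cryptodisk and /etc/fstab mounts /dev/mapper/cryptodisk, but the kernel parameter in the prose reads root=/dev/mapper/cryptdisk (missing an "o"), so the root device named on the kernel command line is not the one crypttab creates. Change it to root=/dev/mapper/cryptodisk, and put the full value in its own code block, e.g. GRUB_CMDLINE_LINUX="cryptdevice=UUID=<LUKS partition UUID>:cryptodisk root=/dev/mapper/cryptodisk", instead of nesting it inside double quotes in the sentence, so it can be copied exactly. Two smaller points: "sudo update-initramfs -u" and "update-grub" are both run inside the same root chroot, so use the same form for both commands; and "reencription" in the sentence before the cryptsetup reencrypt command should be "reencryption".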
reencrypt_linux_post_install.1746196497.txt.gz · Last modified: by usera