reencrypt_linux_post_install
Revision 2025/07/26 09:51 (current) by usera, compared against the revision of 2025/05/03 17:46 by usera (section: Do the actual reencryption). The text below is the current revision; only the part of the page around the changes is shown.
Line 382:
=== Do the actual reencryption ===
  
Insert your live USB key, restart your computer and boot into the live system again (the root filesystem cannot be shrunk or encrypted while it is mounted). Once the live system is up, open a terminal. Before the in-place encryption can run, the filesystem on the root partition must be shrunk by at least 32M: cryptsetup reserves that space for the LUKS header, which shifts the data forward by 32M, so the filesystem must not use the last 32M of the partition. The partition itself is not resized. Working out the new size takes a small computation. Here are the commands, for a root partition [ROOT_PARTITION]; in my case it was sda2.
  
<code>
sudo dumpe2fs -h /dev/[ROOT_PARTITION] | grep Block
</code>
  
Line 412:
  
<code>
sudo e2fsck -f /dev/[ROOT_PARTITION]
</code>
  
Line 429:
Then you can do the actual resize of the filesystem, using the number you previously calculated, in my case 77875200.
<code>
sudo resize2fs -p /dev/[ROOT_PARTITION] 77875200
</code>
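The computation the page refers to, as an added example (not the page's own script): given the Block count and Block size lines from dumpe2fs -h, it works out the block count to hand to resize2fs so that the last 32 MiB of the partition hold no filesystem data, with an optional extra margin, and refuses when the filesystem does not even have that many free blocks. The dumpe2fs excerpt is constructed; its block count of 77887488 is an assumption inferred from the page's final size of 77879296 blocks plus the 8192 blocks (32 MiB at 4 KiB) the header takes. With a 16 MiB margin the function reproduces the page's own figure of 77875200.

```shell
#!/bin/sh
# Added example: derive the resize2fs target from "dumpe2fs -h" output.
# Constructed excerpt of "sudo dumpe2fs -h /dev/[ROOT_PARTITION] | grep Block";
# the block count is an assumption (page final size 77879296 + 8192 blocks).
SAMPLE_DUMPE2FS='Block count:              77887488
Reserved block count:     3894374
Free blocks:              60000000
Block size:               4096'

# field KEY TEXT: numeric value of the "KEY: value" line in dumpe2fs -h output
field() {
  printf '%s\n' "$2" | sed -n "s/^$1:[[:space:]]*\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# shrink_target TEXT REDUCE_MIB [MARGIN_MIB]
# Prints the block count to pass to resize2fs so that the last
# REDUCE_MIB + MARGIN_MIB MiB of the partition contain no filesystem data.
# REDUCE_MIB must match the value given to cryptsetup --reduce-device-size.
shrink_target() {
  text=$1; reduce=$2; margin=${3:-0}
  count=$(field 'Block count' "$text")
  bsize=$(field 'Block size' "$text")
  free=$(field 'Free blocks' "$text")
  if [ -z "$count" ] || [ -z "$bsize" ]; then
    echo "cannot find Block count / Block size in dumpe2fs output" >&2
    return 1
  fi
  bytes=$(( (reduce + margin) * 1024 * 1024 ))
  # round up to whole filesystem blocks: shrinking by too little is fatal,
  # shrinking by one extra block costs nothing
  blocks=$(( (bytes + bsize - 1) / bsize ))
  # necessary (not sufficient) condition: resize2fs can only give up free blocks
  if [ -n "$free" ] && [ "$free" -lt "$blocks" ]; then
    echo "filesystem has only $free free blocks, cannot shrink by $blocks" >&2
    return 1
  fi
  echo $(( count - blocks ))
}

# Usage: the value N for "sudo resize2fs -p /dev/[ROOT_PARTITION] N"
target=$(shrink_target "$SAMPLE_DUMPE2FS" 32 16) || exit 1
echo "resize2fs target: $target blocks"
# On a real system, replace SAMPLE_DUMPE2FS with:
#   "$(sudo dumpe2fs -h /dev/[ROOT_PARTITION] 2>/dev/null)"
```

The margin is optional; the hard requirement is the 32 MiB that matches --reduce-device-size, rounded up to whole blocks. Run e2fsck -f before resize2fs, as the page does, since resize2fs refuses an unchecked filesystem.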
  
Line 441:
You can now do the actual re-encryption:
<code>
sudo cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/[ROOT_PARTITION]
</code>
This encrypts the partition in place, so make sure you have a current backup first. cryptsetup asks you to confirm, asks for the new passphrase, then rewrites the whole partition, which takes a very long time depending on the size of your disk. Do not interrupt it; that said, LUKS2 keeps a recovery log during the operation, so after a crash or power loss it can be resumed by running the same cryptsetup reencrypt command on the device again. In my case, I got:
Line 460:
which took 358 minutes, roughly 6 hours.
  
Then unlock the freshly encrypted partition (this does not decrypt the data on disk; it sets up the /dev/mapper device through which you read it):

<code>
sudo cryptsetup luksOpen /dev/[ROOT_PARTITION] cryptodisk
</code>

You will be asked for the passphrase. The filesystem is still the shrunken one, so grow it again to fill the mapped device (without a size argument, resize2fs uses the whole device):
<code>
sudo resize2fs /dev/mapper/cryptodisk
</code>

which gave in my case:
<code>
resize2fs 1.46.5 (30-Dec-2021)
Resizing the filesystem on /dev/mapper/cryptodisk to 77879296 (4k) blocks.
The filesystem on /dev/mapper/cryptodisk is now 77879296 (4k) blocks long.
</code>

Now note down the content of /etc/resolv.conf on the live system. It holds the DNS resolver settings, and inside the chroot you may need to recreate it by hand: on many installs it is a symlink into /run (systemd-resolved), which does not exist inside the chroot, so name resolution fails there.
<code>
cat /etc/resolv.conf
</code>

You can now "enter" your installed system with a chroot. This is a very convenient technique in general for recovering a system that does not boot: boot a live USB, chroot into the installed system, fix what is broken, reboot.
Enter the following commands, where [BOOT_PARTITION] is the boot partition you created, in my case sda3, and [EFI_PARTITION] is the EFI partition, in my case sda1. The order matters: the root filesystem first, then /boot inside it, then the EFI partition inside /boot:

<code>
sudo mount /dev/mapper/cryptodisk /mnt
sudo mount /dev/[BOOT_PARTITION] /mnt/boot
sudo mount /dev/[EFI_PARTITION] /mnt/boot/efi
sudo mount --bind /dev /mnt/dev
sudo mount --bind /dev/pts /mnt/dev/pts
sudo mount --bind /sys /mnt/sys
sudo mount --bind /proc /mnt/proc
sudo chroot /mnt
</code>

The prompt will change a bit: you are now root inside your installed system, so everything you run from here on changes the installed OS, not the live one.
First check that the chroot has network access (apt needs it in the next step) by pinging a website:

<code>
ping google.com
</code>

If you see something like this:
<code>
(base) usera@debian:~$ ping google.com
PING google.com (142.250.74.78) 56(84) bytes of data.
64 bytes from arn09s23-in-f14.1e100.net (142.250.74.78): icmp_seq=1 ttl=113 time=20.3 ms
64 bytes from arn09s23-in-f14.1e100.net (142.250.74.78): icmp_seq=2 ttl=113 time=21.3 ms
64 bytes from arn09s23-in-f14.1e100.net (142.250.74.78): icmp_seq=3 ttl=113 time=20.4 ms
</code>

then you are good to go; press CTRL+C to stop it. Otherwise, recreate /etc/resolv.conf from the content you noted earlier (if the file is a dangling symlink, delete it first so the editor can create a regular file):

<code>
nano /etc/resolv.conf
</code>
Paste the content, then press CTRL+X and Y to save the changes. Try the ping again:

<code>
ping google.com
</code>

It should work now.

Now, install the required packages (cryptsetup-initramfs is what makes the initramfs able to unlock the root device at boot):
<code>
sudo apt install cryptsetup cryptsetup-initramfs
</code>

Next, collect the identifiers the boot configuration needs. Enter the following command:

<code>
blkid
</code>

in my case I get:

<code>
/dev/sdb2: SEC_TYPE="msdos" LABEL_FATBOOT="ESP" LABEL="ESP" UUID="8D6C-A9F8" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="Appended2" PARTUUID="6d4f3559-353e-4f68-9e82-073ebfc45977"
/dev/sdb3: LABEL="writable" UUID="8f575917-6870-4bc8-bc52-88dca8725727" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="046f4c25-8d42-0144-8919-012dc6b514fc"
/dev/sdb1: BLOCK_SIZE="2048" UUID="2022-07-26-18-56-47-00" LABEL="Linux Mint 21 Xfce 64-bit" TYPE="iso9660" PARTLABEL="ISO9660" PARTUUID="6d4f3559-353e-4f68-9e81-073ebfc45977"
/dev/loop0: TYPE="squashfs"
/dev/mapper/cryptodisk: UUID="eb4337fa-a978-4aa6-a8c9-407b30af8b48" BLOCK_SIZE="4096" TYPE="ext4"
/dev/sda2: UUID="5c24539d-acc7-4216-bc61-0939b2d4f51f" TYPE="crypto_LUKS" PARTUUID="cd8058db-e068-404a-b4eb-e4365087e2df"
/dev/sda3: UUID="1185a0bc-123f-4fc0-9ff5-7bc127e559df" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="1dc8c979-f987-4330-9507-0e5c195f6c75"
/dev/sda1: UUID="1EF0-6BBB" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="EFI System Partition" PARTUUID="7a499615-a81d-4993-a9ab-9a6f7595812d"
</code>

Note the UUID of the encrypted partition (the one with TYPE="crypto_LUKS"), in my case sda2, whose UUID is 5c24539d-acc7-4216-bc61-0939b2d4f51f. Then edit the file /etc/crypttab with the following command:

<code>
nano /etc/crypttab
</code>

and add the following line, replacing [UUID] with the value you noted. The first field is the mapper name; it must be the same name you use in /etc/fstab and on the kernel command line later on:

<code>
cryptodisk UUID=[UUID] none luks,discard
</code>

Exit the editor with CTRL+X, then Y to save. One caveat on the discard option: it passes TRIM through to an SSD, which is good for the drive, but it lets anyone holding the raw disk see which blocks are unused, so the filesystem's allocation pattern leaks through the encryption. Drop the option if that matters more to you than SSD wear levelling.
Then note the UUID of the filesystem inside it, here /dev/mapper/cryptodisk, whose UUID is in my case eb4337fa-a978-4aa6-a8c9-407b30af8b48. This is the same UUID the filesystem had before encryption, since the in-place re-encryption does not touch the ext4 superblock. Modify the file /etc/fstab with the command:

<code>
nano /etc/fstab
</code>

Check the line with the mount point "/". It must refer to the filesystem inside the encrypted partition, either through the mapper name from /etc/crypttab, as below, or as UUID=<filesystem UUID> (an existing UUID= line therefore keeps working); edit it if needed and save:

<code>
/dev/mapper/cryptodisk /               ext4    errors=remount-ro 0       1
</code>

Finally, modify the file /etc/default/grub:
<code>
nano /etc/default/grub
</code>

Locate the entry GRUB_CMDLINE_LINUX= and change it to GRUB_CMDLINE_LINUX="cryptdevice=UUID=<LUKS partition UUID>:cryptodisk root=/dev/mapper/cryptodisk", where you replace <LUKS partition UUID> with the UUID of your encrypted partition. Watch the spelling: the name after root=/dev/mapper/ must be exactly the mapper name from /etc/crypttab, otherwise the kernel cannot find the root filesystem and the first boot ends in the initramfs shell. On Debian, Ubuntu and Mint the part that matters is root=/dev/mapper/cryptodisk; the initramfs unlocks the LUKS device from /etc/crypttab. The cryptdevice=... parameter is the syntax of Arch Linux's encrypt hook; initramfs-tools ignores it, so it does no harm, but it is not what makes the unlock work.
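Before regenerating the initramfs it is worth checking that the three files agree with each other and with blkid, because a mismatched mapper name or UUID between /etc/crypttab, /etc/fstab and root= on the kernel command line is the usual reason the first reboot drops into the initramfs shell. The following is an added example, not part of the page: a POSIX shell checker run over constructed copies of the three files that reuse the UUIDs from the blkid listing above. The second GRUB line deliberately carries a misspelt mapper name (cryptdisk instead of cryptodisk) to show how the check catches it; the function names and the CRYPTTAB/FSTAB/GRUB_* constants are this example's own.

```shell
#!/bin/sh
# Added example: cross-check /etc/crypttab, /etc/fstab and /etc/default/grub
# before update-initramfs / update-grub. The inputs below are constructed
# copies of the three files, using the UUIDs from the page's blkid output.
CRYPTTAB='# <target name> <source device> <key file> <options>
cryptodisk UUID=5c24539d-acc7-4216-bc61-0939b2d4f51f none luks,discard'
FSTAB='# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/cryptodisk                    /         ext4 errors=remount-ro 0 1
UUID=1185a0bc-123f-4fc0-9ff5-7bc127e559df /boot     ext4 defaults          0 2
UUID=1EF0-6BBB                            /boot/efi vfat umask=0077        0 1'
GRUB_OK='GRUB_CMDLINE_LINUX="root=/dev/mapper/cryptodisk"'
# same line with the mapper name misspelt: the kind of typo that breaks the first boot
GRUB_TYPO='GRUB_CMDLINE_LINUX="cryptdevice=UUID=5c24539d-acc7-4216-bc61-0939b2d4f51f:cryptodisk root=/dev/mapper/cryptdisk"'
# what "blkid -s UUID -o value" prints for the LUKS partition and for the
# ext4 filesystem inside it (values taken from the page's blkid listing)
LUKS_UUID='5c24539d-acc7-4216-bc61-0939b2d4f51f'
FS_UUID='eb4337fa-a978-4aa6-a8c9-407b30af8b48'

# crypttab_name CRYPTTAB LUKS_UUID: mapper name whose source is UUID=LUKS_UUID
crypttab_name() {
  printf '%s\n' "$1" | awk -v u="UUID=$2" '$1 !~ /^#/ && $2 == u { print $1; exit }'
}

# fstab_root FSTAB: the first non-comment device mounted on /
fstab_root() {
  printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }'
}

# grub_root GRUBDEFAULT: the last root= inside GRUB_CMDLINE_LINUX (the kernel
# honours the last one); empty when none is set
grub_root() {
  printf '%s\n' "$1" | sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' \
    | tr ' ' '\n' | sed -n 's/^root=//p' | tail -n 1
}

# check_boot_config CRYPTTAB FSTAB GRUBDEFAULT LUKS_UUID FS_UUID
# Prints "ok" and returns 0 when everything agrees; otherwise prints the
# first mismatch and returns 1.
check_boot_config() {
  name=$(crypttab_name "$1" "$4")
  if [ -z "$name" ]; then
    echo "crypttab: no entry whose source is UUID=$4"; return 1
  fi
  root=$(fstab_root "$2")
  # fstab may name the mapped device or the ext4 UUID inside it (that UUID
  # survives in-place encryption, so an untouched UUID= line is still valid)
  if [ "$root" != "/dev/mapper/$name" ] && [ "$root" != "UUID=$5" ]; then
    echo "fstab: / is '$root', expected /dev/mapper/$name or UUID=$5"; return 1
  fi
  groot=$(grub_root "$3")
  if [ -n "$groot" ] && [ "$groot" != "/dev/mapper/$name" ] && [ "$groot" != "UUID=$5" ]; then
    echo "grub: root=$groot, expected /dev/mapper/$name"; return 1
  fi
  echo ok
}

check_boot_config "$CRYPTTAB" "$FSTAB" "$GRUB_OK"   "$LUKS_UUID" "$FS_UUID"
check_boot_config "$CRYPTTAB" "$FSTAB" "$GRUB_TYPO" "$LUKS_UUID" "$FS_UUID" || :
# Inside the chroot, on the real files:
#   check_boot_config "$(cat /etc/crypttab)" "$(cat /etc/fstab)" "$(cat /etc/default/grub)" \
#     "$(blkid -s UUID -o value /dev/[ROOT_PARTITION])" "$(blkid -s UUID -o value /dev/mapper/cryptodisk)"
```

The check is deliberately strict about the mapper name: crypttab creates /dev/mapper/<name>, and nothing else at boot will translate a different spelling back to it.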
Then rebuild the initramfs so that it includes the cryptsetup tooling and your /etc/crypttab entry:

<code>
sudo update-initramfs -u
</code>

and regenerate the GRUB configuration:

<code>
update-grub
</code>

and finally leave the chroot and reboot:

<code>
exit
sudo shutdown -r now
</code>

Remove your USB key and boot into your encrypted system. You should see a prompt asking you to unlock the disk, and then your familiar OS will boot, with all the configuration you previously had. If instead you land in an (initramfs) prompt, boot the live USB again, repeat the luksOpen and chroot steps and re-check the three files (/etc/crypttab, /etc/fstab, /etc/default/grub) for a mismatched name or UUID. Congratulations!
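Once the encrypted system boots, it is worth confirming what the re-encryption actually produced: a LUKS2 header, a memory-hard PBKDF (argon2id, or argon2i from older cryptsetup releases) protecting the passphrase keyslot, AES-XTS for the data, and a data offset equal to the 32 MiB given to --reduce-device-size. The following is an added example, not part of the page: a POSIX shell checker over a constructed excerpt in the layout of cryptsetup luksDump for LUKS2 (the page shows no luksDump output, so the sample and the exact field spacing are assumptions; the UUID is the one from the page's blkid listing).

```shell
#!/bin/sh
# Added example: verify the LUKS header after the first boot into the encrypted
# system. LUKSDUMP is a constructed excerpt in the layout of
# "cryptsetup luksDump" for LUKS2; the 32 MiB data offset is what
# --reduce-device-size 32M leaves in front of the data.
LUKSDUMP='LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           5c24539d-acc7-4216-bc61-0939b2d4f51f

Data segments:
  0: crypt
        offset: 33554432 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4

Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000'

# luks_field DUMP KEY: value of the first "KEY: value" line. Case-sensitive,
# so "cipher" reads the data segment and "Cipher" the keyslot.
luks_field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# data_offset_mib DUMP: where the encrypted data starts, in MiB
data_offset_mib() {
  off=$(luks_field "$1" offset | sed 's/ .*//')
  echo $(( off / 1048576 ))
}

# check_luks_header DUMP EXPECTED_OFFSET_MIB
# Prints "ok" or the first finding; returns 1 on a finding.
check_luks_header() {
  dump=$1; want=$2
  [ "$(luks_field "$dump" Version)" = 2 ] || { echo "not a LUKS2 header"; return 1; }
  # the digest section always says pbkdf2; only the keyslot PBKDF protects the passphrase
  pbkdf=$(luks_field "$dump" PBKDF)
  case "$pbkdf" in
    argon2id|argon2i) ;;
    *) echo "keyslot uses $pbkdf, expected argon2id"; return 1 ;;
  esac
  cipher=$(luks_field "$dump" cipher)
  [ "$cipher" = aes-xts-plain64 ] || { echo "data segment cipher is $cipher"; return 1; }
  off=$(data_offset_mib "$dump")
  [ "$off" = "$want" ] || { echo "data offset is ${off} MiB, expected ${want} MiB"; return 1; }
  echo ok
}

check_luks_header "$LUKSDUMP" 32
# On the real system:
#   check_luks_header "$(sudo cryptsetup luksDump /dev/[ROOT_PARTITION])" 32
```

While you are at it, save a copy of the header off the machine with cryptsetup luksHeaderBackup /dev/[ROOT_PARTITION] --header-backup-file luks-header.img: a damaged header makes the data unrecoverable, and the backup is the only way back. Keep the file as carefully as the disk itself, since it contains the keyslots, and remember that it still unlocks with whatever passphrase was valid when it was taken.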