1

I would like to turn on the disk encryption option in Debian but I do not find any option which can put it on after the system installation, since I did not choose the disk encryption initially. I know the thread Is there any way to fully encrypt my hard-drive AFTER an installation of Linux Mint? where it is pointed out that the reinstall with encryption option is the best way to go. However, I am thinking if these is any stable approach do this afterwards in Debian. I have some applications (Matlab, Mathematica, ...) which I should reinstall too, which I would like to avoid.

I do not like the partition encryption afterwards by ecryptfs-migrate-home which drawback is max 2.5x larger HDD space taken (Dustin Kirkland in the thread Is it possible to Encrypt Home drive after install w/o 2.5x the space?). My HDD's capacity will not be enough (170*2.5 > 250) in such a setting. I have never experienced such an effect in Debian installation with the encryption option on initially. This fact proposes me that the reinstall is the best option but ...

OS: Debian 8.7
HDD: 250 GB, taken 170 GB now

Community
  • 1
Léo Léopold Hertz 준영
  • 6,788
  • 29
  • 91
  • 193
  • 2.5x the space is an estimate see what the author of `ecryptfs-migrate-home` says about that and his suggestions: https://askubuntu.com/questions/95154/is-it-possible-to-encrypt-home-drive-after-install-w-o-2-5x-the-space/105475#105475 >Note that the 2.5x multiplier is perhaps an aggressive overestimation of the required disk space, but I've published that recommendation as a safety precaution – Mick T Mar 28 '22 at 21:17

1 Answers1

2

It much depends with the way your disk is partitioned, but it should be feasible if you can borrow a large enough disk to perform the migration (at least ≥170GB, ideally ≥250GB, possibly an external disk).

Things are much easier if you’re already using LVM which allows live migration. I’d also suggest you use separate unencrypted /boot partition. (It seems that grub2 can handle encrypted /boot, but I never used it myself.)

Here are the steps I’d suggest:

  1. (assuming you don’t have a separate /boot partition/volume) Use a live system to shrink your / partition/volume (or any other partition) and make enough room for a new /boot partition/volume (with resize2fs or an equivalent tool); create a new /boot partition/volume and some filesystem on it; mount your new partition somewhere and move the content of your old /boot to your new partition; update your /etc/fstab to mount the new partition at /boot; actually mount the new partition to /boot; update your ramdisk (with update-initramfs) and grub configuration (with update-grub).
  2. (assuming you’re not yet using LVM) On your second disk, create a physical volume, a volume group and as many logical volumes as partitions (except /boot) on the first disk; use a live system to copy the content of each partition of the first disk to the corresponding logical volume on the second disk; (still using your live system) update your /etc/fstab to mount the new logical volumes instead of the old partitions; (still using your live system) update your /boot/grub/grub.cfg to tell the kernel where to find the new partition.
  3. Repartition your first disk with one small partition for /boot and a large one for the encryption. You may have to update your grub configuration if the UUID of your /boot filesystem changed; if you’re not sure, update it with update-grub.
  4. Set up encryption on your new dedicated partition.
  5. Make your new encrypted volume a physical volume for LVM, make it part of your volume group, and move your logical volumes to the new physical volume (using pvmove). Update your initrd and ensure it will support encryption.
  6. Remove the physical volume on the second disk from your volume group.
  7. Enjoy!

Beware, this is complex and there are many traps, probably a few ones I forgot. If you want to give it a try, I’d urge you to first give it a try with a fake system, possibly using qemu.

user2233709
  • 1,549
  • 9
  • 18