Migrating rootfs to a LUKS setup

rurikc · #1 28th May 2012, 08:12 PM

Hi,

I'd like to migrate my current F16 install to an encrypted rootfs.
(I want to avoid a time consuming fresh install followed by a reconfiguration)

Assuming I have a spare disk to play with

is there a how-to move an installation from a non-encrypted disk/partition to an encrypted disk/partition ?
(in a future upgrade safe mode, i.e. I want to duplicate the installer work)

Thanks,

Cheers.

***Gareth Jones*** · #2 29th May 2012, 07:02 PM

This could be quite complicated. In addition to formatting the encrypted partition and copying files across, you'll need to update /etc/fstab (unless you give the new root file-system the same UUID as the old), update /etc/crypttab, probably regenerate the initramfs image (dracut), and possibly reinstall the boot-loader (grub2-install).

Unless you're doing something clever, you probably don't need to encrypt /. Only /home, /var, /tmp and swap really need encrypting, and /boot cannot be encrypted.

rurikc · #3 30th May 2012, 08:53 AM

Quote:

Originally Posted by Gareth Jones

This could be quite complicated.

Thanks, I appreciate this. Let assume for the level of this discussion that I have 12 years of professional Linux sysadmin, RHCE x 2 (both expired by now)

and 18 years of Linux usage overall (started in 1994)

I am currently relatively new to LUKS (but I can find my way around), new to GTP (but doesn't seem to be big deal) and while I have repaired grub by hand on several occasions, I never played with grub2.

So, I just want to avoid pitfals, hard to solve problems and save as much time I can.

Quote:

Originally Posted by Gareth Jones

In addition to formatting the encrypted partition and copying files across, you'll need to update /etc/fstab (unless you give the new root file-system the same UUID as the old), update /etc/crypttab, probably regenerate the initramfs image (dracut), and possibly reinstall the boot-loader (grub2-install).

You could add: replace UUID of rootfs in grub.conf

Is that all ?

Quote:

Originally Posted by Gareth Jones

Unless you're doing something clever, you probably don't need to encrypt /. Only /home, /var, /tmp and swap really need encrypting, and /boot cannot be encrypted.

Contrary, I am doing something very simple

I don't have a separate /var, /tmp or even a swap partition. Over the years I found them to be a huge hassle for my home environment.

I am aware that /boot has to be unencrypted. I also saw some special kernel boot options in grub.conf. How about the initrd ? Same as for unencrypted ... or modified ?

Generally, re HDs and partitions, I tend to go with all in one: disk is cheap, RAM is cheap, my time is not.

I want to be able to have two disks for all filesystems: one live, one rsync-ed and kept up to date. The spare may go in "production" in 5 minutes. This setup saved my bacon on several occasions (last time was a failed upgrade from F15 to F16). And disks just accumulated over the years

Finally, anything that you consider I should know ? Stuff that I don't even know that I don't know ? Tips, warnings, etc ?

Thanks and all the best.

***Gareth Jones*** · #4 30th May 2012, 06:50 PM

I'm afraid I've never actually tried moving an installation from unencrypted to encrypted storage, that was just a list of things I'd expect to have to do. Unless anyone else has actually done this and reports here, I can only suggest giving it a try, and keeping the unencrypted system boot-able until you're happy that the encrypted system works of course. It sounds like you're capable of working it through! I would strongly recommend a separate /home partition at least, for various reasons, but it sounds like you're already aware of them and have made up your mind.