@bradfa
Last active April 24, 2024 16:02
Encrypt rootfs after setup

After installing a Debian system without choosing encryption in the installer, follow these steps to encrypt the sda3 partition so that the rootfs is encrypted. Run them while booted from another disk, so the rootfs can be encrypted off-line:

  1. Mount the btrfs rootfs to /mnt: mount /dev/sda3 /mnt
  2. See the current size and devid of the btrfs filesystem (likely your filesystem will be devid 1): btrfs filesystem show --mbytes /mnt
  3. Resize the filesystem to be 32MiB smaller so we can fit a LUKS header at the end of the partition: btrfs filesystem resize 1:-32M /mnt
  4. Verify that the filesystem is actually smaller now: btrfs filesystem show --mbytes /mnt
  5. Unmount the filesystem: umount /mnt
  6. Check the filesystem to ensure no errors: btrfs check /dev/sda3
  7. Encrypt the filesystem in-place (this will take a while): cryptsetup reencrypt --encrypt --verify-passphrase --reduce-device-size 32M /dev/sda3
  8. Unlock the partition and name it "ssd" so we can mount it: cryptsetup open /dev/sda3 ssd
  9. Mount it: mount /dev/mapper/ssd /mnt
  10. Get the UUID of the partition which we'll add to the crypttab: ls -l /dev/disk/by-uuid/ | grep sda3 | awk '{print $9}'
  11. Append to /mnt/etc/crypttab to add a line at the end: echo "ssd UUID=<uuid_from_above> none" >> /mnt/etc/crypttab
  12. Get the UUID of the filesystem, which we'll need for fstab (this assumes only dm-0 shows up, which is the encrypted partition via devmapper; adjust as needed based on the output of ls -l /dev/mapper/ to see which one is "ssd"): ls -l /dev/disk/by-uuid/ | grep dm-0 | awk '{print $9}'
  13. Make sure that /mnt/etc/fstab uses the filesystem UUID for the / root partition (it probably does if you've previously booted the system)
  14. Mount the needed filesystems so we can chroot into the encrypted rootfs:
      mount --bind /dev /mnt/dev
      mount --bind /proc /mnt/proc
      mount --bind /sys /mnt/sys
      mount --bind /run /mnt/run
      mount /dev/sda1 /mnt/boot/efi
  15. Then chroot into the new encrypted rootfs: chroot /mnt
  16. Install the cryptsetup tools (this may show some errors because we're in a chroot; that's OK): apt install cryptsetup cryptsetup-initramfs
  17. Update all the initramfses: update-initramfs -u -k all
  18. Exit the chroot: exit
  19. Unmount the new filesystem: umount --recursive /mnt
  20. Close out the encrypted device: cryptsetup close ssd
  21. Reboot and cross your fingers
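The same procedure wrapped in shell functions, as an added example that is not part of the gist: it parses the `btrfs filesystem show --mbytes` output to confirm the resize actually freed at least the 32 MiB header reserve before `cryptsetup reencrypt` is allowed to run, looks UUIDs up with `blkid -s UUID -o value` instead of grepping "sda3" out of `ls -l` output (which would also match sda30), and checks that fstab mounts `/` by the btrfs UUID before chrooting. The device names, the "ssd" mapping name and the 32 MiB reserve come from the gist; the sample `btrfs` output and fstab contents are constructed for this example, and the full destructive run is gated behind `RUN_REENCRYPT=1` so sourcing the file only defines the helpers.

```shell
#!/bin/bash
# Added example, not the gist author's code. Helpers around the off-line
# re-encryption steps above, with the checks worth doing between them.
set -u

HEADER_RESERVE_MIB=32   # space handed to the LUKS header (step 3 / step 7 must agree)

# Print the size in whole MiB of the given devid from captured
# `btrfs filesystem show --mbytes` output (line format:
# "devid    1 size 20480.00MiB used 4096.00MiB path /dev/sda3").
btrfs_devid_size_mib() {   # $1 = show output, $2 = devid
    printf '%s\n' "$1" | awk -v id="$2" '
        $1 == "devid" && $2 == id {
            for (i = 1; i <= NF; i++)
                if ($i == "size") { sub(/MiB$/, "", $(i+1)); printf "%d\n", $(i+1); exit }
        }'
}

# Return 0 when the filesystem shrank by at least the header reserve.
shrink_is_sufficient() {   # $1 = size before (MiB), $2 = size after, $3 = reserve
    [ $(( $1 - $2 )) -ge "$3" ]
}

# crypttab entry for the LUKS container (partition UUID, not the btrfs UUID).
crypttab_line() {   # $1 = mapping name, $2 = partition UUID
    printf '%s UUID=%s none\n' "$1" "$2"
}

# Return 0 when a non-comment fstab line mounts "/" by the given UUID (step 13).
fstab_root_uses_uuid() {   # $1 = fstab contents, $2 = btrfs filesystem UUID
    printf '%s\n' "$1" | awk -v want="UUID=$2" '
        $1 !~ /^#/ && $2 == "/" && $1 == want { found = 1 } END { exit !found }'
}

# UUID of a block device without grepping ls output (real blkid invocation).
uuid_of() { blkid -s UUID -o value "$1"; }

# The whole procedure; must run as root while booted from another disk.
encrypt_rootfs_inplace() {   # $1 = partition, $2 = mapping name, $3 = mount point
    local dev="$1" name="$2" mnt="$3" before after fs_uuid
    set -e
    mount "$dev" "$mnt"
    before=$(btrfs_devid_size_mib "$(btrfs filesystem show --mbytes "$mnt")" 1)
    btrfs filesystem resize "1:-${HEADER_RESERVE_MIB}M" "$mnt"
    after=$(btrfs_devid_size_mib "$(btrfs filesystem show --mbytes "$mnt")" 1)
    umount "$mnt"
    shrink_is_sufficient "$before" "$after" "$HEADER_RESERVE_MIB" \
        || { echo "resize freed only $((before - after)) MiB, refusing to reencrypt" >&2; return 1; }
    btrfs check "$dev"                       # set -e aborts here on any error
    cryptsetup reencrypt --encrypt --verify-passphrase \
        --reduce-device-size "${HEADER_RESERVE_MIB}M" "$dev"
    cryptsetup open "$dev" "$name"
    mount "/dev/mapper/$name" "$mnt"
    crypttab_line "$name" "$(uuid_of "$dev")" >> "$mnt/etc/crypttab"
    fs_uuid=$(uuid_of "/dev/mapper/$name")
    fstab_root_uses_uuid "$(cat "$mnt/etc/fstab")" "$fs_uuid" \
        || { echo "fstab does not mount / by UUID=$fs_uuid; fix it before chrooting" >&2; return 1; }
    for d in dev proc sys run; do mount --bind "/$d" "$mnt/$d"; done
    mount /dev/sda1 "$mnt/boot/efi"          # ESP device from the gist; adjust to your layout
    chroot "$mnt" sh -c 'apt install -y cryptsetup cryptsetup-initramfs && update-initramfs -u -k all'
    umount --recursive "$mnt"
    cryptsetup close "$name"
}

# Constructed sample output, as `btrfs filesystem show --mbytes /mnt` prints it
# before (20480 MiB) and after (20448 MiB) the 32 MiB resize.
SAMPLE_SHOW_BEFORE='Label: none  uuid: 2f3c7b9a-0000-4000-8000-000000000001
	Total devices 1 FS bytes used 3500.00MiB
	devid    1 size 20480.00MiB used 4096.00MiB path /dev/sda3'
SAMPLE_SHOW_AFTER='Label: none  uuid: 2f3c7b9a-0000-4000-8000-000000000001
	Total devices 1 FS bytes used 3500.00MiB
	devid    1 size 20448.00MiB used 4096.00MiB path /dev/sda3'
# Constructed sample fstab that already mounts / by the btrfs UUID.
SAMPLE_FSTAB='# /etc/fstab: static file system information
UUID=2f3c7b9a-0000-4000-8000-000000000001 /         btrfs defaults   0 0
UUID=1A2B-3C4D                            /boot/efi vfat  umask=0077 0 1'

if [ "${RUN_REENCRYPT:-0}" = "1" ]; then
    encrypt_rootfs_inplace /dev/sda3 ssd /mnt
fi
```

Run it with `RUN_REENCRYPT=1 bash encrypt-rootfs.sh` from the rescue system; without that variable the script only defines the helpers, so the parsing and fstab checks can be exercised against the constructed samples first.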