Encrypt a physical volume using LUKS without erasing the drive.
#!/bin/bash
# Encrypt existing hard drive in place.
# Requires a second physical drive to temporarily store data. This drive will be erased.
# This script is meant to be run on Clonezilla 1.2.9-19 or later.
# The cryptsetup syntax is different in Clonezilla than in Red Hat.

# Abort on the first failed command: continuing past a failed pvmove into
# vgreduce/pvremove would destroy the data that was not moved.
set -e

# --- Variables --- #
VGNAME=VolGroup00   # Name of volume group containing physical volume to be encrypted
SOURCE=/dev/sda2    # Physical volume to be encrypted
TEMP=/dev/sdb1      # Second physical drive which the data will be copied to
# The keyfile is only used so that encryption can take place without user interaction.
# The keyfile can be removed at the end and replaced with a passphrase.
# DO NOT lose the keyfile or the drive will be inaccessible.
# Create a random keyfile using: dd if=/dev/urandom of=/tmp/keyfile bs=1024 count=4
# I recommend storing the keyfile on a separate disk as a safety measure
KEYFILE=/tmp/keyfile

# --- Sanity checks --- #
[ "$(id -u)" -eq 0 ] || { echo "This script must be run as root." >&2; exit 1; }
[ -b "$SOURCE" ] || { echo "$SOURCE is not a block device." >&2; exit 1; }
[ -b "$TEMP" ] || { echo "$TEMP is not a block device." >&2; exit 1; }
[ -s "$KEYFILE" ] || { echo "Keyfile $KEYFILE is missing or empty; create it first." >&2; exit 1; }

# --- Main Program --- #
echo -e "Creating temp storage drive on $TEMP\n"
pvcreate "$TEMP"
echo -e "Extending $VGNAME"
vgextend "$VGNAME" "$TEMP"
echo -e "Moving $SOURCE to $TEMP. This will take some time.\n"
pvmove "$SOURCE" "$TEMP"
echo -e "Encrypting $SOURCE\n"
vgreduce "$VGNAME" "$SOURCE"
pvremove "$SOURCE"
# The keyfile goes into key slot 1; a passphrase added later takes the first free slot (slot 0).
cryptsetup -q -s 256 --key-file "$KEYFILE" --key-slot=1 luksFormat "$SOURCE"
echo -e "Moving data back to encrypted drive\n"
cryptsetup --key-file "$KEYFILE" luksOpen "$SOURCE" luks-volume
pvcreate /dev/mapper/luks-volume
vgextend "$VGNAME" /dev/mapper/luks-volume
pvmove "$TEMP" /dev/mapper/luks-volume
vgreduce "$VGNAME" "$TEMP"
pvremove "$TEMP"

ANSWER=""
while [[ $ANSWER != "y" && $ANSWER != "n" ]] ; do
    read -p "Do you wish to set the passphrase and remove the temporary keyfile? {y|n} " ANSWER
done
case $ANSWER in
y)
    # Prompts for a passphrase used to encrypt the volume
    cryptsetup -y --key-file "$KEYFILE" luksAddKey "$SOURCE"
    # Removes the temporary keyfile from the volume
    cryptsetup luksRemoveKey "$SOURCE" "$KEYFILE"
    ;;
n)
    # The keyfile remains the only way to unlock $SOURCE; keep it somewhere safe.
    ;;
esac
echo -e "Drive encryption complete. Please restart your machine and make a new initrd."
exit 0

# --- Follow Up --- #
# Once the drive has been encrypted with LUKS, you will need to remake the initrd to get it to boot properly.
#
# 1) Reboot off of the RHEL installation disc
# shutdown -r
# # Remove the current live CD and insert the RHEL disc
# # Enter rescue mode
# boot: linux rescue
#
# 2) Follow the prompts until you get to a shell prompt
#
# 3) Change root to the found system partition
# chroot /mnt/sysimage
#
# 4) Backup the original initrd
# cd /boot
# mv initrd-[kernel].img initrd-[kernel].img.bak
#
# 5) Make a new initrd
# mkinitrd /boot/initrd-[kernel].img [kernel]
#
# 6) Exit from the changed root environment and reboot the machine
# exit
# shutdown -r now
# # Make sure to remove the disc as it does not eject automatically
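A check to run after the procedure above, added here as an example and not part of the gist: it parses the text of `cryptsetup luksDump` and confirms the state the script is meant to leave (key slot 1, which held the temporary keyfile, disabled; exactly one enabled slot; a 256-bit master key). The function name and the luksDump excerpts are constructed for this example.

```shell
#!/bin/bash
# Hypothetical post-encryption check (not part of the gist). It reads the
# output of `cryptsetup luksDump` and reports whether the temporary keyfile
# slot is gone and only the interactive passphrase slot remains.
#
# Usage on the real system after reboot:
#   check_luks_state "$(cryptsetup luksDump /dev/sda2)"

check_luks_state() {
    local dump="$1" enabled slot1 bits status=0
    # Count enabled slots, the state of slot 1, and the master key size.
    enabled=$(printf '%s\n' "$dump" | grep -c '^Key Slot [0-7]: ENABLED' || true)
    slot1=$(printf '%s\n' "$dump" | awk '/^Key Slot 1:/ {print $4}')
    bits=$(printf '%s\n' "$dump" | awk -F: '/^MK bits/ {gsub(/[[:space:]]/, "", $2); print $2}')

    if [ "$slot1" != "DISABLED" ]; then
        echo "WARN: key slot 1 is ${slot1:-missing}; the temporary keyfile still unlocks the volume"
        status=1
    fi
    if [ "$enabled" -ne 1 ]; then
        echo "WARN: expected exactly one enabled key slot, found $enabled"
        status=1
    fi
    if [ "$bits" != "256" ]; then
        echo "WARN: master key is ${bits:-unknown} bits, expected 256"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: keyfile slot removed, one passphrase slot, 256-bit key"
    fi
    return "$status"
}

# Constructed luksDump excerpts (not captured from a real machine).
# EXPECTED_DUMP: the state after answering "y" at the script's prompt.
EXPECTED_DUMP=$(printf 'Version:\t1\nCipher name:\taes\nCipher mode:\tcbc-essiv:sha256\nMK bits:\t256\nKey Slot 0: ENABLED\nKey Slot 1: DISABLED\nKey Slot 2: DISABLED\n')
# KEYFILE_LEFT_DUMP: the state after answering "n"; the keyfile is still in slot 1.
KEYFILE_LEFT_DUMP=$(printf 'Version:\t1\nCipher name:\taes\nCipher mode:\tcbc-essiv:sha256\nMK bits:\t256\nKey Slot 0: DISABLED\nKey Slot 1: ENABLED\nKey Slot 2: DISABLED\n')

check_luks_state "$EXPECTED_DUMP"
check_luks_state "$KEYFILE_LEFT_DUMP" || true
```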