On Thu, Feb 28, 2013 at 09:01:29AM -0600, lxnf98mm@xxxxxxxxx wrote: > I have successfully used the procedure you describe several times to > convert to raid but never an encrypted partition > When you say "2. Copy the data over." what am I copying I realize my explanation was a bit low on detailand ambiguous. You still copy the files, not the encrypted device or the filesystem. Copying anything binarily could cause numerous problems that can be avoided by copying data on file-level. The layering is like this Filesystem | Encryption | RAID <-- This layer gets inserted in the stack | Raw partitions | Raw disks Hence the RAID does see the raw encrypted partitions and mirrors them. > Normally I would > > cd old_filesystem; tar cf - . |(cd new_filesystem; tar xf -) > > But that would just copy unencrypted data > Would you explain a bit more Say you have / on /dev/mapper/root_part decrypted from /dev/sda3 and your new disk is /dev/sdb. Yiour target md device is /dev/md3 (avoid name collisions, you specify the number of the md device and it is persistent). Then you would do somethign like below. You can do this from the running old system with a few extra things, see below: 1. Make a partition of smaller or exactly size in /dev/ sdb, e.g. /dev/sdb3, give it type fb if you want kernel-level auto-detection. I highly recommend doing this. 2. Make a new RAID1 on top of /dev/sdb3, using something like this mdadm --create -n 2 -l 1 --superblock0.90 /dev/md3 /dev/sdb3 missing 3. Make a new LUKS filesystem in top of md3 and map it to, say /dev/mapper/new_root 4. Create filesystem on new_root and mount it. 5. Copy root over with tar, just as you describe. If this is from the live installation, do not forget --one-file-system or you will get a full system copy including a memory image from /proc on the new raid partition. 6. If this is with udev and you copy using the installed system, make sure to manually create console and null in /dev/ on new_root, as it will otherwise not boot: cd /dev/mapper/new_root/dev mknod -m 660 console c 5 1 mknod -m 660 null c 1 3 Now you have a copy of your system. Try to boot it by your usual mechanism, just with /dev/md3 instead of /dev/sda3 as root and with the new LUKS passphrase, unless you use the same as before (not a security risk increase in this situation). So far, you have niot changed anything on the old drive. If you still do not have a full backuck, at the very least make one now. 7. From the new running system, change the type of the old partitions to fb for auto-detection. 8. Sync them into the new md partitons like this: mdadm --add /dev/md3 /dev/sda3 Here, all your old data will be overwritten. If the new partition is smaller, you may also want to zero the old one before this step, though killing the LUKS header makes that redundant. 9. boot again and make sure the raid device comes up in a non-degraded state. Done. Repeat for data partition at your laisure. Note that the scripts handling the encryption on boot see as only difference that it is now /dev/md<x> instead of /dev/sda<y>, that represents the encrypted partitions. Also note that you can check the state of a raid device and sync progress with a simple "cat /proc/mdstat". Before step 8, /dev/md3 will just lost one disk as present, after step 8, it should list both. Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- One of the painful things about our time is that those who feel certainty are stupid, and those with any imagination and understanding are filled with doubt and indecision. -- Bertrand Russell _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt