On 9/11/20 8:09 AM, Dev Chakraborty wrote:
> Hi,
> We have a root volume and additional disks. I can encrypt the additional
> volume, but if I do the root it says root is busy and can't do it. How can
> I encrypt the root on the fly without detaching?
> Say we are already on prod machines; how can we achieve this for prod
> systems without affecting anything?
You can't do it while the filesystem is mounted. You must take the filesystem
offline for a short time to allow the introduction of a new device-mapper
device underneath your filesystem.
I'd recommend reading the reencryption man page (especially the implications
of the cryptsetup reencrypt action with the --reduce-device-size argument), but
in short you'd need the following list of commands:
You can do it with a detached LUKS2 header put in a separate file, as follows:
1) umount /dev/sdx (your fs)
2) cryptsetup reencrypt --encrypt --init-only --header file.x /dev/sdx encrypted_sdx
This will create a LUKS2 header in file.x ready for online encryption of
device /dev/sdx. It would also activate the dm device 'encrypted_sdx'. Note
that unless you finish the full device encryption, some parts of /dev/sdx are
still exposed as plaintext.
3) mount /dev/mapper/encrypted_sdx /mnt/path
4) cryptsetup reencrypt /dev/sdx --header file.x
----------------
Or if you can shrink your filesystem (or extend the size of the underlying
/dev/sdx), you may use this:
1) umount /dev/sdx (your fs)
2) cryptsetup reencrypt --encrypt --init-only --reduce-device-size 32m /dev/sdx encrypted_sdx
Really, be *careful* with --reduce-device-size. You *HAVE* to be sure
you're using it correctly. This option can destroy your fs if used
wrongly. Otherwise it has the same effect as step 2) above.
3) mount /dev/mapper/encrypted_sdx /mnt/path
4) cryptsetup reencrypt /dev/sdx
Regards
O.
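The detached-header sequence from the reply above, as an added shell example that is not part of the original post or of cryptsetup itself: `plan` prints the four commands for review, and `run` executes them with a check that the unmount actually took effect (on a busy root filesystem it will not, which is the situation the question describes). The device, header path, mapper name and mount point are assumed inputs.

```shell
#!/bin/sh
# Added example, not from the list post. Wraps the detached-header online
# encryption sequence from the reply above. Inputs (assumed): block device,
# header file path, device-mapper name, mount point for the mapped device.
set -eu

# Exit 0 if DEV is listed as a mounted source in MOUNTS (default /proc/mounts).
# Matches the literal path, so pass the same spelling that was used to mount.
is_mounted() {
    awk -v d="$1" '$1 == d { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# Print the command sequence, one per line, without executing anything,
# so an operator can review it before touching a live device.
plan_encrypt() {
    dev=$1; hdr=$2; name=$3; mnt=$4
    printf '%s\n' \
        "umount $dev" \
        "cryptsetup reencrypt --encrypt --init-only --header $hdr $dev $name" \
        "mount /dev/mapper/$name $mnt" \
        "cryptsetup reencrypt $dev --header $hdr"
}

# The header file must not pre-exist: an old one could be mistaken for a
# previous, partially finished run of this same procedure.
header_path_ok() {
    [ ! -e "$1" ]
}

# Usage: sh encrypt_online.sh plan|run DEV HEADER NAME MOUNTPOINT
case "${1:-}" in
    plan) shift; plan_encrypt "$@" ;;
    run)
        shift; dev=$1; hdr=$2; name=$3; mnt=$4
        header_path_ok "$hdr" || { echo "refusing: $hdr exists" >&2; exit 1; }
        umount "$dev"
        # A busy root filesystem is exactly where umount fails; set -e stops us
        # there, and this guards against a lazy or partial unmount slipping by.
        if is_mounted "$dev"; then echo "refusing: $dev still mounted" >&2; exit 1; fi
        cryptsetup reencrypt --encrypt --init-only --header "$hdr" "$dev" "$name"
        mount "/dev/mapper/$name" "$mnt"
        # Back up $hdr now: without the detached header the data is unreadable.
        # Until this final step completes, parts of $dev remain plaintext.
        cryptsetup reencrypt "$dev" --header "$hdr"
        ;;
esac
```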
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt