
#1 2023-01-11 16:47:13

deepfuchsia
Member
Registered: 2018-11-01
Posts: 16

Encrypt an existing btrfs filesystem?

I have an SSD disk that has two partitions, one is for /boot and another is for everything else, lsblk looks like this

zram0       254:0    0     4G  0 disk [SWAP]
nvme0n1     259:0    0 476.9G  0 disk 
├─nvme0n1p1 259:1    0   511M  0 part /boot
└─nvme0n1p2 259:2    0 476.4G  0 part /var/log
                                      /var/cache/pacman/pkg
                                      /home
                                      /.snapshots
                                      /

During installation I used btrfs filesystem.

Is it possible to encrypt the nvme0n1p2 partition (everything but /boot) without reinstalling the whole system?
If so, could you please point me in the right direction, what should I google for and read?
All info I found is about how to install Arch Linux with btrfs with encryption, but not how to encrypt an existing btrfs partition.


#2 2023-01-11 18:44:31

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,489

Re: Encrypt an existing btrfs filesystem?

It's possible, but things may go wrong easily. The crucial point is you have to shrink the existing filesystem a little, check if this wiki part explains the procedure. You basically boot another system (iso) to manipulate the root filesystem and device to add the encryption. Usually, it should be faster and safer to backup the system, create an encrypted device and restore the system into it, then updating the boot config for the new encryption. You can also practise it by creating an encrypted USB system/drive and restore/sync your existing system (or relevant part) into it.


#3 2023-01-11 20:47:11

deepfuchsia
Member
Registered: 2018-11-01
Posts: 16

Re: Encrypt an existing btrfs filesystem?

Strike0 wrote:

Usually, it should be faster and safer to backup the system, create an encrypted device and restore the system into it, then updating the boot config for the new encryption

Do I need an external device to make it work, or can I use the same SSD but a different partition?

For example, I have two partitions

nvme0n1p1
nvme0n1p2

and I wanna backup the second one - nvme0n1p2. There's enough space on the disk to have another partition of the same size.
Can I create the third partition - nvme0n1p3, then use it to backup the second partition, then encrypt the second partition and restore it using the third one?


#4 2023-01-11 23:56:57

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,489

Re: Encrypt an existing btrfs filesystem?

Yes, dm-crypt is always addressed to one partition/block device (p2). It need not touch your (new) p3. If all goes well you don't even have to restore, because the encryption header is added to your partition and the data can be encrypted in-place. In any case, don't do it without a full backup. Read the section of the wiki link I posted. Also, the manual: The command to add encryption is the first example here, I suggest you read the full manual page. Prior to encrypting, you need to shrink your btrfs partition a little to make space for the 32MB LUKS2 header. You can theoretically (1) shrink the btrfs and (2) encrypt the partition from the running system. Still, nothing must go wrong (kernel crash, etc.) and before rebooting you need to configure your system so it can boot from the encrypted root. It's good to practise the steps at least once, e.g. with a USB - no risk.
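A preflight script for the two preconditions this post names (partition offline, filesystem shrunk to leave room for the LUKS2 header) as an added example; it is not from the thread or from cryptsetup, works on constructed lsblk output instead of real devices, and only prints the commands it would run.

```shell
#!/bin/sh
# Preflight for encrypting an existing btrfs partition in place with
# cryptsetup reencrypt (added example, not from the thread). It checks the
# two things the thread stresses: the partition must be offline, and the
# filesystem must be shrunk first to leave room for the 32 MiB LUKS2 header.

HEADER_BYTES=$((32 * 1024 * 1024))   # room for the LUKS2 header

# Constructed sample of `lsblk -b -l -n -o NAME,SIZE,FSTYPE,MOUNTPOINTS` as
# seen from the live ISO (nothing mounted); partition names follow the thread.
P2_BYTES=$((487800 * 1048576))
SAMPLE_LSBLK="nvme0n1p1 $((511 * 1048576)) vfat
nvme0n1p2 $P2_BYTES btrfs
nvme0n1p3 $((20000 * 1048576)) btrfs"

# Size in bytes of the named partition, empty if it is not listed.
part_size() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print $2; exit }'
}

# True (exit 0) when the partition has a mountpoint, i.e. is still in use.
is_mounted() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n && $4 != "" { found = 1 } END { exit !found }'
}

# Filesystem size to shrink to: partition size minus header room, 4 KiB aligned.
shrink_target() {
    echo "$(( (($1 - $2) / 4096) * 4096 ))"
}

# --reduce-device-size must be 4 KiB aligned and at least the header room.
reduce_ok() {
    [ "$(($1 % 4096))" -eq 0 ] && [ "$1" -ge "$HEADER_BYTES" ]
}

# Exit 0 and print the planned commands only when every precondition holds.
preflight() {
    size=$(part_size "$1" "$2")
    [ -n "$size" ] || { echo "no such partition: $2" >&2; return 1; }
    if is_mounted "$1" "$2"; then
        echo "$2 is mounted: boot the ISO and run this offline" >&2; return 1
    fi
    reduce_ok "$HEADER_BYTES" || return 1
    target=$(shrink_target "$size" "$HEADER_BYTES")
    echo "mount /dev/$2 /mnt && btrfs filesystem resize $target /mnt && umount /mnt"
    echo "cryptsetup reencrypt --encrypt --type luks2 --reduce-device-size $((HEADER_BYTES / 1048576))M /dev/$2"
}

preflight "$SAMPLE_LSBLK" nvme0n1p2
```

Feed it real `lsblk -b -l -n -o NAME,SIZE,FSTYPE,MOUNTPOINTS` output from the live ISO to check your own partition; the printed commands are still to be run by hand, after the full backup the post asks for.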


#5 2023-01-12 09:48:08

deepfuchsia
Member
Registered: 2018-11-01
Posts: 16

Re: Encrypt an existing btrfs filesystem?

Strike0 wrote:

Yes, dm-crypt is always addressed to one partition/block device (p2). It need not touch your (new) p3. If all goes well you don't even have to restore, because the encryption header is added to your partition and the data can be encrypted in-place. In any case, don't do it without a full backup. Read the section of the wiki link I posted. Also, the manual: The command to add encryption is the first example here, I suggest you read the full manual page. Prior to encrypting, you need to shrink your btrfs partition a little to make space for the 32MB LUKS2 header. You can theoretically (1) shrink the btrfs and (2) encrypt the partition from the running system. Still, nothing must go wrong (kernel crash, etc.) and before rebooting you need to configure your system so it can boot from the encrypted root. It's good to practise the steps at least once, e.g. with a USB - no risk.

I don't have such a large USB unfortunately.
So far I've resized the btrfs filesystem, used the freed space to resize the partition of the filesystem, created a new partition with a btrfs filesystem, and now I've created a snapshot of the main filesystem and sent (copied) it to the newly created partition/subsystem.
I still have some space left, so I assume I can try and encrypt the main partition.


#6 2023-01-12 11:55:25

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,489

Re: Encrypt an existing btrfs filesystem?

I did not mean to practise with your full data on USB, but practise to create a bootable encrypted system with btrfs as filesystem. Once you run the command to encrypt your p2 data, you need to adjust the boot chain prior to rebooting, i.e. follow a selection of steps from the relevant install guide to update your existing /boot initramfs etc.


#7 2023-01-12 12:37:51

deepfuchsia
Member
Registered: 2018-11-01
Posts: 16

Re: Encrypt an existing btrfs filesystem?

Strike0 wrote:

I did not mean to practise with your full data on USB, but practise to create a bootable encrypted system with btrfs as filesystem. Once you run the command to encrypt your p2 data, you need to adjust the boot chain prior to rebooting, i.e. follow a selection of steps from the relevant install guide to update your existing /boot initramfs etc.

Congratulate me, I've booted using the encrypted partition.
I guess I lost a few million nerve cells though, because the Arch wiki says

The device-UUID refers to the UUID of the LUKS superblock, in this case /dev/sda2

so I wasn't thinking much and typed

...UUID=/dev/nvme0n1p2:root

and had a problem that wasn't so obvious to fix. So I googled a bit and found this topic https://bbs.archlinux.org/viewtopic.php?id=215077
then I tried the

ls -l /dev/disk/by-uuid/

and noticed that there is no such UUID. Good thing I made a backup of the old config, so I simply changed UUID=/dev... to the string from the old config, which looks like PARTUUID=<actual partuuid>, and it worked!
Resizing the filesystem and partition, and encrypting all the stuff, wasn't a problem, but I had to read about it a few times before doing the actual thing.

Last edited by deepfuchsia (2023-01-12 12:38:22)


#8 2023-01-12 20:14:53

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,489

Re: Encrypt an existing btrfs filesystem?

Ah, great - sure, congrats!
The UUID business can indeed be confusing, but consistency of available options also got much better over the years! What they mean in the wiki is that LUKS acquires the UUID of the device - and this is not to be confused with the UUID the filesystem itself gets (unavailable for a locked dm-crypt at rest). When you execute

lsblk -f

now, you will see both.

Any case, one question from me: Did you execute the cryptsetup encrypt command online (i.e. from within the booted system), or offline (/dev/nvme0n1p2 not mounted)?

And one tip: Once you have verified your now encrypted data is complete and want to remove the safety copy on your third partition, the fastest way is to overwrite the whole partition with dm-crypt crypted data. After dd has finished with "no space left on device", you can reuse it for whatever. Btw, you could later also enlarge the partition/dm-crypt device and expand the btrfs filesystem to a size it had previously, as long as you don't use space adjacent to nvme0n1p2 for other purposes in the meantime.
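A small check for the UUID mix-up discussed in the last two posts, as an added example (not from the thread): it verifies that the `cryptdevice=UUID=...` value on the kernel command line names the crypto_LUKS device in lsblk output, rather than a /dev path or the btrfs UUID that only exists once the container is open. The lsblk lines and UUIDs are constructed.

```shell
#!/bin/sh
# Check that the kernel command line unlocks the LUKS container by the UUID
# of the LUKS header, not by a device path and not by the btrfs UUID that only
# exists once the container is open (added example, not from the thread).

# Constructed sample of `lsblk -f -l -n -o NAME,FSTYPE,UUID` on the encrypted
# system; "root" is the opened dm-crypt device, the UUIDs are made up.
SAMPLE_LSBLK_F='nvme0n1p1 vfat 1234-ABCD
nvme0n1p2 crypto_LUKS 6f1c2a3b-0000-4000-8000-000000000001
root btrfs 0b7e9d42-0000-4000-8000-000000000002'

# Value between "cryptdevice=UUID=" and the first ":" on the command line.
cryptdevice_uuid() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^cryptdevice=UUID=\([^:]*\):.*/\1/p'
}

# FSTYPE of the block device carrying the given UUID, empty if none does.
fstype_of_uuid() {
    printf '%s\n' "$1" | awk -v u="$2" '$3 == u { print $2; exit }'
}

# 0: ok; 1: no cryptdevice=UUID=; 2: UUID not found on any device (e.g. a
# /dev path was pasted, as in the thread); 3: UUID is a filesystem, not LUKS.
check_cryptdevice() {
    uuid=$(cryptdevice_uuid "$2")
    [ -n "$uuid" ] || { echo "cryptdevice= missing or not in UUID= form" >&2; return 1; }
    fstype=$(fstype_of_uuid "$1" "$uuid")
    case "$fstype" in
        crypto_LUKS) echo "ok: $uuid is a LUKS header"; return 0 ;;
        "") echo "$uuid is not in /dev/disk/by-uuid; no device carries it" >&2; return 2 ;;
        *)  echo "$uuid belongs to a $fstype filesystem, not the LUKS header" >&2; return 3 ;;
    esac
}

# Demo: the mistake from the thread (non-zero status is the point), then the correct form.
check_cryptdevice "$SAMPLE_LSBLK_F" "cryptdevice=UUID=/dev/nvme0n1p2:root root=/dev/mapper/root" || true
check_cryptdevice "$SAMPLE_LSBLK_F" "cryptdevice=UUID=6f1c2a3b-0000-4000-8000-000000000001:root root=/dev/mapper/root"
```

On a real system pass `"$(lsblk -f -l -n -o NAME,FSTYPE,UUID)"` and `"$(cat /proc/cmdline)"` (or the line from your bootloader entry) to check_cryptdevice before rebooting.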


#9 2023-01-12 23:01:43

deepfuchsia
Member
Registered: 2018-11-01
Posts: 16

Re: Encrypt an existing btrfs filesystem?

Any case, one question from me: Did you execute the cryptsetup encrypt command online (i.e. from within the booted system), or offline (/dev/nvme0n1p2 not mounted)?

Offline, from arch iso on a USB stick.

I'm not sure how to override the third partition with dd tbh. I was thinking about removing the partition in gparted, then expanding the root partition while it's being decrypted, and then also simply fitting the filesystem's size so it uses all the free space.


#10 2023-01-12 23:32:23

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,489

Re: Encrypt an existing btrfs filesystem?

I posted a link above about how to wipe the device with dd. Do that before removing the partition to reuse it; you don't want remnants of a full backup of your data on the device when you go through the trouble to encrypt it.
With expanding it then, you indeed use a partitioning tool to expand the device while it is active/mounted. Next, there is cryptsetup-resize, and when that is done, btrfs filesystem resize.
