Recently I have been thinking about setting up encryption on my already installed Arch setup. I would reinstall and encrypt it that way, however I do not have an external HDD big enough to back up everything, so I was wondering if it is possible to encrypt a hard disk on an already installed Arch setup. I have two partitions, /dev/sda1 and /dev/sda2, and would like to encrypt both while not having to reinstall.
Can anyone help? Thanks!
Edit:
Alternatively, could I reinstall it and use encryption in the install in such a way that it retains my file contents?
Last edited by ThatPerson (2013-07-30 12:41:13)
As far as I know it's not possible to do a live migration to LUKS encryption.
Oh, ok, that's a pity. I might as well try and reinstall it, and put my important files on other storage spaces or make a 3rd partition for them. Thanks anyway!
You don't need to back up everything, just your data and configs.
You can still do an offline migration without reinstalling. That is, tar up your entire system and back it up onto an external drive, encrypt your partitions, untar your system, and then adjust your mkinitcpio as necessary.
I use rsync rather than tar to do what Stebalien is suggesting here. I use btrfs, and my root filesystem is actually a subvolume. So I mount the entire btrfs filesystem (from subvolid=0) at /var/lib/btrfs-root. By doing this, it makes it much easier to simply rsync (or tar) from that mountpoint to the backup mountpoint. This makes it so that I can actually back up the system I am running off of without explicitly excluding all the volatile directories (like /sys, /tmp, /proc, etc.). Though I think a more sane approach, since I use btrfs, would be to snapshot each subvol and rsync those instead.
I guess what I am trying to get at is that you could create something like /mnt/system and /mnt/backup. If you mounted your rootfs to /mnt/system (and then possibly your home partition to /mnt/system/home), then mounted the backup destination to /mnt/backup, you could simply do something like:
# rsync -aAXv /mnt/system/* /mnt/backup
Then of course you would have to put it all back after you set up LUKS/dm-crypt.
This installation I use has been through a few different drives and through trying and removing LUKS/dm-crypt. I have also changed filesystems, switched to LVM2, tried mdadm RAID0, mdadm RAID1, and eventually went back to btrfs. So as mentioned above, there is really no need to reinstall just to change the underlying layout of the HDD/SSD. Of course this assumes that you have a spare drive with the space to copy your entire filesystem to... but then you should have backups anyway, right?
Of course this assumes that you have a spare drive with the space to copy your entire filesystem to... but then you should have backups anyway, right?
Well, I have an external disk which is big enough for most of my files and config, but then again I do have quite a few ISO files I don't really need, so I could probably get rid of them.
Thanks both of you, I am planning on rsyncing it to the disk and making the new partitions tomorrow.
I have two partitions, /dev/sda1 and /dev/sda2, and would like to encrypt both while not having to reinstall.
Can anyone help?
Actually a tool has been added to cryptsetup (a while back, in 1.5.0) which can do what you want. It can be used to switch encryption of a partition around and also (important sometimes) to re-encrypt a partition with a new key. However, it is still marked experimental and you are well advised to read the warning (particularly the bit in CAPS) carefully:
man cryptsetup-reencrypt
Given your reliable backup is done, it is dead simple to encrypt your partition with that. You will find an example for your partition layout right at the end of the manpage. Of course you also have to change your mkinitcpio and bootloader config; these steps (wiki) you would do before running the tool.
edit: I overlooked that you want to encrypt /dev/sda1 too, which is presumably your /boot and cannot be encrypted of course. So for clarity, the above only applies to your root partition.
Last edited by Strike0 (2013-07-31 19:02:22)
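Added example, not part of any post in this thread: a check that a copy such as the rsync backup to /mnt/backup is complete before the source partition is reformatted for LUKS, which is the "reliable backup" the last post takes as given. It compares paths, entry types, mode, owner, symlink targets and SHA-256 of file contents (ACLs and xattrs are not compared, file names containing newlines are not supported); the function names are hypothetical and GNU or BusyBox find, stat and sha256sum are assumed.

```sh
#!/bin/sh
# Added example: verify a backup tree against its source before the source
# partition is reformatted. Function names are hypothetical.

# tree_manifest DIR: one line per entry below DIR, sorted by path.
#   f <mode:uid:gid> <sha256> <path>   regular file
#   d <mode:uid:gid> <path>            directory
#   l <target> <path>                  symlink
#   o <path>                           device, socket or FIFO
tree_manifest() {
    ( cd "$1" || exit 1
      find . ! -path . | LC_ALL=C sort |
      while IFS= read -r p; do
          if [ -L "$p" ]; then
              printf 'l %s %s\n' "$(readlink "$p")" "$p"
          elif [ -f "$p" ]; then
              sum=$(sha256sum < "$p")
              printf 'f %s %s %s\n' "$(stat -c %a:%u:%g "$p")" "${sum%% *}" "$p"
          elif [ -d "$p" ]; then
              printf 'd %s %s\n' "$(stat -c %a:%u:%g "$p")" "$p"
          else
              printf 'o %s\n' "$p"
          fi
      done )
}

# backup_matches SRC DST: return 0 only if both manifests are identical.
# Differences are printed: '<' exists only in SRC, '>' only in DST.
backup_matches() {
    a=$(mktemp) && b=$(mktemp) || return 2
    rc=0
    if tree_manifest "$1" > "$a" && tree_manifest "$2" > "$b"; then
        diff "$a" "$b" || rc=$?
    else
        rc=2
    fi
    rm -f "$a" "$b"
    return "$rc"
}

# With the thread's mount points: sh verify.sh /mnt/system /mnt/backup
if [ "$#" -eq 2 ]; then
    backup_matches "$1" "$2" && echo "backup verified"
fi
```

Entries directly under the source root whose names start with a dot are included in the comparison, so a copy made with a shell `*` glob that skipped them is reported as incomplete.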