#1 2018-08-08 11:04:33

Demon
Member
From: Republic of Srpska, BA
Registered: 2008-03-02
Posts: 237

[SOLVED] Migrating non-encrypted installation to another disk with FDE

Hi,

I have a non-encrypted installation with /, /home and swap partitions on my old device. I want to migrate it to another device, but with FDE. I do not want to reinstall to get full disk encryption, I just want to copy my old data to the new device (with partitions prepared) and to set up what's needed for this to work. Is this possible?

I have done migrations from one disk (or device) to another in the past, but now would like to try this with FDE.

This type of FDE looks attractive to me: https://wiki.archlinux.org/index.php/Dm … .28GRUB.29

I am also not sure which type of encryption is better for my use-case, LVM on LUKS or LUKS on LVM.

My use-case: I want to be able to decrypt and access my data offline easily (from a live USB) in case a backup or another migration is needed. I also want to be able to dual-boot [EDIT: with a GNU/Linux system] on the same disk.

Thanks for any advice you might have.

Last edited by Demon (2018-08-08 23:38:09)

#2 2018-08-08 14:15:21

nl6720
Wiki Maintainer
Registered: 2016-07-02
Posts: 86

Everything you ask for is possible. :) You just need to partition the disk, set up encrypted volumes, LVM volumes and copy the data with e.g. rsync#Full system backup.

Demon wrote:

I also want to be able to dual-boot on the same disk.

With Windows? In BIOS or UEFI mode (this is important as it affects needed partitions)? Read Dual boot with Windows for details.

Demon wrote:

I am also not sure what type of the encryption is better for my use-case, LVM on LUKS or LUKS on LVM.

dm-crypt/Encrypting an entire system#Overview lists the advantages and disadvantages of both. I think LVM on LUKS is more common and possibly simpler.
Since your chosen method dm-crypt/Encrypting an entire system#Encrypted boot partition (GRUB) uses LVM on LUKS, I suggest sticking with that.
If you can live without LUKS2, it can be simplified further by keeping /boot in the root volume.
A generic layout (don't use it yet):

+---------------------+----------------------+----------------------+----------------------+----------------------+------------+
| BIOS boot partition | EFI system partition | Logical volume 1     | Logical volume 2     | Logical volume 3     | free       |
| (only for GPT/BIOS) | (only for UEFI)      |                      |                      |                      | space      |
|                     | /efi                 | /root                | [SWAP]               | /home                | for        |
|                     |                      |                      |                      |                      | other      |
|                     |                      | /dev/MyVolGroup/root | /dev/MyVolGroup/swap | /dev/MyVolGroup/home | operating  |
| /dev/sda1           | /dev/sda2            +----------------------+----------------------+----------------------+ system     |
| unencrypted         | unencrypted          | /dev/sda3 encrypted using LVM on LUKS                              | partitions |
+---------------------+----------------------+--------------------------------------------------------------------+------------+

#3 2018-08-08 16:28:48

Demon
Member
From: Republic of Srpska, BA
Registered: 2008-03-02
Posts: 237

Thanks @nl6720! Just to clarify, dual boot with other Linux distros.

I am not yet sure where to even begin, I'll read everything from the wiki once again...

#4 2018-08-08 16:55:17

nl6720
Wiki Maintainer
Registered: 2016-07-02
Posts: 86

Where to begin? That's simple - with partitioning. You must partition the disk according to your desired layout.
To know the desired layout you need to make some decisions:

  1. will you be booting in BIOS or UEFI mode?

  2. MBR or GPT? (I suggest using GPT)

  3. do you want to use LUKS2?

Edit:
Forgot to ask, is the other Linux distro already installed?
Are you going to share any partitions between them (e.g. /home)?

Last edited by nl6720 (2018-08-08 17:19:42)

#5 2018-08-08 17:50:09

Demon
Member
From: Republic of Srpska, BA
Registered: 2008-03-02
Posts: 237

nl6720 wrote:

Where to begin? That's simple - with partitioning. You must partition the disk according to your desired layout.

Thanks for your continuous help! Yes, I have started with this guide here: https://web.archive.org/web/20180117044 … encryption

It helped me better understand what LVM and LUKS actually are.

nl6720 wrote:

will you be booting in BIOS or UEFI mode?

BIOS.

nl6720 wrote:

MBR or GPT? (I suggest using GPT)

I always use GPT. A 1 MB empty unformatted partition is already created.

nl6720 wrote:

do you want to use LUKS2?

Not sure which is better, does the guide above use LUKS1 or 2?

EDIT: Never mind, I have converted it to type 2.

nl6720 wrote:

Edit:
Forgot to ask, is the other Linux distro already installed?
Are you going to share any partitions between them (e.g. /home)?

No, will install it later, but I figured: I have another disk, so I will use that one for the other distro, so I guess this simplifies things a bit. /home won't be shared.

Last edited by Demon (2018-08-08 18:05:30)

#6 2018-08-08 18:07:58

Demon
Member
From: Republic of Srpska, BA
Registered: 2008-03-02
Posts: 237

Okay, I think I got it now, I just need to copy my files from this laptop to the target one. Before that, I need to add lvm and crypt to mkinitcpio.conf and recreate the kernel img. Once finished with copying, I shall recreate the grub config, it should cover everything else, right? Not sure what to do with fstab, I'll think of something along the way. :)

EDIT:

Warning: GRUB does not support LUKS2 headers. Make sure you do not specify luks2 for the type parameter when creating the encrypted partition using cryptsetup luksFormat.

DOH!

Last edited by Demon (2018-08-08 18:23:36)

#7 2018-08-08 18:47:40

nl6720
Wiki Maintainer
Registered: 2016-07-02
Posts: 86

Demon wrote:

Not sure which is better, does the guide above use LUKS1 or 2?

The "cryptsetup luksFormat" default is LUKS1; to use LUKS2 you must explicitly specify "--type luks2".

Demon wrote:

Warning: GRUB does not support LUKS2 headers. Make sure you do not specify luks2 for the type parameter when creating the encrypted partition using cryptsetup luksFormat.

DOH!

Why do you think I asked about LUKS2? :D
Your choices are either using only LUKS1 and keeping /boot in root volume or following dm-crypt/Encrypting an entire system#Encrypted boot partition (GRUB) and creating a LUKS1 partition for /boot and a LUKS2 partition for the rest of the system.


Demon wrote:

Not sure what to do with fstab, I'll think of something along the way.

Strangely, I can't find any LVM-specific fstab examples in the wiki. Basically use genfstab from the install image. Or, if you want to edit fstab manually, use the "/dev/MyVolGroup/volumename" paths for the LVM volumes.
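The LUKS1/LUKS2 distinction discussed in this post can be read straight from the on-disk header. The following is an added example, not part of the thread: it reports the header version and flags a container that GRUB, per the wiki warning quoted above, could not unlock. The function names and the sample header files are constructed for illustration.

```shell
#!/bin/sh
# Read the LUKS on-disk header of a device or image and print its version.
# Bytes 0-5 hold the magic "LUKS\xba\xbe"; bytes 6-7 hold the version, big-endian.
luks_version() {
    magic=$(dd if="$1" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ] || return 1        # not a LUKS container
    ver=$(dd if="$1" bs=1 skip=6 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    echo $((0x$ver))
}

# Decide whether the container that holds /boot can be opened by GRUB,
# following the wiki warning quoted in the thread (no LUKS2 header support).
boot_container_ok() {
    v=$(luks_version "$1") || { echo "$1: no LUKS header"; return 2; }
    if [ "$v" -eq 1 ]; then
        echo "$1: LUKS1, usable for an encrypted /boot"
    else
        echo "$1: LUKS$v, GRUB cannot unlock it; keep /boot on a LUKS1 container"
        return 1
    fi
}

# Constructed 8-byte sample headers standing in for real partitions.
make_sample() {   # make_sample FILE VERSION
    { printf 'LUKS\272\276\000'; printf "\\00$2"; } > "$1"
}

tmp=$(mktemp -d)
make_sample "$tmp/luks1.img" 1
make_sample "$tmp/luks2.img" 2
printf 'not a luks header' > "$tmp/plain.img"
for f in luks1.img luks2.img plain.img; do
    boot_container_ok "$tmp/$f" || true
done
```

On the real system, run `boot_container_ok /dev/sda3` as root against the partition that holds /boot (device name as in the layout from post #2).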

#8 2018-08-08 21:46:27

Demon
Member
From: Republic of Srpska, BA
Registered: 2008-03-02
Posts: 237

I can't believe that this actually worked! I didn't even have to touch fstab or crypttab!
I always use LABEL entries in my fstab, so this worked with this crypto setup as well!

The only problem is that swap was not activated, I'll look into this tomorrow. Also, still left to try the "BONUS" thingy (login just once).

EDIT: All good except that I need to enter my password twice. Any thoughts?

Last edited by Demon (2018-08-08 22:48:57)

#9 2018-08-08 23:37:13

Demon
Member
From: Republic of Srpska, BA
Registered: 2008-03-02
Posts: 237

Edit: Actually, instructions from https://www.pavelkogan.com/2014/05/23/l … login-once worked, I just had to use a larger key file (`dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin`).

I am happy with this setup now!

Once again @nl6720, thanks for the help!
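The configuration steps from posts #6 and #9 (initramfs hooks, GRUB config, embedded keyfile) can be verified before rebooting. The following is an added example, not part of the thread. It assumes the busybox-based `encrypt` and `lvm2` mkinitcpio hooks, `GRUB_ENABLE_CRYPTODISK` and the `cryptdevice=` kernel parameter from Arch's mkinitcpio and GRUB setup; the function names, sample files and mapping name are constructed, and the keyfile permission test is an added hardening check.

```shell
#!/bin/sh
# Pre-reboot checks for the migrated system (busybox "encrypt" hook assumed).
pos() {   # pos WORD LIST... -> 1-based index of WORD in LIST, 0 if absent
    w=$1; shift; i=0
    for h in "$@"; do i=$((i + 1)); [ "$h" = "$w" ] && { echo "$i"; return; }; done
    echo 0
}

check_hooks() {   # check_hooks MKINITCPIO_CONF
    hooks=$(sed -n 's/^HOOKS=[("]\(.*\)[)"].*/\1/p' "$1" | tail -n 1)
    e=$(pos encrypt $hooks); l=$(pos lvm2 $hooks); f=$(pos filesystems $hooks)
    [ "$e" -gt 0 ] || { echo "HOOKS: encrypt missing"; return 1; }
    [ "$l" -gt 0 ] || { echo "HOOKS: lvm2 missing"; return 1; }
    # LVM on LUKS: unlock first, then activate the volume group, then mount.
    { [ "$e" -lt "$l" ] && [ "$l" -lt "$f" ]; } ||
        { echo "HOOKS: order must be encrypt, lvm2, filesystems"; return 1; }
}

check_grub() {   # check_grub ETC_DEFAULT_GRUB
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$1" ||
        { echo "grub: GRUB_ENABLE_CRYPTODISK=y not set"; return 1; }
    grep -Eq '^GRUB_CMDLINE_LINUX(_DEFAULT)?=.*cryptdevice=' "$1" ||
        { echo "grub: cryptdevice= kernel parameter missing"; return 1; }
}

check_keyfile() {   # check_keyfile MKINITCPIO_CONF KEYFILE
    grep -Eq '^FILES=.*crypto_keyfile\.bin' "$1" ||
        { echo "FILES: keyfile not embedded, second passphrase prompt expected"; return 1; }
    # Added hardening check: the keyfile opens the disk, so no group/other access.
    [ "$(ls -ld "$2" | cut -c5-10)" = "------" ] ||
        { echo "$2: accessible by group or others"; return 1; }
}

# Constructed sample files standing in for /etc/mkinitcpio.conf, /etc/default/grub
# and /crypto_keyfile.bin; the UUID and mapping name are placeholders.
d=$(mktemp -d)
cat > "$d/mkinitcpio.conf" <<'EOF'
FILES=(/crypto_keyfile.bin)
HOOKS=(base udev autodetect keyboard modconf block encrypt lvm2 filesystems fsck)
EOF
cat > "$d/grub" <<'EOF'
GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX="cryptdevice=UUID=PLACEHOLDER-UUID:cryptlvm"
EOF
dd bs=512 count=4 if=/dev/urandom of="$d/crypto_keyfile.bin" 2>/dev/null
chmod 600 "$d/crypto_keyfile.bin"
check_hooks "$d/mkinitcpio.conf" && check_grub "$d/grub" &&
    check_keyfile "$d/mkinitcpio.conf" "$d/crypto_keyfile.bin" && echo "all checks passed"
```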
