-2

I've seen a few questions on this, but the general answer was to just reinstall. Although that is the best and easiest solution, this unfortunately is not possible in my situation.

I was thinking of the following solution.

Current partition layout:

/dev/vda1      linux/boot  250mb
/dev/vda2      extended    15GiB
  |_/dev/vda5  Linux LVM   15GiB

LVM has 2 LVs: 13GiB /root and 2GiB /swap.

It's a clean minimum VPS install with a <1GB footprint. So my idea is to:

  1. remove the swap drive
  2. shrink LVM partition
  3. create a new temp 2gb partition
  4. move root to temp partition
  5. remove LVM, set up new LVM on LUKS partition.
  6. move temp root to the new LVM on LUKS
  7. remove temp root, resize LUKS/LVM partition back to 15GB to set up 2GB swap again.

Any reason this would not work? And if not, I'm stuck on step 2/3.

After removing the swap LV I resized PV /dev/vda5 to 13GiB; pvdisplay shows 13GiB correctly.

However, when I go to cfdisk to create a new temp root partition, it still shows /dev/vda5 as 15GiB.

I have the feeling I'm missing a step here to get that 2GiB from the removed swap drive into unpartitioned space?

Jowski
  • I wouldn't even bother reinstalling. It is not going to help you with the real problem. Encrypting a VPS doesn't make any sense. It's the host system that must be encrypted. If you are trying to protect your data from the VPS host, [unfortunately it is not possible](https://serverfault.com/q/484707/126632). – Michael Hampton May 03 '19 at 03:05
  • Right you are, of course, and pointing out the limitations is certainly noteworthy (nothing is more dangerous than a false sense of security). But this VM isn't hiding anything from government agencies or anything worthy of hackers' attention. It's a secondary development server and this is just to keep casual Joes out and prevent any offline qcow backups from being readable. And I must admit, at least 20% of my motivation is that it bothers me I couldn't get it done. – Jowski May 03 '19 at 04:24

1 Answer

0

I ended up solving this by making a 1GB ramdrive and pivoting root + the whole system in there. Then removing the LVM partition, recreating LVM on LUKS and moving root onto the new drive.

For anybody interested.

  1. Create tmpfs ramdisk and move root
  2. remove/create partitions (run partprobe if anything in the layout changed)
  3. Set up new encrypted LUKS LVM, copy everything back and make system bootable again

Be careful doing this in VMs where you don't own the host, as Michael Hampton correctly pointed out:

> It is not going to help you with the real problem. Encrypting a VPS doesn't make any sense. It's the host system that must be encrypted. If you are trying to protect your data from the VPS host, unfortunately it is not possible.

Anybody with access to the host could take RAM snapshots which will have the LUKS decryption key.

Jowski
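Step 3 of the answer above (new LVM on LUKS, then copying the system back), written out as an added example that is not part of the original post. The VG name `vg0`, mapper name `cryptlvm`, ext4, the mount point `/mnt/newroot` and the `crypttab_line` helper are assumptions; commands are only printed unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumed names: vg0, cryptlvm,
# /mnt/newroot, ext4. Dry-run by default: set APPLY=1 to really execute.

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

luks_lvm_setup() {
    dev=$1; vg=${2:-vg0}; map=${3:-cryptlvm}
    case $dev in
        /dev/*) ;;
        *) echo "refusing: '$dev' is not a /dev path" >&2; return 1 ;;
    esac
    # Step 2 changed the partition table, so make the kernel re-read it.
    run partprobe
    # LUKS container directly on the partition (prompts for a passphrase).
    run cryptsetup luksFormat "$dev"
    run cryptsetup open "$dev" "$map"
    # LVM lives inside the opened container, not on the raw partition.
    run pvcreate "/dev/mapper/$map"
    run vgcreate "$vg" "/dev/mapper/$map"
    # Same split as the question: 2G swap, the rest for root.
    run lvcreate -L 2G -n swap "$vg"
    run lvcreate -l 100%FREE -n root "$vg"
    run mkfs.ext4 "/dev/$vg/root"
    run mkswap "/dev/$vg/swap"
    # Copy the running tmpfs root back; -x keeps cp on one filesystem,
    # so /proc, /sys, /dev and the new mount itself are skipped.
    run mkdir -p /mnt/newroot
    run mount "/dev/$vg/root" /mnt/newroot
    run cp -ax /. /mnt/newroot/
}

# /etc/crypttab entry for the new container; the UUID is the output of
# `cryptsetup luksUUID <device>` once the container exists.
crypttab_line() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}
```

After sourcing the file, `luks_lvm_setup /dev/vda5` prints the sequence for review. Updating `/etc/fstab` and regenerating the initramfs so it can unlock the container at boot are distribution-specific and not covered here.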