11
4
If I have a partition like /dev/hd1 that is unencrypted and want it to be encrypted, but want to keep everything currently in that partition, how can I do that?
4
There does not seem to be a solution to do that in place. Truecrypt offers the system encryption only for Windows, dm-crypt overwrites partitions.
Your best bet would be to move everything from that partition into a backup with cp -a, create an encrypted partition with luks/dm-crypt and move everything back.
14
Since this comes up near the top of Google results, adding solution:
LUKS in place encryption via http://www.johannes-bauer.com/linux/luksipc/
6
This is trivial if you choose plain dm-crypt. It's risky - if it fails part-way through (power cut or whatever) then you're stuffed!
Ensure the raw device isn't mounted then create an encrypted device for it and use dd to copy from the raw device to the encrypted one:
$ cryptsetup open /dev/sda sda-crypt --type plain
$ dd if=/dev/sda of=/dev/mapper/sda-crypt bs=512
The plaintext data is read from /dev/sda and written to the device mapper, /dev/mapper/sda-crypt, which encrypts it and writes it back to /dev/sda, overwriting the plaintext data that was read.
It will likely take some time due to it reading and writing the entire disk.
How do you then mount? – jdborg – 2016-03-24T23:39:43.560
You mount: mount /dev/mapper/sda-crypt /mnt or whatever mount-point you need. Of course, you must unlock /dev/sda first, as shown above. – starfry – 2016-03-25T10:07:54.860
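The two commands from the answer above, wrapped in the checks that matter for an irreversible in-place copy: refuse a mounted device, pin the plain-mode parameters (plain dm-crypt stores no header to remember them), and compare a digest of the plaintext taken before the copy with what a reopened mapping returns. This is an added example, not code from the answer or its comments; the function names, the cipher, key-size and hash values, and the /dev/sdX names are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example: guard rails around the in-place plain dm-crypt conversion.

# True if device $1, or a partition of it, is a mount source in the mounts
# table $2 (default /proc/mounts). Prefix match, so it errs toward refusing.
is_mounted() {
    awk -v d="$1" 'index($1, d) == 1 { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# SHA-256 of everything readable from $1 (a device or a file).
digest() {
    sha256sum < "$1" | cut -d' ' -f1
}

# Open $1 as /dev/mapper/$2 in plain mode; extra cryptsetup options follow.
# Plain mode writes no header, so the parameters are spelled out instead of
# relying on the installed version's defaults. The values chosen here are an
# assumption of this example, not something the answer specifies.
open_plain() {
    local dev=$1 name=$2
    shift 2
    cryptsetup open "$dev" "$name" --type plain \
        --cipher aes-xts-plain64 --key-size 512 --hash sha256 "$@"
}

# Usage (as root): convert_in_place /dev/sdX sdX-crypt   (placeholder names)
convert_in_place() {
    local dev=$1 name=$2 before after
    if is_mounted "$dev"; then
        echo "$dev is mounted, refusing" >&2
        return 1
    fi
    before=$(digest "$dev") || return 1     # digest of the plaintext
    # Ask for the passphrase twice: a typo here cannot be undone later.
    open_plain "$dev" "$name" --verify-passphrase || return 1
    # Same copy as in the answer; conv=fsync flushes before dd exits.
    dd if="$dev" of="/dev/mapper/$name" bs=512 conv=fsync || return 1
    # Close and reopen (passphrase asked again) so the comparison reads
    # back through a fresh mapping with the same passphrase and parameters.
    cryptsetup close "$name" || return 1
    open_plain "$dev" "$name" || return 1
    after=$(digest "/dev/mapper/$name") || return 1
    if [ "$before" != "$after" ]; then
        echo "digest mismatch: do not trust $dev" >&2
        return 1
    fi
    echo "verified: /dev/mapper/$name matches the original plaintext"
}
```

The digest passes read the whole device twice more, so the run takes roughly three times as long as the bare dd; a mismatch is detected only after the plaintext has been overwritten, which is why a separate backup is still needed.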
1
Actually you can convert from a plain filesystem partition to dm-crypt.
But it's risky and cumbersome.
There is an out-dated tutorial here: https://help.ubuntu.com/community/EncryptedFilesystemHowto7
Dm-crypt maps one block to one block, so in theory it is doable. Luks is a user-friendly container that uses dm-crypt inside it. A luks partition contains a header and a dm-crypt partition inside it, where the encrypted filesystem really lives.
Warnings:
If you choose to go Luks then your task is even harder, and you will need to know exactly how much ahead the dm-crypt data should be with respect to the beginning of the official partition.
In any case, if your system crashes or halts during the procedure you lose your data.
More references:
http://www.richardneill.org/a22p-mdk11-0.php#encrypt2
http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptExistingDevice
1
rsync is more suitable than cp for this kind of operation, as it has options to exclude specific folders, handle specific file types, etc. – ccpizza – 2017-12-02T22:23:12.823