Does anyone know how to encrypt an existing partition in Linux while preserving its data?

11

4

If I have a partition like /dev/hd1 that is unencrypted and want it to be encrypted, but want to keep everything currently in that partition, how can I do that?

greg

Posted 2010-11-30T20:25:11.037

Reputation: 121

Answers

4

There does not seem to be a solution to do that in place. TrueCrypt offers system encryption only for Windows; dm-crypt overwrites partitions. Your best bet would be to move everything from that partition into a backup with cp -a, create an encrypted partition with LUKS/dm-crypt and move everything back.

user54114

Posted 2010-11-30T20:25:11.037

Reputation: 457

1 rsync is more suitable than cp for this kind of operation, as it has options to exclude specific folders, handle specific file types, etc. – ccpizza – 2017-12-02T22:23:12.823

14

Since this comes up near the top of Google results, adding a solution:

LUKS in place encryption via http://www.johannes-bauer.com/linux/luksipc/

jwilkins

Posted 2010-11-30T20:25:11.037

Reputation: 271

6

This is trivial if you choose plain dm-crypt. It's risky - if it fails part-way through (power cut or whatever) then you're stuffed!

Ensure the raw device isn't mounted then create an encrypted device for it and use dd to copy from the raw device to the encrypted one:

$ cryptsetup open /dev/sda sda-crypt --type plain
$ dd if=/dev/sda of=/dev/mapper/sda-crypt bs=512

The plaintext data is read from /dev/sda and written to the device mapper, /dev/mapper/sda-crypt, which encrypts it and writes it back to /dev/sda, overwriting the plaintext data that was read.

It will likely take some time due to it reading and writing the entire disk.

starfry

Posted 2010-11-30T20:25:11.037

Reputation: 1 169

How do you then mount? – jdborg – 2016-03-24T23:39:43.560

You mount it with mount /dev/mapper/sda-crypt /mnt, or whatever mount point you need. Of course, you must unlock /dev/sda first, as shown above. – starfry – 2016-03-25T10:07:54.860

1

Actually you can convert from a plain filesystem partition to dm-crypt.

But it's risky and cumbersome.

There is an outdated tutorial here: https://help.ubuntu.com/community/EncryptedFilesystemHowto7

Dm-crypt maps one block to one block, so in theory it is doable. LUKS is a user-friendly container that uses dm-crypt inside it. A LUKS partition contains a header and a dm-crypt partition inside it, where the encrypted filesystem really lives.

Warnings:

  1. If you choose to go LUKS then your task is even harder, and you will need to know exactly how much ahead the dm-crypt data should be with respect to the beginning of the official partition.

  2. In any case, if your system crashes or halts during the procedure you lose your data.

More references:

http://www.richardneill.org/a22p-mdk11-0.php#encrypt2

http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptExistingDevice

user39559

Posted 2010-11-30T20:25:11.037

Reputation: 1 783
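
The plain dm-crypt answer relies on a 1:1 sector mapping, and the last answer warns that a LUKS header shifts the data; the simulation below is an added example (not code from any answer, nor from cryptsetup or luksipc) showing why a forward copy is safe at offset 0 and destructive once an offset exists. The XOR stand-in toy_encrypt, the 8-sector disk and every function name are constructed for illustration, and the spare sectors at the end of the disk assume the filesystem was shrunk first.

```python
SECTOR = 512

def toy_encrypt(sector: bytes) -> bytes:
    # Stand-in for the dm-crypt sector transform (NOT a real cipher);
    # only the one-sector-in, one-sector-out shape matters. XOR is its own inverse.
    return bytes(b ^ 0xA5 for b in sector)

def convert_in_place(disk: bytearray, n_data: int, offset: int, backward: bool) -> None:
    """Read plaintext sector i, write its ciphertext to sector i + offset.

    offset == 0 models plain dm-crypt (the dd pass from the answer);
    offset > 0 models a header occupying the first `offset` sectors.
    """
    order = range(n_data - 1, -1, -1) if backward else range(n_data)
    for i in order:
        plain = bytes(disk[i * SECTOR:(i + 1) * SECTOR])
        dst = (i + offset) * SECTOR
        disk[dst:dst + SECTOR] = toy_encrypt(plain)

def recovered(disk: bytearray, n_data: int, offset: int) -> bytes:
    """Plaintext a mount would see after unlocking the mapping."""
    out = bytearray()
    for i in range(n_data):
        src = (i + offset) * SECTOR
        out += toy_encrypt(bytes(disk[src:src + SECTOR]))
    return bytes(out)

def trial(offset: int, backward: bool, n_data: int = 8) -> bool:
    """Return True if the data survives the in-place conversion."""
    # Constructed disk: sector i is filled with byte value i + 1, followed by
    # `offset` spare sectors (the space freed by shrinking the filesystem).
    disk = bytearray((n_data + offset) * SECTOR)
    for i in range(n_data):
        disk[i * SECTOR:(i + 1) * SECTOR] = bytes([i + 1]) * SECTOR
    original = bytes(disk[:n_data * SECTOR])
    convert_in_place(disk, n_data, offset, backward)
    return recovered(disk, n_data, offset) == original

if __name__ == "__main__":
    print("plain, forward copy:      ", trial(0, backward=False))
    print("2-sector header, forward: ", trial(2, backward=False))
    print("2-sector header, backward:", trial(2, backward=True))
```

With an offset, each forward write lands on plaintext that has not been read yet, so the copy has to run from the last sector toward the first. An interruption part-way through leaves the device half converted in every case.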