Can we do full disk encryption of an already installed Linux machine?

1

I need some information regarding any possibility to do full disk encryption for an already installed Linux system (e.g. CentOS or Ubuntu).

Is there any default mechanism for FDE present in Linux, like "FileVault 2" in Mac OS X?

I have done some research on this and came across "dm-crypt", which is the standard device-mapper encryption functionality provided by the Linux kernel.

My need is to have a shell/bash script to be invoked on the Linux machine for doing Full Disk Encryption.

Any help/insight or suggestion will be of great help.

Govind Karmakar

Posted 2015-04-10T05:26:30.373

Reputation: 41

Since you didn't provide which distro you want to install it on, I'd probably just go with LUKS. http://www.cyberciti.biz/hardware/howto-linux-hard-disk-encryption-with-luks-cryptsetup-command/

– RoraΖ – 2015-04-10T11:15:51.467

Answers

0

In short, FDE would be an issue you would want to address during the install. If your partitioning schema uses LVM you could set up an encrypted volume using LUKS, copy system files to it, and reassign mount points in your /etc/fstab file, but this is ill advised, and very likely error-prone.

Now that your install is already 'mature' (in the sense that it's already installed and broken in), you might be better off concentrating on encrypting your home folder instead. For such operations you might look into cryptsetup or eCryptfs. With full-disk encryption, a running machine is already in the auth'ed environment, whereas home folder encryption at least has the benefit of keeping the volume in question encrypted as long as the user isn't logged in.

But in summary, your best option to look into if still wanting full disk encryption (or at least partition encryption at this point in your install's maturity) would be LUKS.

SYANiDE

Reputation: 101

Sure, no problem. Glad I could be of some help. – SYANiDE – 2015-04-10T07:19:41.247

Hi, I have a question once again: for "cryptsetup" & "eCryptfs" we need to install the setup to work from the command line interface. Is there any such application installed by default in Linux which can let me access "dm-crypt"? – Govind Karmakar – 2015-04-10T09:00:37.590

Basically I need to create a shell script to perform this job, preferably without installing any other setup on the endpoint. Thanks!! – Govind Karmakar – 2015-04-10T09:04:21.187

For scripting the creation and automated mounting of a dm-crypt managed partition, take a look at the following writeup: http://bash.cyberciti.biz/security/linux-opens-luks-partition-mount-dm-crypt-partition/

– SYANiDE – 2015-04-10T15:43:43.287

Thanks for the help. I am able to encrypt the drive using dm-crypt & cryptsetup, but it is formatting the partition before encrypting it. Is there any other way to encrypt the disk without formatting it? The machines are already installed, so re-installing or formatting is not possible. – Govind Karmakar – 2015-04-13T08:46:40.590

As far as I'm aware, no. Full-disk encryption is an aspect you'll want to consider at the time of installation or partition/volume creation. It can't be applied as an afterthought. – SYANiDE – 2015-04-13T19:26:27.983

0

Install cryptsetup-reencrypt (not installed by default). I highly advise using it from a chroot environment, though.

linuxdev2013

Reputation: 1,051

This might have the makings of being the definitive answer, but more details would be nice. What is this package? How do I use it? Do I use this from the system I want to encrypt or from a separate live boot? – Journeyman Geek – 2015-04-26T22:21:02.850

The package is called "cryptsetup-reencrypt". On a running system (assuming it is not the root drive or inclusive of it) or from a second system or live media (aka an installer on USB/DVD), install the package on a USB instance if need be and run it on the drive/partition/LVM as desired. In my case: 1) fire up a USB instance, 2) install cryptsetup-reencrypt, 3) run sudo cryptsetup-reencrypt {OPTIONS} /dev/sdXY – linuxdev2013 – 2015-04-28T10:31:07.310

This needs to be in your answer ;) – Journeyman Geek – 2015-04-28T12:36:58.160

@JourneymanGeek technically it doesn't; it is NOT for all users even – linuxdev2013 – 2015-04-28T13:04:37.253
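The non-destructive path the comments above point at (cryptsetup-reencrypt in "--new" mode, instead of the formatting luksFormat step the asker ran into) as an added example script; it is not code from the thread or from the cryptsetup project. It assumes an ext4 filesystem on a non-root data partition, a verified backup, and that the partition is not in use (live media or a second system); the header reservation of 4096 sectors is an assumption sized for a LUKS1 header.

```shell
#!/bin/sh
# Added example: plan (DRY_RUN=1, default) or execute as root (DRY_RUN=0) an
# in-place encryption of an EXISTING, UNMOUNTED, non-root ext4 partition with
# the legacy cryptsetup-reencrypt tool. Assumes a verified backup exists.
set -eu

DRY_RUN="${DRY_RUN:-1}"
# Sectors reserved at the start of the device for the LUKS header.
# 4096 sectors = 2 MiB, enough for a LUKS1 header (assumed; LUKS2 needs more).
HEADER_SECTORS="${HEADER_SECTORS:-4096}"

# Return 0 if $1 appears as a mounted source in a /proc/mounts-style table on
# stdin. Reading stdin lets the check run against constructed sample data.
is_mounted() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }'
}

# New filesystem size in 512-byte sectors: device size minus the reservation,
# so shifting the data forward to make room for the header cannot truncate it.
shrunk_sectors() {
    total="$1"; reserve="$2"
    [ "$total" -gt "$reserve" ] || { echo "device smaller than header" >&2; return 1; }
    echo $((total - reserve))
}

# Print each step in dry-run mode, execute it otherwise.
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# encrypt_in_place DEVICE TOTAL_SECTORS   (TOTAL_SECTORS from: blockdev --getsz DEVICE)
encrypt_in_place() {
    dev="$1"; total="$2"; name="$(basename "$dev")_crypt"
    if [ -r /proc/mounts ] && is_mounted "$dev" </proc/mounts; then
        echo "refusing: $dev is mounted; unmount it or boot live media" >&2
        return 1
    fi
    new="$(shrunk_sectors "$total" "$HEADER_SECTORS")"
    run e2fsck -f "$dev"                     # resize2fs requires a clean filesystem
    run resize2fs "$dev" "${new}s"           # shrink the fs to free room for the header
    run cryptsetup-reencrypt --new --reduce-device-size "${HEADER_SECTORS}S" "$dev"
    run cryptsetup luksOpen "$dev" "$name"   # verify the new LUKS header opens
    run e2fsck -f "/dev/mapper/$name"
    run resize2fs "/dev/mapper/$name"        # grow the fs back to fill the mapping
}
```

With DRY_RUN=1 the script only prints the commands, which is the form to review before running it as root on the real partition.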