Encrypting a disk in place with luksipc, without data loss

6 May 2023 3 minutes Author: D2-R2

What is disk encryption?

There are many threats to your personal data, and some protections are universal, such as keeping your home computer away from third parties and minors, or using a PIN code to unlock your phone screen. Another effective method is to write a message in such a way that only the person to whom it is addressed can read it. Storing information in encrypted form protects you in advance from embarrassing situations and mistakes.
Disk encryption protects files independently of the operating system's access controls, so the content stays protected even when the operating system's authorization step is bypassed. It is a data protection tool that encrypts the contents of a computer's hard drive and makes the files unreadable by unauthorized users. The encryption process uses a specific key. Only the correct key decrypts the contents and allows the files to be read.

The luksipc utility

Sometimes you forget to encrypt the disk when installing the distribution and need to encrypt it later. On Linux, the default tool for this is cryptsetup with LUKS. To encrypt an existing partition with it, you have to copy the data somewhere else, create a LUKS device, create a new file system on the opened LUKS device, and copy all the data back. This is very inconvenient. Fortunately, there is the luksipc utility, which converts (unencrypted) block devices to (encrypted) LUKS devices in place (hence the name: LUKS in-place conversion). The conversion is done without copying all the data elsewhere and re-creating the entire disk. Instead, the process boils down to:

  • unmounting the file system;

  • performing the encryption with luksipc;

  • resizing the file system to shrink it;

  • adding user keys to the LUKS keychain.

So, let’s begin. (I strongly recommend you make a backup first).

 

 

1. First, unmount the device:


2. Next, shrink the file system. For ext4 it is done as follows (I'll work with the /dev/sda2 partition throughout). First, see how many blocks the file system has:



3. Reduce the size: 156262752 - 1024 (4k blocks) = 156261728



4. Now let’s install the luksipc utility:



5. Now for the encryption itself. luksipc will create a key file, /root/initial_keyfile.bin, that can be used to access the newly created LUKS device.


6. One thing you should definitely do is add the key you want to use for your device, possibly deleting the original key file afterwards:



7. You can now open the encrypted device using the command:



8. And mount it:
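
The sequence for steps 1 to 8, as an added dry-run example (not the original article's own commands): it computes the shrunken block count from `tune2fs -l` output and prints the commands without running any of them. The mapper name `sda2_crypt`, the mount point `/mnt` and the sample `tune2fs` lines are assumptions made for this example; installing luksipc (step 4) is left to your distribution.

```shell
#!/bin/sh
# Dry-run planner for the in-place conversion: prints the commands, runs none.
# DEV is the article's partition; NAME and MNT are assumed names for this example.
DEV=/dev/sda2
NAME=sda2_crypt
MNT=/mnt
KEYFILE=/root/initial_keyfile.bin   # key file luksipc writes, per the article
RESERVE_BLOCKS=1024                 # blocks removed from the file system (step 3)

# Constructed sample of the relevant `tune2fs -l` lines (step 2).
SAMPLE_TUNE2FS='Filesystem state:         clean
Block count:              156262752
Block size:               4096'

# field LABEL: print the value of a "LABEL: value" line read from stdin.
field() {
    awk -F': *' -v k="$1" '$1 == k { print $2; exit }'
}

# shrunk_blocks: read tune2fs -l output on stdin, print the new block count.
# Fails when the count is missing or too small to shrink safely.
shrunk_blocks() {
    count=$(field 'Block count')
    case $count in ''|*[!0-9]*) echo 'no block count found' >&2; return 1 ;; esac
    [ "$count" -gt "$RESERVE_BLOCKS" ] || { echo 'file system too small' >&2; return 1; }
    echo $((count - RESERVE_BLOCKS))
}

# plan: read tune2fs -l output on stdin and print the commands in step order.
plan() {
    new=$(shrunk_blocks) || return 1
    cat <<EOF
umount $DEV
e2fsck -f $DEV
resize2fs $DEV $new
luksipc -d $DEV
cryptsetup luksAddKey $DEV --key-file $KEYFILE
cryptsetup luksOpen $DEV $NAME
mount /dev/mapper/$NAME $MNT
EOF
}

printf '%s\n' "$SAMPLE_TUNE2FS" | plan
```

`luksAddKey` prompts for the new passphrase; keep the key file until that passphrase has been confirmed to open the device.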


