Encrypting the whole system after the installation and using an external device
Hi!
I'm running a dual-boot machine with Win7 and Arch Linux. Arch Linux is separated into 4 partitions: 1) SWAP 2) / 3) HOME 4) BOOT. The thing is that they are not encrypted, and now I am really thinking of encrypting them. I read on the net that the only thing I can do now (as it is already installed) is to encrypt only the home with the ecryptfs method. I don't want to use that method but the LUKS one. On the other hand, I have my Linux configured and I don't want to format and do all the configuration from the beginning.

So I came here to discuss the following idea. What if I transfer my whole system (root, boot, home) to a portable HDD, then boot from a live USB and create the new LUKS partitions for boot, root and home, and when finished transfer the whole data back from the portable HDD to the local HDD? Is something like this going to work or not? If yes, could you please provide me with some additional tutorials or some hints from your own experience? Thank you. |
Yes it will work, but bootloader considerations are paramount.
Why haven't you perused the Arch wiki? On this subject (as on most) it is one of the best resources on the web. |
Transferring the data to an external drive, reformatting the internal drive according to your needs, dumping the data back from the external system to the internal one and then configuring the bootloader will do the trick (I have done it in the past with other distributions). Remember to sanitize your external drive after you do this, in order to prevent forensic analysts from retrieving information from it.
|
It's the first time I'm dealing with something like this and I would like some better description. Thank you again for your answers. |
I have used cp -a several times to move my Gentoo to a new hard drive.
|
Forewarning: If you are not familiar with your bootloader's configuration mechanisms or with creating initrds from your kernel, it is just easier to make a backup of your /home and the most valuable configuration files and just reinstall.
@netumber, there are many options. I just boot up the workstations using System Rescue CD, mount the computer under /mnt/custom and an external device under /mnt/backup and copy everything over using rsync. Tar, partimage or fsarchive should also do the trick. Once everything is copied to the external device, you can unmount /mnt/custom, reformat the internal workstation drive as you wish, mount its filesystems again and transfer the stuff back. Code:
; Formatting the internal device - example. Code:
; Chroot the proper way, should do the trick in most systems |
Thank you very much. Your answer is very descriptive. When I find some time I'll try to expand it with bootloader and kernel information and discuss them.
Thank you once more. |
I would use rsync to move the files around. You don't need to copy
Code:
/tmp, /proc, /dev, /sys, /var/run, /var/tmp, /run |
Hello again. Here is a revision of the steps. Could you please read it and fix any misconceptions, if there are any, or suggest something different?

1) Back up the whole system to the external drive from the existing OS.
Code:
# rsync -aAXv --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"} / /mnt/usbDisk/oldSys
Code:
# umount /mnt/usbDisk
4) Delete all the existing Linux partitions and overwrite the merged partition (sda4) with random data. [info] /dev/sda1,2,3 are the partitions for Windows.
Code:
dd if=/dev/urandom of=/dev/sda4
a) /dev/sda5 - 512M - bootable - Partition type: Linux (83)
b) /dev/sda6 - 230G - not bootable - Partition type: Linux (83)
6) Load the kernel module for dm_crypt.
Code:
# modprobe dm_crypt
Code:
# cryptsetup -c aes-xts-plain64 -s 512 -h sha512 -i 5000 -y luksFormat /dev/sda6
-s specifies the length of the encryption key (XTS uses two keys, therefore the key size here is 256)
-h specifies the hashing algorithm
-i specifies the number of milliseconds to spend on PBKDF2 passphrase processing (our hashing algorithm is stronger than sha1, thus this number should be higher than the default 1000)
-y asks for the passphrase two times (as confirmation)
8) Check if everything went OK with the encryption. This should return data about the encryption type etc.
Code:
# cryptsetup luksDump /dev/sda6
Code:
# cryptsetup luksOpen /dev/sda6 lvm-crypt
Code:
# lvm pvcreate /dev/mapper/lvm-crypt
# lvm vgcreate lvmpool /dev/mapper/lvm-crypt   # creates the volume group that lvcreate below refers to
Code:
# lvm lvcreate -L 100GB -n root lvmpool
Code:
# mkfs.ext4 /dev/sda5 # boot partition
Code:
# mount /dev/sdb1 /media/usbDisk
Code:
# mount /dev/mapper/lvm-crypt/root /mnt # / partition
Code:
# rsync -axX /media/usbDisk/oldSys/ /mnt/   # trailing slashes: copy the contents of oldSys, not the directory itself
Code:
mkdir /mnt/dev /mnt/proc /mnt/sys /mnt/tmp /mnt/run /mnt/mnt /mnt/media /mnt/lost+found
Code:
vim /mnt/boot/grub/grub.cfg
and change line 15
Code:
linux /vmlinuz-linux root=UUID=27ae6f98-7203-480e-abb1-097e606d9e01 rw quiet
Code:
linux /vmlinuz-linux cryptdevice=UUID=<u-u-i-d>:<n-a-m-e> root=/dev/mapper/lvm-crypt/root rw quiet
If I get such a result, for example:
Code:
└─sda6 crypto_LUKS e99fc375-b62d-4f45-8fd0-baf2370309d3
and the <n-a-m-e> is luks-e99fc375-b62d-4f45-8fd0-baf2370309d3, so the above line becomes:
Code:
linux /vmlinuz-linux cryptdevice=UUID=e99fc375-b62d-4f45-8fd0-baf2370309d3:luks-e99fc375-b62d-4f45-8fd0-baf2370309d3 root=/dev/mapper/lvm-crypt/root rw quiet
Code:
# genfstab -U -p /mnt >> /mnt/etc/fstab
Code:
# chroot /mnt
Code:
HOOKS="base udev autodetect keyboard keymap modconf block encrypt lvm2 filesystems fsck"   # keyboard and keymap before encrypt, so the keyboard works at the passphrase prompt
Code:
mkinitcpio -p linux
20) Reboot. Unmount all and reboot. |
Most of it looks fine.
1) I would not back up from a running operating system; there is always the risk of inconsistency. It is better to back up from a live system.
4) Seems fine; you can use bs=1M with dd for improved speed.
14) It does not look like your way of mounting the LVMs would work. You can check the correct paths of your LVM volumes using lvscan.
15) I have disavowed grub, so I don't know how that works in Arch. I am also not familiar with 17) because it looks like it is Arch specific. |
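The whole procedure from this thread as one script, added here as an example; it is not code from any of the posts. It assumes the device names and sizes from the original post (/dev/sda5 for boot, /dev/sda6 for the LUKS container, /dev/sdb for the external drive, already partitioned by hand with fdisk), the names lvmpool and lvm-crypt, and a backup directory of /mnt/usbDisk/oldSys; all of these are assumptions and can be overridden through environment variables. It incorporates the corrections from the replies: the backup runs from a live system with the old root mounted, dd gets bs=1M, the missing vgcreate step is there, the root LV is mounted at the path LVM actually creates (/dev/mapper/lvmpool-root, the name lvscan would report, as opposed to the post's /dev/mapper/lvm-crypt/root), keyboard precedes encrypt in HOOKS, the kernel parameters go into /etc/default/grub followed by grub-mkconfig instead of a hand edit of grub.cfg, and the external drive is sanitized at the end. By default (DRY_RUN=1) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not code from the thread. Device names, sizes, paths and the
# names "lvmpool"/"lvm-crypt" are assumptions taken from the original post.
set -u

DRY_RUN=${DRY_RUN:-1}                  # 1 = only print commands; DRY_RUN=0 executes them
OLD_ROOT=${OLD_ROOT:-/mnt/custom}      # old root, mounted from the live system
BACKUP=${BACKUP:-/mnt/usbDisk/oldSys}  # copy of the old system on the external drive
BACKUP_DEV=${BACKUP_DEV:-/dev/sdb}     # the external drive itself (for sanitizing)
BOOT_DEV=${BOOT_DEV:-/dev/sda5}
LUKS_DEV=${LUKS_DEV:-/dev/sda6}
CRYPT_NAME=lvm-crypt                   # name given to the opened LUKS container
VG=lvmpool                             # LVM volume group inside the container
# Directories left out of the backup; they must exist again on the new root.
EXCLUDED_DIRS="dev proc sys tmp run mnt media lost+found"
# keyboard/keymap before encrypt (USB keyboard at the passphrase prompt),
# encrypt before lvm2, lvm2 before filesystems.
HOOKS_GOOD="base udev autodetect keyboard keymap modconf block encrypt lvm2 filesystems fsck"

run() { if [ "$DRY_RUN" = 1 ]; then printf '[dry-run] %s\n' "$*"; else "$@"; fi; }

# Device-mapper path of an LV: /dev/mapper/<vg>-<lv>, with any '-' inside a
# name doubled. This is what the post's "/dev/mapper/lvm-crypt/root" should be.
lv_dm_path() {
  printf '/dev/mapper/%s-%s\n' "$(printf '%s' "$1" | sed 's/-/--/g')" \
                                "$(printf '%s' "$2" | sed 's/-/--/g')"
}

# Kernel parameters the encrypt and lvm2 hooks need, for GRUB_CMDLINE_LINUX.
grub_cmdline() {  # $1 = UUID of the LUKS partition (cryptsetup luksUUID)
  printf 'cryptdevice=UUID=%s:%s root=%s\n' "$1" "$CRYPT_NAME" "$(lv_dm_path "$VG" root)"
}

hook_index() {  # position of hook $2 in HOOKS string $1, or -1 if absent
  local i=0 h
  for h in $1; do [ "$h" = "$2" ] && { echo "$i"; return; }; i=$((i + 1)); done
  echo -1
}
hooks_ok() {    # true when the HOOKS order described above holds
  local kb enc lvm fs
  kb=$(hook_index "$1" keyboard); enc=$(hook_index "$1" encrypt)
  lvm=$(hook_index "$1" lvm2);    fs=$(hook_index "$1" filesystems)
  [ "$kb" -ge 0 ] && [ "$kb" -lt "$enc" ] && [ "$enc" -lt "$lvm" ] && [ "$lvm" -lt "$fs" ]
}

backup() {  # run from the live system so the copy is consistent
  local excl="" d
  for d in $EXCLUDED_DIRS; do excl="$excl --exclude=/$d/*"; done
  set -f   # keep the shell from globbing the '*' in the exclude patterns
  run rsync -aAXv $excl "$OLD_ROOT/" "$BACKUP/"
  set +f
}

wipe_and_encrypt() {
  run dd if=/dev/urandom of="$LUKS_DEV" bs=1M   # used space becomes indistinguishable from free space
  run cryptsetup -c aes-xts-plain64 -s 512 -h sha512 -i 5000 -y luksFormat "$LUKS_DEV"
  run cryptsetup luksDump "$LUKS_DEV"
  run cryptsetup luksOpen "$LUKS_DEV" "$CRYPT_NAME"
  run pvcreate "/dev/mapper/$CRYPT_NAME"
  run vgcreate "$VG" "/dev/mapper/$CRYPT_NAME"  # the post skipped this step
  run lvcreate -L 100G -n root "$VG"           # home/swap LVs are created the same way
  run mkfs.ext4 "$BOOT_DEV"
  run mkfs.ext4 "$(lv_dm_path "$VG" root)"
}

restore() {
  local d
  run mount "$(lv_dm_path "$VG" root)" /mnt
  run mkdir -p /mnt/boot
  run mount "$BOOT_DEV" /mnt/boot
  run rsync -aAXv "$BACKUP/" /mnt/   # trailing slashes: copy the contents, not the oldSys dir
  for d in $EXCLUDED_DIRS; do run mkdir -p "/mnt/$d"; done
  run chmod 1777 /mnt/tmp
}

configure_boot() {
  local uuid
  if [ "$DRY_RUN" = 1 ]; then uuid='<luks-uuid>'; else uuid=$(cryptsetup luksUUID "$LUKS_DEV"); fi
  run sh -c "genfstab -U /mnt > /mnt/etc/fstab"   # the old fstab names partitions that no longer exist
  run sed -i "s/^HOOKS=.*/HOOKS=\"$HOOKS_GOOD\"/" /mnt/etc/mkinitcpio.conf
  # Hand edits to grub.cfg are lost on the next grub-mkconfig, so set the
  # parameters in /etc/default/grub and regenerate.
  run sed -i "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$(grub_cmdline "$uuid")\"|" /mnt/etc/default/grub
  run arch-chroot /mnt mkinitcpio -p linux   # arch-chroot binds /dev, /proc and /sys for you
  run arch-chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg
}

sanitize_backup() {  # the plaintext copy on the external drive must not outlive the migration
  run umount "$(dirname "$BACKUP")"
  run dd if=/dev/urandom of="$BACKUP_DEV" bs=1M
}

# Usage: sh migrate.sh backup | wipe_and_encrypt | restore | configure_boot | sanitize_backup
# Verify the backup before wipe_and_encrypt, and the luksDump output before restore.
case "${1:-}" in backup|wipe_and_encrypt|restore|configure_boot|sanitize_backup) "$1" ;; esac
```

Run the stages one at a time and read the dry-run output before setting DRY_RUN=0; nothing here can be undone once dd or luksFormat has run. The two naming points that tripped up the original steps are worth keeping apart: lvm-crypt is the dm-crypt mapping that cryptsetup luksOpen creates, while LVM exposes its logical volumes as /dev/mapper/<vg>-<lv> (or /dev/<vg>/<lv>), which is why the root= parameter and the mount command use /dev/mapper/lvmpool-root.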