Hello again. Here is a revision of the steps. Could you please read it and fix any misconceptions, if there are any, or suggest something different?
1) Back up the whole system to an external drive from the existing OS.
Code:
# rsync -aAXv --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"} / /mnt/usbDisk/oldSys
2) Unmount /mnt/usbDisk
Code:
# umount /mnt/usbDisk
3) Boot from a live USB
4) Delete all the existing Linux partitions and overwrite the merged partition (sda4) with random data
[info] /dev/sda1,2,3 are the partitions for Windows.
Code:
# dd if=/dev/urandom of=/dev/sda4
5) Create a new partition table with cfdisk: a boot partition and an LVM one
a) /dev/sda5 - 512M - bootable - Partition type: Linux (83)
b) /dev/sda6 - 230G - not bootable - Partition type: Linux (83)
6) Load the kernel module for dm_crypt
Code:
# modprobe dm_crypt
7) Encrypt the whole partition, NOT the bootable one
Code:
# cryptsetup -c aes-xts-plain64 -s 512 -h sha512 -i 5000 -y luksFormat /dev/sda6
-c specifies the algorithm (here AES with XTS)
-s specifies the length of the encryption key (XTS uses two keys, therefore the key size here is 256)
-h specifies the hashing algorithm
-i specifies the number of milliseconds to spend with PBKDF2 passphrase processing (our hashing algorithm is stronger than sha1, thus this number should be higher than the default 1000)
-y asks for the passphrase two times (as confirmation)
8) Check if everything went OK with encrypting. This should return data about the encryption type etc.
Code:
# cryptsetup luksDump /dev/sda6
9) Mount the encrypted disk /dev/mapper/lvm-crypt
Code:
# cryptsetup luksOpen /dev/sda6 lvm-crypt
10) Set up LVM in /dev/mapper/lvm-crypt
Code:
# lvm pvcreate /dev/mapper/lvm-crypt
# lvm vgcreate lvmpool /dev/mapper/lvm-crypt
11) Create all logical volumes needed
Code:
# lvm lvcreate -L 100GB -n root lvmpool
# lvm lvcreate -L 4GB -n swap lvmpool
# lvm lvcreate -l 100%FREE -n home lvmpool
12) Format all the partitions
Code:
# mkfs.ext4 /dev/sda5 # boot partition
# mkfs.ext4 /dev/mapper/lvmpool-root   # root LV of volume group "lvmpool"
# mkfs.ext4 /dev/mapper/lvmpool-home   # home LV
# mkswap /dev/mapper/lvmpool-swap      # swap LV
13) Mount the external disk with the backup file system again
Code:
# mount /dev/sdb1 /media/usbDisk
14) Mount all LVMs and transfer the old system.
(I have doubts about this step. What is your opinion?)
Code:
# mount /dev/mapper/lvmpool-root /mnt # / partition
# mkdir /mnt/home
# mount /dev/mapper/lvmpool-home /mnt/home # home partition
# mkdir /mnt/boot
# mount /dev/sda5 /mnt/boot # boot partition
Code:
# rsync -aAXv /media/usbDisk/oldSys/ /mnt/   # trailing slash: copy the contents, not an oldSys directory
Also create the folders I didn't get
Code:
# mkdir /mnt/dev /mnt/proc /mnt/sys /mnt/tmp /mnt/run /mnt/mnt /mnt/media /mnt/lost+found
15) Edit the bootloader
(I have doubts about this step. What is your opinion?)
Code:
# vim /mnt/boot/grub/grub.cfg
Here is my current grub.cfg:
http://pastebin.com/hkACD6Z8
and change line 15
Code:
linux /vmlinuz-linux root=UUID=27ae6f98-7203-480e-abb1-097e606d9e01 rw quiet
to
Code:
linux /vmlinuz-linux cryptdevice=UUID=<u-u-i-d>:<n-a-m-e> root=/dev/mapper/lvmpool-root rw quiet
To get the <u-u-i-d> and <n-a-m-e> I will use lsblk -f.
If I get a result like this, for example:
Code:
└─sda6 crypto_LUKS e99fc375-b62d-4f45-8fd0-baf2370309d3
└─luks-e99fc375-b62d-4f45-8fd0-baf2370309d3 LVM2_member KNPfie-1mhh-eRZs-okZ0-CycS-kBsC-08Osxf
├─lvmpool-root ext4 0020cff6-d95a-4afd-921d-5c7faac83a4c /
└─lvmpool-home ext4 b202f5f3-eb1d-4f0a-ba75-bb56af91a2cd /home
The <u-u-i-d> is e99fc375-b62d-4f45-8fd0-baf2370309d3
and the <n-a-m-e> is luks-e99fc375-b62d-4f45-8fd0-baf2370309d3
so the above line becomes:
Code:
linux /vmlinuz-linux cryptdevice=UUID=e99fc375-b62d-4f45-8fd0-baf2370309d3:luks-e99fc375-b62d-4f45-8fd0-baf2370309d3 root=/dev/mapper/lvmpool-root rw quiet
16) Create a new fstab file
Code:
# genfstab -U -p /mnt >> /mnt/etc/fstab
17) Create a new mkinitcpio.conf
Add the appropriate hooks to /etc/mkinitcpio.conf
Code:
HOOKS="base udev autodetect modconf block keymap encrypt lvm2 filesystems keyboard fsck"
Code:
mkinitcpio -p linux
Finally, remove /etc/machine-id so that a new one will be created.
18) Reboot
Unmount everything and reboot
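Below is an added example, not part of the post above, with checks for the three things that most often leave a LUKS-on-LVM migration like this one unbootable: the cryptdevice= UUID on the kernel line not matching the LUKS container, the root= path not being the device-mapper name LVM actually creates, and the mkinitcpio HOOKS being in an order where encrypt or lvm2 runs too late. The lsblk sample it runs on is constructed from the post's example output (same UUIDs); the function names are the example's own, and the ordering rule it enforces (encrypt before lvm2 before filesystems) is the one the encrypt and lvm2 hooks require. On a real system you would feed it the output of lsblk -f, the linux line from grub.cfg and the HOOKS line from the new root's mkinitcpio.conf.

```shell
#!/bin/sh
# Added example (not from the forum post): POSIX sh checks for a LUKS+LVM migration.
# All inputs below are constructed samples; UUIDs are copied from the post.

# Print the UUID of the first crypto_LUKS entry in `lsblk -f` output read on stdin.
# The tree glyphs (└─, ├─) are part of column 1, so only columns 2 and 3 are used.
luks_uuid_from_lsblk() {
    while read -r _dev l_fstype l_uuid _rest; do
        if [ "$l_fstype" = "crypto_LUKS" ]; then
            printf '%s\n' "$l_uuid"
            return 0
        fi
    done
    return 1
}

# Device-mapper path LVM gives a logical volume: hyphens inside the VG or LV
# name are doubled, then VG and LV are joined with a single hyphen
# (vg "lvmpool", lv "root" -> /dev/mapper/lvmpool-root).
lv_mapper_path() {
    vg=$(printf '%s' "$1" | sed 's/-/--/g')
    lv=$(printf '%s' "$2" | sed 's/-/--/g')
    printf '/dev/mapper/%s-%s\n' "$vg" "$lv"
}

# Kernel parameters for the encrypt + lvm2 hooks:
# $1 LUKS UUID, $2 name to open the container as, $3 volume group, $4 root LV.
cryptdevice_params() {
    printf 'cryptdevice=UUID=%s:%s root=%s\n' "$1" "$2" "$(lv_mapper_path "$3" "$4")"
}

# Succeed only if the grub `linux` line carries cryptdevice=UUID=<expected>:<name>.
grub_line_matches_luks() {
    line=$1
    expected=$2
    case "$line" in
        *cryptdevice=UUID=*) ;;
        *) return 1 ;;          # no cryptdevice= at all: the initramfs never opens LUKS
    esac
    found=${line##*cryptdevice=UUID=}   # drop everything up to the UUID
    found=${found%%:*}                  # keep only the UUID before ':<name>'
    [ "$found" = "$expected" ]
}

# Succeed only if HOOKS contain encrypt, lvm2 and filesystems in that order.
# Accepts the raw line from mkinitcpio.conf, in either HOOKS="..." or HOOKS=(...) form.
hooks_order_ok() {
    hooks=${1#HOOKS=}
    hooks=${hooks#\"}; hooks=${hooks%\"}
    hooks=${hooks#\(}; hooks=${hooks%\)}
    i=0; p_enc=0; p_lvm=0; p_fs=0
    for h in $hooks; do
        i=$((i + 1))
        case "$h" in
            encrypt)     p_enc=$i ;;
            lvm2)        p_lvm=$i ;;
            filesystems) p_fs=$i ;;
        esac
    done
    [ "$p_enc" -gt 0 ] && [ "$p_lvm" -gt 0 ] && [ "$p_fs" -gt 0 ] &&
        [ "$p_enc" -lt "$p_lvm" ] && [ "$p_lvm" -lt "$p_fs" ]
}

# ---- demo on constructed data (UUIDs from the post's lsblk example) ----------
SAMPLE_LSBLK='└─sda6 crypto_LUKS e99fc375-b62d-4f45-8fd0-baf2370309d3
  └─luks-e99fc375-b62d-4f45-8fd0-baf2370309d3 LVM2_member KNPfie-1mhh-eRZs-okZ0-CycS-kBsC-08Osxf
    ├─lvmpool-root ext4 0020cff6-d95a-4afd-921d-5c7faac83a4c /
    └─lvmpool-home ext4 b202f5f3-eb1d-4f0a-ba75-bb56af91a2cd /home'

uuid=$(printf '%s\n' "$SAMPLE_LSBLK" | luks_uuid_from_lsblk)
params=$(cryptdevice_params "$uuid" "luks-$uuid" lvmpool root)
echo "kernel parameters: $params"
if grub_line_matches_luks "linux /vmlinuz-linux $params rw quiet" "$uuid"; then
    echo "grub line: OK"
fi
if hooks_order_ok 'HOOKS="base udev autodetect modconf block keymap encrypt lvm2 filesystems keyboard fsck"'; then
    echo "HOOKS order: OK"
fi
```

The hyphen doubling in lv_mapper_path is the detail people trip over: a VG named my-vg with an LV named root shows up as /dev/mapper/my--vg-root (and, equivalently, /dev/my-vg/root), so a hand-typed root= path is worth checking against what lvm actually created before the reboot.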