====== LUKS - Disk Encryption ======

===== Encryption on Debian 9 =====

  - Install dm-crypt:<code>apt-get install cryptsetup</code>
  - If you encrypted data drives during initial system setup, your swap space will be encrypted as well. First remove the swap encryption:<code>
sudo mkswap -f /dev/sda6
sudo swapon /dev/sda6</code>
  - Add the swap space to /etc/fstab. If you have swap on multiple drives, where the remaining space is allocated to a software RAID, add the swap partitions with the same priority:<code>/dev/sda6 none swap sw,pri=1 0 0</code>
  - Remove the fstab entry for mounting the encrypted volume.
  - Add the following commands to [[deb9:setup|rc.local]], which is executed as root:<code>
echo "volume password" | sudo cryptsetup luksOpen /dev/mapper/vg-lv my_encrypted_volume
mount /dev/mapper/my_encrypted_volume /mount/point</code>
  - To lock the container again, unmount it first:<code>
sudo umount /mount/point
sudo cryptsetup luksClose my_encrypted_volume</code>

===== Encrypt volume =====

  - Find the block device name of your partition:<code>lsblk</code>
  - Set up the LUKS header:<code>sudo cryptsetup luksFormat /dev/mapper/-</code>
  - Create a filesystem on the partition. You have to map the physical device to a virtual device first. Whatever is written to the virtual device is encrypted before being stored on the physical device:<code>
sudo cryptsetup luksOpen /dev/mapper/- -_crypt
sudo mkfs.ext4 /dev/mapper/-_crypt</code>
  - Mount the encrypted partition:<code>sudo mount /dev/mapper/-_crypt /mountpoint</code>
  - If you need to copy a directory tree from a backup location back to the newly encrypted drive, do it with rsync:<code>rsync -av --progress --exclude '/home/user/VirtualBox VMs' /home/user /mountpoint/</code>
  - Or, for an entire BackupPC structure:<code>rsync -avxHAWX --info=progress2 /backup/ /new-backup/</code>
  - Verify the structure between source and destination:<code>rsync -avcn /backup/ /new-backup/</code>

===== Increase size of Raid Disk Array with LVM and LUKS =====

These steps have to be taken to increase a RAID disk array with the following configuration: RAID -> LVM -> LUKS -> ext4.

  - Increase the size of the RAID as explained in [[deb9:mdadm|RAID - mdadm (Software RAID)]].
  - Unmount the file system:<code>sudo umount /backup</code>
  - Close LUKS:<code>cryptsetup luksClose vg_backup-lv_backup_crypt</code>
  - Resize the physical volume to consume all free space in LVM:<code>pvresize /dev/md3</code>
  - Resize the logical volume to consume all free space in LVM:<code>lvresize -l+100%FREE /dev/vg_backup/lv_backup</code>
  - Open LUKS and enter the volume password:<code>cryptsetup luksOpen /dev/mapper/vg_backup-lv_backup vg_backup-lv_backup_crypt</code>
  - Check the filesystem:<code>e2fsck -f /dev/mapper/vg_backup-lv_backup_crypt</code>
  - Extend the filesystem to consume all free space:<code>resize2fs /dev/mapper/vg_backup-lv_backup_crypt</code>
  - Mount the file system:<code>mount /dev/mapper/vg_backup-lv_backup_crypt /backup</code>

  * You could do an online resize by not unmounting the file system and not closing LUKS, but I find this approach safer. If you decide to do an online resize, skip steps 2 and 3, and instead of step 6 (open LUKS) do a crypt resize:<code>cryptsetup resize vg_backup-lv_backup_crypt</code>

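Added example (not part of the original page): the order of the resize steps above only holds when the stack really is RAID -> LVM -> LUKS -> ext4. The check below reads `lsblk -s -rno NAME,TYPE` output for the crypt mapping, assumed to list the mapping first and then each device beneath it, and prints the device each resize step must target; the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not from the original page.
# Usage on a live system:
#   lsblk -s -rno NAME,TYPE /dev/mapper/vg_backup-lv_backup_crypt | check_stack

# Constructed sample of that lsblk output for a two-disk RAID1 (illustrative).
SAMPLE='vg_backup-lv_backup_crypt crypt
vg_backup-lv_backup lvm
md3 raid1
sda3 part
sda disk
sdb3 part
sdb disk'

# Succeeds only if the first three layers are crypt, lvm, raid*.
# On success prints the resize commands in the order the page gives them
# (/dev/mapper/<vg>-<lv> names the same LV as /dev/<vg>/<lv>).
check_stack() {
    awk '
        NR == 1 && $2 != "crypt" { why = "layer 1 is " $2 ", expected crypt"; exit }
        NR == 2 && $2 != "lvm"   { why = "layer 2 is " $2 ", expected lvm"; exit }
        NR == 3 && $2 !~ /^raid/ { why = "layer 3 is " $2 ", expected raid*"; exit }
        NR <= 3 { name[NR] = $1 }
        END {
            if (why == "" && NR < 3) why = "fewer than three layers"
            if (why != "") { print "stack mismatch: " why > "/dev/stderr"; exit 1 }
            print "pvresize /dev/" name[3]
            print "lvresize -l+100%FREE /dev/mapper/" name[2]
            print "cryptsetup resize " name[1]
            print "resize2fs /dev/mapper/" name[1]
        }'
}
```

A stack in a different order, for example LUKS directly on the RAID with LVM inside it, fails the check and needs a different resize sequence.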
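Added example (not part of the original page), relating to the rc.local step in the Debian 9 section: that step keeps the volume passphrase in cleartext inside a script. One alternative is a random key file in its own LUKS keyslot, readable only by root, which can be revoked without changing the passphrase. The key file path is an assumption; the device and mapping names are the page's placeholders.

```shell
#!/bin/sh
# Added example, not from the original page.
KEYFILE=/root/my_encrypted_volume.key   # assumed location
DEVICE=/dev/mapper/vg-lv                # placeholder from the page
NAME=my_encrypted_volume                # placeholder from the page

# keyfile_is_private FILE [UID]: succeed only if FILE is a regular file owned
# by UID (default 0, root) with no group or other permission bits.
keyfile_is_private() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%u' "$1")" = "${2:-0}" ] || return 1
    case "$(stat -c '%a' "$1")" in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# One-time setup, run as root: create the key and add it to a free keyslot.
# cryptsetup asks for an existing passphrase to authorise the new key.
enroll_keyfile() {
    ( umask 077 && dd if=/dev/urandom of="$KEYFILE" bs=512 count=8 ) || return 1
    cryptsetup luksAddKey "$DEVICE" "$KEYFILE"
}

# Boot-time replacement for the echo | luksOpen line; refuses a loose key file.
unlock_volume() {
    keyfile_is_private "$KEYFILE" || {
        echo "refusing $KEYFILE: wrong owner or mode" >&2
        return 1
    }
    cryptsetup luksOpen --key-file "$KEYFILE" "$DEVICE" "$NAME"
}

# Equivalent /etc/crypttab entry: <name> <device> <key file> <options>
crypttab_line() {
    printf '%s %s %s luks\n' "$NAME" "$DEVICE" "$KEYFILE"
}
```

To revoke the key later, run `cryptsetup luksRemoveKey` on the device with the key file and then delete the file.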
===== Links =====

  * [[https://bobcares.com/blog/raid-resync/]]
  * [[https://www.ducea.com/2009/03/08/mdadm-cheat-sheet/]]
  * [[https://unix.stackexchange.com/questions/546218/debian-full-disk-encryption-does-debian-installer-use-luks-1-or-2]]
  * [[https://www.lisenet.com/2013/install-luks-and-create-an-encrypted-luks-partition-on-debian/]]
  * [[https://www.cyberciti.biz/security/how-to-change-luks-disk-encryption-passphrase-in-linux/]]
  * [[https://www.digitalocean.com/community/tutorials/how-to-use-rsync-to-sync-local-and-remote-directories]]
  * [[https://www.cyberciti.biz/hardware/howto-linux-hard-disk-encryption-with-luks-cryptsetup-command/|How To: Linux Hard Disk Encryption With LUKS]]
  * [[https://wiki.hackzine.org/sysadmin/linux-lvm-luks-resize.html|Resizing a LUKS volume on LVM]]
  * [[https://unix.stackexchange.com/questions/320957/extend-a-luks-encrypted-partition-to-fill-disk|Extend a LUKS encrypted partition to fill disk]]
  * [[https://we.riseup.net/debian/how-to-grow-ext4+lvm+luks+raid|How to grow ext4+lvm+LUKS+RAID]]
  * [[https://jschumacher.info/2016/11/encrypt-an-existing-linux-installation-with-luks-and-lvm/|Encrypt an existing Linux installation with LUKS and LVM]]
  * [[https://unix.stackexchange.com/questions/472114/replace-luks-partition-with-ext4-partition-with-same-contents|Replace LUKS partition with ext4 partition with same contents]]
  * [[https://www.reddit.com/r/linuxquestions/comments/5a0kl7/whats_the_difference_between_luks_cryptsetup_and/|What's the difference between LUKS, cryptsetup, and dm-crypt?]]
  * [[https://askubuntu.com/questions/63594/mount-encrypted-volumes-from-command-line#answer-63598|Mount encrypted volumes from command line?]]
  * [[https://www.maketecheasier.com/encrypt-linux-partitions-dm-crypt/|How to Encrypt Your Partitions on Linux with dm-crypt]]
  * [[https://stackoverflow.com/questions/44797694/where-is-rc-local-in-debian-9-debian-stretch|Where is rc.local in Debian 9 (Debian Stretch)]]
  * [[https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system|dm-crypt/Encrypting an entire system]]
  * [[https://wiki.debian.org/LVM#Encrypted_LVM|LVM (Debian Wiki)]]
  * [[https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption|dm-crypt/Swap encryption]]
  * [[https://www.tldp.org/HOWTO/Partition/setting_up_swap.html|Setting up swap space]]
  * [[https://superuser.com/questions/19326/how-to-wipe-free-disk-space-in-linux|How to wipe free disk space in Linux?]]
  * [[https://superuser.com/questions/1193290/best-order-of-raid-lvm-and-luks/1193307|Best order of RAID, LVM and LUKS]]
  * [[https://xo.tc/setting-up-full-disk-encryption-on-debian-9-stretch.html|Setting Up Full Disk Encryption on Debian 9 Stretch]]
  * [[https://www.virtualbox.org/manual/ch09.html#diskencryption|VirtualBox: Encryption of Disk Images]]
  * [[https://blog.tinned-software.net/create-a-luks-encrypted-partition-on-linux-mint/|Create a luks encrypted partition on Linux Mint]]
  * [[https://www.tecmint.com/clone-linux-partitions/|How to Clone a Partition or Hard drive in Linux]]
  * [[https://www.makeuseof.com/tag/2-methods-to-clone-your-linux-hard-drive/|How to Clone Your Linux Hard Drive: 4 Methods]]
  * [[https://smallbusiness.chron.com/clone-encrypted-hard-drive-57682.html|How to Clone an Encrypted Hard Drive]]
  * [[https://superuser.com/questions/1414795/cloning-hdd-containing-boot-and-lvm-to-new-hdd|Cloning HDD containing /boot and LVM to new HDD]]
  * [[https://roubert.name/joakim/migratetolargerdisks.html|Migrate Linux RAID 1+LVM System To Larger Disks HOWTO]]
  * [[https://www.linuxquestions.org/questions/slackware-14/create-software-raid1-on-one-disk-later-add-second-disk-4175449017/|create software raid1 on one disk, later add second disk?]]
  * [[https://www.linuxquestions.org/questions/fedora-35/how-to-resize-extend-a-volume-group-895429/|how to resize / extend a volume group]]
  * [[https://serverfault.com/questions/320310/how-to-resize-raid1-array-with-mdadm|How to resize RAID1 array with mdadm?]]
  * [[https://askubuntu.com/questions/944564/moving-raid-5-to-another-computer|Moving RAID 5 to another computer]]
  * [[https://superuser.com/questions/307541/copy-entire-file-system-hierarchy-from-one-drive-to-another|Copy entire file system hierarchy from one drive to another]]
  * [[https://forum.manjaro.org/t/how-to-clone-a-luks-encrypted-home-root-swap-partition-from-a-hdd-to-an-ssd/85741|How to clone a LUKS encrypted home/root/swap partition from a HDD to an SSD?]]