Timeline for Can LUKS2 root partition encryption with cryptsetup be done on an already fully running OS?
Current License: CC BY-SA 4.0
11 events
| when | what | | by | license | comment |
|---|---|---|---|---|---|
| Jun 19 at 14:13 | comment | added | horsey_guy | | That's the command that gave that error! Doesn't matter, just reinstate the filesystem with a fresh `mkfs.btrfs` and copy the backed up files to there. |
| Jun 19 at 8:58 | comment | added | frostschutz | | @horsey_guy Yeah, filesystems don't like if parts of them go missing. You might still be able to repair it though. Depends on the filesystem. `btrfs rescue fix-device-size` could work, never tried it though. |
| Jun 19 at 7:08 | comment | added | horsey_guy | | @frostschutz Ah, after about 10-11 hours of waiting, trying to mount the btrfs filesystem inside the encrypted device returns `ERROR: block device size is smaller than total_bytes in device item, has 108026396672 expect >= 108043173888`. Learned the hard way, but at least it was on a test partition on a flash drive (backed up). |
| Jun 19 at 0:44 | comment | added | horsey_guy | | What if the partition is at the end of a device? |
| Jun 18 at 23:32 | comment | added | frostschutz | | @horsey_guy You would corrupt the end of your filesystem. LUKS header needs to go somewhere. LUKS2 header by default is 16M. The original 16M are written to end of partition. So you lose first 16M to header and last 16M to preserve the original first 16M. Thus doubling the required size to 32M. If you can't shrink the filesystem, you can also find a way to make the partition larger (without growing the filesystem along with it). |
| Jun 18 at 22:57 | comment | added | horsey_guy | | The filesystem I meant |
| Jun 18 at 22:50 | comment | added | horsey_guy | | @frostschutz What happens if I do not resize the partition beforehand? Won't `--reduce-device-size` do that, or does it only set an offset for the encrypted data? |
| Sep 22, 2024 at 21:05 | comment | added | frostschutz | | Yeah, that's the neat part… you don't umount the running OS rootfs. You'd have to do it in a live / rescue system. And then it has to be capable of opening a LUKS device on reboot. In ArchLinux it's basically `arch-chroot` then edit `mkinitcpio.conf`, and `grub.cfg` to add encrypt parameters. The wiki should help you with these things. |
| Sep 22, 2024 at 20:59 | comment | added | Kagami Sascha Rosylight | | Thanks! How do you umount when OS is running there though? Do I first need to boot into live USB for this with `--init-only`, and then reboot and resume online? |
| Sep 22, 2024 at 13:02 | history | edited | frostschutz | CC BY-SA 4.0 | added 251 characters in body |
| Sep 22, 2024 at 12:53 | history | answered | frostschutz | CC BY-SA 4.0 | |