Introduction
Last month my workplace enforced the requirement to have our laptop disks to be fully encypted. The only niggle was that I had already been using my laptop for several years and wasn’t terribly looking forward to setting up everything from scratch. I was left with two options:
- Set a weekend aside, take a full backup and reinstall everything, along with encryption this time.
- Take a braver approach and try to encrypt in-place.
It doesn’t take a genius to figure out that it doesn’t hurt to try #2 first, and then #1 if that fails. So that’s what I did, and was successful with #2. I captured my whole process for posterity. Most of it is from this great guide: https://opencraft.com/tutorial-encrypting-an-existing-root-partition-in-ubuntu-with-dm-crypt-and-luks/ which worked out perfect for me. Except for some minor places which needed modifications.
Following is an account of what happened. This is on an Ubuntu 22.04.2 OS.
Steps
- Boot from an Ubuntu live USB.
- First, you need to find the device numbers of your partitions. You can run
fdisk -lto find them out.
This is how mine looked:
/dev/nvme0n1p1 2048 1050623 1048576 512M EFI System
/dev/nvme0n1p2 1050624 1000214527 999163904 476.4G Linux filesystem
- Resize your root filesystem
sudo e2fsck -f /dev/nvme0n1p2 # say yes to optimizing extent trees
sudo resize2fs -M /dev/nvme0n1p2
sudo cryptsetup-reencrypt /dev/nvme0n1p2 --new --reduce-device-size 16M --type=luks1
sudo cryptsetup open /dev/nvme0n1p2 rootfs
sudo resize2fs /dev/mapper/rootfs
- Post-encryption stuff
sudo mount /dev/mapper/rootfs /mnt
sudo mount /dev/nvme0n1p1 /mnt/boot/efi
sudo mount --bind /dev /mnt/dev
sudo mount --bind /dev/pts /mnt/dev/pts
sudo mount --bind /sys /mnt/sys
sudo mount --bind /proc /mnt/proc
sudo chroot /mnt
- Now inside root shell, run these:
mkdir /etc/luks
dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=4096 count=1
chmod u=rx,go-rwx /etc/luks
chmod u=r,go-rwx /etc/luks/boot_os.keyfile
cryptsetup luksAddKey /dev/nvme0n1p2 /etc/luks/boot_os.keyfile
-
Find the encrypted UUID for
/dev/nvme0n1p2by runningblkid -s UUID -o value /dev/nvme0n1p2. Note it down. -
Add the following line to /etc/crypttab:
rootfs UUID=<UUID from before> /etc/luks/boot_os.keyfile luks,discard
- Remove the existing root partition line from /etc/fstab and add the following line:
/dev/mapper/rootfs / ext4 errors=remount-ro 0 1
- In
/etc/default/grub, remove the existing reference to the root partition fromGRUB_CMDLINE_LINUXand add the following line:
GRUB_ENABLE_CRYPTODISK=y
- Then run:
grub-install
update-grub
-
Make sure that the GRUB configuration file at /boot/grub/grub.cfg was updated correctly by update-grub. In “menuentry Ubuntu”, there should be atleast
insmod cryptodisk, andinsmod luks -
Set the KEYFILE_PATTERN in
/etc/cryptsetup-initramfs/conf-hooktoKEYFILE_PATTERN="/etc/boot/*.keyfile". (You can also set the umask if you want) -
Then run:
update-initramfs -k all -c
exit
umount -a
Then remove the USB drive, and reboot your computer. Now you will be prompted to type the passphrase at boot. Enter that and Ubuntu will boot!
Hopefully that was helpful. Note that all of this was done in Ubuntu 22.04.2. It might change in the later versions. Please feel free to comment in there’s something that needs to change and I’d be glad to update them.
