
@nodswal
Forked from samdoran/luks-encrypt-in-place.sh
Created August 13, 2024 19:14

Revisions

  1. Sam Doran revised this gist Apr 4, 2013. 1 changed file with 16 additions and 7 deletions.
    23 changes: 16 additions & 7 deletions luks-encrypt-in-place.sh
    @@ -1,23 +1,28 @@
    #!/bin/bash

    # Encrypt existing hard drive in place
    # Requires a second physical drive to temporarily store data.
    # Encrypt existing hard drive in place.
    # Requires a second physical drive to temporarily store data. This drive will be erased.
    # This script is meant to be run on Clonezilla 1.2.9-19 or later.
    # The cryptsetup syntax is different in Clonezilla than in Red Hat.



    # --- Variables --- #
    CONFIGDIR=/tmp/
    VGNAME=VolGroup00
    SOURCE=/dev/sda2
    TEMP=/dev/sdb1

    VGNAME=VolGroup00 # Name of volume group containing physical volume to be encrypted
    SOURCE=/dev/sda2 # Physical volume to be encrypted
    TEMP=/dev/sdb1 # Second physical drive which the data will be copied to

    # The keyfile is only used so that encryption can take place without user interaction.
    # The keyfile can be removed at the end and replaced with a passphrase.
    # DO NOT lose the keyfile or the drive will be inaccessible.
    # Create a random keyfile using dd if=/dev/urandom of=/tmp/keyfile bs=1024 count=4
    # I recommend storing the keyfile on a separate disk as a safety measure
    KEYFILE=/tmp/keyfile

    cd $CONFIGDIR


    # --- Main Program --- #

    echo -e "Creating temp storage drive on $TEMP\n"
    pvcreate $TEMP
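Review bot: `KEYFILE=/tmp/keyfile` still points at the live CD's /tmp while the comment two lines above it recommends keeping the keyfile on a separate disk, and nothing verifies that the file exists before the destructive steps begin; if the `dd` command from the comment was never run, `luksFormat` fails only after `pvmove` has already moved the data off `$SOURCE`. Suggest a guard right after the variable block, e.g. `[ -r "$KEYFILE" ] || { echo "keyfile $KEYFILE missing"; exit 1; }`, and `cd "$CONFIGDIR" || exit 1` in place of the unquoted, unchecked `cd $CONFIGDIR`, which silently continues in the wrong directory if the path is unavailable.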
    @@ -60,6 +65,10 @@ case $ANSWER in
    ;;
    esac



    # --- Folluw Up --- #

    # Once the drive has been encrypted with LUKS, you will need to remake the initrd to get it to boot properly.
    #
    # # 1) Reboot off of the RHEL installation disc
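Review bot: the new section header `# --- Folluw Up --- #` has a typo; it should read `# --- Follow Up --- #`. While touching it, the three consecutive blank lines above the header could be collapsed to the single blank line used between the other sections.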
  2. Sam Doran created this gist Apr 4, 2013.
    86 changes: 86 additions & 0 deletions luks-encrypt-in-place.sh
    @@ -0,0 +1,86 @@
    #!/bin/bash

    # Encrypt existing hard drive in place
    # Requires a second physical drive to temporarily store data.
    # This script is meant to be run on Clonezilla 1.2.9-19 or later.
    # The cryptsetup syntax is different in Clonezilla than in Red Hat.

    # --- Variables --- #
    CONFIGDIR=/tmp/
    VGNAME=VolGroup00
    SOURCE=/dev/sda2
    TEMP=/dev/sdb1
    # The keyfile is only used so that encryption can take place without user interaction.
    # The keyfile can be removed at the end and replaced with a passphrase.
    # DO NOT lose the keyfile or the drive will be inaccessible.
    # Create a random keyfile using dd if=/dev/urandom of=/tmp/keyfile bs=1024 count=4
    # I recommend storing the keyfile on a separate disk as a safety measure
    KEYFILE=/tmp/keyfile

    cd $CONFIGDIR

    echo -e "Creating temp storage drive on $TEMP\n"
    pvcreate $TEMP

    echo -e "Extending $VGNAME"
    vgextend $VGNAME $TEMP

    echo -e "Moving $SOURCE to $TEMP. This will take some time.\n"
    pvmove $SOURCE $TEMP

    echo -e "Encrypting $SOURCE\n"
    vgreduce $VGNAME $SOURCE
    pvremove $SOURCE
    cryptsetup -q -s 256 --key-file $KEYFILE --key-slot=1 luksFormat $SOURCE

    echo -e "Moving data back to encrypted drive\n"
    cryptsetup --key-file $KEYFILE luksOpen $SOURCE luks-volume
    pvcreate /dev/mapper/luks-volume
    vgextend $VGNAME /dev/mapper/luks-volume
    pvmove $TEMP /dev/mapper/luks-volume
    vgreduce $VGNAME $TEMP
    pvremove $TEMP

    while [[ $ANSWER != "y" && $ANSWER != "n" ]] ; do
    read -p "Do you wish to set the passphrase and remove the temporary keyfile? {y|n}" ANSWER
    done
    case $ANSWER in
    y)
    # Prompts for a passphrase used to encrypt the volume
    cryptsetup -y --key-file $KEYFILE luksAddKey $SOURCE
    # Removes the temporary keyfile from the volume
    cryptsetup luksRemoveKey $SOURCE $KEYFILE
    echo -e "Drive encryption compelete. Please restart your machine and make a new initrd."
    exit 1
    ;;

    n)
    echo -e "Drive encryption compelete. Please restart your machine and make a new initrd."
    exit 1
    ;;
    esac

    # Once the drive has been encrypted with LUKS, you will need to remake the initrd to get it to boot properly.
    #
    # # 1) Reboot off of the RHEL installation disc
    # shutdown -r
    # # Remove the current live CD and insert the RHEL disc
    # # Enter rescue mode
    # boot: linux rescue
    #
    # 2) Follow the prompts until you get to a shell prompt
    #
    # 3) Change root to the found system partition
    # chroot /mnt/sysimage
    #
    # 4) Backup the original initrd
    # cd /boot
    # mv initrd-[kernel].img initrd-[kernel].img.bak
    #
    # 5) Make a new initrd
    # mkinitrd /boot/initrd-[kernel].img [kernel]
    #
    # 6) Exit from the changed root environment and reboot the machine
    # exit
    # shutdown -r now
    # # Make sure to remove the disc as it does no eject automatically
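Review bot: `pvmove $SOURCE $TEMP` is followed directly by `vgreduce`, `pvremove` and `luksFormat` on `$SOURCE` with no error check, so if the move fails or is interrupted (for example because `$TEMP` is smaller than the extents in use on `$SOURCE`) the script wipes the source volume anyway; the return trip `pvmove $TEMP /dev/mapper/luks-volume` before `pvremove $TEMP` has the same exposure. Add `set -e` near the top or `|| exit 1` after each `pvmove`, and check that `$TEMP` has room for `$SOURCE` before the first `pvcreate`. Both branches of the `case` end in `exit 1`, which reports failure to anything that calls the script; `exit 0` is the intended meaning there. Minor: "compelete" in both echo lines, and the follow-up comments rebuild the initrd but never mention registering the `luks-volume` mapping in /etc/crypttab, so the reader is given no way to tell the rebuilt initrd which device to unlock at boot.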