How to encrypt an existing archlinux LVM installation [LVM on LUKS]

Assumptions

Warning

The specific case

Steps

# create a physical volume on the temporary drive
$ pvcreate /dev/tmpDriveXY
# extend "vg-sys" onto the temporary drive
$ vgextend vg-sys /dev/tmpDriveXY
# move all extents off the root drive onto the temporary drive
$ pvmove /dev/rootDriveXY /dev/tmpDriveXY
# remove the root drive from the volume group
$ vgreduce vg-sys /dev/rootDriveXY
# remove the physical volume label from the root drive
$ pvremove /dev/rootDriveXY
# change the type code of the root drive partition
$ gdisk /dev/rootDrive
# change type with t, choose the partition number
# set type 8309 for Linux LUKS
# review changes with p and write with w
# verify the new partition type
$ gdisk -l /dev/rootDrive
# create a temporary plain dm-crypt mapping with a random key; zeros written
# through it land on disk as random-looking ciphertext
$ cryptsetup open --type plain -d /dev/urandom /dev/rootDriveXY to_be_wiped
# verify the mapping exists
$ lsblk
# wipe with zeros; dd ends with "No space left on device", which is expected
# be patient, this step takes a long time
$ dd if=/dev/zero of=/dev/mapper/to_be_wiped bs=1M status=progress
# close the wiped device
$ cryptsetup close to_be_wiped
# compare cipher throughput on this CPU
$ cryptsetup benchmark
# encrypt the device and set a passphrase
# --type luks creates a LUKS1 header, which GRUB can unlock (GRUB's LUKS2 support is limited)
# aes-xts-plain64 splits the key in two, so --key-size 512 gives AES-256; 256 would give only AES-128
$ cryptsetup -v --type luks --cipher aes-xts-plain64 --key-size 512 --hash sha256 --iter-time 2000 --use-urandom --verify-passphrase luksFormat /dev/rootDriveXY
# open the encrypted volume
$ cryptsetup open /dev/rootDriveXY cryptarch
# create a physical volume on the opened container
$ pvcreate /dev/mapper/cryptarch
# extend the "vg-sys" group onto it
$ vgextend vg-sys /dev/mapper/cryptarch
# move all extents from the temporary drive into the encrypted container
$ pvmove /dev/tmpDriveXY /dev/mapper/cryptarch
# remove the temporary drive from the volume group
$ vgreduce vg-sys /dev/tmpDriveXY
# remove the physical volume label from the temporary drive
$ pvremove /dev/tmpDriveXY
# in /etc/mkinitcpio.conf: keyboard must come before encrypt (so the passphrase
# prompt accepts input) and encrypt before lvm2 (unlock first, then scan for VGs)
HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems fsck)
# rebuild the initramfs for the linux-lts preset (-p takes a preset name; -P rebuilds all presets)
$ mkinitcpio -p linux-lts
# get the UUID of the encrypted partition
# in this case /dev/rootDriveXY, not /dev/mapper/cryptarch
$ blkid
# in /etc/default/grub, add this to GRUB_CMDLINE_LINUX
cryptdevice=UUID=rootDriveXY-UUID:cryptarch root=/dev/vg-sys/root
# uncomment GRUB_ENABLE_CRYPTODISK="y", needed when /boot lives inside the encrypted volume group, as here
# regenerate grub.cfg
$ grub-mkconfig -o /boot/grub/grub.cfg
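The same procedure as a parameterised script, added here as an example and not part of the original article. It defaults to a dry run that only prints the commands, refuses to luksFormat a partition LVM still claims as a PV, checks the HOOKS order in mkinitcpio.conf, keeps a LUKS header backup, and edits /etc/default/grub for you. The device names (/dev/rootDriveXY, /dev/tmpDriveXY), the VG and mapper names, and the header backup path under /root are assumptions; set them for your system before running with DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): the LVM-on-LUKS migration as a
# script with a dry-run default and sanity checks. All names below are placeholders.
set -euo pipefail

ROOT_PART="${ROOT_PART:-/dev/rootDriveXY}"   # partition that becomes the LUKS container (assumed)
TMP_PART="${TMP_PART:-/dev/tmpDriveXY}"      # spare disk that holds the VG meanwhile (assumed)
VG="${VG:-vg-sys}"
MAPPER="${MAPPER:-cryptarch}"
ROOT_LV="${ROOT_LV:-root}"
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands only, 0 = execute

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = "1" ]; then printf '[dry-run] %s\n' "$*"; else "$@"; fi; }

# luksFormat command for a GRUB-unlockable container: LUKS1 because GRUB's LUKS2
# support is limited; --key-size 512 because XTS splits the key in two, so 512 bits
# is AES-256 while the article's 256 bits is only AES-128.
luks_format_cmd() {
  printf 'cryptsetup -v --type luks1 --cipher aes-xts-plain64 --key-size 512 --hash sha256 --iter-time 2000 --use-urandom --verify-passphrase luksFormat %s' "$1"
}

# Kernel parameters the encrypt and lvm2 hooks need: unlock <uuid> as <mapper>,
# then mount the root LV from the VG that lives inside it.
grub_cmdline() { printf 'cryptdevice=UUID=%s:%s root=/dev/%s/%s' "$1" "$2" "$3" "$4"; }

# Append the cmdline to GRUB_CMDLINE_LINUX and enable GRUB_ENABLE_CRYPTODISK in a
# /etc/default/grub-style file (edited in place; GRUB_CMDLINE_LINUX_DEFAULT is untouched).
patch_grub_default() {
  local f="$1" line="$2"
  sed -e "s|^GRUB_CMDLINE_LINUX=\"\(.*\)\"|GRUB_CMDLINE_LINUX=\"\1 $line\"|" \
      -e 's|^GRUB_CMDLINE_LINUX=" |GRUB_CMDLINE_LINUX="|' \
      -e 's|^#*GRUB_ENABLE_CRYPTODISK=.*|GRUB_ENABLE_CRYPTODISK="y"|' "$f" > "$f.tmp"
  mv "$f.tmp" "$f"
}

# Verify HOOKS ordering in an mkinitcpio.conf: keyboard before encrypt (so the
# passphrase prompt accepts input) and encrypt before lvm2 (unlock, then scan VGs).
hooks_ordered() {
  local hooks h i=0 pos_kb= pos_enc= pos_lvm=
  hooks=$(sed -n 's|^HOOKS=(\(.*\))|\1|p' "$1")
  for h in $hooks; do
    i=$((i + 1))
    case "$h" in keyboard) pos_kb=$i ;; encrypt) pos_enc=$i ;; lvm2) pos_lvm=$i ;; esac
  done
  [ -n "$pos_kb" ] && [ -n "$pos_enc" ] && [ -n "$pos_lvm" ] &&
    [ "$pos_kb" -lt "$pos_enc" ] && [ "$pos_enc" -lt "$pos_lvm" ]
}

migrate() {
  local uuid
  # 1. Evacuate the VG from the root partition.
  run pvcreate "$TMP_PART"
  run vgextend "$VG" "$TMP_PART"
  run pvmove "$ROOT_PART" "$TMP_PART"
  run vgreduce "$VG" "$ROOT_PART"
  run pvremove "$ROOT_PART"
  # Never luksFormat a device LVM still reports as a PV (pvs exits non-zero otherwise).
  if [ "$DRY_RUN" != "1" ] && pvs --noheadings -o pv_name "$ROOT_PART" >/dev/null 2>&1; then
    echo "refusing to format $ROOT_PART: still an LVM PV" >&2; return 1
  fi
  # 2. Fill the partition with random-looking data through a throwaway plain mapping
  #    (dd ends with "No space left on device", which is expected).
  run cryptsetup open --type plain -d /dev/urandom "$ROOT_PART" to_be_wiped
  run sh -c "dd if=/dev/zero of=/dev/mapper/to_be_wiped bs=1M status=progress || true"
  run cryptsetup close to_be_wiped
  # 3. Create the container, keep a header backup off the disk, move the VG in.
  run sh -c "$(luks_format_cmd "$ROOT_PART")"
  run cryptsetup luksHeaderBackup "$ROOT_PART" --header-backup-file "/root/$MAPPER-luks-header.img"
  run cryptsetup open "$ROOT_PART" "$MAPPER"
  run pvcreate "/dev/mapper/$MAPPER"
  run vgextend "$VG" "/dev/mapper/$MAPPER"
  run pvmove "$TMP_PART" "/dev/mapper/$MAPPER"
  run vgreduce "$VG" "$TMP_PART"
  run pvremove "$TMP_PART"
  # 4. Initramfs and bootloader.
  if [ "$DRY_RUN" != "1" ]; then
    hooks_ordered /etc/mkinitcpio.conf || { echo "fix HOOKS in /etc/mkinitcpio.conf first" >&2; return 1; }
    uuid=$(blkid -s UUID -o value "$ROOT_PART")
  else
    uuid="<uuid-of-$ROOT_PART>"
  fi
  run mkinitcpio -p linux-lts
  run patch_grub_default /etc/default/grub "$(grub_cmdline "$uuid" "$MAPPER" "$VG" "$ROOT_LV")"
  run grub-mkconfig -o /boot/grub/grub.cfg
}

# Only act when explicitly asked; the default invocation prints the plan.
if [ "${1:-}" = "--migrate" ]; then migrate; fi
```

Run it once as `./migrate.sh --migrate` with the default DRY_RUN=1 and read the printed plan; only then rerun with `DRY_RUN=0` from a live environment or a shell that does not itself sit on the volume group being moved. Copy the header backup somewhere off the machine: without the LUKS header (or the passphrase) the data is unrecoverable, and with it plus the passphrase an attacker can unlock the disk even after you later change the passphrase, so treat the backup file as a secret.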

Ivan Moreno

Engineer || MSc student || DevOps in progress