From: Omen Wild <omen.wild@gmail.com>
To: dm-crypt@saout.de
Subject: [dm-crypt] Encrypt underlying disks after the fact?
Date: Mon, 1 Apr 2013 16:25:28 -0700
Message-ID: <20130401232528.GB10159@mandarb.com>
I have a mirrored ZFS on Linux pool and I am now regretting not having
encrypted the underlying disks. Can I do this after the fact, i.e.:

- break the mirror: zpool detach tank /dev/sdb
- wipe disk
- cryptsetup luksFormat /dev/sdb
- rebuild the mirror: zpool attach tank /dev/sda /dev/mapper/c1

When I created the pool I gave ZFS the entire disks so it formatted them
GPT:

----- Begin quote -----
Partition Table: gpt

Number  Start           End             Size            File system  Name  Flags
 1      1048576B        2000390528511B  2000389479936B  zfs          zfs
 9      2000390528512B  2000398917119B  8388608B
----- End quote -----

The main question is whether the LUKS disk would have at least as many
blocks as #1. Looking at the numbers it looks like there is 1MB
available at the beginning, and 8MB at the end, and the LUKS header is
1MB+4096B or 2 MB, so it looks like it will fit on the raw device. The
other route would be to use a detached header. Any recommendations
between the two methods?

Assuming this could work I suppose the safest way to do this would be to
buy a 3rd disk, encrypt it, add it to the pool, then rotate the original
2 out one at a time.

Oh, and backups, backups, and more backups.

Thanks

--
The world is coming to an end, SAVE YOUR BUFFERS!!!
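
The size question in the message above, worked through as an added example (not part of the original post): the script parses the quoted parted table and reports how many bytes remain once a LUKS data offset is subtracted from the raw device and partition 1's size must still fit. Assumptions: the function names are hypothetical, the device size is taken as one byte past the last partition's end (on a real system use `blockdev --getsize64`), and the 16 MiB offset is a constructed value to show the failing case.

```shell
#!/bin/sh
# Constructed input: the parted byte-unit table quoted in the message.
PARTED_TABLE='Number Start End Size File system Name Flags
1 1048576B 2000390528511B 2000389479936B zfs zfs
9 2000390528512B 2000398917119B 8388608B'

# Size in bytes of partition $1 (column 4, trailing "B" stripped).
part_size() {
    printf '%s\n' "$PARTED_TABLE" |
        awk -v n="$1" '$1 == n { sub(/B$/, "", $4); print $4 }'
}

# Lower bound on the raw device size: one byte past the highest partition
# end. The backup GPT after it is ignored, so the estimate is conservative.
min_device_size() {
    ends=$(printf '%s\n' "$PARTED_TABLE" |
        awk '$1 ~ /^[0-9]+$/ { sub(/B$/, "", $3); print $3 }' |
        sort -n | tail -n 1)
    echo $((ends + 1))
}

# Bytes left over when LUKS with data offset $1 (bytes) covers the whole
# device and the mapped device must be at least as large as partition 1.
# A negative result means the mapped device would be too small.
luks_slack() {
    echo $(( $(min_device_size) - $1 - $(part_size 1) ))
}

# "in-place" if the header fits on the disk itself, otherwise "detached".
header_choice() {
    if [ "$(luks_slack "$1")" -ge 0 ]; then
        echo in-place
    else
        echo detached
    fi
}

# The two header sizes named in the message, then the constructed 16 MiB case.
for off in $((1048576 + 4096)) $((2 * 1048576)) $((16 * 1048576)); do
    echo "offset=$off slack=$(luks_slack "$off") -> $(header_choice "$off")"
done
```
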