From: Ondrej Kozina
Message-ID: <3085755d-7a3e-e9f6-aed0-5e2eaa9e9ea1@redhat.com>
Date: Mon, 14 Sep 2020 11:08:17 +0200
Subject: Re: [dm-crypt] LUKS Root Volume encryption.
To: Dev Chakraborty, dm-crypt@saout.de

On 9/11/20 8:09 AM, Dev Chakraborty wrote:
> Hi,
>
> We have a root volume and additional disks. I can encrypt the additional
> volume, but if I do root it says root is busy, can't do. How can I encrypt
> the root on the fly without detaching?
> Say we are already on prod machines; how can we achieve this for prod
> systems without affecting anything?
>

You can't do it while the filesystem is mounted. You must take the filesystem
offline for a short time to allow the introduction of a new device-mapper
device underneath your filesystem.

I'd recommend reading the reencryption man page (especially the implications
of the cryptsetup reencrypt action with the --reduce-device-size argument),
but in very short you'd need the following list of commands:

You can do it with a detached LUKS2 header put in a separate file, like follows:

1) umount /dev/sdx (your fs)

2) cryptsetup reencrypt --encrypt --init-only --header file.x /dev/sdx encrypted_sdx

This will create a LUKS2 header in file.x ready for online encryption of
device /dev/sdx. It would also activate the dm device 'encrypted_sdx'. Note
that unless you finish the full device encryption, some parts of /dev/sdx are
still exposed as plaintext.

3) mount /dev/mapper/encrypted_sdx /mnt/path

4) cryptsetup reencrypt /dev/sdx --header file.x

----------------

Or, if you can shrink your filesystem (or extend the size of the underlying
/dev/sdx), you may use this:

1) umount /dev/sdx (your fs)

2) cryptsetup reencrypt --encrypt --init-only --reduce-device-size 32m /dev/sdx encrypted_sdx

Really, be *careful* with --reduce-device-size. You *HAVE* to be sure you're
using it correctly. This option can destroy your fs if used wrong. Otherwise
it has the same effect as step 2) above.

3) mount /dev/mapper/encrypted_sdx /mnt/path

4) cryptsetup reencrypt /dev/sdx

Regards
O.
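The detached-header procedure above, wrapped in a small preflight script. This is an added example, not part of the mailing-list thread and not cryptsetup's own tooling; the device path /dev/sdx, the header file name file.x, the mapping name encrypted_sdx and the mount point /mnt/path are placeholders taken from the post. It adds the two checks a practitioner wants before step 2: refusing to run while the device is still mounted (which is why the mailing-list answer starts with umount), and refusing to overwrite an existing header file, since the detached header is the only copy of the key material once encryption starts. The mount check reads /proc/mounts by default but accepts another file so it can be exercised against the constructed sample inside the script.

```shell
#!/bin/sh
# Added example: preflight wrapper for online LUKS2 encryption with a detached
# header. Not from the mailing list or from cryptsetup. All device names and
# file names are placeholders; the real run needs root and a backed-up device.
set -eu

# is_mounted DEV [MOUNTS_FILE]: succeed if DEV is the source of a mounted fs.
# MOUNTS_FILE defaults to /proc/mounts; field 1 of each line is the source.
is_mounted() {
    dev=$1
    mounts=${2:-/proc/mounts}
    awk -v d="$dev" '$1 == d { found = 1 } END { exit found ? 0 : 1 }' "$mounts"
}

# init_cmd DEV HEADER NAME: step 2 of the post. Creates the detached LUKS2
# header in HEADER and activates /dev/mapper/NAME without encrypting data yet.
init_cmd() {
    printf 'cryptsetup reencrypt --encrypt --init-only --header %s %s %s\n' "$2" "$1" "$3"
}

# resume_cmd DEV HEADER: step 4 of the post. Performs (or resumes, if it was
# interrupted) the bulk encryption while the fs is mounted via the dm device.
# Until this finishes, part of DEV is still plaintext on disk.
resume_cmd() {
    printf 'cryptsetup reencrypt %s --header %s\n' "$1" "$2"
}

# encrypt_online DEV HEADER NAME MOUNTPOINT: the four steps with guards.
# Commands are echoed before running; the placeholders contain no whitespace,
# so eval of the printed command line is safe here.
encrypt_online() {
    dev=$1; header=$2; name=$3; mnt=$4
    if is_mounted "$dev"; then
        echo "refusing: $dev is mounted; run umount $dev first (step 1)" >&2
        return 1
    fi
    if [ -e "$header" ]; then
        echo "refusing: $header already exists; never overwrite a LUKS header" >&2
        return 1
    fi
    cmd=$(init_cmd "$dev" "$header" "$name"); echo "+ $cmd"; eval "$cmd"
    echo "+ mount /dev/mapper/$name $mnt"; mount "/dev/mapper/$name" "$mnt"
    cmd=$(resume_cmd "$dev" "$header"); echo "+ $cmd"; eval "$cmd"
    echo "done: keep $header safe; without it $dev cannot be opened" >&2
}

# selfcheck: exercise is_mounted against a constructed mounts table (not a
# real system) and print the command lines for the placeholder device.
selfcheck() {
    tmp=$(mktemp)
    printf '/dev/sda1 / ext4 rw 0 0\n/dev/sdx /data xfs rw 0 0\n' > "$tmp"
    is_mounted /dev/sdx "$tmp" && echo "/dev/sdx: mounted (constructed table)"
    is_mounted /dev/sdy "$tmp" || echo "/dev/sdy: not mounted (constructed table)"
    rm -f "$tmp"
    init_cmd /dev/sdx file.x encrypted_sdx
    resume_cmd /dev/sdx file.x
}

# Usage: ./encrypt_online.sh selfcheck
#        ./encrypt_online.sh /dev/sdx file.x encrypted_sdx /mnt/path
if [ "$#" -eq 1 ] && [ "$1" = "selfcheck" ]; then
    selfcheck
elif [ "$#" -eq 4 ]; then
    encrypt_online "$@"
fi
```

The --reduce-device-size variant is deliberately not wrapped: whether the filesystem has actually been shrunk by at least that amount cannot be verified generically from a script, and the post's warning that a wrong value destroys the filesystem is the reason to type that command by hand after checking the man page.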