encryption for home partition and backups

Bob Jonkman bjonkman-w5ExpX8uLjYAvxtiuMwx3w at public.gmane.org
Sat Nov 30 03:17:50 UTC 2013


Create a new partition, encrypt it with LUKS, add that as a PV to your
LVM, then remove the unencrypted PV. LVM will automatically move all the
extents from the unencrypted partition to the encrypted partition.

Be sure to copy /boot to an unencrypted partition or LV (GRUB2 is fine
with /boot on an LV). You may have to re-install GRUB so that the
computer boots off an unencrypted partition.

Of course, you need to have enough space on your drive to do that. If
you don't, then put LUKS on the external drive, add that as a PV to your
LVM, remove the PV on the internal drive's partition, wait while LVM
moves the extents, then encrypt the internal drive partition with LUKS,
add that as a PV to LVM, remove the PV for the external drive, wait
while LVM moves all the extents to the internal encrypted volume. Again,
have /boot on an unencrypted partition, and you may need to re-install GRUB.


If you can mount an encrypted filesystem on the remote system, then
rsync can just write to it (using ssh as the transport). But I'm not
sure what you need to do if you don't want to mount the encrypted FS on
the remote system (making the unencrypted files visible on that system).

--Bob.


On 13-11-29 09:02 PM, Alex Volkov wrote:
> Hello Everyone
> 
> I'm using a laptop running Debian Jessie on an LVM (with separate /home and
> swap partitions).
> 
> Is it possible to convert the current system to encrypted /home and swap
> volumes without reinstalling everything from scratch? I'm fine with copying
> all the existing data to an external hard drive, reformatting the partition
> to something that supports encryption and then copying everything back.
> I found cryptsetup and LUKS being mentioned in several places, has
> anyone tried using these tools?
> 
> As a related question, is it possible to have an encrypted file on an
> existing filesystem which I can access by mounting and then dumping rsync
> stream into it? Sort of what TrueCrypt is doing only 100% open source and
> preferably implemented using fusefs.
> 
> 
> Thanks,
> 
> Alex.
> 

--
Bob Jonkman <bjonkman-w5ExpX8uLjYAvxtiuMwx3w at public.gmane.org>          Phone: +1-519-669-0388
SOBAC Microcomputer Services             http://sobac.com/sobac/
http://bob.jonkman.ca/blogs/    http://sn.jonkman.ca/bobjonkman/
Software   ---   Office & Business Automation   ---   Consulting
GnuPG Fngrprnt:04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA
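
Added example, not part of the original message: the single-drive procedure from the reply above written as a shell function that defaults to a dry run. It makes the extent move explicit with pvmove before vgreduce; the volume group vg0, the partitions /dev/sda5 and /dev/sda6, and the mapping name crypt_pv are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example: planner for moving an LVM volume group onto a LUKS-backed PV.
# Device, VG and mapping names are placeholders (assumptions).

# run: print the command when DRY_RUN=1 (the default), otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# migrate_pv_to_luks VG OLD_PV NEW_PART MAPPER_NAME
migrate_pv_to_luks() {
    if [ $# -ne 4 ]; then
        echo "usage: migrate_pv_to_luks VG OLD_PV NEW_PART MAPPER_NAME" >&2
        return 2
    fi
    vg=$1 old_pv=$2 new_part=$3 name=$4
    # luksFormat destroys whatever is on NEW_PART, so it must never be
    # the PV that still holds the data.
    if [ "$old_pv" = "$new_part" ]; then
        echo "refusing: NEW_PART is the PV that still holds the data" >&2
        return 1
    fi
    # 1. Create the LUKS container and open it as /dev/mapper/NAME.
    run cryptsetup luksFormat "$new_part" &&
    run cryptsetup luksOpen "$new_part" "$name" &&
    # 2. Add the opened mapping to the volume group as a new PV.
    run pvcreate "/dev/mapper/$name" &&
    run vgextend "$vg" "/dev/mapper/$name" &&
    # 3. Move every extent off the unencrypted PV (online, can take hours).
    run pvmove "$old_pv" "/dev/mapper/$name" &&
    # 4. Drop the now-empty unencrypted PV from the VG and clear its label.
    run vgreduce "$vg" "$old_pv" &&
    run pvremove "$old_pv"
}

# Dry run with placeholder names: prints the seven commands in order.
DRY_RUN=1 migrate_pv_to_luks vg0 /dev/sda5 /dev/sda6 crypt_pv
```

pvmove copies extents and does not wipe the source, so the old partition still holds plaintext until it is overwritten or reformatted with LUKS. On Debian the new mapping also needs an /etc/crypttab entry and a rebuilt initramfs before the volume group can be unlocked at boot.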
