John Hodrien wrote:
> On Wed, 13 Dec 2017, Kern, Thomas (CONTR) wrote:
>
>> If your requirement is for the entire system to be encrypted then I
>> think the only is a system rebuild, but if you can convince management
>> that a good compromise is encrypting only the applications and their
>> data, you should be able to add encrypted storage, copy the sensitive
>> files and wipe the old allocations. I have done this for a test system
>> encrypting a MySQL database instance and a web server instance, in
>> anticipation of an "encrypted at rest" directive coming down from
>> management.
>
> How about:
>
> Add temporary storage, encrypted, set as a PV, add to VG. Rebuild
> initramfs, and reboot, confirming that it properly unlocks the storage
> as expected. pvmove, delete internal PV and replace with encrypted PV,
> pvmove back?
>
> You'd hope that'd be quite tolerant of being interrupted in the middle.
>
> If you're happy that works, the same recipe should work without a reboot.
>
Or, as we're doing, make sure everyone's off, make a final full backup (I
assume you're doing nightly backups), rebuild, then restore from backup.

      mark
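
The recipe in John Hodrien's quoted message (temporary encrypted PV, pvmove off, re-create the internal PV on LUKS, pvmove back), written out as an added example that is not part of the original thread. The volume group, device and mapping names are constructed, `dracut -f` assumes a RHEL-family initramfs, and /boot is assumed to sit outside the volume group; the script only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example: dry-run walk through the pvmove-to-LUKS recipe.
# Every name below is constructed for illustration, not taken from the thread.
VG=${VG:-vg0}                  # volume group being migrated
OLD_PV=${OLD_PV:-/dev/sda2}    # existing unencrypted internal PV
TMP_DEV=${TMP_DEV:-/dev/sdb1}  # temporary disk, large enough for all used extents
DRY_RUN=${DRY_RUN:-1}          # 1 = only print the commands

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

add_crypttab() {  # $1 = mapping name, $2 = LUKS device
    if [ "$DRY_RUN" = 1 ]; then
        printf 'crypttab: %s UUID=<luksUUID of %s> none luks\n' "$1" "$2"
    else
        printf '%s UUID=%s none luks\n' "$1" "$(cryptsetup luksUUID "$2")" >> /etc/crypttab
    fi
}

encrypt_pv() {  # $1 = block device, $2 = mapping name
    run cryptsetup luksFormat "$1"      # destroys whatever is on $1
    run cryptsetup open "$1" "$2"
    run pvcreate "/dev/mapper/$2"
    run vgextend "$VG" "/dev/mapper/$2"
    add_crypttab "$2" "$1"
    run dracut -f                       # rebuild initramfs (RHEL-family assumption)
}

evacuate_pv() {  # $1 = PV to empty, $2 = PV receiving the extents
    run pvmove "$1" "$2"
    run vgreduce "$VG" "$1"
    run pvremove "$1"
}

# Stage 1: add the temporary encrypted PV, then reboot and confirm it unlocks.
stage1() { encrypt_pv "$TMP_DEV" crypt_tmp; }

# Stage 2: move off the internal PV, re-create it on LUKS, move back.
stage2() {
    evacuate_pv "$OLD_PV" /dev/mapper/crypt_tmp
    encrypt_pv "$OLD_PV" crypt_main
    evacuate_pv /dev/mapper/crypt_tmp /dev/mapper/crypt_main
    run cryptsetup close crypt_tmp
    # Then drop the crypt_tmp line from /etc/crypttab and rebuild the initramfs.
}

case "${1:-}" in
    stage1) stage1 ;;
    stage2) stage2 ;;
esac
```

luksFormat does not overwrite the old PV's data area, so any blocks the final pvmove does not rewrite still hold plaintext; that is where the "wipe the old allocations" step from the quoted message applies.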