[CentOS] LUKS question
John R Pierce
pierce at hogranch.com
Tue Dec 12 23:53:46 UTC 2017
On 12/12/2017 3:42 PM, Robert Nichols wrote:
> On 12/12/2017 08:41 AM, Wells, Roger K. wrote:
>> I have existing systems with un-encrypted disks.
>> I have tried unsuccessfully to encrypt them using LUKS.
>> Has anyone out there been able to encrypt an existing system (after
>> the fact, so to speak)?
>
> You can do that with cryptsetup-reencrypt, but it needs to be able to
> make space for the ~2MB LUKS header ahead of the filesystem in the
> partition. That's a fairly risky operation -- shrinking the filesystem
> slightly and shifting it over.
The whole reencrypt process is subject to complete failure if the system
reboots partly through, as there's no way to deal with partially
encrypted and partially cleartext.
> An alternative is LUKS with a detached header, but maintaining that
> relationship is an administrative headache with a severe penalty for
> error.
I'd say disk encryption in general is an admin headache with severe
penalty for error.
--
john r pierce, recycling bits in santa cruz