[CentOS] LUKS question

Wed Dec 13 15:50:35 UTC 2017
m.roth at 5-cent.us <m.roth at 5-cent.us>

John Hodrien wrote:
> On Wed, 13 Dec 2017, Kern, Thomas (CONTR) wrote:
>> If your requirement is for the entire system to be encrypted then I
>> think the only option is a system rebuild, but if you can convince
>> management that a good compromise is encrypting only the applications
>> and their data, you should be able to add encrypted storage, copy the
>> sensitive files and wipe the old allocations. I have done this for a
>> test system encrypting a MySQL database instance and a web server
>> instance, in anticipation of an "encrypted at rest" directive coming
>> down from management.
> How about:
> Add temporary storage, encrypted, set as a PV, add to VG.  Rebuild
> initramfs, and reboot, confirming that it properly unlocks the storage as
> expected.
> pvmove, delete internal PV and replace with encrypted PV, pvmove back?
> You'd hope that'd be quite tolerant of being interrupted in the middle.
> If you're happy that works, the same recipe should work without a reboot.
Or, as we're doing, make sure everyone's off, make a final full backup (I
assume you're doing nightly backups), rebuild, then restore from backup.
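The pvmove recipe John sketches above, written out as a script. This is an added example, not code from the thread or from any of the posters; the VG name, the device paths, the mapper names luks-tmp and luks-main, and the CentOS 7 boot tooling (dracut and grubby) are all assumptions to be replaced for a real system. Every destructive command goes through a small run() wrapper so that DRY_RUN=1 prints the plan instead of executing it; with DRY_RUN unset it runs the commands for real and needs root. Because the recipe includes a reboot to confirm the temporary volume unlocks, the work is split into two functions: stage_temp_pv runs first, then you reboot and check, then swap_to_encrypted does the two pvmoves.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: migrate an LVM VG off an
# unencrypted PV onto LUKS-encrypted PVs with pvmove, in two reboot-separated
# stages. All names below are placeholders. Take a full backup first.
set -eu

# Execute a command, or just print it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# LUKS UUID of a formatted device (fixed placeholder value in dry-run mode).
luks_uuid() {
  if [ -n "${DRY_RUN:-}" ]; then
    echo "00000000-0000-0000-0000-000000000000"
  else
    cryptsetup luksUUID "$1"
  fi
}

# Format $1 with LUKS (prompts for a passphrase), open it as /dev/mapper/$2,
# register it in /etc/crypttab so it is unlocked at boot, and add it to VG $3.
add_luks_pv() {
  dev=$1; name=$2; vg=$3
  run cryptsetup luksFormat "$dev"
  run cryptsetup luksOpen "$dev" "$name"
  uuid=$(luks_uuid "$dev")
  run sh -c "echo '$name UUID=$uuid none luks' >> /etc/crypttab"
  run pvcreate "/dev/mapper/$name"
  run vgextend "$vg" "/dev/mapper/$name"
}

# Tell dracut which LUKS volume must be unlocked before the VG activates,
# then rebuild the initramfs. grubby/dracut usage is the CentOS 7 form.
rebuild_boot() {
  uuid=$1
  run grubby --update-kernel=ALL --args="rd.luks.uuid=luks-$uuid"
  run dracut -f
}

# Move every extent from PV $2 to PV $3 in VG $1, then drop $2 from the VG.
# pvmove is restartable: a bare `pvmove` resumes a move that was interrupted.
drain_pv() {
  vg=$1; from=$2; to=$3
  run pvmove "$from" "$to"
  run vgreduce "$vg" "$from"
  run pvremove "$from"
}

# Stage 1: encrypt the spare disk, add it to the VG, rebuild the initramfs.
# Reboot afterwards and confirm /dev/mapper/luks-tmp unlocks and the VG
# activates before touching the original disk.
stage_temp_pv() {
  vg=$1; tmp_dev=$2
  add_luks_pv "$tmp_dev" luks-tmp "$vg"
  rebuild_boot "$(luks_uuid "$tmp_dev")"
}

# Stage 2 (after the reboot check): drain the old PV, encrypt it, add it back
# as luks-main, drain the temporary PV onto it, and retire the temporary PV.
swap_to_encrypted() {
  vg=$1; old_pv=$2
  drain_pv "$vg" "$old_pv" /dev/mapper/luks-tmp
  add_luks_pv "$old_pv" luks-main "$vg"
  rebuild_boot "$(luks_uuid "$old_pv")"
  drain_pv "$vg" /dev/mapper/luks-tmp /dev/mapper/luks-main
  run cryptsetup luksClose luks-tmp
  run sh -c "sed -i '/^luks-tmp /d' /etc/crypttab"
  run dracut -f
}
```

Usage is `DRY_RUN=1 sh -c '. ./luks-migrate.sh; stage_temp_pv vg_data /dev/sdb'` to read the plan, then the same without DRY_RUN as root, a reboot with the unlock check, and finally `swap_to_encrypted vg_data /dev/sda3`. Two caveats the script does not handle: /boot stays unencrypted (the kernel and initramfs must be readable to prompt for the passphrase), and a volume group whose root LV is in use is exactly the case where the reboot check between the two stages matters, since a missing rd.luks.uuid or crypttab entry only shows up as a dracut timeout at the next boot.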