path: root/src/guide/cryptexisting.md

% Encrypting existing drives

# Disclaimer
**It is not easily possible to use most of the methods described here
to encrypt existing drives without having to make and restore a backup.**

# Preparation: Making a backup
It is necessary to create a backup of your drive as encrypting will
erase your data.

## SquashFS
I like to use SquashFS as I don't have much backup
space:

```sh
apt update
apt install squashfs-tools

mksquashfs /media/drive/mountpoint /media/backup/mountpoint/drive.sqsh
```

The above commands all need to be run as root.

A major disadvantage of SquashFS is its slowness. It uses all CPU cores
but still takes a long time to complete depending on how much data is
being squashed.

## tar
If you can afford to store a raw copy, you can create it with `tar`.
The `tar` command is faster than `cp` or `rsync` for copying many
large files. Here's how to use it:

```sh
tar -c -C /media/drive/mountpoint . | \
tar --same-owner -xp -C /media/backup/location
```

Make sure you run this as root.

This is much faster compared to squashing but it requires much more
storage space.

# Wiping
This is optional but it's highly recommended to do if unencrypted data
used to be stored on the drive.
Some encryption tools such as OS installers do this automatically, but
pure cryptsetup does not. To be safe, wipe manually:

```sh
dd bs=1M if=/dev/urandom of=/dev/sdX
```

Once again only root can do this.

Replace `/dev/sdX` with the device file of the drive you want to encrypt.
You can specify a partition number if you only want to wipe a single
partition.

If you're still using an old kernel (<4.8) this is going to be slow.
Replace `/dev/urandom` with `/dev/zero` to counter this.

# Encrypting
There are three methods I have used.

## LVM + LUKS
This is recommended for drives with an operating system.

Do a complete reinstall and select the "encrypted LVM" option when
partitioning. Make sure to use a secure passphrase that you can still
remember.

This sets up LVM and LUKS.

## LUKS
Use this for external drives that are always connected to the same
machine.

Run the following commands as root:

```sh
cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 -y /dev/sdXY
cryptsetup luksOpen /dev/sdXY sdXY-crypt
mkfs.ext4 /dev/mapper/sdXY-crypt
cryptsetup luksClose sdXY-crypt
```

where sdXY is the name of the device file of the partition.

## VeraCrypt volume
This is useful if you want to use your drive in other places or on
other platforms. Follow the VeraCrypt instructions for this.

# Restoring the backup
No matter how you made your backup, `tar` is the way to restore it.
Before you do that you have to take care of some other things.

## SquashFS
Mount the SquashFS image:

```sh
mount /media/squashfs/location/drive.sqsh /media/backup/mountpoint
```

You now need to mount the encrypted device. This is quite easy to do
with VeraCrypt volumes. When you mount one the mountpoint is usually
`/media/veracryptX`. For LUKS it works like this:

```sh
cryptsetup luksOpen /dev/sdXY sdXY-crypt
mount /dev/mapper/sdXY-crypt /media/drive/mountpoint
```

LVM + LUKS is slightly different:

```sh
cryptsetup luksOpen /dev/sdXY sdXY-crypt
lvchange -ay hostname-vg/partitionname
mount /dev/hostname-vg/partitionname /media/drive/mountpoint
```

Now restore the backup:

```sh
tar -c -C /media/backup/mountpoint . | \
tar --same-owner -xp -C /media/drive/mountpoint
```

# Cleaning up
Now unmount the encrypted volume (if you don't want to use it yet)
and delete the SquashFS. Unmounting VeraCrypt volumes is easy
enough to not be documented here.

## Unmounting LUKS
```sh
umount /media/drive/mountpoint
cryptsetup luksClose sdXY-crypt
```

## Unmounting LVM + LUKS
```sh
umount /media/drive/mountpoint
lvchange -an hostname-vg/partitionname
cryptsetup luksClose sdXY-crypt
```

***WARNING: Store the SquashFS image on an encrypted drive
or wipe it securely! A simple `rm` won't do, especially with
solid state storage!***

[Return to Guide List](/cgi-bin/guides.lua)

[Return to Index Page](/cgi-bin/index.lua)