
I've been asked to encrypt the filesystem of a live server without affecting the operations or data. I normally install Redhat with encrypted filesystem, so the "how" is not the problem. I want to know if it is even possible to encrypt the filesystem without shrinking the partition, making a new partition, encrypting it, copying everything over, deleting the old partition, and resizing the new partition to fill the drives.

kainaw
  • Not possible. I would just set up a new server, then clone the data over and make a switch. – Tiffany Walker Jul 17 '13 at 17:41
  • It's theoretically possible to do: 1. grow physically, 2. grow the encrypted layer, then 3. grow the fs; or the other way round: 1. shrink the fs, 2. shrink the encrypted layer, then 3. shrink the partition. But this is overkill and dangerous, as a small error may render your partition unreadable. – F. Hauri - Give Up GitHub Jul 17 '13 at 19:20

2 Answers


You may be quicker re-creating a new partition that fits the target device and using another form of encryption for the transfer:

tar --one-file-system --numeric-owner -cpC / . |gzip |gpg -e -r username >file.tgz.gpg

Take care with open files; you had better do this in single-user mode (init 1). Or better: if / is an encrypted partition on an LVM2-partitioned system, you could use a snapshot with lvcreate -s, but you have to open another LUKS session to decrypt it before mounting it on a quiet mountpoint.

lvcreate -s -L 1G -n BkVolName VolGroup/VolName
cryptsetup luksOpen /dev/mapper/VolGroup-BkVolName bk_crypted
mount -o ro /dev/mapper/bk_crypted /mnt

tar -zcpC /mnt . | gpg -e -r username >file.tgz.gpg

umount /mnt
cryptsetup luksClose bk_crypted
lvremove -f VolGroup/BkVolName

Then, after moving the gpg-encrypted tarball to the destination host, re-create the encrypted partition and mount it on /mnt, for example:

cryptsetup --verbose --verify-passphrase luksFormat $DEVICE
cryptsetup luksOpen $DEVICE new_crypted
mount /dev/mapper/new_crypted /mnt

gpg -d <file.tgz.gpg | tar -zxvC /mnt

sync
umount /mnt
cryptsetup luksClose new_crypted

Doing so also lets you skip creating the file altogether and use the network directly at a low level, as in:

  • on source host:

    tar --one-file-system -zcpC / . | gpg -e -r uname | nc -q 0 -l -p 9900
    
  • then, once the first nc -l is running, on the destination host:

    nc sourceHostIPorName 9900 | gpg -d | tar -zxC /mnt
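The snapshot-then-stream procedure of this answer, collected into one script so that the order of operations and the cleanup are explicit. This is an added example, not the answerer's code: VolGroup/VolName, BkVolName, bk_crypted, /mnt/bk, the gpg recipient `username` and port 9900 are placeholders to edit before use. It goes beyond the commands above in three ways a practitioner would want: the snapshot is always unmounted, closed and removed on exit, including after an error; each pipeline runs under pipefail, so a tar or gzip failure is not hidden behind gpg's exit status; and tar is asked to keep numeric ids, ACLs, xattrs and SELinux contexts, which a RHEL root needs to come back usable on the new host. DRY_RUN=1 prints every command instead of running it, which is how the sequence should be reviewed first.

```shell
#!/bin/sh
# Added example (not the answerer's code). Snapshot an LVM-backed LUKS root,
# stream it through tar + gpg, and clean up even on failure.
# All names below are placeholders; DRY_RUN=1 prints commands instead of running them.
set -eu

VG="${VG:-VolGroup}"           # volume group holding the root LV (placeholder)
LV="${LV:-VolName}"            # logical volume that carries the LUKS container
SNAP="${SNAP:-BkVolName}"      # name for the snapshot LV
SNAP_SIZE="${SNAP_SIZE:-1G}"   # must absorb all writes to the origin while the backup runs
MAPPER="${MAPPER:-bk_crypted}" # device-mapper name for the opened snapshot
MNT="${MNT:-/mnt/bk}"          # quiet mountpoint for the read-only snapshot
RECIPIENT="${RECIPIENT:-username}"  # gpg public key the stream is encrypted to
DRY_RUN="${DRY_RUN:-0}"

# run: execute one simple command, or only print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# run_pipe: execute a pipeline string under pipefail so that a failing tar or
# gzip stage is reported, not masked by the exit status of the last stage.
run_pipe() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else bash -o pipefail -c "$1"; fi
}

# tar_opts: flags that keep a RHEL root restorable on another host: numeric
# uid/gid (no remapping by name), permissions, ACLs, xattrs and SELinux
# contexts, and no descent into /proc, /sys, /boot or other filesystems.
tar_opts() {
    printf '%s' '--one-file-system --numeric-owner --acls --xattrs --selinux -cp'
}

# cleanup: runs on every exit. A lingering snapshot fills up and is invalidated
# by LVM, and a stale LUKS mapping would block lvremove, so each step is undone.
cleanup() {
    run umount "$MNT" || true
    run cryptsetup luksClose "$MAPPER" || true
    run lvremove -f "$VG/$SNAP" || true
}

# snapshot_root: create the snapshot, open its LUKS layer read-only, mount it.
# /dev/$VG/$SNAP is used instead of /dev/mapper/$VG-$SNAP because LVM doubles
# hyphens in mapper names.
snapshot_root() {
    run lvcreate -s -L "$SNAP_SIZE" -n "$SNAP" "$VG/$LV"
    run cryptsetup luksOpen --readonly "/dev/$VG/$SNAP" "$MAPPER"
    run mkdir -p "$MNT"
    run mount -o ro "/dev/mapper/$MAPPER" "$MNT"
}

# backup_to_file: archive the mounted snapshot into a gpg-encrypted tarball.
backup_to_file() {
    run_pipe "tar $(tar_opts) -C '$MNT' . | gzip | gpg -e -r '$RECIPIENT' > '$1'"
}

# backup_over_net: same stream, served to the destination host, which runs
#   nc thishost PORT | gpg -d | tar --numeric-owner --acls --xattrs --selinux -xpC /mnt
backup_over_net() {
    run_pipe "tar $(tar_opts) -C '$MNT' . | gzip | gpg -e -r '$RECIPIENT' | nc -q 0 -l -p '$1'"
}

# verify_archive: decrypt and list the tarball to prove it is readable before
# the original server is touched.
verify_archive() {
    run_pipe "gpg -d < '$1' | tar -tz > /dev/null"
}

# main MODE [TARGET]: MODE is "file" (TARGET = output path) or "net" (TARGET = port).
main() {
    trap cleanup EXIT
    snapshot_root
    case "${1:-file}" in
        file) backup_to_file "${2:-/root/root.tgz.gpg}"; verify_archive "${2:-/root/root.tgz.gpg}" ;;
        net)  backup_over_net "${2:-9900}" ;;
        *)    echo "unknown mode: $1" >&2; return 2 ;;
    esac
}

# Only act when explicitly asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    main "${2:-file}" "${3:-}"
fi
```

Usage: `DRY_RUN=1 sh backup_root.sh --run file /root/root.tgz.gpg` prints the full sequence for review; drop DRY_RUN to execute it, and use `--run net 9900` to serve the stream to a waiting `nc` on the destination instead of writing a file. The restore side must pass the same `--numeric-owner --acls --xattrs --selinux` flags to tar, otherwise ownership and SELinux labels are not restored and the new root will need a relabel before it boots cleanly.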
    

Not possible using native tools. It may be possible to encrypt in-place using third-party tools, but I have no experience doing so on RHEL.

John