Example of simple dracut module for reencryption of system

LUKS drive on-the-fly.

Install in /usr/[share|lib]/dracut/modules.d/90reencrypt, then

build special initramfs "with dracut -a reencrypt -o crypt".

Reencrypt module doesn't work (has a conflict) with crypt module as

of now. After successful reencryption reboot using original initramfs.

Dracut then recognize argument rd.luks.reencrypt=name:size,

e.g. rd.luks.reencrypt=sda2:52G means only 52G of device

will be reencrypted (default is whole device).

(Name is kernel name of device.)

If there's more than single active keyslot in the target luks device

you're required to select one keyslot explicitly for reencryption via

rd.luks.reencrypt_keyslot=<keyslot_number> option. Bear in mind that

if you use this option, all other keyslots will get deactivated in the

process.

Another argument, rd.luks.reencrypt_key=/dev/sda:/path/to/keyfile

can be used to read password for specific keyslot from device containing

filesystem with a keyfile (file with a password). If you omit reencrypt_key

argument, reencryption would work only in case a LUKS container has

exactly one keyslot activated.

Arguments rd.luks.reencrypt_keyslot and rd.luks.reencrypt_key are not

mandatory.

Note that reencryption context is stored in ramdisk, any

fail can mean complete lost of data!

Copyright (C) 2012 Milan Broz <gmazyland@gmail.com>

This copyrighted material is made available to anyone wishing to use,

modify, copy, or redistribute it subject to the terms and conditions

of the GNU General Public License v.2.

You should have received a copy of the GNU General Public License

along with this program; if not, write to the Free Software Foundation,

Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.