Example of a simple dracut module for on-the-fly reencryption of the
system LUKS drive.
|
Install in /usr/[share|lib]/dracut/modules.d/90reencrypt, then
build a special initramfs with "dracut -a reencrypt -o crypt".
The reencrypt module doesn't work (has a conflict) with the crypt module
as of now. After successful reencryption, reboot using the original initramfs.
|
Dracut then recognizes the argument rd.luks.reencrypt=name:size,
e.g. rd.luks.reencrypt=sda2:52G means only 52G of the device
will be reencrypted (default is the whole device).
(Name is the kernel name of the device.)
|
If there is more than one active keyslot in the target LUKS device,
you're required to select one keyslot explicitly for reencryption via
the rd.luks.reencrypt_keyslot=<keyslot_number> option. Bear in mind that
if you use this option, all other keyslots will get deactivated in the
process.
|
Another argument, rd.luks.reencrypt_key=/dev/sda:/path/to/keyfile,
can be used to read the password for a specific keyslot from a device
containing a filesystem with a keyfile (a file with a password). If you
omit the reencrypt_key argument, reencryption works only if the LUKS
container has exactly one keyslot activated.
|
Arguments rd.luks.reencrypt_keyslot and rd.luks.reencrypt_key are not
mandatory.
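
A pre-flight check for the arguments described above, as an added example that is not part of the original README or of the dracut module: it parses a kernel command line and applies the keyslot rules as this README states them. The function names are hypothetical, and the active keyslot count is an input assumed to be read from "cryptsetup luksDump".

```shell
#!/bin/sh
# Constructed pre-flight check of the rd.luks.reencrypt* arguments against the
# rules stated in this README. Helper names are hypothetical, not the module's.

# get_arg NAME CMDLINE: print the value of the first NAME=value word.
get_arg() {
    for word in $2; do
        case "$word" in
            "$1"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

# check_reencrypt CMDLINE ACTIVE_KEYSLOTS
# ACTIVE_KEYSLOTS: number of active keyslots on the target device (assumption:
# supplied by the caller). Prints a verdict; returns 0 if the setup is usable.
check_reencrypt() {
    spec=$(get_arg rd.luks.reencrypt "$1") || { echo "ERROR: rd.luks.reencrypt not set"; return 1; }
    slot=$(get_arg rd.luks.reencrypt_keyslot "$1") || slot=
    key=$(get_arg rd.luks.reencrypt_key "$1") || key=
    name=${spec%%:*}
    size="whole device"                      # default when no :size is given
    case "$spec" in *:?*) size=${spec#*:} ;; esac
    case "$name" in
        ''|*/*) echo "ERROR: name must be a kernel device name such as sda2"; return 1 ;;
    esac
    case "$slot" in
        *[!0-9]*) echo "ERROR: keyslot must be a number"; return 1 ;;
    esac
    case "$key" in
        ''|?*:?*) ;;
        *) echo "ERROR: reencrypt_key must be device:/path/to/keyfile"; return 1 ;;
    esac
    if [ "$2" -gt 1 ] && [ -z "$slot" ]; then
        echo "ERROR: $2 active keyslots, rd.luks.reencrypt_keyslot is required"; return 1
    fi
    if [ -z "$key" ] && [ "$2" -ne 1 ]; then
        echo "ERROR: without rd.luks.reencrypt_key exactly one keyslot must be active"; return 1
    fi
    if [ -n "$slot" ] && [ "$2" -gt 1 ]; then
        echo "WARNING: $name ($size): every keyslot except $slot will be deactivated"
    else
        echo "OK: $name ($size)"
    fi
    return 0
}
```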
|
Note that the reencryption context is stored in the ramdisk; any
failure can mean complete loss of data!
|
Copyright (C) 2012 Milan Broz <gmazyland@gmail.com>
|
This copyrighted material is made available to anyone wishing to use,
modify, copy, or redistribute it subject to the terms and conditions
of the GNU General Public License v.2.
|
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software Foundation,
Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.