I would like to know if an existing root partition can be encrypted in place without damage, using cryptsetup. I am guessing that it cannot be done since the partition is mounted, but I would like verification.
No, you cannot encrypt in place.
You would need the following steps:
- Backup the root partition.
- Configure encryption.
- Restore from backup.
- Go to rescue mode to fix what you have broken.
- Probably need to reinstall grub. If “/boot” is part of the root partition, then you will need
GRUB_ENABLE_CRYPTODISK="y"
in “/etc/default/grub” before that reinstall.
- Rebuild the “initrd” (run “mkinitrd”).
As far as I know, this will only work if you are booting from the MBR or you are using UEFI booting. And, if booting from the MBR, you will need there to be sufficient space between the MBR and the first partition with traditional msdos partitioning or you will need a bios_boot partition for GPT partitioning.
I’ll note that you don’t seem to mention your openSUSE version. There might be additional complications depending on the version. With Leap 15.0 or later, it might be easier to reinstall and have the installer take care of the details. For Leap 42.3 or older, encrypted root partition was not available as an install option.
https://www.johannes-bauer.com/linux/luksipc/
You cannot encrypt in place mounted filesystem and of course encrypting root requires also additional steps so system remains bootable. But you can encrypt in place provided you have sufficient free space.
I thank everyone for confirming what I thought. I did not include an openSUSE version because I was asking concerning a linuxmint installation that I am playing with. In openSUSE I always encrypt root, and /home partitions during install. I use an independent boot partition. I suppose I could encrypt my linuxmint root and /home via openSUSE 15.1 since they are on the same machine and different drives. I guess the worst that could happen is that I would have to re-install linuxmint if it is unable to unlock the partitions during boot.
I opened this thread here because at the linuxmint forum, they seem to be very “GUI-centric”, plus I have been using openSUSE since 2007 and have learned that the help given at this forum is always accurate and concise.
Thanks again.