Move root partition to LVM, encrypt all volumes

Hi all,

I’ve a VPS, Leap 15.0, with root partition as a “plain” partition. All other mount points like /var, /srv, /home, /tmo as LVM logical volumes.

Would like to change it to get all partitions encrypted, preferable with a single pass phrase to be asked at boot time, not pass phrases for each logical volume / encrypted file system

I’m of course aware that LUKS/dmcrypt can only encrypt empty partitions, but I’ve enough space left on my VPS to create additional logical volumes and move the existing data to the newly created encrypted logical volumes. From new Leap installations I know, that it’s possible to start with a complete encrypted setup, but do we have any “recipes” how to get this afterwards, avoiding a complete new installation?

Not sure but I guess that for this it would be easier if the rooot partition would also be on a logical volume. Clear to me, that this could only be established when VPS is started with a rescue system, with all partitions / logical volumes are available, but not mounted. Question: If I move the root parition into a logical volume via the rescue system, what do I have to change to inform GRUB about these changes for the next boot?

When I switched to using an encrypted LVM (several years ago), I did that with a clean install. I first backed up “/home” and after the switch, I restored “/home” (now part of the encrypted LVM).

I have no experience with a VPS.

As for booting: There needs to be something unencrypted to get the booting started. If this is a UEFI system, then the EFI system partition is sufficient for that. If this is using legacy MBR booting, then you will need to be booting from the MBR rather than from the boot sector of a partition – unless you retain an unencrypted “/boot” partition.

No matter how you do it, you probably need to reinstall grub. That is to say, you would need to run “grub2-install” (with appropriate parameters) to setup booting for the encrypted LVM environment.

If you use a separate unencrypted “/boot”, then you will need to provide the encryption key after the kernel is loaded. If you do not use a separate unencrypted “/boot”, then you will also need to provide the encryption key to “grub” before it can access the boot menu. There are ways of avoiding the need to provide the encryption key twice (in case where of no separate unencrypted “/boot”), but best to set that up after they system is up and working.

That’s not sufficient by itself. You need unencrypted first stage code - boot sector + core.img. Legacy MBR partition layout leaves at most 31KiB for core.img which is likely not enough to accommodate encryption support in grub2 core.img. It is less of an issue using modern tools which start first partition on 1MiB boundary but may be a problem when reusing existing disk. So you do need to be booting from the MBR and need to make sure you have large enough post-MBR gap to store core.img.

@arvidjaar and @nrickert: Thank you very much for answering!

My VPS is based on kvm/qemu, I’ve once taken an Clonezilla based full image and recovered it to a virtual machine @home. Worked fine with legacy boot. I guess I’ll go the same way, make my desired changes to the “recovered” image at home and, once ready and booting fine, restore this changed (encrypted) image via the Clonezilla rescue system back to my hosting company.