I have Gentoo Linux installed on a 25.93GB/62.43GB partition /dev/sda4.
The other partitions on the disk are 150MB /boot on /dev/sda1 and 56.66GB unused space on the other two partitions.
I am planning to encrypt the unused space with dm-crypt, format it to ext4 and after migrating my installation onto it, to nuke the old partition. My questions here are:
- Is this possible at all? Or would it require many tweaks to get the installation running on the encrypted volume `/dev/sda2`?
- Is this an efficient way? Taking into consideration my 25.9GB Gentoo, would it be less hassle for me if I just encrypted the whole disk and installed Gentoo (and all the packages) again?
- Should I use `encfs` or `ecryptfs` instead of `dm-crypt` here? Would they provide equal security?
- What algorithm should I use to encrypt the partition? My processor does not have AES-NI.
- What should I use to sync the encrypted partition with the other one? Would something like `dcfldd` work for that?

Edit being written from migrated partition:

- After deleting the unused partitions and making a new unformatted `/dev/sda2`, I ran:

  ```
  cryptsetup luksFormat /dev/sda2
  cryptsetup luksOpen /dev/sda2 encrypt
  pv /dev/zero > /dev/mapper/encrypt
  ```

  `pv` here is used to monitor the progress of writing zeroes, and after this I formatted the encrypted partition to ext4 with `mkfs.ext4 /dev/mapper/encrypt`.

- To sync the partitions, I used YoMismo’s recommendation `rsync` after booting the PC from a live USB. It didn’t let me in with `chroot` though, I had to reboot my old partition and `chroot` from there instead. I ran in this process:

  ```
  mkdir /tmp/old_partition /tmp/new_encrypt
  mount /dev/sda4 /tmp/old_partition
  mount /dev/mapper/encrypt /tmp/new_encrypt
  cd /tmp/new_encrypt
  rsync -av /tmp/old_partition/* .
  ```

  and after rebooting the old partition `/dev/sda4`, opening and mounting `/dev/sda2` and mounting virtual kernel filesystems:

  - I made an `/etc/crypttab` with `root UUID=<uuid of /dev/sda2> none luks`
  - I altered `/etc/fstab` to tell my root partition is `UUID=<uuid of mapper>`.
  - I altered `/boot/grub/grub.conf`: I deleted `root=<root>` on the end of `kernel` line, and set a crypted device with `crypt_root=UUID=<uuid> root=/dev/mapper/root`.
  - I ran `genkernel --install --luks initramfs` to make new initramfs with luks support.

Now I can boot and run it, the only thing left is setting the old partition on fire.
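
An added example, not part of the original post: a shell check that the three files edited in the steps above (`/etc/crypttab`, `/etc/fstab`, `grub.conf`) agree with each other before rebooting. The function names and the sample UUIDs are made up for the illustration; it assumes a GRUB legacy `kernel` line and the `crypt_root=` parameter as used in the post.

```shell
#!/bin/sh
# Added example: cross-check the three files edited in the steps above.

# field N of the crypttab entry named NAME
crypttab_field() {  # FILE NAME N
    awk -v n="$2" -v f="$3" '$1 == n { print $f; exit }' "$1"
}
# device field of the "/" entry in fstab
fstab_root() {  # FILE
    awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }' "$1"
}
# value of KEY= on the first "kernel" line of a GRUB legacy grub.conf
kernel_arg() {  # FILE KEY
    awk -v k="$2" '$1 == "kernel" {
        for (i = 2; i <= NF; i++)
            if (index($i, k "=") == 1) { print substr($i, length(k) + 2); exit }
        exit }' "$1"
}
# returns 0 when the files agree, 1 otherwise; prints each mismatch
check_luks_root() {  # CRYPTTAB FSTAB GRUBCONF NAME
    rc=0
    src=$(crypttab_field "$1" "$4" 2)
    [ -n "$src" ] || { echo "crypttab: no entry named $4"; return 1; }
    case ",$(crypttab_field "$1" "$4" 4)," in
        *,luks,*) ;; *) echo "crypttab: luks option missing"; rc=1 ;;
    esac
    # crypt_root must name the LUKS container, root= the opened mapping
    [ "$(kernel_arg "$3" crypt_root)" = "$src" ] ||
        { echo "grub.conf: crypt_root differs from crypttab"; rc=1; }
    [ "$(kernel_arg "$3" root)" = "/dev/mapper/$4" ] ||
        { echo "grub.conf: root= is not /dev/mapper/$4"; rc=1; }
    # fstab must name the filesystem inside the mapping, not the container
    fs=$(fstab_root "$2")
    { [ -n "$fs" ] && [ "$fs" != "$src" ]; } ||
        { echo "fstab: / entry missing or points at the LUKS container"; rc=1; }
    return $rc
}

# Constructed sample files (placeholder UUIDs, not values from the post)
d=$(mktemp -d)
echo 'root UUID=1111-LUKS none luks' > "$d/crypttab"
echo 'UUID=2222-EXT4 / ext4 noatime 0 1' > "$d/fstab"
printf 'title Gentoo\nkernel /kernel crypt_root=UUID=1111-LUKS root=/dev/mapper/root\n' > "$d/grub.conf"
check_luks_root "$d/crypttab" "$d/fstab" "$d/grub.conf" root && echo "consistent"
```

On a real system the same function can be pointed at `/etc/crypttab`, `/etc/fstab` and `/boot/grub/grub.conf` with the mapping name `root`.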