SSD encryption possible after installation  [Solved]

When you run into problems installing MX Linux XFCE
Yunoha
Posts: 24
Joined: Sat Feb 01, 2025 9:51 am

SSD encryption possible after installation

#1 Post by Yunoha »

Hey everybody,

As per the subject, I was asking myself whether it is possible to encrypt an SSD also after installing MX Linux. If yes, how can this be accomplished? Otherwise, do I need to install MX Linux again?

Thanks for your help!

CharlesV
Global Moderator
Posts: 7764
Joined: Sun Jul 07, 2019 5:11 pm

Re: SSD encryption possible after installation

#2 Post by CharlesV »

Please post your QSI. ( MX Menu, Quick System Info, Copy for Forum, Paste here )
*QSI = Quick System Info from menu (Copy for Forum)
*MXPI = MX Package Installer
*Please check the solved checkbox on the post that solved it.
*Linux -This is the way!

Yunoha
Posts: 24
Joined: Sat Feb 01, 2025 9:51 am

Re: SSD encryption possible after installation

#3 Post by Yunoha »

CharlesV wrote: Fri Jul 18, 2025 4:58 pm Please post your QSI. ( MX Menu, Quick System Info, Copy for Forum, Paste here )

Code:

Snapshot created on: 20250206_1001
System:
  Kernel: 6.9.12-2-liquorix-amd64 [6.9-12~mx23ahs] arch: x86_64 bits: 64 compiler: gcc v: 12.2.0 parameters: audit=0
    intel_pstate=disable BOOT_IMAGE=/boot/vmlinuz-6.9.12-2-liquorix-amd64 root=UUID=<filter> ro
    quiet splash
  Desktop: Xfce v: 4.20.0 tk: Gtk v: 3.24.38 info: xfce4-panel wm: xfwm v: 4.20.0 vt: 7
    dm: LightDM v: 1.32.0 Distro: MX-23.6_x64 Libretto September 15  2024 base: Debian GNU/Linux 12
    (bookworm)
Machine:
  Type: Laptop System: LENOVO product: 83AM v: IdeaPad Pro 5 14APH8 serial: <superuser required>
    Chassis: type: 10 v: IdeaPad Pro 5 14APH8 serial: <superuser required>
  Mobo: LENOVO model: LNVNB161216 v: No DPK serial: <superuser required> UEFI: LENOVO v: MKCN33WW
    date: 04/09/2024
Battery:
  ID-1: BAT0 charge: 64.6 Wh (92.8%) condition: 69.6/75.0 Wh (92.9%) volts: 17.2 min: 15.6
    model: SMP L22M4PF3 type: Li-poly serial: <filter> status: discharging cycles: 282
CPU:
  Info: model: AMD Ryzen 7 7840HS with Radeon 780M Graphics bits: 64 type: MT MCP arch: Zen 4
    gen: 5 level: v4 note: check built: 2022+ process: TSMC n5 (5nm) family: 0x19 (25)
    model-id: 0x74 (116) stepping: 1 microcode: 0xA704104
  Topology: cpus: 1x cores: 8 tpc: 2 threads: 16 smt: enabled cache: L1: 512 KiB
    desc: d-8x32 KiB; i-8x32 KiB L2: 8 MiB desc: 8x1024 KiB L3: 16 MiB desc: 1x16 MiB
  Speed (MHz): avg: 1633 high: 4932 min/max: 400/5137 scaling: driver: amd-pstate-epp
    governor: performance cores: 1: 3293 2: 400 3: 4932 4: 400 5: 400 6: 400 7: 400 8: 400 9: 3286
    10: 400 11: 3572 12: 400 13: 3768 14: 400 15: 3286 16: 400 bogomips: 121364
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm
  Vulnerabilities:
  Type: gather_data_sampling status: Not affected
  Type: itlb_multihit status: Not affected
  Type: l1tf status: Not affected
  Type: mds status: Not affected
  Type: meltdown status: Not affected
  Type: mmio_stale_data status: Not affected
  Type: reg_file_data_sampling status: Not affected
  Type: retbleed status: Not affected
  Type: spec_rstack_overflow mitigation: Safe RET
  Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via prctl
  Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer sanitization
  Type: spectre_v2 mitigation: Enhanced / Automatic IBRS; IBPB: conditional; STIBP: always-on;
    RSB filling; PBRSB-eIBRS: Not affected; BHI: Not affected
  Type: srbds status: Not affected
  Type: tsx_async_abort status: Not affected
Graphics:
  Device-1: AMD Phoenix1 vendor: Lenovo Phoenix driver: amdgpu v: kernel arch: RDNA-3 code: Phoenix
    process: TSMC n4 (4nm) built: 2022+ pcie: gen: 4 speed: 16 GT/s lanes: 16 ports: active: eDP-1
    empty: DP-1, DP-2, DP-3, DP-4, DP-5, DP-6, HDMI-A-1, Writeback-1 bus-ID: 63:00.0
    chip-ID: 1002:15bf class-ID: 0300 temp: 26.0 C
  Device-2: Bison Integrated RGB Camera type: USB driver: uvcvideo bus-ID: 3-1:2
    chip-ID: 5986:215d class-ID: fe01 serial: <filter>
  Display: x11 server: X.Org v: 1.21.1.7 compositor: xfwm v: 4.20.0 driver: X: loaded: amdgpu
    unloaded: fbdev,modesetting,vesa dri: radeonsi gpu: amdgpu display-ID: :0.0 screens: 1
  Screen-1: 0 s-res: 2880x1800 s-dpi: 96 s-size: 763x477mm (30.04x18.78") s-diag: 900mm (35.43")
  Monitor-1: eDP-1 mapped: eDP model: TL140ADXP22-0 built: 2022 res: 2880x1800 hz: 60 dpi: 244
    gamma: 1.2 size: 300x190mm (11.81x7.48") diag: 355mm (14") ratio: 16:10 modes: max: 2880x1800
    min: 640x480
  API: OpenGL v: 4.6 Mesa 25.0.4-1~mx23ahs+1 renderer: AMD Radeon 780M (radeonsi phoenix LLVM
    15.0.6 DRM 3.57 6.9.12-2-liquorix-amd64) direct-render: Yes
Audio:
  Device-1: AMD Rembrandt Radeon High Definition Audio vendor: Lenovo driver: snd_hda_intel
    v: kernel pcie: gen: 4 speed: 16 GT/s lanes: 16 bus-ID: 63:00.1 chip-ID: 1002:1640 class-ID: 0403
  Device-2: AMD ACP/ACP3X/ACP6x Audio Coprocessor vendor: Lenovo driver: snd_pci_ps v: kernel
    alternate: snd_pci_acp3x, snd_rn_pci_acp3x, snd_pci_acp5x, snd_pci_acp6x, snd_acp_pci,
    snd_rpl_pci_acp6x, snd_sof_amd_renoir, snd_sof_amd_rembrandt, snd_sof_amd_vangogh,
    snd_sof_amd_acp63 pcie: gen: 4 speed: 16 GT/s lanes: 16 bus-ID: 63:00.5 chip-ID: 1022:15e2
    class-ID: 0480
  Device-3: AMD Family 17h/19h/1ah HD Audio vendor: Lenovo driver: snd_hda_intel v: kernel pcie:
    gen: 4 speed: 16 GT/s lanes: 16 bus-ID: 63:00.6 chip-ID: 1022:15e3 class-ID: 0403
  API: ALSA v: k6.9.12-2-liquorix-amd64 status: kernel-api tools: alsamixer,amixer
  Server-1: PipeWire v: 1.0.0 status: active with: 1: pipewire-pulse status: active
    2: wireplumber status: active 3: pipewire-alsa type: plugin 4: pw-jack type: plugin
    tools: pactl,pw-cat,pw-cli,wpctl
Network:
  Device-1: MEDIATEK MT7922 802.11ax PCI Express Wireless Network Adapter vendor: Lenovo
    driver: mt7921e v: kernel modules: wl pcie: gen: 2 speed: 5 GT/s lanes: 1 bus-ID: 01:00.0
    chip-ID: 14c3:0616 class-ID: 0280
  IF: wlan0 state: down mac: <filter>
Bluetooth:
  Device-1: Foxconn / Hon Hai Wireless_Device type: USB driver: btusb v: 0.8 bus-ID: 1-5:2
    chip-ID: 0489:e0d8 class-ID: e001 serial: <filter>
  Report: hciconfig ID: hci0 rfk-id: 2 state: down bt-service: N/A rfk-block: hardware: no
    software: yes address: <filter>
  Info: acl-mtu: 1021:6 sco-mtu: 240:8 link-policy: rswitch sniff link-mode: peripheral accept
Drives:
  Local Storage: total: 2.29 TiB used: 427.72 GiB (18.3%)
  SMART Message: Unable to run smartctl. Root privileges required.
  ID-1: /dev/nvme0n1 maj-min: 259:0 vendor: Western Digital model: WD PC SN740 SDDPMQD-512G-1101
    size: 476.94 GiB block-size: physical: 512 B logical: 512 B speed: 63.2 Gb/s lanes: 4 type: SSD
    serial: <filter> rev: 73116001 temp: 23.9 C scheme: GPT
  ID-2: /dev/sda maj-min: 8:0 type: USB vendor: Western Digital model: WD20SDRW-11VUUS0
    size: 1.82 TiB block-size: physical: 512 B logical: 512 B type: HDD rpm: 5400 serial: <filter>
    rev: 1026 scheme: GPT
Partition:
  ID-1: / raw-size: 476.69 GiB size: 468.13 GiB (98.21%) used: 73.21 GiB (15.6%) fs: ext4
    dev: /dev/nvme0n1p2 maj-min: 259:2
  ID-2: /boot/efi raw-size: 256 MiB size: 252 MiB (98.46%) used: 32.3 MiB (12.8%) fs: vfat
    dev: /dev/nvme0n1p1 maj-min: 259:1
Swap:
  Kernel: swappiness: 15 (default 60) cache-pressure: 100 (default)
  ID-1: swap-1 type: file size: 5 GiB used: 0 KiB (0.0%) priority: -2 file: /swap/swap
Sensors:
  System Temperatures: cpu: 31.5 C mobo: N/A gpu: amdgpu temp: 26.0 C
  Fan Speeds (RPM): N/A
Repos:
  Packages: pm: dpkg pkgs: 2722 libs: 1214 tools: apt,apt-get,aptitude,nala,synaptic pm: rpm
    pkgs: 0 pm: flatpak pkgs: 0
  No active apt repos in: /etc/apt/sources.list
  Active apt repos in: /etc/apt/sources.list.d/debian-stable-updates.list
    1: deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
  Active apt repos in: /etc/apt/sources.list.d/debian.list
    1: deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
    2: deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
  Active apt repos in: /etc/apt/sources.list.d/mx.list
    1: deb https://ftp.rnl.tecnico.ulisboa.pt/pub/mxlinux-packages/mx/repo/ bookworm main non-free
    2: deb https://ftp.rnl.tecnico.ulisboa.pt/pub/mxlinux-packages/mx/repo/ bookworm ahs
  Active apt repos in: /etc/apt/sources.list.d/extrepo_librewolf.sources
    1: deb [arch=amd64 arm64] https://repo.librewolf.net librewolf main
Info:
  Processes: 479 Uptime: 11d 7h 18m wakeups: 23505 Memory: 27.1 GiB used: 3.28 GiB (12.1%)
  Init: SysVinit v: 3.06 runlevel: 5 default: graphical tool: systemctl Compilers: gcc: 12.2.0
  alt: 12 Client: shell wrapper v: 5.2.15-release inxi: 3.3.26
Boot Mode: UEFI

CharlesV
Global Moderator
Posts: 7764
Joined: Sun Jul 07, 2019 5:11 pm

Re: SSD encryption possible after installation

#4 Post by CharlesV »

I believe you can do either a LUKS encryption or VeraCrypt encryption. Both are different but achieve the same goal (i.e. an encrypted drive / partition once done).

LUKS
https://techblog.dev/posts/2022/03/encr ... tallation/

https://www.cyberciti.biz/security/howt ... p-command/

Or using VeraCrypt
https://www.baeldung.com/linux/encrypt-partition

https://computingforgeeks.com/encrypt-f ... veracrypt/


Personally, I prefer VeraCrypt, but many people just use LUKS.

Yunoha
Posts: 24
Joined: Sat Feb 01, 2025 9:51 am

Re: SSD encryption possible after installation

#5 Post by Yunoha »

Thanks for your help and the links.
I suppose LUKS encryption is the default encryption which is also used during the installation process?

DukeComposed
Posts: 1465
Joined: Thu Mar 16, 2023 1:57 pm

Re: SSD encryption possible after installation  [Solved]

#6 Post by DukeComposed »

CharlesV wrote: Fri Jul 18, 2025 5:19 pm I believe you can do either a LUKS encryption or VeraCrypt encryption. Both are different but achieve the same goal (i.e. an encrypted drive / partition once done).

Personally, I prefer VeraCrypt, but many people just use LUKS.

I can't speak to VeraCrypt, but I have experience with LUKS. LUKS uses an encrypted container approach. I think OP is asking about doing an in-place conversion from an unencrypted disk to an encrypted disk, which LUKS doesn't do by any capacity of which I am aware. The link you've provided to encrypt /home on an existing install is basically "back up /home, make a new LUKS container, copy /home into it, then switch over to it".

In Windows, the built-in BitLocker volume encryption software can be enabled after the fact and I just don't think this is easily done in Linux. To do this in Linux will require support in the bootloader if OP wants to encrypt the root partition, or will require making a new encrypted container of some kind, copying unencrypted data into it, then switching over to the encrypted container and deleting the unencrypted data.

One can usually encrypt data after the fact with LUKS or VeraCrypt or encfs or some other unnamed interface. Having a black box to put things in can be done, but setting up the root partition to be a black box in its own right is a lot more work. Can it be done after the fact? I think so. Should it be done after the fact? I feel that if one is asking the question, one doesn't have the experience to do it correctly and safely.

To achieve this, one would have to perform steps similar to the following:
  1. Boot into a live session
  2. Export the root partition to somewhere safe
  3. Reformat the root partition
  4. Use cryptsetup to create a new LUKS container and open it (LUKSv1 only! GRUB doesn't always like LUKSv2)
  5. Copy all the root data into the LUKS container
  6. chroot into the LUKS container (don't forget the /dev, /dev/pty, /proc, and /sys mountpoints and to symlink /etc/mtab to /proc/self/mounts)
  7. Edit /etc/default/grub and /etc/crypttab
  8. Build new initramfs
  9. Update GRUB
  10. Cross fingers
This is not trivial. This is not simple for beginners to do. It is very easy to mess up and render your machine unbootable. As someone who's spent a lot of time figuring out how to build encrypted ZFS-on-root installs for fun, I speak with some experience, albeit only a small quantity, on the matter. You will mess this up if you try it. I did. You will likely lose data. I have. No, you will not be sure of why. There are a lot of pieces that have to work together perfectly, and if you aren't comfortable with cryptsetup and whatever "keyscript=/bin/cat" means when you have to put it into a crypttab, you're gonna have a bad time.

It is easier to reinstall, period.

Is it possible to convert a machine to an encrypted root partition when it wasn't installed that way? Yes. Should you convert it anyway? Not until you have a clue and a half what you're doing and even then it's risky. How risky is it? I wouldn't try it myself unless you put a gun to my head. I'd rather export my data, reinstall, and copy the data back to the new machine.
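
The live-session steps listed in post #6, laid out as a dry-run planner. This is an added example, not part of the original post and not an MX Linux tool: it only prints commands and never runs them. The device names come from the QSI in post #3; the mapping name, mount points, backup path and the final grub-install call (for a UEFI system with /boot inside the container) are assumptions.

```shell
#!/bin/sh
# Added example: prints (never runs) the commands for the steps in post #6.
set -eu
ROOT_DEV="${ROOT_DEV:-/dev/nvme0n1p2}"         # root partition per the QSI in post #3
ESP_DEV="${ESP_DEV:-/dev/nvme0n1p1}"           # /boot/efi per the same QSI
MAPPER="${MAPPER:-root_crypt}"                 # hypothetical mapping name
OLD="${OLD:-/mnt/old}"; NEW="${NEW:-/mnt/new}" # hypothetical mount points
BACKUP="${BACKUP:-/media/backup/root.tar}"     # hypothetical backup location

# Step 1 guard: succeeds if DEV is mounted as / according to MOUNTS_FILE.
root_in_use() { awk -v d="$1" '$1 == d && $2 == "/" { f = 1 } END { exit !f }' "$2"; }

# Step 7 fragments. crypttab fields: name, source, key file, options.
crypttab_line() { printf '%s UUID=%s none luks\n' "$1" "$2"; }
fstab_line()    { printf '/dev/mapper/%s / ext4 defaults 0 1\n' "$1"; }
grub_default()  { printf 'GRUB_ENABLE_CRYPTODISK=y\n'; }  # /boot is inside the container

plan() {
  if root_in_use "$ROOT_DEV" "${1:-/proc/mounts}"; then
    echo "refusing: $ROOT_DEV is the running root; boot a live session" >&2
    return 1
  fi
  cat <<EOF
# 2. export the root partition
mount -o ro $ROOT_DEV $OLD
tar --xattrs --acls --numeric-owner -cpf $BACKUP -C $OLD .
umount $OLD
# 3-4. reformat as a LUKS1 container, open it, create the filesystem
cryptsetup luksFormat --type luks1 $ROOT_DEV
cryptsetup open $ROOT_DEV $MAPPER
mkfs.ext4 /dev/mapper/$MAPPER
# 5. copy the root data back
mount /dev/mapper/$MAPPER $NEW
tar --xattrs --acls --numeric-owner -xpf $BACKUP -C $NEW
# 6. prepare the chroot (devpts is bound at dev/pts)
mount $ESP_DEV $NEW/boot/efi
for d in dev dev/pts proc sys; do mount --bind /\$d $NEW/\$d; done
# 7. write crypttab_line, fstab_line and grub_default output into
#    $NEW/etc (UUID from: cryptsetup luksUUID $ROOT_DEV)
# 8-9. rebuild the initramfs and GRUB
chroot $NEW update-initramfs -u -k all
chroot $NEW update-grub
chroot $NEW grub-install --target=x86_64-efi --efi-directory=/boot/efi
EOF
}
if [ "${1:-}" = "--plan" ]; then plan; fi
```

Run it with `--plan` from a live session to review the sequence before typing anything by hand; it refuses when the target partition is the currently mounted root.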

CharlesV
Global Moderator
Posts: 7764
Joined: Sun Jul 07, 2019 5:11 pm

Re: SSD encryption possible after installation

#7 Post by CharlesV »

Well.. I just went and checked and VeraCrypt has apparently removed the "System" option for Linux :-( .. so .. not sure how that can work any more on system partitions. I will dive more into this. I have two machines that are set up like this from several years ago, but I have not checked in on them for a while either.

rod178
Posts: 47
Joined: Mon Nov 15, 2021 11:38 am

Re: SSD encryption possible after installation

#8 Post by rod178 »

Have a look at fscrypt.

You can use fscrypt to encrypt specific directories (e.g., /home) on your SSD; this is the most practical approach without reinstalling.

BitterTruth
Posts: 658
Joined: Tue Sep 22, 2020 7:36 pm

Re: SSD encryption possible after installation

#9 Post by BitterTruth »

There appears to be a utility called LUKSipc - (LUKS-In-Place_Conversion tool) which seems to do conversion on the fly. Don't know when it was last updated though.

https://www.johannes-bauer.com/linux/luksipc/

Although there are some risks involved and another alternative might be better:

https://johndoe31415.github.io/luksipc/

If you don't want to do that then the Arch wiki has this (section 5.3.1):

https://wiki.archlinux.org/title/Dm-cry ... filesystem

A walkthrough here, based off the Arch wiki, that uses a script:
https://blog.williamdes.eu/Infrastruct ... with-luks/

A method for encrypting just the /home and swap (inc vid):

https://jumpcloud.com/blog/how-to-encry ... stallation
Last edited by BitterTruth on Sat Jul 19, 2025 6:39 am, edited 1 time in total.

DukeComposed
Posts: 1465
Joined: Thu Mar 16, 2023 1:57 pm

Re: SSD encryption possible after installation

#10 Post by DukeComposed »

BitterTruth wrote: Sat Jul 19, 2025 6:25 am there appears to be a utility called LUKSipc - (LUKS-In-Place_Conversion tool) which seems to do conversion on the fly. Don't know when it was last updated though.

2015: https://www.johannes-bauer.com/linux/luksipc/#anchor13
