diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 00:31:19 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 00:31:19 +0000 |
commit | 6e33fee6f4a7e2041dd276995b402ca036fcab14 (patch) | |
tree | 85be5c41f2715d7d4d24cfa220197f1e2c778259 /misc/dracut_90reencrypt/README | |
parent | Initial commit. (diff) | |
download | cryptsetup-upstream.tar.xz cryptsetup-upstream.zip |
Adding upstream version 2:2.1.0.upstream/2%2.1.0upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | misc/dracut_90reencrypt/README | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/misc/dracut_90reencrypt/README b/misc/dracut_90reencrypt/README new file mode 100644 index 0000000..0672949 --- /dev/null +++ b/misc/dracut_90reencrypt/README @@ -0,0 +1,40 @@ +Example of simple dracut module for reencryption of system +LUKS drive on-the-fly. + +Install in /usr/[share|lib]/dracut/modules.d/90reencrypt, then +build special initramfs "with dracut -a reencrypt -o crypt". +Reencrypt module doesn't work (has a conflict) with crypt module as +of now. After successful reencryption reboot using original initramfs. + +Dracut then recognize argument rd.luks.reencrypt=name:size, +e.g. rd.luks.reencrypt=sda2:52G means only 52G of device +will be reencrypted (default is whole device). +(Name is kernel name of device.) + +If there's more than single active keyslot in the target luks device +you're required to select one keyslot explicitly for reencryption via +rd.luks.reencrypt_keyslot=<keyslot_number> option. Bear in mind that +if you use this option, all other keyslots will get deactivated in the +process. + +Another argument, rd.luks.reencrypt_key=/dev/sda:/path/to/keyfile +can be used to read password for specific keyslot from device containing +filesystem with a keyfile (file with a password). If you omit reencrypt_key +argument, reencryption would work only in case a LUKS container has +exactly one keyslot activated. + +Arguments rd.luks.reencrypt_keyslot and rd.luks.reencrypt_key are not +mandatory. + +Note that reencryption context is stored in ramdisk, any +fail can mean complete lost of data! + +Copyright (C) 2012 Milan Broz <gmazyland@gmail.com> + +This copyrighted material is made available to anyone wishing to use, +modify, copy, or redistribute it subject to the terms and conditions +of the GNU General Public License v.2. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software Foundation, +Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |