path: root/misc/dracut_90reencrypt/README
Example of a simple dracut module for on-the-fly reencryption of a
system LUKS drive.

Install in /usr/[share|lib]/dracut/modules.d/90reencrypt, then
build a special initramfs with "dracut -a reencrypt -o crypt".
The reencrypt module doesn't work together with the crypt module
(the two conflict) as of now. After successful reencryption, reboot
using the original initramfs.

Dracut then recognizes the argument rd.luks.reencrypt=name:size,
e.g. rd.luks.reencrypt=sda2:52G means only 52G of the device
will be reencrypted (default is the whole device).
(Name is the kernel name of the device.)

If there's more than a single active keyslot in the target LUKS device,
you're required to select one keyslot explicitly for reencryption via
the rd.luks.reencrypt_keyslot=<keyslot_number> option. Bear in mind that
if you use this option, all other keyslots will get deactivated in the
process.

Another argument, rd.luks.reencrypt_key=/dev/sda:/path/to/keyfile,
can be used to read the password for a specific keyslot from a device
containing a filesystem with a keyfile (a file with a password). If you
omit the reencrypt_key argument, reencryption will work only if the LUKS
container has exactly one keyslot activated.

The arguments rd.luks.reencrypt_keyslot and rd.luks.reencrypt_key are
not mandatory.
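The following is an added example, not the module's own code: a POSIX sh parser for the rd.luks.reencrypt* arguments described above, with the validation a dracut hook should do before it touches the device, and a check of the keyslot rules stated here. The function names and the assumption that the key spec is a device node plus an absolute path are mine.

```shell
#!/bin/sh
# Added example (not the 90reencrypt module's code): parse and validate the
# rd.luks.reencrypt* kernel arguments and apply the README's keyslot rules.

# cmdline_value CMDLINE KEY -> prints the value of "KEY=value", fails if absent.
cmdline_value() {
    for word in $1; do
        case "$word" in "$2="*) printf '%s\n' "${word#*=}"; return 0 ;; esac
    done
    return 1
}

# parse_reencrypt CMDLINE -> prints "name size keyslot keydev keyfile",
# using "-" for fields that were not given; fails on malformed values.
parse_reencrypt() {
    spec=$(cmdline_value "$1" rd.luks.reencrypt) || { echo "rd.luks.reencrypt missing" >&2; return 1; }
    name=${spec%%:*}; size=-
    case "$spec" in *:*) size=${spec#*:} ;; esac
    # Name is the kernel device name (e.g. sda2), never a path.
    case "$name" in ''|*/*) echo "bad device name '$name'" >&2; return 1 ;; esac
    # Size is a number with an optional K/M/G/T suffix, e.g. 52G.
    printf '%s' "$size" | grep -Eq '^(-|[0-9]+[KMGT]?)$' || { echo "bad size '$size'" >&2; return 1; }
    keyslot=$(cmdline_value "$1" rd.luks.reencrypt_keyslot) || keyslot=-
    # LUKS1 has keyslots 0..7.
    printf '%s' "$keyslot" | grep -Eq '^(-|[0-7])$' || { echo "bad keyslot '$keyslot'" >&2; return 1; }
    key=$(cmdline_value "$1" rd.luks.reencrypt_key) || key=-
    keydev=-; keyfile=-
    if [ "$key" != - ]; then
        # Assumption: "/dev/node:/absolute/path" split at the first colon.
        case "$key" in
            /*:/*) keydev=${key%%:*}; keyfile=${key#*:} ;;
            *) echo "bad key spec '$key'" >&2; return 1 ;;
        esac
    fi
    printf '%s %s %s %s %s\n' "$name" "$size" "$keyslot" "$keydev" "$keyfile"
}

# keyslot_policy ACTIVE_SLOTS KEYSLOT KEYDEV -> succeeds only when the README's
# rules allow reencryption: with several active keyslots one must be selected
# explicitly, and without reencrypt_key exactly one active keyslot is required.
keyslot_policy() {
    if [ "$1" -gt 1 ] && [ "$2" = - ]; then
        echo "several active keyslots: set rd.luks.reencrypt_keyslot" >&2; return 1
    fi
    if [ "$3" = - ] && [ "$1" -ne 1 ]; then
        echo "no rd.luks.reencrypt_key: exactly one active keyslot required" >&2; return 1
    fi
    return 0
}
```

The active keyslot count passed to keyslot_policy would come from inspecting the LUKS header on the real device; here it is supplied by the caller so the logic can be exercised offline.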

Note that the reencryption context is stored in the ramdisk; any
failure can mean complete loss of data!

Copyright (C) 2012 Milan Broz <gmazyland@gmail.com>

This copyrighted material is made available to anyone wishing to use,
modify, copy, or redistribute it subject to the terms and conditions
of the GNU General Public License v.2.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software Foundation,
Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.