action #128696


add reencryption

Added by lnussel 5 months ago. Updated 3 months ago.
On first boot, before any credentials such as passwords or ssh keys are created, offer a way to encrypt the full hard disk.

Manual steps to do that:

boot microos image from
in a VM:

    qemu-system-x86_64 -enable-kvm -device virtio-blk,drive=hd1 -drive file=*.qcow2,cache=unsafe,if=none,id=hd1 -machine type=q35,accel=kvm -object rng-random,id=rng0,filename=/dev/urandom -device virtio-rng-pci,rng=rng0 -smp 2 -device virtio-serial-pci -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -vga virtio -spice port=5930,disable-ticketing -bios /usr/share/qemu/ovmf-x86_64-ms.bin -m 1024 -chardev stdio,mux=on,signal=off,id=serial0 -mon chardev=serial0,mode=readline -chardev pty,id=con1 -device virtconsole,chardev=con1 -serial chardev:serial0

Finish first boot wizard, then log in as root.

update initrd to include cryptsetup:

    dracut --add-drivers dm-crypt -a crypt -I /usr/sbin/cryptsetup -f /boot/efi/opensuse-microos/*/initrd-*

resize file systems (FIXME: figure out proper amount):

    btrfs filesystem resize 2G /root
    btrfs filesystem resize 2G /var

reboot telling systemd-boot to show the menu:

    systemctl reboot --boot-loader-menu=3

In the menu press 'e' and append the following command line:


The system will drop into emergency mode. Enter root password. Then reencrypt the root device:

    echo 12345 | cryptsetup reencrypt --encrypt --type luks2 --reduce-device-size 32m -q --force-password /dev/vda3
    echo 12345 | cryptsetup reencrypt --encrypt --type luks2 --reduce-device-size 32m -q --force-password /dev/vda4

Open the new luks device and mount it:

    cryptsetup open /dev/vda3 cr_root
    mount -o rw /dev/mapper/cr_root /sysroot

Change the root volume to read-write, create crypttab, then switch to ro again:

    btrfs prop set -t s /sysroot ro false
    echo cr_root /dev/vda3 none x-initrd.attach > /sysroot/etc/crypttab
    echo cr_var /dev/vda4 none x-initrd.attach >> /sysroot/etc/crypttab
    btrfs prop set -t s /sysroot ro true
    mount -o remount,ro /sysroot

Open and mount /var:

    cryptsetup open /dev/vda4 cr_var
    mount /dev/mapper/cr_var /sysroot/var

Exit the shell; the system should continue to boot.

When booted, log in as root and rebuild the initrd so it finds the LUKS devices:

    dracut -f /boot/efi/opensuse-microos/*/initrd-*

Resize volumes to full size again:

    btrfs filesystem resize max /root
    btrfs filesystem resize max /var
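The manual steps above, wrapped into one shell function with the checks a practitioner would want before running them unattended (example added here, not the ticket's own script): it refuses a device that is still mounted, skips one already converted so a rerun is safe, and produces the same crypttab entries. It assumes the ticket's layout (/dev/vda3 as cr_root, /dev/vda4 as cr_var), the passphrase in `LUKS_PASSPHRASE`, `DRY_RUN=1` to print the privileged commands instead of executing them, and a hypothetical `MOUNTS_FILE` override of /proc/mounts for offline checks.

```shell
#!/bin/sh
# Added example, not the ticket's own script: the manual steps above as one
# function with safety checks. Assumes the ticket's layout (/dev/vda3 -> cr_root,
# /dev/vda4 -> cr_var), the passphrase in $LUKS_PASSPHRASE, and DRY_RUN=1 to
# print privileged commands instead of running them. MOUNTS_FILE (hypothetical)
# overrides /proc/mounts so the mounted-device check can be exercised offline.

# run CMD...: execute CMD, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# device_in_use DEV: exit 0 if DEV appears as a mounted source device.
# Reencrypting a mounted filesystem in place would corrupt it.
device_in_use() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }' \
        "${MOUNTS_FILE:-/proc/mounts}"
}

# crypttab_line NAME DEV: the entry the ticket writes by hand;
# x-initrd.attach tells systemd to open the device already in the initrd.
crypttab_line() {
    printf '%s %s none x-initrd.attach\n' "$1" "$2"
}

# reencrypt_device NAME DEV: encrypt DEV in place as LUKS2 and open it as NAME.
# Refuses a mounted device; skips one that is already LUKS so a rerun is safe.
reencrypt_device() {
    name=$1 dev=$2
    if device_in_use "$dev"; then
        echo "refusing: $dev is mounted" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" != "1" ] && cryptsetup isLuks "$dev"; then
        echo "skipping: $dev is already LUKS" >&2
        return 0
    fi
    # --reduce-device-size needs the 32m headroom freed by the btrfs resize
    # step above; the passphrase is piped, never passed as an argument.
    printf '%s' "$LUKS_PASSPHRASE" | run cryptsetup reencrypt --encrypt \
        --type luks2 --reduce-device-size 32m -q --force-password "$dev" || return 1
    run cryptsetup open "$dev" "$name"
}
```

Run with `DRY_RUN=1 LUKS_PASSPHRASE=... sh -c '. ./reencrypt.sh; reencrypt_device cr_root /dev/vda3'` first to review the commands it would issue; the crypttab lines from `crypttab_line` are appended to /sysroot/etc/crypttab exactly as in the ticket.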

Actions #1

Updated by lnussel 5 months ago

  • Description updated (diff)

Actions #2

Updated by lnussel 5 months ago

  • Description updated (diff)

Actions #3

Updated by lnussel 5 months ago

  • Description updated (diff)

Actions #4

Updated by lnussel 3 months ago

script for sle
could be added to initrd