| Example of simple dracut module for reencryption of system |
| LUKS drive on-the-fly. |
| |
| Install in /usr/[share|lib]/dracut/modules.d/90reencrypt, then |
| build special intramfs "with dracut -a reencrypt -o crypt". |
| Reencrypt module doesn't work (has a conflict) with crypt module as |
| of now. After successfull reencryption reboot using original initramfs. |
| |
| Dracut then recognize argument rd.luks.reencrypt=name:size, |
| e.g. rd.luks.reencrypt=sda2:52G means only 52G of device |
| will be reencrypted (default is whole device). |
| (Name is kernel name of device.) |
| |
| If there's more than single active keyslot in the target luks device |
| you're required to select one keyslot explicitly for reencryption via |
| rd.luks.reencrypt_keyslot=<keyslot_number> option. Bear in mind that |
| if you use this option, all other keyslots will get deactivated in the |
| process. |
| |
| Another argument, rd.luks.reencrypt_key=/dev/sda:/path/to/keyfile |
| can be used to read password for specific keyslot from device containing |
| filesystem with a keyfile (file with a password). If you omit reencrypt_key |
| argument, reencryption would work only in case a LUKS container has |
| exactly one keyslot activated. |
| |
| Arguments rd.luks.reencrypt_keyslot and rd.luks.reencrypt_key are not |
| mandatory. |
| |
| Note that reencryption context is stored in ramdisk, any |
| fail can mean complete lost of data! |
| |
| Copyright (C) 2012 Milan Broz <gmazyland@gmail.com> |
| |
| This copyrighted material is made available to anyone wishing to use, |
| modify, copy, or redistribute it subject to the terms and conditions |
| of the GNU General Public License v.2. |
| |
| You should have received a copy of the GNU General Public License |
| along with this program; if not, write to the Free Software Foundation, |
| Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
