
I'm currently working on RHEL 8.9 and attempting to harden a VM of mine, and looking into applying the crypto_LUKS encryption to my active partitions. When I check my partitions using the blkid command, I see two partitions with the "xfs" type, one with "swap" type, and one with "LVM2_member" type. My goal is to convert all of them to the crypto_LUKS format.

Whenever I attempt to use the cryptsetup luksFormat /dev/partitionname command, I encounter an issue. The machine states that these devices are currently in use, preventing me from proceeding with the operation.

Is there a workaround for this situation, or will I need to start over from scratch and configure this encryption format during the initial RHEL installation?

Thank you very much!

1 Answer

You cannot LUKS-encrypt a device/partition with a mounted filesystem. Depending on how your system is currently configured, there are some ways around this, but they require plenty of knowledge about Linux filesystems.

If you can unmount the filesystems from the devices you want to encrypt, then take a look at Encrypting existing data on a block device using LUKS2 for a step-by-step guide on encrypting in place.

For any partitions you can't unmount, there are a few options:

  • You should probably plan to start over if possible. You need good backups before you start messing with encryption, and if you have good backups, then starting over should not be very difficult.
  • If they are already using LVM and you have enough extra space available, then you could use LVM tools like pvmove to shuffle your data to another device > configure encryption on the original device > move your data back into the encrypted area.
  • You can technically do the in-place encryption steps from another Linux installation (like via booting to a live CD), but it makes every step much more complicated to get right when you have to make sure the correct system and device IDs are being targeted.
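
The following is an added example, not part of the answer above: a shell pre-flight check that works out why each device would be reported as in use and which of the routes above applies to it. The device names, the mount and swap listings, and the result labels are all constructed for illustration; on a real host the three data functions would read `blkid`, `/proc/mounts` and `/proc/swaps`.

```shell
#!/bin/sh
# Constructed "device TYPE" pairs, as blkid would report them.
blkid_data() {
cat <<'EOF'
/dev/sda1 xfs
/dev/sda2 swap
/dev/sdb1 xfs
/dev/sdb2 LVM2_member
EOF
}

# Constructed /proc/mounts excerpt; on a real host: cat /proc/mounts
mounts_data() {
cat <<'EOF'
/dev/sda1 / xfs rw,relatime 0 0
/dev/sdb1 /data xfs rw,relatime 0 0
EOF
}

# Constructed /proc/swaps content; on a real host: cat /proc/swaps
swaps_data() {
cat <<'EOF'
Filename Type Size Used Priority
/dev/sda2 partition 2097148 0 -2
EOF
}

# Print which route applies to one device (labels are hypothetical).
classify() {  # $1 = device, $2 = blkid TYPE
    mnt=$(mounts_data | awk -v d="$1" '$1 == d { print $2; exit }')
    if [ "$2" = "LVM2_member" ]; then
        echo "lvm-pvmove"            # PV held by LVM: pvmove off, encrypt, move back
    elif swaps_data | awk -v d="$1" 'NR > 1 && $1 == d { f = 1 } END { exit !f }'; then
        echo "swapoff-first"         # active swap keeps the device busy
    elif [ "$mnt" = "/" ]; then
        echo "offline-or-reinstall"  # root cannot be unmounted while running
    elif [ -n "$mnt" ]; then
        echo "unmount-first:$mnt"    # unmount, then encrypt in place
    else
        echo "not-in-use"
    fi
}

# Classify every device in the blkid listing.
plan_all() {
    blkid_data | while read -r dev type; do
        printf '%s %s\n' "$dev" "$(classify "$dev" "$type")"
    done
}

plan_all
```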
