Debian User Forums

[WhyDub]

Hi,

is there a way to encrypt an entire disk partition whit all its data like it can be done whit bit-locker in Windows ? Or if not, suppose that i have an image of my disk partition in question saved in an external hard drive, if I format the partition im talking about whit luks, after that, can i restore the image in the now encrypted same partition ? or if doing so will erase the encrypted partition in order to restore the image??

thanks.

[p.H]

is there a way to encrypt an entire disk partition whit all its data like it can be done whit bit-locker in Windows ?

None I am aware of.

if I format the partition im talking about whit luks, after that, can i restore the image in the now encrypted same partition ?

Not without truncating it. The encrypted volume is smaller than the partition by a few megabytes because of the LUKS header. Or you have to use a detached (separated) LUKS header, which obviously has issues (the detached header has to be stored somewhere else, and its UUID cannot be used to identify the encrypted partition).

[dilberts_left_nut]

If you can mount your "backup image" you can copy the files back to the new encrypted filesystem.

[WhyDub]

So really if I want my disk to be encrypted, i have, in other words, to reinstall the operating system and its data (fresh install) after the encryption of the disk is done. That's right isn't it ?

Or, if I trunk my actual partition to be the size of the future encrypted partition and there I backup-image this partition, can I restore it on the new same sized but now encrypted partition without loosing the encryption ?

Thanks

[pylkko]

Unless, I missed your point somehow, I believe VeraCrypt can "encrypt an entire partition and the data".

[p.H]

So really if I want my disk to be encrypted, i have, in other words, to reinstall the operating system and its data (fresh install) after the encryption of the disk is done. That's right isn't it ?

Not exactly. The Debian installer cannot use an existing encrypted partition, it must be created during the installation process.

Or, if I trunk my actual partition to be the size of the future encrypted partition and there I backup-image this partition, can I restore it on the new same sized but now encrypted partition without loosing the encryption ?

You must distinguish between a system partition (/ or /usr) and a data partition.
For a data partition, you do not have to reinstall the system. You can install cryptsetup-bin, encrypt the partition, restore the shrunk image on the encrypted volume and update /etc/crypttab and /etc/fstab.
For a system partition, this is not that simple.
- In its default configuration, GRUB cannot handle an encrypted /boot, so /boot must be in a separate unencrypted partition (and GRUB must be reinstalled if the /boot partition was not already used)
- cryptsetup must be installed
- crypttab, fstab and grub.cfg must be updated and the initramfs must be rebuilt in a chroot

So in most cases it is probably easier to reinstall the system with encryption.

[WhyDub]

OK I understand that there is no easy solution for my case... I will leave it there for the moment, until i have figure it out. thanks

[cds60601]

If encrypting only your home dir is the goal, it might be easier for you to have a secondary drive encrypted and mounted as /home
For a new person to Linux, this might not be a very easy way of doing it, but is an option if you don't wish to do a total reinstall.