Adding encryption in hindsight


Post by Deutsches » 2021-01-25 19:43

Ok. I think I could use some input.
I've been reading a couple of tutorials on this, but they weren't specifically addressing my situation/answering all my questions.

So...
I'm currently planning to encrypt my entire system (except for /boot which it seems is not possible).
AFAIK there is no way to encrypt a system drive in-place.
So as a workaround I wanna back up my system with rsync; then encrypt the drive and then restore the backup.
Since I can't encrypt /boot it's gonna get its own unencrypted partition on my drive.

Well, when it comes to the process of doing all this I'm still somewhat uncertain.
So here is kind of an outline of what I'm thinking to do:
After rsyncing my current system I'd create a new install-debian-flashmedium and
go through the installer to create a new system with the desired amendments to the drive (boot-partition, encrypted root partition).
Once the new system is done and running I should probably reboot into a liveOS and mount the newly encrypted drive.
Afterwards I can simply rsync everything from the backup over the new system. No?!
Is there anything more to do after that? Or is that it and the system will be operational again?!

Also, when it comes to creating the rsync backup, are the flags "-aAX" enough?
Or will this leave out certain properties, which are necessary to restore a fully operational system?
Additionally, I've read you're supposed to exclude /dev/,/proc/,/sys/,/run/,/lost+found when doing a full system backup.
Is this correct/ok? Or is there anything in any one of those I might still wanna back up?

PS. It's a Debian buster system in case anyone needs to know.
Deutsches
 
Posts: 4
Joined: 2015-04-17 06:36

Re: Adding encryption in hindsight

Post by CwF » 2021-01-25 20:56

I claim again and again anything can be morphed from a golden image...
Except this!

Deutsches wrote: I've read you're supposed to exclude /dev/,/proc/,/sys/,/run/,/lost+found when doing a full system backup.


If I were going to try this I would be tempted to assemble it while the OS is not running on either the source OS disk or its encrypted clone disk. So a bystander OS is doing the operating, none of those scary directories are alive.
CwF
 
Posts: 926
Joined: 2018-06-20 15:16

Re: Adding encryption in hindsight

Post by Deutsches » 2021-01-28 14:38

CwF wrote: If I were going to try this I would be tempted to assemble it while the OS is not running on either the source OS disk or its encrypted clone disk. So a bystander OS is doing the operating, none of those scary directories are alive.

So I also should do the backup while running a liveOS. And then back up the "scary dirs" too?! Did I understand you correctly there?
Anything else? Like, are the mentioned rsync flags sufficient?!
Deutsches
 
Posts: 4
Joined: 2015-04-17 06:36

Re: Adding encryption in hindsight

Post by CwF » 2021-01-28 15:07

Deutsches wrote: And then backup

That would be a single operation, no this, then, the entire partition contents in one copy, maybe with fsarchiver. No matter what you'd be headed to an initramfs prompt. It would be a fun exercise, maybe possible, install all the tools into the OS to be stranded before you start! Install the same crypto stuff in the live OS of choice also, obviously.

I don't know how complicated or undocumented your config is, but injecting a config over a fresh install is somewhat simpler.
CwF
 
Posts: 926
Joined: 2018-06-20 15:16
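
A pre-reboot check for the restore plan discussed in this thread, as an added example that is not part of any post: run from the live OS, it inspects the restored root tree for the three things that typically end at the initramfs prompt mentioned above when an old backup is copied over a freshly encrypted install. Assumptions: the function name `check_restored_root` is hypothetical, the container is referenced as `UUID=...` in `/etc/crypttab`, and the unlock hooks come from the `cryptsetup-initramfs` package (overridable as the fourth argument).

```bash
#!/usr/bin/env bash
# Added example: offline sanity check of a restored root tree before rebooting.
# Usage: check_restored_root ROOT LUKS_UUID ROOT_SRC [PKG]
#   ROOT      where the decrypted, restored root filesystem is mounted
#   LUKS_UUID UUID of the LUKS container (from `cryptsetup luksUUID <device>`)
#   ROOT_SRC  first fstab field the fresh install used for "/"
#   PKG       package providing the initramfs unlock hooks (assumed default)
check_restored_root() {
    root=$1; luks_uuid=$2; root_src=$3; pkg=${4:-cryptsetup-initramfs}

    for f in etc/crypttab etc/fstab var/lib/dpkg/status; do
        [ -r "$root/$f" ] || { echo "missing: $root/$f" >&2; return 2; }
    done

    # crypttab fields: <name> <source> <keyfile> <options>. A crypttab copied
    # from the old unencrypted system has no line for the new container.
    awk -v want="UUID=$luks_uuid" \
        '$1 !~ /^#/ && $2 == want { ok = 1 } END { exit !ok }' \
        "$root/etc/crypttab" ||
        { echo "crypttab: no entry for UUID=$luks_uuid" >&2; return 3; }

    # fstab fields: <source> <mountpoint> ... The "/" line must still name
    # the filesystem inside the container, not the old root's identifier.
    found=$(awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }' "$root/etc/fstab")
    [ "$found" = "$root_src" ] ||
        { echo "fstab: / is '$found', expected '$root_src'" >&2; return 4; }

    # dpkg status is blank-line separated stanzas; require PKG fully installed.
    awk -v pkg="$pkg" 'BEGIN { RS = ""; FS = "\n" }
        { p = s = 0
          for (i = 1; i <= NF; i++) {
              if ($i == "Package: " pkg) p = 1
              if ($i == "Status: install ok installed") s = 1
          }
          if (p && s) ok = 1 }
        END { exit !ok }' "$root/var/lib/dpkg/status" ||
        { echo "dpkg: $pkg not installed in restored system" >&2; return 5; }

    echo "restored root looks bootable: crypttab, fstab and $pkg agree"
}
```

A non-zero return names the file to repair from a chroot into the restored system before regenerating the initramfs there with `update-initramfs -u`.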

