krzys-h · February 28, 2025 15:45 · tk425 · May 13, 2022 · williamdes · Jan 19, 2025
diff --git a/encrypt.sh b/encrypt.sh
 #!/bin/bash
 # Encrypt an existing partition with LUKS2 on Ubuntu 20.04 LTS

 # DISCLAIMER: USE AT YOUR OWN RISK AND MAKE BACKUPS
 # Made for my personal use and has almost NO error checking!!

 # Based on instructions from:
 # https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption#Encrypt_an_existing_unencrypted_filesystem

 DISK="$1"

 if [ -z "$DISK" ]; then
 	echo "Usage: $0 /dev/sdXY"
 	exit 1
 fi

 # Run a filesystem check
 e2fsck -f "$DISK"

 # Make the filesystem slightly smaller to make space for the LUKS header
 BLOCK_SIZE=`dumpe2fs -h $DISK | grep "Block size" | cut -d ':' -f 2 | tr -d ' '`
 BLOCK_COUNT=`dumpe2fs -h $DISK | grep "Block count" | cut -d ':' -f 2 | tr -d ' '`
 SPACE_TO_FREE=$((1024 * 1024 * 32)) # 16MB should be enough, but add a safety margin
 NEW_BLOCK_COUNT=$(($BLOCK_COUNT - $SPACE_TO_FREE / $BLOCK_SIZE))
 resize2fs -p "$DISK" "$NEW_BLOCK_COUNT"

 # Run the encryption process
 cryptsetup reencrypt --encrypt --reduce-device-size 16M "$DISK"

 # Resize the filesystem to fill up the remaining space (i.e. remove the safety margin from earlier)
 cryptsetup open "$DISK" recrypt
 resize2fs /dev/mapper/recrypt
 cryptsetup close recrypt

 # Don't forget to update /etc/crypttab and /etc/fstab if required!
 #
 # For example:
 # /etc/crypttab
 # crypt_root    UUID=xxx    none    luks,keyscript=decrypt_keyctl
 # crypt_home    UUID=xxx    none    luks,keyscript=decrypt_keyctl
 # /etc/fstab
 # /dev/mapper/crypt_root    /        ext4    errors=remount-ro    0    1
 # /dev/mapper/crypt_home    /home    ext4    defaults             0    2
 #
 # The decrypt_keyctl makes it possible to unlock both partitions with the same password,
 # and unlock gnome-keyring-daemon if you enable autologin and it's encrypted with the same password
 # Note: if you are doing a clean install, using LVM is probably a better idea
 #
 # and remember to run "update-initramfs -u -k all" after updating the rootfs crypttab
	#!/bin/bash
	# Encrypt an existing partition with LUKS2 on Ubuntu 20.04 LTS

	# DISCLAIMER: USE AT YOUR OWN RISK AND MAKE BACKUPS
	# Made for my personal use and has almost NO error checking!!

	# Based on instructions from:
	# https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption#Encrypt_an_existing_unencrypted_filesystem

	DISK="$1"

	if [ -z "$DISK" ]; then
	echo "Usage: $0 /dev/sdXY"
	exit 1
	fi

	# Run a filesystem check
	e2fsck -f "$DISK"

	# Make the filesystem slightly smaller to make space for the LUKS header
	BLOCK_SIZE=`dumpe2fs -h $DISK \| grep "Block size" \| cut -d ':' -f 2 \| tr -d ' '`
	BLOCK_COUNT=`dumpe2fs -h $DISK \| grep "Block count" \| cut -d ':' -f 2 \| tr -d ' '`
	SPACE_TO_FREE=$((1024 * 1024 * 32)) # 16MB should be enough, but add a safety margin
	NEW_BLOCK_COUNT=$(($BLOCK_COUNT - $SPACE_TO_FREE / $BLOCK_SIZE))
	resize2fs -p "$DISK" "$NEW_BLOCK_COUNT"

	# Run the encryption process
	cryptsetup reencrypt --encrypt --reduce-device-size 16M "$DISK"

	# Resize the filesystem to fill up the remaining space (i.e. remove the safety margin from earlier)
	cryptsetup open "$DISK" recrypt
	resize2fs /dev/mapper/recrypt
	cryptsetup close recrypt

	# Don't forget to update /etc/crypttab and /etc/fstab if required!
	#
	# For example:
	# /etc/crypttab
	# crypt_root UUID=xxx none luks,keyscript=decrypt_keyctl
	# crypt_home UUID=xxx none luks,keyscript=decrypt_keyctl
	# /etc/fstab
	# /dev/mapper/crypt_root / ext4 errors=remount-ro 0 1
	# /dev/mapper/crypt_home /home ext4 defaults 0 2
	#
	# The decrypt_keyctl makes it possible to unlock both partitions with the same password,
	# and unlock gnome-keyring-daemon if you enable autologin and it's encrypted with the same password
	# Note: if you are doing a clean install, using LVM is probably a better idea
	#
	# and remember to run "update-initramfs -u -k all" after updating the rootfs crypttab