samdoran · August 13, 2024 19:14
diff --git a/luks-encrypt-in-place.sh b/luks-encrypt-in-place.sh
 #!/bin/bash

 # Encrypt existing hard drive in place.
 # Requires a second physical drive to temporarily store data. This drive will be erased.
 # This script is meant to be run on Clonezilla 1.2.9-19 or later.
 # The cryptsetup syntax is different in Clonezilla than in Red Hat.



 # --- Variables --- #

 VGNAME=VolGroup00   # Name of volume group containing physical volume to be encrypted
 SOURCE=/dev/sda2    # Physical volume to be encrypted
 TEMP=/dev/sdb1      # Second physical drive which the data will be copied to 

 # The keyfile is only used so that encryption can take place without user interaction.
 # The keyfile can be removed at the end and replaced with a passphrase.
 # DO NOT lose the keyfile or the drive will be inaccessible.
 # Create a random keyfile using dd if=/dev/urandom of=/tmp/keyfile bs=1024 count=4
 # I recommend storing the keyfile on a separate disk as a safety measure
 KEYFILE=/tmp/keyfile



 # --- Main Program --- #

 echo -e "Creating temp storage drive on $TEMP\n"
 pvcreate $TEMP

 echo -e "Extending $VGNAME"
 vgextend $VGNAME $TEMP

 echo -e "Moving $SOURCE to $TEMP. This will take some time.\n"
 pvmove $SOURCE $TEMP

 echo -e "Encrypting $SOURCE\n"
 vgreduce $VGNAME $SOURCE
 pvremove $SOURCE
 cryptsetup -q -s 256 --key-file $KEYFILE --key-slot=1 luksFormat $SOURCE

 echo -e "Moving data back to encrypted drive\n"
 cryptsetup --key-file $KEYFILE luksOpen $SOURCE luks-volume
 pvcreate /dev/mapper/luks-volume
 vgextend $VGNAME /dev/mapper/luks-volume
 pvmove $TEMP /dev/mapper/luks-volume
 vgreduce $VGNAME $TEMP
 pvremove $TEMP

 while [[ $ANSWER != "y" && $ANSWER != "n" ]] ; do
    read -p "Do you wish to set the passphrase and remove the temporary keyfile? {y|n}" ANSWER
 done
 case $ANSWER in
    y)
        # Prompts for a passphrase used to encrypt the volume
        cryptsetup -y --key-file $KEYFILE luksAddKey $SOURCE
        # Removes the temporary keyfile from the volume
        cryptsetup luksRemoveKey $SOURCE $KEYFILE
        echo -e "Drive encryption compelete. Please restart your machine and make a new initrd."
        exit 1
    ;;

    n)
        echo -e "Drive encryption compelete. Please restart your machine and make a new initrd."
        exit 1
    ;;
 esac



 # --- Folluw Up --- #

 # Once the drive has been encrypted with LUKS, you will need to remake the initrd to get it to boot properly.
 #
 # # 1) Reboot off of the RHEL installation disc
 #      shutdown -r
 #      # Remove the current live CD and insert the RHEL disc
 #      # Enter rescue mode
 #      boot: linux rescue
 #
 # 2) Follow the prompts until you get to a shell prompt
 #
 # 3) Change root to the found system partition
 #      chroot /mnt/sysimage
 #    
 # 4) Backup the original initrd
 #      cd /boot
 #      mv initrd-[kernel].img initrd-[kernel].img.bak
 #
 # 5) Make a new initrd
 #      mkinitrd /boot/initrd-[kernel].img [kernel]
 #    
 # 6) Exit from the changed root environment and reboot the machine
 #     exit
 #     shutdown -r now
 #     # Make sure to remove the disc as it does no eject automatically
	#!/bin/bash

	# Encrypt existing hard drive in place.
	# Requires a second physical drive to temporarily store data. This drive will be erased.
	# This script is meant to be run on Clonezilla 1.2.9-19 or later.
	# The cryptsetup syntax is different in Clonezilla than in Red Hat.



	# --- Variables --- #

	VGNAME=VolGroup00 # Name of volume group containing physical volume to be encrypted
	SOURCE=/dev/sda2 # Physical volume to be encrypted
	TEMP=/dev/sdb1 # Second physical drive which the data will be copied to

	# The keyfile is only used so that encryption can take place without user interaction.
	# The keyfile can be removed at the end and replaced with a passphrase.
	# DO NOT lose the keyfile or the drive will be inaccessible.
	# Create a random keyfile using dd if=/dev/urandom of=/tmp/keyfile bs=1024 count=4
	# I recommend storing the keyfile on a separate disk as a safety measure
	KEYFILE=/tmp/keyfile



	# --- Main Program --- #

	echo -e "Creating temp storage drive on $TEMP\n"
	pvcreate $TEMP

	echo -e "Extending $VGNAME"
	vgextend $VGNAME $TEMP

	echo -e "Moving $SOURCE to $TEMP. This will take some time.\n"
	pvmove $SOURCE $TEMP

	echo -e "Encrypting $SOURCE\n"
	vgreduce $VGNAME $SOURCE
	pvremove $SOURCE
	cryptsetup -q -s 256 --key-file $KEYFILE --key-slot=1 luksFormat $SOURCE

	echo -e "Moving data back to encrypted drive\n"
	cryptsetup --key-file $KEYFILE luksOpen $SOURCE luks-volume
	pvcreate /dev/mapper/luks-volume
	vgextend $VGNAME /dev/mapper/luks-volume
	pvmove $TEMP /dev/mapper/luks-volume
	vgreduce $VGNAME $TEMP
	pvremove $TEMP

	while [[ $ANSWER != "y" && $ANSWER != "n" ]] ; do
	read -p "Do you wish to set the passphrase and remove the temporary keyfile? {y\|n}" ANSWER
	done
	case $ANSWER in
	y)
	# Prompts for a passphrase used to encrypt the volume
	cryptsetup -y --key-file $KEYFILE luksAddKey $SOURCE
	# Removes the temporary keyfile from the volume
	cryptsetup luksRemoveKey $SOURCE $KEYFILE
	echo -e "Drive encryption compelete. Please restart your machine and make a new initrd."
	exit 1
	;;

	n)
	echo -e "Drive encryption compelete. Please restart your machine and make a new initrd."
	exit 1
	;;
	esac



	# --- Folluw Up --- #

	# Once the drive has been encrypted with LUKS, you will need to remake the initrd to get it to boot properly.
	#
	# # 1) Reboot off of the RHEL installation disc
	# shutdown -r
	# # Remove the current live CD and insert the RHEL disc
	# # Enter rescue mode
	# boot: linux rescue
	#
	# 2) Follow the prompts until you get to a shell prompt
	#
	# 3) Change root to the found system partition
	# chroot /mnt/sysimage
	#
	# 4) Backup the original initrd
	# cd /boot
	# mv initrd-[kernel].img initrd-[kernel].img.bak
	#
	# 5) Make a new initrd
	# mkinitrd /boot/initrd-[kernel].img [kernel]
	#
	# 6) Exit from the changed root environment and reboot the machine
	# exit
	# shutdown -r now
	# # Make sure to remove the disc as it does no eject automatically