"Lock" Photo by Markus Winkler on Unsplash
“Lock” Photo by Markus Winkler on Unsplash

⚠️ This guide assumes you have a separate /boot partition! If you don’t have that, and follow this guide, you will brick things.

One thing I always missed on Linux, which was available on commercial systems, was in-place encryption of the OS (“root”) file system.

Turns out, these days you can do that on Linux too. But, of course, not with a single click. But I’ll show you how to do it.

In this guide, we’ll be using Ubuntu 22.04 and a Btrfs root. This guide also assumes you did the smart thing and created a separate boot partition during installation.

The first thing we need to do, is make sure we’ll have cryptsetup in the ramdisk so that we can actually unlock the root partition:

apt install cryptsetup-initramfs
update-initramfs -u -k all

This will install cryptsetup for the ramdisk, and then rebuild all ramdisks.

The next thing we’ll want to do, is shrink the root file system, which in the case of Btrfs is done like this:

btrfs filesystem resize -64m /dev/sdxx

This will shrink the file system by 64 M, in theory we could go with 16-32 M, but we’ll leave some space just in case. Of course, you’ll have to replace sdxx with your root partition.

The next thing will be to reboot into a live installation media which has cryptsetup installed.

After booting into the live media, you can run:

cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/sdxx

This will make enough room for the LUKS header (move things around) and encrypt the drive.

Now, after reboot, booting will obviously fail because Linux expects the root to be where there’s now the encrypted partition.

Ubuntu should drop into an initramfs shell, where you’ll do the following:

cryptsetup luksOpen /dev/sdxx root
mount /dev/mapper/root /

Then you hit CTRL+D to drop out of the shell and continue boot.

From that point on, you can SSH and finish the setup.

You’ll want to do:

lsblk -o +FSTYPE,UUID

Then copy the UUID next to the crypto_LUKS partition, then edit /etc/crypttab and enter:

root UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee none luks

Of course, replacing it with the correct UUID. This should make sure you get prompted for the password at boot, which will then mount root to /dev/mapper/root.

Now we also have to modify /etc/fstab to make sure Linux knows that root is now at /dev/mapper/root rather than the raw partition it was before.

So, replace:

/dev/disk/by-uuid/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee / btrfs defaults 0 1

with

/dev/mapper/root / btrfs defaults 0 1

Finally, we update our ramdisks:

update-initramfs -u -k all

This should make sure the ramdisk contains the new information about crypttab and fstab so that it’ll know how to proceed on the next boot (and hopefully not drop to a recovery shell).

Now, reboot and hope it works. :D

Note that I run this blog in my free time, consider donating a coffee if this helped you out. (:

If you’re interested, you can also store the key on the boot partition (could be a USB drive), check out my guide here:

PS expand your file system again:

btrfs filesystem resize max /

This gave me 0.05 G back. :D