如何在不格式化的情况下加密 Fedora 上的现有磁盘？

Question

有许多现有的在线指南已经介绍了如何重新加密磁盘，例如此处maxschhelpzig的响应以及Arch wiki中的文档。然而，Arch wiki 更多地关注使用而不是 的系统，并且现有的 StackExchange 答案假设使用 ext4 文件系统。mkinitcpiodracut

Answer 1

This assumes a default Fedora installation, with the following Btrfs-based partitions:

• Root partition (Btrfs subvolumes "root" [mounted at /] and "home" [mounted at /home])
• Boot partition (mounted at /boot)
• EFI partition (UEFI systems only, mounted at /boot/efi)

Requirements

• A full-disk backup
• cryptsetup (should be included, otherwise install with dnf install cryptsetup)
• At least 100 MiB of free space
• A rescue system that can unmount the root filesystem (ex. Fedora live USB)
• NOTE: The encryption screen will use the keyboard layout defined in /etc/vconsole.conf (set with localectl). The layout cannot be changed at boot time.

Instructions

1. Identify the root filesystem with lsblk -f. Store the UUID (format XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX) for later use.
2. Identify your current kernel version with uname -r, and save this value for later.
3. Reboot into the rescue system. Locate the root filesystem with blkid --uuid <UUID>, and run a check on the filesystem with btrfs check <device>
4. Mount the filesystem with mount /dev/<device> /mnt
5. Shrink the filesystem to make room for the LUKS header. At least 32 MiB is recommended, use btrfs filesystem resize -32M /mnt
6. Unmount the filesystem: umount /mnt
7. Encrypt the partition with cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/<device>, providing a passphrase when prompted.
8. Identify the encrypted LUKS partition with lsblk -f (note that the UUID has changed). Save this LUKS partition UUID for later use.
9. Open the partition, providing your passphrase when prompted: cryptsetup open /dev/<device> system
10. Mount the mapped filesystem with mount /dev/mapper/system /mnt
11. Resize the filesystem to use all the space: btrfs filesystem resize max /mnt, then unmount the filesystem with umount /mnt
12. Mount the root subvolume (the Linux filesystem root) with mount -t btrfs -o "noatime,subvol=root,compress=zstd:1" /dev/mapper/system /mnt
13. Identify the devices for the boot and EFI partitions with lsblk. Mount the boot filesystem (mount /dev/<boot device> /mnt/boot), followed by the EFI filesystem for UEFI systems (mount /dev/<EFI device> /mnt/boot/efi).
14. Bind-mount the pseudo filesystems /dev, /dev/pts, /proc, /run, and /sys, in the format of mount --bind /sys /mnt/sys
15. Open a shell within the filesystem: chroot /mnt /bin/bash
16. Open /etc/default/grub with a text editor, and modify the kernel parameters to identify the LUKS partition, and temporarily disable SELinux enforcing. Add these parameters, then save the changes and close the file:

GRUB_CMDLINE_LINUX="[other params] rd.luks.uuid=<LUKS partition UUID> enforcing=0"

17. Configure a relabelling of SELinux with touch /.autorelabel
18. Regenerate the GRUB config: grub2-mkconfig -o /boot/grub2/grub.cfg (also generate for /etc/grub2.cfg, and on UEFI systems /etc/grub2-efi.cfg)
19. Regenerate initramfs to ensure cryptsetup is enabled: dracut --kver <kernel version> --force
20. Exit the chroot
21. Unmount all filesystems in reverse order. (For filesystems mounted with --bind, the option -l can be used.) Close the LUKS partition with cryptsetup close system
22. Reboot and log into the regular system. You'll be asked for your passphrase to decrypt the system during boot.
23. Open /etc/default/grub in a text editor, and reenable SELinux enforcing by removing enforcing=0 from GRUB_CMDLINE_LINUX. Save and exit.
24. Relabel SELinux again with touch /.autorelabel.
25. Repeat step 18 to regenerate the GRUB config.
26. Reboot and log into the system.

这个答案很大程度上源自maxschhelpzig的答案和Arch wiki。它也来自ceremcem的 答案。2023 年 3 月 16 日，更正了错误--reduce-device-size包含空格的拼写错误。