20.5. 使用带有分离标头的 LUKS2 在块设备上加密现有数据

流程

1. 卸载设备上的所有文件系统，例如：

   # umount /dev/nvme0n1p1

   Copy to Clipboard Toggle word wrap

2. 初始化加密：

   # cryptsetup reencrypt --encrypt --init-only --header /home/header /dev/nvme0n1p1 nvme_encrypted
   
   WARNING!
   ========
   Header file does not exist, do you want to create it?
   
   Are you sure? (Type 'yes' in capital letters): YES
   Enter passphrase for /home/header:
   Verify passphrase:
   /dev/mapper/nvme_encrypted is now active and ready for online encryption.

   Copy to Clipboard Toggle word wrap

   将 /home/header 替换为带有分离的 LUKS 标头的文件的路径。分离的 LUKS 标头必须可以访问，以便稍后解锁加密的设备。

3. 挂载该设备：

   # mount /dev/mapper/nvme_encrypted /mnt/nvme_encrypted

   Copy to Clipboard Toggle word wrap

4. 恢复在线加密：

   # cryptsetup reencrypt --resume-only --header /home/header /dev/nvme0n1p1
   
   Enter passphrase for /dev/nvme0n1p1:
   Auto-detected active dm device 'nvme_encrypted' for data device /dev/nvme0n1p1.
   Finished, time 00m51s,   10 GiB written, speed 198.2 MiB/s

   Copy to Clipboard Toggle word wrap

验证

1. 验证在使用带有分离标头的 LUKS2 块设备上的现有数据是否已加密：

   # cryptsetup luksDump /home/header
   
   LUKS header information
   Version:       	2
   Epoch:         	88
   Metadata area: 	16384 [bytes]
   Keyslots area: 	16744448 [bytes]
   UUID:          	c4f5d274-f4c0-41e3-ac36-22a917ab0386
   Label:         	(no label)
   Subsystem:     	(no subsystem)
   Flags:       	(no flags)
   
   Data segments:
     0: crypt
   	offset: 0 [bytes]
   	length: (whole device)
   	cipher: aes-xts-plain64
   	sector: 512 [bytes]
   [...]

   Copy to Clipboard Toggle word wrap

2. 查看加密的空白块设备的状态：

   # cryptsetup status nvme_encrypted
   
   /dev/mapper/nvme_encrypted is active and is in use.
     type:    LUKS2
     cipher:  aes-xts-plain64
     keysize: 512 bits
     key location: keyring
     device:  /dev/nvme0n1p1

   Copy to Clipboard Toggle word wrap