Partition encryption uses the kernel’s cryptographic support to encrypt all the data you store in a partition. Attempting to access this data without the correct encryption key returns random, meaningless bytes.
This section explains how to use encryption for partitions other than the root file system. For information on encrypting the root file system see Set up secure boot.
Enable encryption for one or more partitions
To enable encryption for one or more partitions, use the encrypt-partitions tool. The tool takes a comma-separated list of partition names, marks them as encrypted, and formats them. It also generates an encryption key if the system doesn’t have one installed.
# encrypt-partitions --help
Encrypt/unencrypt partitions using the recovery reboot.
Copyright(c) Digi International Inc.
Version: 0.3
Usage: encrypt-partitions [-e <partitions>] [-d <partitions>] [options]
-e <partitions> --encrypt=<partitions> Encrypt the list of provided partitions.
-d <partitions> --unencrypt=<partitions> Un-encrypt the list of provided partitions.
-k [<key>] --encryption-key[=<key>] Set <key> as file system encryption key.
Empty to generate a random key.
-T <N> --reboot-timeout=<N> Reboot after N seconds (default 10)
-f --force Force (un)encryption and key change operations.
--help Print help and exit
For example, to enable encryption for the update and data partitions:
# encrypt-partitions -e update,data
*****************************************************************
* Warning: Partition (un)encryption is a destructive operation. *
* The affected partitions' contents will be erased in *
* the process. *
*****************************************************************
Affected partitions:
update
data
Continue? (y/n): y
The recovery commands have been properly configured and the system will reboot into recovery mode in 10 seconds (^C to cancel).
Partitions containing data that needs to be accessed early in the boot process (such as the linux, recovery, and safe partitions) cannot be encrypted. The tool automatically ignores any requests to encrypt these partitions.
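One way to confirm that a partition really holds ciphertext after the reboot is to read its raw contents and check that they look random, as the introduction above says they should. The script below is an added example, not part of Digi's documentation or of the encrypt-partitions tool; it estimates the Shannon entropy of raw blocks, treats blocks of all 0x00/0xFF as unwritten flash rather than plaintext, and the device path passed on the command line is an assumption for illustration.

```python
import math
import random
import sys
from collections import Counter

# Entropy (bits per byte) above which a block is treated as cipher-like.
ENCRYPTED_THRESHOLD = 7.9


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_block(data: bytes) -> str:
    """Label a raw block as 'erased', 'encrypted' or 'plaintext'.

    Unwritten flash reads as all 0xFF (or 0x00) and has entropy 0, so a
    freshly formatted encrypted partition must not be mistaken for plaintext.
    """
    if data and data in (b"\x00" * len(data), b"\xff" * len(data)):
        return "erased"
    return "encrypted" if shannon_entropy(data) >= ENCRYPTED_THRESHOLD else "plaintext"


def scan_device(path: str, block_size: int = 65536, max_blocks: int = 64) -> dict:
    """Read up to `max_blocks` blocks from `path` and count each classification."""
    summary = {"erased": 0, "encrypted": 0, "plaintext": 0}
    with open(path, "rb") as dev:
        for _ in range(max_blocks):
            block = dev.read(block_size)
            if not block:
                break
            summary[classify_block(block)] += 1
    return summary


if __name__ == "__main__":
    # Constructed sample input: a plaintext-like block versus random bytes
    # (the random bytes stand in for ciphertext read from an encrypted partition).
    plain = b"ext4 file system data, lots of repeated ASCII " * 1500
    cipher = random.Random(0).randbytes(65536)
    print("plaintext block:", round(shannon_entropy(plain), 3), classify_block(plain))
    print("cipher-like block:", round(shannon_entropy(cipher), 3), classify_block(cipher))
    if len(sys.argv) > 1:  # assumed usage: script.py /dev/<raw-partition-device>
        print(scan_device(sys.argv[1]))
```

A partition that was marked encrypted but reports mostly "plaintext" blocks after the reboot indicates the operation did not take effect.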
Disable encryption for one or more partitions
You can disable partition encryption at any time for any given partition(s). The tool takes a comma-separated list of partition names, marks them as unencrypted, and formats them. For example, to disable encryption for the update and data partitions:
# encrypt-partitions -d data,update
*****************************************************************
* Warning: Partition (un)encryption is a destructive operation. *
* The affected partitions' contents will be erased in *
* the process. *
*****************************************************************
Affected partitions:
data
update
Continue? (y/n): y
The recovery commands have been properly configured and the system will reboot into recovery mode in 10 seconds (^C to cancel).