Partition encryption uses the kernel’s cryptographic support to encrypt all the data you store in a partition. Attempting to access this data without the correct encryption key returns random, meaningless bytes.

This section explains how to use encryption for partitions other than the root file system. For information on encrypting the root file system see Set up secure boot.

Enable encryption for one or more partitions

To enable encryption for one or more partitions, use the encrypt-partitions tool. The tool takes a comma-separated list of partition names, marks them as encrypted, and formats them. It also generates an encryption key if the system doesn’t have one installed.

encrypt-partitions syntax
# encrypt-partitions --help
Encrypt/unencrypt partitions using the recovery reboot.
Copyright(c) Digi International Inc.

Version: 0.3

Usage: encrypt-partitions [-e <partitions>] [-d <partitions>] [options]

  -e <partitions> --encrypt=<partitions>     Encrypt the list of provided partitions.
  -d <partitions> --unencrypt=<partitions>   Un-encrypt the list of provided partitions.
  -k [<key>]      --encryption-key[=<key>]   Set <key> as file system encryption key.
                                             Empty to generate a random key.
  -T <N>          --reboot-timeout=<N>       Reboot after N seconds (default 10)
  -f              --force                    Force (un)encryption and key change operations.
                  --help                     Print help and exit

For example, to enable encryption for the update and data partitions:

# encrypt-partitions -e update,data

  *****************************************************************
  * Warning: Partition (un)encryption is a destructive operation. *
  *          The affected partitions' contents will be erased in  *
  *          the process.                                         *
  *****************************************************************
  Affected partitions:
      update
      data

  Continue? (y/n): y

The recovery commands have been properly configured and the system will reboot into recovery mode in 10 seconds (^C to cancel).

Partitions containing data that needs to be accessed early in the boot process (such as the linux, recovery, and safe partitions) cannot be encrypted. The tool automatically ignores any requests to encrypt these partitions.
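Because (un)encryption erases the affected partitions, it is worth validating the list before running the tool. The following POSIX shell pre-flight check is an added example written for this page (it is not part of Digi's encrypt-partitions tool): it trims and de-duplicates a comma-separated list, drops the early-boot partitions the tool would silently ignore, and refuses to proceed if a named partition does not exist. It assumes partitions are visible by label under /dev/disk/by-partlabel; the PARTLABEL_DIR variable and the function names are this example's own.

```shell
#!/bin/sh
# Added pre-flight check for encrypt-partitions (example code, not the vendor tool).
# Assumption: partitions appear by label under PARTLABEL_DIR (udev convention);
# override the variable when testing on another host.
RESERVED="linux recovery safe"   # early-boot partitions the tool ignores (per the docs)
PARTLABEL_DIR="${PARTLABEL_DIR:-/dev/disk/by-partlabel}"

# is_reserved NAME -> 0 if NAME is an early-boot partition, 1 otherwise.
is_reserved() {
    for r in $RESERVED; do
        [ "$1" = "$r" ] && return 0
    done
    return 1
}

# split_partitions LIST -> one trimmed, non-empty, de-duplicated name per line.
split_partitions() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
        | awk 'NF && !seen[$0]++'
}

# preflight LIST -> prints the cleaned comma-separated list on stdout.
# Returns 2 if any named partition is missing, 1 if nothing is left to process.
preflight() {
    accepted=""
    missing=0
    for p in $(split_partitions "$1"); do
        if is_reserved "$p"; then
            printf "warning: '%s' is needed early in boot; the tool will ignore it\n" "$p" >&2
            continue
        fi
        if [ ! -e "$PARTLABEL_DIR/$p" ]; then
            printf "error: no partition labelled '%s' under %s\n" "$p" "$PARTLABEL_DIR" >&2
            missing=1
            continue
        fi
        accepted="${accepted:+$accepted,}$p"
    done
    [ "$missing" -eq 0 ] || return 2
    [ -n "$accepted" ] || return 1
    printf '%s\n' "$accepted"
}

# Usage: list=$(preflight "update,data") && encrypt-partitions -e "$list"
```

The same check applies to the -d (unencrypt) form, since the tool ignores the reserved partitions either way.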

Disable encryption for one or more partitions

You can disable partition encryption at any time for any given partition(s). The tool takes a comma-separated list of partition names, marks them as unencrypted, and formats them. For example, to disable encryption for the update and data partitions:

# encrypt-partitions -d data,update

  *****************************************************************
  * Warning: Partition (un)encryption is a destructive operation. *
  *          The affected partitions' contents will be erased in  *
  *          the process.                                         *
  *****************************************************************
  Affected partitions:
      data
      update

  Continue? (y/n): y

The recovery commands have been properly configured and the system will reboot into recovery mode in 10 seconds (^C to cancel).