If you have a working Linux system and want to encrypt its disk, you can follow these steps:
1) Boot your computer from a Live CD and use gparted to create a new 100MB partition to be used as /boot.
2) Mount your main root disk partition (e.g. /dev/sda1) at /mnt/disk1 and your new boot partition at /mnt/disk2, then copy the original boot files there:
$ sudo cp -ax /mnt/disk1/boot/* /mnt/disk2/
Now move your original boot directory to boot_old:
$ sudo mv /mnt/disk1/boot /mnt/disk1/boot_old
It is important to keep the original boot directory: if you run into problems, you can move it back to its original place.
4) Add the needed crypto modules to the initramfs:
# echo "dm_crypt" >> /mnt/disk1/etc/initramfs-tools/modules
# echo "sha256" >> /mnt/disk1/etc/initramfs-tools/modules
# echo "aes-i586" >> /mnt/disk1/etc/initramfs-tools/modules
# echo "luks" >> /mnt/disk1/etc/initramfs-tools/modules
5) Update the fstab to use /dev/mapper/root as the root filesystem:
# vi /mnt/disk1/etc/fstab
/dev/mapper/root / ext4 defaults,errors=remount-ro 0 1
6) Update the /etc/crypttab to map the encrypted partition:
# vi /mnt/disk1/etc/crypttab
root /dev/sda1 none luks
7) Now that the basic setup is in place, you need to save a copy of this filesystem:
# mkdir /rootfs_backup
# cp -ax /mnt/disk1/* /rootfs_backup/
8) Unmount the file system and encrypt it:
# umount /mnt/disk1
# apt-get install cryptsetup
# dd if=/dev/urandom of=/dev/sda1
# cryptsetup -c aes-cbc-essiv:sha256 -y luksFormat /dev/sda1
# cryptsetup luksOpen /dev/sda1 root
# mkfs.ext4 /dev/mapper/root
# mount /dev/mapper/root /mnt/disk1
9) Restore the filesystem backup to the mounted encrypted partition:
# cp -ax /rootfs_backup/* /mnt/disk1
Now create a /boot directory there and mount the boot partition:
# mkdir /mnt/disk1/boot
# mount /dev/sda2 /mnt/disk1/boot
10) Create the initramfs with the configured files:
# chroot /mnt/disk1
# mount proc -t proc /proc
# update-initramfs -k all -u
11) Update GRUB to boot from the encrypted disk:
# vi /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="root=/dev/mapper/root"
GRUB_DISABLE_LINUX_UUID=true
# update-grub
# grub-install /dev/sda
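The following is an added example, not part of the original post: a shell function that checks that the files edited in steps 4 to 6 agree with each other, so a mismatch is caught before step 8 overwrites /dev/sda1. The names check_crypt_root and make_sample_tree and the sample tree are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight check of the staged root tree.
# check_crypt_root ROOT prints each problem and returns the number of problems found.
check_crypt_root() {
    root=$1; problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    # Step 6: crypttab must define a mapping; use the first non-comment entry.
    name=$(awk '!/^[ \t]*(#|$)/ { print $1; exit }' "$root/etc/crypttab" 2>/dev/null)
    [ -n "$name" ] || fail "no mapping found in etc/crypttab"

    # Step 5: the fstab entry for / must point at /dev/mapper/<mapping name>.
    rootdev=$(awk '!/^[ \t]*(#|$)/ && $2 == "/" { print $1; exit }' "$root/etc/fstab" 2>/dev/null)
    [ "$rootdev" = "/dev/mapper/$name" ] ||
        fail "fstab root is '$rootdev', expected /dev/mapper/$name"

    # Step 4: dm_crypt must be listed so the initramfs can open the volume.
    grep -qx 'dm_crypt' "$root/etc/initramfs-tools/modules" 2>/dev/null ||
        fail "dm_crypt missing from etc/initramfs-tools/modules"

    # After step 2: the old /boot must have been kept aside as boot_old.
    [ -d "$root/boot_old" ] || fail "boot_old not found"
    return "$problems"
}

# Constructed sample tree mirroring the files written in steps 4 to 6 (not a real system).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/initramfs-tools" "$t/boot_old"
    printf 'dm_crypt\nsha256\naes-i586\nluks\n' > "$t/etc/initramfs-tools/modules"
    printf '/dev/mapper/root / ext4 defaults,errors=remount-ro 0 1\n' > "$t/etc/fstab"
    printf 'root /dev/sda1 none luks\n' > "$t/etc/crypttab"
    echo "$t"
}

tree=$(make_sample_tree)
if check_crypt_root "$tree"; then echo "staged tree is consistent"; fi
rm -rf "$tree"
```

On a real system, call check_crypt_root /mnt/disk1 after step 6, or check_crypt_root /rootfs_backup after step 7.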
More info:
http://wejn.org/how-to-make-passwordless-cryptsetup.html#ed5e44ec607a374cc7496b66a7e37ce5
https://www.debian-administration.org/article/428/System_encryption_on_Debian_Etch
https://help.ubuntu.com/community/EncryptedFilesystemHowto4
http://madduck.net/docs/cryptdisk/
https://www.debian-administration.org/article/639/Encrypting_an_existing_Debian_lenny_installation