Ubuntu – Encrypting a non-Linux partition with LUKS


I have a non-Linux partition I want to encrypt with LUKS. The goal is to be able to store it by itself on a device without Linux and access it from the device when needed with an Ubuntu Live CD.

I know LUKS can't encrypt partitions in place, so I created another, unformatted partition of the exact same size (using GParted's "Round to MiB" option) and ran this command:

sudo cryptsetup luksFormat /dev/xxx

Where xxx is the partition's device name. Then I typed in my new passphrase and confirmed it. Oddly, the command exited immediately after, so I guess it doesn't encrypt the entire partition right away? Anyway, then I ran this command:

sudo cryptsetup luksOpen /dev/xxx xxx

Then I tried copying the contents of the existing partition (call it yyy) to the encrypted one like this:

sudo dd if=/dev/yyy of=/dev/mapper/xxx bs=1MB

and it ran for a while, but exited with this:

dd: writing `/dev/mapper/xxx': No space left on device

just before writing the last MB. I take this to mean the contents of yyy were truncated when they were copied to xxx, because I have dd'd it before, and whenever I have dd'd to a partition of the exact same size, I never get that error (and fdisk reports they are the same size in blocks).

After a little Googling I discovered all luksFormat'ted partitions have a custom header followed by the encrypted contents. So it appears I need to create a partition exactly the size of the old one + however many bytes a LUKS header is.

What size should the destination partition be, no. 1, and no. 2, am I even on the right track here?


I found this in the LUKS FAQ:

  • I think this is overly complicated. Is there an alternative?

Yes, you can use plain dm-crypt. It does not allow multiple passphrases, but on the plus side, it has zero on disk description and if you overwrite some part of a plain dm-crypt partition, exactly the overwritten parts are lost (rounded up to sector borders).

So perhaps I shouldn't be using LUKS at all?

Best Answer

Got it. dm-crypt did the trick. Use that instead of LUKS if you only need a single key and need the partition to be a certain size.
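An added example, not part of the original question or answer: it reads the payload-offset field of a LUKS1 header to show why a same-size LUKS partition maps to a smaller device, and how large the destination partition must be instead. It assumes the LUKS1 on-disk layout (version 1, payload offset in 512-byte sectors); the function names, the 20 GiB source size and the sample header are constructed for illustration.

```python
import struct

SECTOR = 512  # LUKS1 stores payload-offset in 512-byte sectors
LUKS_MAGIC = b"LUKS\xba\xbe"
# magic, version, cipher, mode, hash, payload-offset, key-bytes, digest, salt, iter, uuid
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")


def _cstr(raw):
    """Decode a NUL-padded header string field."""
    return raw.split(b"\0", 1)[0].decode("ascii")


def parse_luks1_header(blob):
    """Return cipher info and payload offset from the first bytes of a LUKS1 device."""
    if len(blob) < PHDR.size:
        raise ValueError("need at least %d bytes of header" % PHDR.size)
    magic, version, cname, cmode, hspec, payload, keybytes, *_ = PHDR.unpack_from(blob)
    if magic != LUKS_MAGIC:
        raise ValueError("no LUKS magic: plain dm-crypt or not encrypted")
    if version != 1:
        raise ValueError("LUKS version %d: take the data offset from luksDump" % version)
    return {"cipher": _cstr(cname) + "-" + _cstr(cmode), "hash": _cstr(hspec),
            "key_bytes": keybytes, "payload_offset_bytes": payload * SECTOR}


def required_partition_bytes(source_bytes, payload_offset_bytes, align=1024 * 1024):
    """Smallest partition, rounded up to `align`, whose mapping holds source_bytes."""
    need = source_bytes + payload_offset_bytes
    return -(-need // align) * align


def mapped_bytes(partition_bytes, payload_offset_bytes):
    """Size of /dev/mapper/<name> for a LUKS1 partition of the given size."""
    return partition_bytes - payload_offset_bytes


def constructed_header(payload_sectors=4096):
    """Constructed sample header: aes-xts-plain64 with a 2 MiB payload offset."""
    return PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", payload_sectors,
                     64, bytes(20), bytes(32), 1000, b"0" * 36)


if __name__ == "__main__":
    off = parse_luks1_header(constructed_header())["payload_offset_bytes"]
    src = 20 * 1024**3  # constructed: size of the source partition (yyy)
    print("same-size target maps only", mapped_bytes(src, off), "of", src, "bytes")
    print("target must be at least", required_partition_bytes(src, off), "bytes")
```

On a real device the same offset is what `cryptsetup luksDump` reports; a plain dm-crypt mapping has no header, so its mapped size equals the partition size.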
