To convert your root file system to LUKS/dm-crypt, you will need to connect an external USB disk (as temporary storage). As mentioned previously, this is necessary because it is not possible to encrypt the partition in place, so the external disk is needed as temporary storage and a temporary root file system while the conversion takes place. The external disk needs to be at least twice as big as the root partition. Next, run the following script:
In the above invocation with no parameters, the defaults are:
Original root file system located on /dev/mmcblk0p2 Temporary root file system/storage for original root tarball located on /dev/sda Temporary root file system takes up entirety of new device The very first run of this script on a new temporary external USB disk could take a long time. Also, two reboots are required before the script is complete.
One thing to note is that, if the external storage device has an ext4 formatted partition with the original root file system partition (e.g. /dev/mmcblk0p2) on it, this script will use what is already on the external storage device to convert the SD card. This cuts down time for converting lots of Pi root file systems and allows the script to be used in a mass production deployment.
On a Pi3 with an attached USB SSD as the external device on a bare Jessie “full” version (~4GB), the first run of this script requires about an hour to complete the first phase. The second phase takes around 15 minutes.
The same platform with a Jessie “lite” version (~1.6GB) takes around 20 minutes for phase 1 and 5 minutes for phase 2.
Based on the above, using the formatted external device to convert subsequent units should only take 15/5 minutes.