Closed Demetrio92 closed 1 year ago
TBH, it may just work, assuming your partition scheme is fit, I just haven't tried that myself :-D If you figure out a working recipe, I'm happy to merge a PR updating the documentation with your working recipe.
I managed to encrypt without reinstalling, although I bricked my system twice in the process.
Whoever wants to repeat this journey
back up the full drive: sudo dd if=/dev/nvme0n1 status=progress bs=1M | gzip -c --best > /DIFFERENT_DRIVE/full_disk.img.gz
learn how to chroot
(guide for pop os, seems fairly generic though)
I can't verify if this will work from scratch, but definitely dding into an already initialized drive worked. Most importantly, though, the order of operations should be swapped compared to the original guide, and you shouldn't doing any of that from the booted system
enable tpm: sudo kernelstub -a "libata.allow_tpm=1"
or any other way of setting kernel prams
boot into a live USB
chroot
set up boot hooks
git clone https://github.com/fornellas/tcg_opal_rootfs
cd tcg_opal_rootfs/
git submodule init
git submodule update
make
sudo make install
exit chroot, umount
your nvme
encrypt
sedutil-cli --initialsetup $PASS $DEVICE
sedutil-cli --setMBREnable off $PASS $DEVICE
sedutil-cli --setupLockingRange 1 $RANGE_START $RANGE_LENGTH $PASS $DEVICE
sedutil-cli --enablelockingrange 1 $PASS $DEVICE
I've spent most of my time troubleshooting various intricacies of sedutil-cli
. PSA: take a picture of your NVMe. You might need that PSID
code that's printed on it.
Everything was tested on pop os 22.04 with ubuntu 22.04 live for chroot
Thanks for the feedback Demetrio!
Thanks @Demetrio92 , from the looks of it:
While I acknowledge that in some cases, with enough knowledge it is definitely possible to setup things non-destructively, it is very hard to generalise the solution.
I'm gonna close this issue, as it seems to be "impossible" to implement generically. If you feel differently, please cut a PR with your ideas.
The shared steps here can be a good reference for more "adventurous" people anyway :-D
https://github.com/fornellas/tcg_opal_rootfs/commit/54be7e38d8b91ad72357940c30c523a3ce228401
I learned the hard way that, altering the locking range essentially crypto-erases it, so it seems there's no clear path towards tweaking the locking range over a pre-existing system.
So if I correctly understand, it should be sufficient to save/restore only the EFI partition on the live system by 'dd' just before/after executing 'sedutil-cli --setupLockingRange ...' ? And this way you also could easily change the size of the EFI partition?
I suppose that's theoretically possible, though it is super error prone, I'd not try anything like that without having full backups.
I don't quite understand why can't I simply do
1)
sedutil-cli --setupLockingRange 1 $RANGE_START $RANGE_LENGTH $PASS $DEVICE
2) setupinitramfs-tools
to ask for the password for the drive if it is locked on bootMy partition table is already pretty much the way it would be expected.