Page MenuHomePhabricator

encrypt Whonix-Host disk after first boot
Open, NormalPublic


Building encrypted images and then later using cryptsetup-reencrypt (to get a secret master key) is not set possible and may or may not be simple to implement in grml-debootstrap.

Also shipping already encrypted images would probably increase the size of the images since then compression would be hard.

There is probably no compression tool that understands the encryption master key and uses that for the benefit of the compression.

cryptsetup-reencrypt as far as I understand (I hope I am wrong?) can only be used for already encrypted luks images.

luksipc apparently seems capable of in-place encryption of non-luks disks.

At first boot after T907 the user could be prompted an offer to encrypt the disk in place.


  • test lukspic to encrypt a previously unencrypted installed Debian and convert it into a full disk encrypted system
  • research if there are better alternatives



Event Timeline

Patrick triaged this task as Normal priority.Apr 23 2019, 12:47 PM
Patrick created this task.
Patrick updated the task description. (Show Details)Apr 23 2019, 1:20 PM