Page MenuHomePhabricator

encrypt Whonix-Host disk after first boot of Whonix-Host
Open, NormalPublic


This would be useful in case of installing Whonix-Host without installer (calamares) (T909),

Building encrypted images and then later using cryptsetup-reencrypt (to get a secret master key) is not yet possible and may or may not be simple to implement in grml-debootstrap.

Also shipping already encrypted images would probably increase the size of the images since then compression would be hard.

There is probably no compression tool that understands the encryption master key and uses that for the benefit of the compression.

cryptsetup-reencrypt as far as I understand (I hope I am wrong?) can only be used for already encrypted luks images.

luksipc apparently seems capable of in-place encryption of non-luks disks.

At first boot after T907 the user could be prompted an offer to encrypt the disk in place.


  • test lukspic to encrypt a previously unencrypted installed Debian and convert it into a full disk encrypted system
  • research if there are better alternatives



Event Timeline

Patrick triaged this task as Normal priority.Apr 23 2019, 10:47 AM
Patrick created this task.

Should we consider closing this task since Calamares installer provides the option of full disk encryption?

This ticket is only useful if we go for T909. I will update the ticket descriptions now.

Patrick renamed this task from encrypt Whonix-Host disk after first boot to encrypt Whonix-Host disk after first boot of Whonix-Host.Mar 17 2020, 5:12 PM
Patrick updated the task description. (Show Details)