
Similar to this question about 'disabling full disk encryption', but hopefully different enough to not be labeled a duplicate;

We currently have an Ubuntu Server (16.04, I believe) running in our enterprise which was installed with FDE (full disk encryption, LVM/LUKS) on a single 300GB HDD. Unfortunately, this caused some problems, like having to type in the password on reboot, and cron jobs wouldn't run if nobody was logged in because the home directory was encrypted as well.

The server owner has now installed 4 new 3TB disks which I put in a RAID 10, effectively giving a volume of 6TB.

The next step is to migrate the Ubuntu server from the first 300GB to the 6TB RAID, but as it is unacceptable for us to have to type the password every time the server boots and we will be moving it to a more secure location, we're looking to migrate it without the FDE. I've been searching around a bit, and found the above-mentioned question. There's also this and that, but I don't think they concern FDE installations.

What would be the best, easiest, least time-consuming course of action for moving an encrypted installation to a new unencrypted HDD/partition?

  1. Installing a new bootable Ubuntu Server on the new RAID and then manually moving important files from one server to the other? Is there a list of all the directories and files that would need to be moved for such an operation? A script that does it automatically?

  2. Using a live USB, copying with dd or rsync from the 300GB to the 6TB RAID and then configuring, like in this answer to the mentioned question?

  3. Other options?

ZN13
  • Option 2 seems better to me than your option 1. If you use btrfs you can also use snapshots and do btrfs send/receive. By the way, if you are annoyed that you have to type the password each time, you can simply remove it (or rather automatically unlock with a LUKS key file that is in an unencrypted location, like /boot or /boot/efi, and added to /etc/crypttab). Of course such a system would have security equivalent to an unencrypted one. – Andrius Štikonas Feb 03 '17 at 14:29
  • IMO your easiest solution is to back up your data and perform a fresh install without encryption. As you are running an "enterprise" this should be trivial. Your other option would be to run cron tasks as root, not as normal users, and reboot remotely - http://blog.neutrino.es/2011/unlocking-a-luks-encrypted-root-partition-remotely-via-ssh/ – Panther Feb 03 '17 at 16:03
  • Voting to close as it seems you are asking for an opinion and you are not having a specific problem with a specific step of the conversion. There are multiple options and multiple potential solutions from alternate configuration to fresh install. – Panther Feb 03 '17 at 16:05
  • @AndriusŠtikonas I'm not personally annoyed by having to type the password on reboot, but the server needs to be able to restart by itself. It's going to be moved to a location where I cannot physically get to it if it crashes or reboots. – ZN13 Feb 03 '17 at 16:11
  • @bodhi.zazen I was hoping someone had an easier solution, maybe a script that will move one install over to another. I was also wondering whether doing option 2 would lead to system instabilities in the future. – ZN13 Feb 03 '17 at 16:12
  • Can't predict the future; you may or may not have problems with your server for any variety of issues. You can copy a partition with dd, but then you have a bunch of manual configuration, and home is still encrypted so you have to manually decrypt home. I doubt there is anyone who has enough systems that it is scripted, and you would need all login passwords for all users. – Panther Feb 03 '17 at 16:34
  • Your easiest solution by far is to read the link I gave you regarding remote reboot and move your cron scripts to root - done in about 15 minutes. – Panther Feb 03 '17 at 16:42

0 Answers