[0/4] initramfs-crypt-hook: Speedup disk-encryption reencrypt and other improvements

Message ID 20240712081143.1376952-1-stefan-koch@siemens.com (mailing list archive)

Stefan Koch July 12, 2024, 8:11 a.m. UTC
Hi

This is a patch series of 4 patches that will improve the initramfs-crypt-hook.

- Do not attempt to repair a partially encrypted filesystem

- Provide full losetup executable.
  The busybox losetup doesn't support "--sizelimit" parameter.
  The CRYPT_FAST_REENCRYPTION introduced with the next patch will need it.

- initramfs-crypt-hook: Speedup disk-encryption reencrypt
  - When "CRYPT_FAST_REENCRYPTION" is set to "1" (consider security and
    data reliability aspects when enabling):
    - shrink partition temporarily to minimum
    - encrypt shrunk partition
    - expand encrypted partition to maximum

  In particular this will reduce the reencryption time for a device with
  a large partition from 45 minutes to less than 1 minute.
  Security aspect: When enabling this mode, not all blocks
  are implicitly encrypted, it behaves like in the format mode
  that does not erase all blocks before.

- Add missing mountpoint executable

Best regards

Stefan

Stefan Koch (4):
  initramfs-crypt-hook: Do not attempt to repair a partially encrypted
    filesystem
  initramfs-crypt-hook: Provide full losetup executable
  initramfs-crypt-hook: Speedup disk-encryption reencrypt
  initramfs-crypt-hook: Add missing mountpoint executable

 .../files/encrypt_partition.clevis.hook       |  1 +
 .../files/encrypt_partition.env.tmpl          |  2 +
 .../files/encrypt_partition.script            | 58 ++++++++++++++++---
 .../files/encrypt_partition.systemd.hook      |  5 ++
 .../initramfs-crypt-hook_0.2.bb               | 11 +++-
 5 files changed, 67 insertions(+), 10 deletions(-)