@@ -38,6 +38,7 @@ or by adding using the following command line build:
The initramfs-crypt-hook recipe has the following variables which can be overwritten during image build:
- CRYPT_PARTITIONS
- CRYPT_CREATE_FILE_SYSTEM_CMD
+- CRYPT_FAST_REENCRYPTION
### CRYPT_PARTITIONS
@@ -58,6 +59,36 @@ The mountpoint is empty as the root partition is mounted by a seperate initramf
Both partitions are encrypted during first boot. The initramfs hook opens `${ABROOTFS_PART_UUID_A}` and `${ABROOTFS_PART_UUID_B}`
during boot.
+#### Speed-up disk-reencryption (`CRYPT_FAST_REENCRYPTION`)
+
+As the `reencrypt` mechanism doesn't work at file system level
+so it wouldn't detect used and free blocks.
+This means that the block-wise reencryption process could
+take a very long time depending on the partition size.
+
+Using the `format` mechanism instead of the `reencrypt` one
+would delete all existing data (without wiping). This would be very fast,
+because it doesn't matter whether a block is used or free.
+
+Set `CRYPT_FAST_REENCRYPTION` to `"1"` to speed-up the `reencrypt` process.
+So, this would be done:
+- Obtain used space of the unencrypted userdata partition
+- Shrink the partition and resize it to the size of used space (minimum size)
+- reencrypt the userdata partition now with smaller size
+- Expand the encrypted userdata partition back to the maximum possible size
+
+Some disk encryption implementations like within the Debian installer
+will overwrite the entire partition with random data for security reasons
+(e.g. wiping old already deleted data, hiding metadata, etc.).
+
+However, this speed-up lacks the described security benefit of implicit data overwrite.
+So for security reasons, it behaves identical to the `format` option
+(there is no support for explicit random overwrite within initramfs-crypt-hook).
+
+Keep in mind that a power loss while reencryption will cause data loss.
+The key is only enrolled after fully succeeded reencryption, yet.
+So, no recovery from already encrypted data would be possible.
+
### CRYPT_CREATE_FILE_SYSTEM_CMD
The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly
Signed-off-by: Stefan Koch <stefan-koch@siemens.com> --- doc/README.tpm2.encryption.md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+)