Re-encrypting from clear key to secure key onto a new volume

In this use case, you learn how to decrypt a volume that was encrypted with a clear key in LUKS1 or plain mode, and how to re-encrypt it with a secure key by using the infrastructure for protected volume encryption. In this scenario, the re-encrypted data is written to a new volume.

Before you begin

You need a free volume, or a free partition on a volume that has sufficient space. Ensure that this volume is persistently configured to your Linux® instance.

About this task

The clear-key encrypted volume can be either a stand-alone volume or a physical volume that is part of an LVM volume group.

In this procedure, you use the known clear key that was used for the volume encryption to decrypt the data, and then use the tools of the infrastructure for protected volume encryption to re-encrypt the volume with a generated secure key.

Procedure

  1. Open the encrypted volume.
  2. Perform the data migration.
    1. With LVM: Perform the procedure as described in Migrating to an encrypted LVM physical volume.
      If you have enough free space in your LVM volume group, you can migrate one physical volume after the other, because you do not need temporary disk space to hold the migration data.
    2. Without LVM: Perform the procedure as described in Migrating data to a new encrypted volume.
  3. Update your system configuration to use the new encrypted volume. You might require changes in several configuration files, for example, /etc/crypttab and /etc/fstab, depending on the usage of the encrypted volume.
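
A check for step 3, added here as an example and not taken from the original documentation: it lists the active /etc/crypttab and /etc/fstab entries that still name the old clear-key volume, so that none is left to reopen or mount it after the migration. The function name `stale_refs`, the helper `make_sample`, and all device and mapping names (`/dev/dasdc1`, `enc-old`, and so on) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find configuration entries that still point at the old
# clear-key volume. All device and mapping names here are constructed.

# stale_refs OLD_DEV OLD_MAP CRYPTTAB FSTAB
# Prints "file:line:field1 field2" for every active (non-comment) entry that
# still names the old backing device or the old dm-crypt mapping.
# UUID= and LABEL= references are not resolved by this check.
stale_refs() {
    old_dev=$1 old_map=$2 crypttab=$3 fstab=$4
    # crypttab columns: <mapping name> <backing device> <key file> <options>
    awk -v dev="$old_dev" -v map="$old_map" -v f="$crypttab" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == map || $2 == dev { print f ":" NR ":" $1 " " $2 }
    ' "$crypttab"
    # fstab columns: <device> <mount point> <type> <options> <dump> <pass>
    awk -v dev="$old_dev" -v map="/dev/mapper/$old_map" -v f="$fstab" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == map || $1 == dev { print f ":" NR ":" $1 " " $2 }
    ' "$fstab"
}

# make_sample DIR: write constructed crypttab and fstab files into DIR.
make_sample() {
    cat > "$1/crypttab" <<'EOF'
# <name>  <device>     <key file>          <options>
enc-old   /dev/dasdc1  /etc/keys/old.key   luks
enc-new   /dev/dasdd1  none                luks
EOF
    cat > "$1/fstab" <<'EOF'
/dev/mapper/rootvg-root  /      ext4  defaults  0 1
/dev/mapper/enc-old      /data  ext4  defaults  0 2
#/dev/mapper/enc-old     /old   ext4  defaults  0 2
/dev/mapper/enc-new      /new   ext4  defaults  0 2
EOF
}

# Demo run on the constructed files; on a real system pass /etc/crypttab
# and /etc/fstab instead.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
stale_refs /dev/dasdc1 enc-old "$demo_dir/crypttab" "$demo_dir/fstab"
rm -rf "$demo_dir"
```

Empty output means that no active entry refers to the old volume by device path or mapping name.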