encrypt Whonix-Host disk after first boot of Whonix-Host


ID: 906
PHID: PHID-TASK-y4qrdy5n5xxu4j6bjdy7
Author: Patrick
Status at Migration Time: open
Priority at Migration Time: Normal


This would be useful in case of installing Whonix-Host without installer (calamares) (T909),

Building encrypted images and then later using cryptsetup-reencrypt (to get a secret master key) is not yet possible and may or may not be simple to implement in grml-debootstrap.

Also shipping already encrypted images would probably increase the size of the images since then compression would be hard.

There is probably no compression tool that understands the encryption master key and uses that for the benefit of the compression.

cryptsetup-reencrypt as far as I understand (I hope I am wrong?) can only be used for already encrypted luks images.

luksipc apparently seems capable of in-place encryption of non-luks disks.

At first boot after T907 the user could be prompted an offer to encrypt the disk in place.


  • test lukspic to encrypt a previously unencrypted installed Debian and convert it into a full disk encrypted system
  • #research if there are better alternatives



2020-03-17 11:59:08 UTC


2020-03-17 17:07:48 UTC