LUKS drive on-the-fly.
Install in /usr/[share|lib]/dracut/modules.d/90reencrypt, then
-build special intramfs "with dracut -a reencrypt -o crypt".
+build special initramfs "with dracut -a reencrypt -o crypt".
Reencrypt module doesn't work (has a conflict) with crypt module as
-of now. After successfull reencryption reboot using original initramfs.
+of now. After successful reencryption reboot using original initramfs.
Dracut then recognize argument rd.luks.reencrypt=name:size,
e.g. rd.luks.reencrypt=sda2:52G means only 52G of device
will be reencrypted (default is whole device).
(Name is kernel name of device.)
-Also, you may specify keyslot which you want to use for reencryption,
-rd.luks.reencrypt_keyslot=<keyslot_number>. Bear in mind that if you
-use this option, all other keyslots will be deactivated.
+If there's more than single active keyslot in the target luks device
+you're required to select one keyslot explicitly for reencryption via
+rd.luks.reencrypt_keyslot=<keyslot_number> option. Bear in mind that
+if you use this option, all other keyslots will get deactivated in the
+process.
Another argument, rd.luks.reencrypt_key=/dev/sda:/path/to/keyfile
can be used to read password for specific keyslot from device containing