On Fri, 24 Apr 2015 at 09:22 Noah O'Donoghue <noah.odonoghue@gmail.com> wrote:
Yes, of course - I keep backups. In two different physical locations. But restoring them is actually a worst case scenario which involves days of downtime. It takes time to copy TBs of data. Even if you break a RAID 1 you're still going to have to make the other half read-only or you're going to have new data on your original that doesn't make it across.

I think people were suggesting blanking each removed half of the array, prior to making the underlying block device encrypted, then adding and re-mirroring.
 
And correct me if I'm wrong with the ecryptfs solution - but doesn't it leave unencrypted copies of your files in free space? Because it's not encrypting in place at a block level, some / most / many files are left unallocated but in clear text on your volume, until you later overwrite them with new data?

Yeah, you'd totally want to run "zerofree" over the device after you were done. I was just pointing out that ecryptfs might be able to be made to work for you.
 
It strikes me as strange that we have kernel level APIs for abstracting blocks, we can do all this fantastic crazy stuff with LVM, yet can't do this simple operation that every other OS seems to be able to... Imagine if Android said "sorry, you must wipe your phone first" when you turned on device encryption...

Ubuntu can do a (not live) encryption of your home directories... so it is a thing. (They use ecryptfs, but also require the user to log out while it occurs.)

I'd say it's about consumer demand. Which exists for things like Windows and Android, and even desktop installs of Ubuntu, but doesn't so much for the Linux server environment. So there's no incentive for people to write the tools to do it.