Crouton: Post-installation encryption

Created on 8 Feb 2013  ·  5 Comments  ·  Source: dnschneid/crouton

Hi, I recently started using Crouton and I love it! It lets me get a ton of use out of my Chromebook. Thanks for writing it!

When I initially installed my Ubuntu chroot I did it without encryption (mainly just to see if it would work at all). Now that I've spent some time setting up my dev environment, I'm realizing I should probably encrypt the chroot directory. Is this possible? Or does that need to be done at install-time?

Thanks again for making such a great tool!

question


All 5 comments

Glad to hear you're finding it useful!

You can indeed encrypt the chroot after it's been created--just run crouton again with the same parameters you used to create the chroot, but with -u (update) and -e (encrypt). It will make you create a root password in Chromium OS if you haven't already, and then it will ask you for an encryption password and encrypt the chroot.
Make sure the operation doesn't get interrupted; you may want to back up the chroot beforehand if it has important data. The conversion is resumeable (if it gets interrupted, run the exact same command again and it will continue where it left off), but it's a bit iffy as Chromium OS's ecryptfs version has bugs and may not handle the interruption well. Once the process is over though, it's rock-solid. That's how I use all my chroots.

Awesome. Thank you very much for the detailed explanation!

David. Please specify the full parameter to -e (encrypt) a chroot. Rather than just saying "use same parameters as used to create the chroot", please just spell it out for us numbskulls.

@ssyyddii,

The full parameter to -e (encrypt) is simply -e.
@dnschneid described what happens above, but I've provided it below too.

"It will make you create a root password in Chromium OS if you haven't already, and then it will ask you for an encryption password and encrypt the chroot."

Take a look at the crouton usage display below for the '-e' option and many others.

chronos@localhost ~ $ sudo sh ~/Downloads/crouton
crouton [options] -t targets
crouton [options] -f backup_tarball
crouton [options] -d -f bootstrap_tarball

Constructs a chroot for running a more standard userspace alongside Chromium OS.

If run with -f, where the tarball is a backup previously made using edit-chroot,
the chroot is restored and relevant scripts installed.

If run with -d, a bootstrap tarball is created to speed up chroot creation in
the future. You can use bootstrap tarballs generated this way by passing them
to -f the next time you create a chroot with the same architecture and release.

crouton must be run as root unless -d is specified AND fakeroot is
installed AND /tmp is mounted exec and dev.

It is highly recommended to run this from a crosh shell (Ctrl+Alt+T), not VT2.

Options:
    -a ARCH     The architecture to prepare a new chroot or bootstrap for.
                Default: autodetected for the current chroot or system.
    -b          Restore crouton scripts in PREFIX/bin, as required by the
                chroots currently installed in PREFIX/chroots.
    -d          Downloads the bootstrap tarball but does not prepare the chroot.
    -e          Encrypt the chroot with ecryptfs using a passphrase.
                If specified twice, prompt to change the encryption passphrase.
    -f TARBALL  The bootstrap or backup tarball to use, or to download to (-d).
                When using an existing tarball, -a and -r are ignored.
    -k KEYFILE  File or directory to store the (encrypted) encryption keys in.
                If unspecified, the keys will be stored in the chroot if doing a
                first encryption, or auto-detected on existing chroots.
    -m MIRROR   Mirror to use for bootstrapping and package installation.
                Default depends on the release chosen.
                Can only be specified during chroot creation and forced updates
                (-u -u). After installation, the mirror can be modified using
                the distribution's recommended way.
    -M MIRROR2  A secondary mirror, often used for security updates.
                Can only be specified alongside -m.
    -n NAME     Name of the chroot. Default is the release name.
                Cannot contain any slash (/).
    -p PREFIX   The root directory in which to install the bin and chroot
                subdirectories and data.
                Default: /usr/local, with /usr/local/chroots linked to
                /mnt/stateful_partition/crouton/chroots.
    -P PROXY    Set an HTTP proxy for the chroot; effectively sets http_proxy.
                Specify an empty string to remove a proxy when updating.
    -r RELEASE  Name of the distribution release. Default: precise,
                or auto-detected if upgrading a chroot and -n is specified.
                Specify 'help' or 'list' to print out recognized releases.
    -t TARGETS  Comma-separated list of environment targets to install.
                Specify 'help' or 'list' to print out potential targets.
    -T TARGETFILE  Path to a custom target definition file that gets applied to
                the chroot as if it were a target in the crouton bundle.
    -u          If the chroot exists, runs the preparation step again.
                You can use this to install new targets or update old ones.
                Passing this parameter twice will force an update even if the
                specified release does not match the one already installed.
    -V          Prints the version of the installer to stdout.

Be aware that dev mode is inherently insecure, even if you have a strong
password in your chroot! Anyone can simply switch VTs and gain root access
unless you've permanently assigned a Chromium OS root password. Encrypted
chroots require you to set a Chromium OS root password, but are still only as
secure as the passphrases you assign to them.

_Hope this helps,_
-DennisL
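Putting the maintainer's instructions and the usage display together, here is an added helper script (not part of crouton, and not from anyone in this thread) that rebuilds the "same parameters, plus -u -e" command from the arguments originally used to create a chroot, and works out where that chroot lives so it can be backed up first. It assumes the installer sits at ~/Downloads/crouton as in the thread, and takes the defaults for -p, -n and -r from the usage text above.

```shell
#!/bin/sh
# Constructed example, not crouton's own code. Given the arguments used to
# create a chroot, build the matching "update and encrypt" invocation.
# Any -e or -u already on the line is dropped before re-adding each once:
# per the usage text, a doubled -e means "change the passphrase" and a
# doubled -u means "force an update", neither of which a first encryption wants.
encrypt_cmd() {
    out="sudo sh ~/Downloads/crouton"   # assumed installer path (from the thread)
    while [ $# -gt 0 ]; do
        case "$1" in
            -e|-u) ;;                                   # dropped, re-added once below
            -a|-f|-k|-m|-M|-n|-p|-P|-r|-t|-T)
                out="$out $1 $2"; shift ;;              # option that takes a value
            *) out="$out $1" ;;                         # flag without a value (-b, -d, -V)
        esac
        shift
    done
    printf '%s -u -e\n' "$out"
}

# Directory of the chroot the command above will convert, so it can be backed
# up before encryption. Defaults follow the usage text: PREFIX is /usr/local,
# NAME falls back to the release, and the release defaults to precise.
chroot_dir() {
    prefix=/usr/local; name=""; release=precise
    while [ $# -gt 0 ]; do
        case "$1" in
            -p) prefix="$2"; shift ;;
            -n) name="$2"; shift ;;
            -r) release="$2"; shift ;;
            -a|-f|-k|-m|-M|-P|-t|-T) shift ;;           # skip other valued options
        esac
        shift
    done
    printf '%s/chroots/%s\n' "$prefix" "${name:-$release}"
}

# Example run with constructed creation arguments:
#   encrypt_cmd -r precise -t xfce   -> sudo sh ~/Downloads/crouton -r precise -t xfce -u -e
#   chroot_dir  -r precise -t xfce   -> /usr/local/chroots/precise
```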

@ssyyddii
I hope you figured it out by now; I'm new to this, and I was wondering the same thing, but I messed around a bit and figured it out.
Type: chronos@localhost ~ $ sudo sh ~/Downloads/crouton -u -e
