Example of a simple dracut module for on-the-fly reencryption of the system
LUKS drive.

Install it in /usr/[share|lib]/dracut/modules.d/90reencrypt, then
build a special initramfs with "dracut -a reencrypt -o crypt".
The reencrypt module doesn't work (has a conflict) with the crypt module as
of now. After successful reencryption, reboot using the original initramfs.

Dracut then recognizes the argument rd.luks.reencrypt=name:size,
e.g. rd.luks.reencrypt=sda2:52G means only 52G of the device
will be reencrypted (the default is the whole device).
(Name is the kernel name of the device.)

If there is more than a single active keyslot in the target LUKS device,
you're required to select one keyslot explicitly for reencryption via the
rd.luks.reencrypt_keyslot=<keyslot_number> option. Bear in mind that
if you use this option, all other keyslots will get deactivated in the
process.

Another argument, rd.luks.reencrypt_key=/dev/sda:/path/to/keyfile,
can be used to read the password for a specific keyslot from a device
containing a filesystem with a keyfile (a file with a password). If you omit
the reencrypt_key argument, reencryption will work only if the LUKS container
has exactly one keyslot activated.

The arguments rd.luks.reencrypt_keyslot and rd.luks.reencrypt_key are not
mandatory.

Note that the reencryption context is stored in the ramdisk; any
failure can mean complete loss of data!
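
Because a failed run can destroy data, it helps to validate the arguments before booting the special initramfs. The following is an added example, not code from the dracut module: it checks the rd.luks.reencrypt* arguments described above against the stated keyslot rules. The function names, the sample input, the LUKS1-style luksDump text and the accepted size and keyfile forms are assumptions of this example.

```sh
# Added example, not the dracut module's code: pre-flight check of the
# rd.luks.reencrypt* arguments against the keyslot rules stated above.

# Constructed sample input (kernel command line, LUKS1-style luksDump lines).
SAMPLE_CMDLINE='ro rd.luks.reencrypt=sda2:52G rd.luks.reencrypt_keyslot=1 rd.luks.reencrypt_key=/dev/sda:/path/to/keyfile'
SAMPLE_DUMP='Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED'

die() { echo "reencrypt pre-flight: $2" >&2; exit "$1"; }

# Print the value of the last NAME=value word in CMDLINE; fail if absent.
cmdline_arg() (
    set -f; found=1                      # subshell: no globbing, local vars
    for w in $2; do
        case $w in "$1="*) val=${w#*=}; found=0 ;; esac
    done
    [ "$found" -eq 0 ] && printf '%s\n' "$val"
)

# Count ENABLED slots in LUKS1-style "cryptsetup luksDump" text on stdin.
active_keyslots() {
    awk '/^Key Slot [0-9]+: ENABLED/ { n++ } END { print n + 0 }'
}

# check_reencrypt CMDLINE LUKSDUMP: print the plan, or a reason on stderr.
check_reencrypt() (
    spec=$(cmdline_arg rd.luks.reencrypt "$1") || die 1 "rd.luks.reencrypt not set"
    name=${spec%%:*}; size=whole
    # Kernel name only: it ends up under /dev/, so reject path components.
    case $name in ''|.*|*/*) die 2 "bad device name" ;; esac
    # Assumption: size is digits plus an optional unit suffix, as in "52G".
    case $spec in *:*) size=${spec#*:}
        case $size in ''|[!0-9]*|*[!0-9A-Za-z]*) die 2 "bad size" ;; esac ;;
    esac
    slot=$(cmdline_arg rd.luks.reencrypt_keyslot "$1") || slot=
    case $slot in *[!0-9]*) die 2 "bad keyslot" ;; esac
    # Assumption: only the /dev/<node>:/<path> form shown above is accepted.
    key=$(cmdline_arg rd.luks.reencrypt_key "$1") || key=
    case $key in ''|/dev/?*:/?*) ;; *) die 2 "bad keyfile spec" ;; esac
    n=$(printf '%s\n' "$2" | active_keyslots)
    [ "$n" -ge 1 ] || die 3 "no active keyslot found"
    if [ "$n" -gt 1 ] && [ -z "$slot" ]; then die 3 "rd.luks.reencrypt_keyslot required"; fi
    if [ "$n" -ne 1 ] && [ -z "$key" ]; then die 3 "rd.luks.reencrypt_key required"; fi
    dropped=0; [ -z "$slot" ] || dropped=$((n - 1))   # other slots get deactivated
    echo "dev=/dev/$name size=$size keyslot=${slot:-none} key=${key:-none} dropped_keyslots=$dropped"
)

check_reencrypt "$SAMPLE_CMDLINE" "$SAMPLE_DUMP"
```

On a real system the second argument would be the output of "cryptsetup luksDump" for the target device; the dropped_keyslots field shows how many passphrases stop working after the run.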
