LVM and dm-crypt -- best way to encrypt a logical volume?

nyle · 01-28-2009, 09:58 PM

Howdy,

I have two drives, /dev/sda and /dev/sdb. I set up a volume group called "fileshare" which is composed of a bunch of logical volumes (called "music," "video," etc.) spread across both drives. Then I formatted them.

Everything shows up fine in the actual system; I can mount /dev/mapper/fileshare-video and read and write to it just fine. I want to encrypt everything but /boot and the / directory but am having trouble figuring out the most elegant way to do it.

I can easily use cryptsetup to encrypt /dev/mapper/fileshare-(whatever) but it seems hackish. Case in point-

Code:

cryptsetup luksFormat -c aes-cbc-essiv:sha256 /dev/mapper/fileshare-video
cryptsetup luksOpen /dev/mapper/fileshare-video video
mount /dev/mapper/video /var/fileserver/video

This will do the trick, but now in the /dev/mapper directory I have two entries pointing to the same thing-- /dev/mapper/fileshare-video (the LV) and /dev/mapper/video (the encrypted device).

Is this simply *the* way to do it or is there a way to avoid having to create a separate /dev/mapper entry? I've read that one can encrypt the whole VG, which spares me from having to enter the key once for every partition when I decrypt them at boot. Can't figure out how to do that though, as:

Code:

cryptsetup luksFormat -c aes-cbc-essiv:sha256 /dev/fileshare

results in a device can't be accessed error. Which makes sense since /dev/fileshare just points to the individual partitions, but I don't see how else to encrypt the entire VG.

Any tips would be appreciated!

almatic · 01-29-2009, 05:45 AM

first you need to create the encrypted container (without filesystem), then the lvm volume-group inside it.

nyle · 01-30-2009, 12:36 PM

I think I understand the concept...make a container, encrypt it, then set up a filesystem within it. Ok.

Just to make sure I understand the actual procedure though, I still have to set up LVM beforehand, right? Once I have a (physical?) volume spanning the two drives, I would create a container on that volume, encrypt it, mount it, and set up a filesystem within it.

Do I have that right?

almatic · 01-31-2009, 01:59 AM

Quote:

Originally Posted by nyle

Just to make sure I understand the actual procedure though, I still have to set up LVM beforehand, right? Once I have a (physical?) volume spanning the two drives, I would create a container on that volume, encrypt it, mount it, and set up a filesystem within it.

Do I have that right?

No

If you want to encrypt your entire volume-group (as stated in your first post) you need to setup the encryption _before_ the lvm. Basically like this:

Create the enrypted container:

cryptsetup -c aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/whereever-your-physical-partition-is

open the container:

cryptsetup luksOpen /dev/whereever-your-physical-partition-is my-enc-container

you now have /dev/mapper/my-enc-container as device, on which you now create the volume group:

pvcreate /dev/mapper/my-enc-container
vgcreate my-vol-group /dev/mapper/my-enc-container

now you can create your logical volumes with 'lvcreate' and setup your config files.

nyle · 01-31-2009, 02:53 PM

Got it. Thanks so much. I didn't quite understand the concept of "container," hence my confusion.