[SOLVED] LUKS and LVM on two separate drives

jjthomas · 06-11-2010, 09:25 PM

I have been following the README_CRYPT.TXT specifically the section on Combining LUKS and LVM.

I have two drives and I am encrypting them both. Everything seems to go fine until I reboot. I am prompted for my password for the first PV which contains my root and home directories. The password opens up the LVM and I have access to my root and home directories, / and /home respectively.

I am never prompted for the password for the PV on the second drive. It contains my swap, var and a mount /mnt/storage.

How to set it up so I am prompted for the password at boot for second PV drives?

I am new to LVM, I hope I am using the terminology correctly.

Thank you.

-JJ

GazL · 06-18-2010, 09:51 AM

Support for unlocking multiple luks encrypted PVs was included in Slackware 13.1

If you're running 13.1 then you specify a colon delimited list of partitions to unlock on the mkinitrd -C option when you build your initrd.

here's an example snippet from the man-page for mkinitrd

Code:

This  one  is  for  a  LVM  Volume  Group  (rootvg)  comprising of two LVM Physical Volumes, each of which is on a LUKS encrypted partition
that will need to be unlocked before the root filesystem (/dev/rootvg/lvroot) can be accessed.

         mkinitrd -c -k 2.6.29.6 \
                  -m ext4:ehci-hcd:uhci-hcd:usbhid \
                  -f ext4 -r /dev/rootvg/lvroot \
                  -L -C /dev/sda2:/dev/sdb2 \
                  -l uk

Z038 · 06-30-2010, 09:43 PM

GazL, I'm glad I saw this thread. Thank you for the news. This is what I was after a couple years ago when I started this thread 12.1 LUKS and LVM install on system with multiple SATA and IDE HDD

I just upgraded one of my systems to 13.1 last night, but it only has one PV. I'll try the colon-delimited multiple PV list when I upgrade my other system that has more than one PV.

Up until now, I've just had a vgscan, vgchange, and mount command for the second volume group in my rc.local.

GazL · 07-01-2010, 10:39 AM

You're welcome and I'm glad you have a use for it.

It was quite satisfying to get something I'd written adopted by the devs.

Like you I used to run with 2 volume groups back on 12.1/2 (a vgdata and a vgsystem) and I had the same issue, namely that /etc/rc.d/rc.S does the lvm vgscan before /etc/crypttab processing so if you have additional luks encrypted PVs that are unlocked via crypttab then they're not available when the vgscan is run so it doesn't detect the second volume group and you get failures to mount filesystems from the 'mount -a'.

rc.S still has that issue and could probably do with having 2 runs of cryptsetup in a similar way to how initrd now works. I did send an updated rc.S which catered for a second pass at the crypttab to Pat just before 12.2 released but the code was a little convoluted and not nearly as elegant as what I came up with for the initrd. He didn't adopt it in the end - which was probably the correct choice on that occasion.

If I ever get around to it, I might take another look at rc.S and see what I can do to make it better, but since my new box only has a single volume group, and the initrd can now unlock any additional disks anyway there's no great need.