Installing Fedora with LVM and LUKS, using the encryption layer on top of the LVM layer.

yudi v yudi.tux at gmail.com
Mon Jul 18 13:02:00 UTC 2011


On Mon, Jul 18, 2011 at 10:22 PM, Bruno Wolff III <bruno at wolff.to> wrote:

> On Mon, Jul 18, 2011 at 22:20:15 +1000,
>   yudi v <yudi.tux at gmail.com> wrote:
> > On Mon, Jul 18, 2011 at 9:46 PM, Bruno Wolff III <bruno at wolff.to> wrote:
> >
> > > On Mon, Jul 18, 2011 at 21:51:01 +1000,
> > >  yudi v <yudi.tux at gmail.com> wrote:
> > > >
> > > > fine without any issues and I only have to enter the pass phrase once.
> > > > Now I would like to change this setup with the LVM layer below the LUKS
> > > > layer. That way I do not have to worry about decrypting 500Gb at every boot.
> > >
> > > This won't affect that unless you are only going to encrypt some of the
> > > LVs (e.g. just /home).
> > >
> > Yes I might only encrypt some of the LVs, I am not sure right now. One of
> > the main reasons for having the encryption layer on top of the LVM layer is
> > to leave the LVs unmounted and encrypted until I need them. This cannot be
> > achieved if the whole PV is encrypted. I will only decrypt /, /home, and
> > swap at boot time and then will decrypt other LVs when I need them.
>
> Do you realize that the devices aren't actually decrypted as a whole?
> Individual blocks are decrypted as needed.
>

I did not know that, I was under the impression once the encryption
container is open all the data in that container is decrypted.


>
> > I could not infer what you meant by "this won't affect that .."
>
> Whether the encryption is on top or under the LV devices, will have little
> effect on how much is decrypted during boot. The blocks that are needed
> for booting will get decrypted as needed and those that aren't, won't.
> All you save decrypting is some of the LVM metadata which won't be
> decrypted in the case where only the LV contents are encrypted.
>
> It might be a significant savings if you are doing snapshots or the like
> when LVM is manipulating the data opaquely. The encrypted data can be
> copied around without having to decrypt it.
>

I guess you mean LV's can be moved around not the data per se.

>
> > > > I would like to know if there is a way to decrypt all the encrypted LVs
> > > > with one pass phrase.
> > >
> > > If you use the same passphrase for the different encrypted devices you
> > > will only need to enter it once (well, twice for now because of a bug
> > > with handing off the passphrase to plymouth).
> > >
> >
> > Cool, I did not know this. Thank you.
>
> If you delay using the encrypted devices until after boot then you
> will need to enter a passphrase when you open them.
>

I prefer to have the data locked up until I need it. I am certain I will not
encrypt all my data, only the stuff that matters. I will have a lot of
unassigned space in the VG. I can either increase the size of the containers
or create new containers if need be.

I was playing with Debian and tried this method with even the /boot in the
LVM as GRUB2 can handle booting straight from the LVM but it fails when I
try to have encryption on top of the LVM. Without encryption it works just
fine.


-- 
Kind regards,
Yudi
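The layout discussed in this thread, as an added example that is not part of the original message: LUKS containers sit on individual LVs, the LVs needed for boot are listed in /etc/crypttab normally (the initramfs prompts once when they share a passphrase), and the remaining LVs carry `noauto` so they stay locked until opened by hand. The volume group name `vg`, the LV names and the `luks-<lv>` mapper names are assumptions; `DRY_RUN=1` prints the `cryptsetup` and `mount` commands instead of running them, so the script can be exercised without root or real devices.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: VG "vg", LVs root/home/swap
# (opened at boot) and data/media (kept encrypted until opened on demand).
VG=vg
BOOT_LVS="root home swap"
DEFERRED_LVS="data media"

# Run a command, or just echo it when DRY_RUN=1 (lets the logic be tested unprivileged).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Emit /etc/crypttab lines: boot-time LVs are plain entries, deferred LVs get
# "noauto" so nothing prompts for them during boot.
gen_crypttab() {
    for lv in $BOOT_LVS; do
        printf 'luks-%s /dev/%s/%s none luks\n' "$lv" "$VG" "$lv"
    done
    for lv in $DEFERRED_LVS; do
        printf 'luks-%s /dev/%s/%s none luks,noauto\n' "$lv" "$VG" "$lv"
    done
}

# True if $1 is one of the deferred LVs.
is_deferred() {
    case " $DEFERRED_LVS " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Open and mount a deferred LV when it is actually needed; this is where the
# passphrase is entered for devices that were skipped at boot.
open_lv() {
    lv=$1; mountpoint=$2
    is_deferred "$lv" || { echo "open_lv: $lv is not a deferred LV" >&2; return 1; }
    run cryptsetup luksOpen "/dev/$VG/$lv" "luks-$lv" || return 1
    run mount "/dev/mapper/luks-$lv" "$mountpoint"
}

# Unmount and lock a deferred LV again.
close_lv() {
    lv=$1; mountpoint=$2
    is_deferred "$lv" || { echo "close_lv: $lv is not a deferred LV" >&2; return 1; }
    run umount "$mountpoint" || return 1
    run cryptsetup luksClose "luks-$lv"
}

# Usage (dry run): DRY_RUN=1 sh thisfile.sh
if [ "${DRY_RUN:-0}" = 1 ] && [ "$(basename -- "$0")" != "sh" ]; then
    gen_crypttab
    open_lv data /mnt/data
    close_lv data /mnt/data
fi
```

Only the LVs in `BOOT_LVS` are ever touched by the initramfs; a LV under `DEFERRED_LVS` stays a closed LUKS container until `open_lv` is run, which is the "locked up until I need it" behaviour the thread is after.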