Installing Fedora with LVM and LUKS, using the encryption layer on top of the LVM layer.

yudi v yudi.tux at gmail.com
Mon Jul 18 21:06:21 UTC 2011


On Tue, Jul 19, 2011 at 12:27 AM, Bruno Wolff III <bruno at wolff.to> wrote:

> On Mon, Jul 18, 2011 at 23:02:00 +1000,
>  yudi v <yudi.tux at gmail.com> wrote:
> >
> > I did not know that, I was under the impression once the encryption
> > container is open all the data in that container is decrypted.
>
> No. That wouldn't be practical. Blocks are decrypted as needed.
> > > It might be a significant savings if you are doing snapshots or the like
> > > when LVM is manipulating the data opaquely. The encrypted data can be
> > > copied around without having to decrypt it.
> > >
> >
> > I guess you mean LV's can be moved around not the data per se.
>
> From the LV's point of view the data is opaque. So if some of the data
> needs to be moved around it would not need to be decrypted first. If the
> LV is on an encrypted device (instead of containing one), then any work
> with the LV would need to be encrypted or decrypted as appropriate. So
> there could be savings when you are manipulating the LVs.
>
> > I was playing with Debian and tried this method with even the /boot in the
> > LVM as GRUB2 can handle booting straight from the LVM but it fails when I
> > try to have encryption on top of the LVM. Without encryption it works just
> > fine.
>
> Fedora has the same limitation. /boot cannot be encrypted and there are some
> limitations on file systems (though I think the normal ones will all work)
> and raid (BIOS supported raid should work as well as software raid 1 where
> the meta data is at the end of the partition). I am not sure what the
> status of lvm support for /boot is in Fedora.
>

It's not the limitation of Fedora, it's GRUB legacy; GRUB2 can handle the
/boot partition in the LVM. /boot still cannot be encrypted. Debian Squeeze
comes with GRUB2, that's why I was trying to move the /boot partition to the
LVM and encrypt /, /home, and swap LVs.

-- 
Kind regards,
Yudi