<br><br><div class="gmail_quote">On Mon, Jul 18, 2011 at 10:22 PM, Bruno Wolff III <span dir="ltr"><<a href="mailto:bruno@wolff.to">bruno@wolff.to</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
On Mon, Jul 18, 2011 at 22:20:15 +1000,<br>
<div class="im"> yudi v <<a href="mailto:yudi.tux@gmail.com">yudi.tux@gmail.com</a>> wrote:<br>
> On Mon, Jul 18, 2011 at 9:46 PM, Bruno Wolff III <<a href="mailto:bruno@wolff.to">bruno@wolff.to</a>> wrote:<br>
><br>
> > On Mon, Jul 18, 2011 at 21:51:01 +1000,<br>
> > yudi v <<a href="mailto:yudi.tux@gmail.com">yudi.tux@gmail.com</a>> wrote:<br>
> > ><br>
> > > fine without any issues and I only have to enter the pass phrase once.<br>
> > Now I<br>
> > > would like to change this setup with the LVM layer below the LUKS layer.<br>
> > > That way I do not have to worry about decrypting 500Gb at every boot.<br>
> ><br>
> > This won't affect that unless you are only going to encrypt some of the<br>
> > LVs (e.g. just /home).<br>
> ><br>
> > Yes I might only encrypt some of the LV's, I am not sure right now. One of<br>
> the main reasons for having the encryption layer on top of the LVM layer is<br>
> to leave the LV's unmounted and encrypted until I need them. This cannot be<br>
> achieved if the whole PV is encrypted. I will only decrypt /, /home, and<br>
> swap at boot time and then will decrypt other LVs when I need them.<br>
<br>
</div>Do you realize that the devices aren't actually decrypted as a whole?<br>
Individual blocks are decrypted as needed.<br></blockquote><div><br>I did not know that, I was under the impression once the encryption
container is open all the data in that container is decrypted.<br clear="all"> </div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im"><br>
> I could not infer what you meant by "this won't affect that .."<br>
<br>
</div>Whether the encryption is on top or under the LV devices, will have little<br>
effect on how much is decrypted during boot. The blocks that are needed<br>
for booting will get decrypted as needed and those that aren't, won't.<br>
All you save decrypting is some of the LVM metadata which won't be<br>
decrypted in the case where only the LV contents are encrypted.<br>
<br>
It might be a significant savings if you are doing snapshots or the like<br>
when LVM is manipulating the data opaquely. The encrypted data can be<br>
copied around without having to decrypt it.<br></blockquote><div><br>I guess you mean LV's can be moved around not the data per se.<br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im"><br>
> > I would like to know if there is a way to decrypt all the encrypted LVs<br>
> > > with one pass phrase.<br>
> ><br>
> > If you use the same passphrase for the different encrypted devices you<br>
> > will only need to enter it once (well, twice for now because of a bug<br>
> > with handing off the passphrase to plymouth).<br>
> ><br>
><br>
> Cool, I did not know this. Thank you.<br>
<br>
</div>If you delay using the encrypted devices until after boot then you<br>
will need to enter a passphrase when you open them.<br>
</blockquote></div><br>I prefer to have the data locked up until I need it. I am certain I will not encrypt all my data, only the stuff that matters. I will have a lot of unassigned space in the VG. I can either increase the size of the containers or create new containers if need be.<br>
<br>I was playing with Debian and tried this method with even the /boot in the LVM, as GRUB2 can handle booting straight from the LVM, but it fails when I try to have encryption on top of the LVM. Without encryption it works just fine. <br>
<br><br>-- <br>Kind regards,<br>Yudi<br><br>
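Added example (not part of the original message): a small Python model of the point made in the thread above, that opening an encrypted container decrypts nothing by itself and each sector is decrypted only when it is read. The SHA-256 XOR keystream is a toy stand-in for the real block cipher, and all names here (`OpenedMapping`, `format_device`, `demo`) and the sample key and data are constructed for illustration.

```python
import hashlib

SECTOR = 512  # bytes per encrypted sector (the classic dm-crypt unit)

def _keystream(key, sector_no):
    # Toy per-sector keystream: a stand-in for a real block cipher mode, NOT secure.
    out, counter = b"", 0
    while len(out) < SECTOR:
        block = key + sector_no.to_bytes(8, "little") + counter.to_bytes(4, "little")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:SECTOR]

def _xor_sector(key, sector_no, data):
    # XOR is its own inverse, so this both encrypts and decrypts one sector.
    return bytes(a ^ b for a, b in zip(data, _keystream(key, sector_no)))

def format_device(key, plaintext):
    # Encrypt every sector independently, keyed by its sector number.
    count = len(plaintext) // SECTOR
    return b"".join(_xor_sector(key, n, plaintext[n * SECTOR:(n + 1) * SECTOR])
                    for n in range(count))

class OpenedMapping:
    """Models an opened container: it holds the key and decrypts only on read."""
    def __init__(self, key, ciphertext):
        self.key, self.ciphertext = key, ciphertext
        self.sectors_decrypted = 0  # opening decrypts no data sectors

    def read(self, offset, length):
        first, last = offset // SECTOR, (offset + length - 1) // SECTOR
        buf = b""
        for n in range(first, last + 1):  # only the sectors the read touches
            buf += _xor_sector(self.key, n, self.ciphertext[n * SECTOR:(n + 1) * SECTOR])
            self.sectors_decrypted += 1
        start = offset - first * SECTOR
        return buf[start:start + length]

def demo():
    key = b"constructed-demo-key"  # constructed sample key
    plain = b"".join(bytes([n % 256]) * SECTOR for n in range(2048))  # 1 MiB sample
    dev = OpenedMapping(key, format_device(key, plain))
    at_open = dev.sectors_decrypted
    data = dev.read(5 * SECTOR + 100, 600)  # spans sectors 5 and 6
    return at_open, dev.sectors_decrypted, data == plain[5 * SECTOR + 100:5 * SECTOR + 700]

if __name__ == "__main__":
    print(demo())
```

The counter stays at zero after the mapping is created and rises only by the number of sectors a read touches, regardless of how large the device is.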