I just installed Fedora 31 on my laptop. I had created a volume group and logical volumes from the Anaconda installer itself. I had marked the checkbox for encrypting my fedora partition, and when booting I am asked my passphrase, so I thought everything was fine.
But when I am booting into a live environment and do an `lsblk`. This is my output:
```
NAME                              MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda                                 8:0    0 931.5G  0 disk
├─sda1                              8:1    0   512M  0 part
├─sda2                              8:2    0   512M  0 part
└─sda3                              8:3    0 930.5G  0 part
  ├─vgfedora-root-real            253:0    0   700G  0 lvm
  │ ├─vgfedora-root               253:1    0   700G  0 lvm
  │ └─vgfedora-before_hibernate   253:3    0   700G  0 lvm
  └─vgfedora-before_hibernate-cow 253:2    0    50G  0 lvm
    └─vgfedora-before_hibernate   253:3    0   700G  0 lvm
```
1. **How on earth are my Volume Groups visible from the live environment?** I did not even open up with `cryptsetup open --type luks2 /dev/sda3`. What is going on here?
2. As you can see **I have created a snapshot, is that even encrypted?** Or is it only my root? **I need everything to be encrypted even snapshots.**
3. I can even do a `vgchange -a y` and select all my logical volumes. **This really should not happen as it should not even be visible from the live environment**. Again what is going on?
4. **How can I verify what is encrypted and what is not?**

My understanding was that the LVM would not even be visible since it is under encryption. So how am I able to detect it from the live environment?
Let me know if any other information is required.
Thanks.
On 4/3/20 2:48 AM, Sreyan Chakravarty wrote:
> I just installed Fedora 31 on my laptop. I had created a volume group and logical volumes from the Anaconda installer itself. I had marked the checkbox for encrypting my fedora partition, and when booting I am asked my passphrase, so I thought everything was fine.

I'm not familiar with encryption on Fedora other than LUKS, and your lsblk output doesn't look like you're using LUKS. Have you looked at /etc/crypttab or /etc/fstab for other hints as to what type of encryption you're using?
On 4/3/20 2:48 AM, Sreyan Chakravarty wrote:
> I'm not familiar with encryption on Fedora other than LUKS, and your lsblk output doesn't look like you're using LUKS. Have you looked at /etc/crypttab or /etc/fstab for other hints as to what type of encryption you're using?

Here is my output from /etc/crypttab and /etc/fstab
/etc/crypttab:

```
luks-65efaad8-7775-4f86-ac47-f8e266b3ed41 UUID=65efaad8-7775-4f86-ac47-f8e266b3ed41 none disca
```

/etc/fstab:

```
/dev/mapper/luks-65efaad8-7775-4f86-ac47-f8e266b3ed41 / ext4 defaults,x-systemd.device-timeout=0 1 1
UUID=0450aaba-fa52-47cb-95e7-e818e8e6a9fe /boot ext4 defaults 1 2
UUID=852E-5A7A /boot/efi vfat umask=0077,shortname=winnt 0 2
UUID=c0577d65-a0f0-4e6c-b2cf-4e945e03a826 none swap sw 0 0
```

I have LUKS on LVM, that is LUKS is used when opening each LVM logical volume.
On 4/3/20 4:48 AM, Sreyan Chakravarty wrote:
> I just installed Fedora 31 on my laptop. I had created a volume group and logical volumes from the Anaconda installer itself. I had marked the checkbox for encrypting my fedora partition, and when booting I am asked my passphrase, so I thought everything was fine.
>
> But when I am booting into a live environment and do an `lsblk`. This is my output:
>
> ```
> NAME                              MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
> sda                                 8:0    0 931.5G  0 disk
> ├─sda1                              8:1    0   512M  0 part
> ├─sda2                              8:2    0   512M  0 part
> └─sda3                              8:3    0 930.5G  0 part
>   ├─vgfedora-root-real            253:0    0   700G  0 lvm
>   │ ├─vgfedora-root               253:1    0   700G  0 lvm
>   │ └─vgfedora-before_hibernate   253:3    0   700G  0 lvm
>   └─vgfedora-before_hibernate-cow 253:2    0    50G  0 lvm
>     └─vgfedora-before_hibernate   253:3    0   700G  0 lvm
> ```
>
> - **How on earth are my Volume Groups visible from the live environment?** I did not even open up with `cryptsetup open --type luks2 /dev/sda3`. What is going on here?
> - As you can see **I have created a snapshot, is that even encrypted?** Or is it only my root? **I need everything to be encrypted even snapshots.**
> - I can even do a `vgchange -a y` and select all my logical volumes. **This really should not happen as it should not even be visible from the live environment**. Again what is going on?
> - **How can I verify what is encrypted and what is not?**

Run "lsblk" with the "-f" option to get more type information.
On 4/3/20 10:43 PM, Sreyan Chakravarty wrote:
> I have LUKS on LVM, that is LUKS is used when opening each LVM logical volume.

I'm not familiar with that configuration, but if you have LUKS on LVM, then it seems perfectly normal that you'd be able to see the volume group structure without entering a passphrase.
If you want LVM on top of LUKS, so that all of that is hidden as well, look at the install guide:
https://docs.fedoraproject.org/en-US/fedora/rawhide/install-guide/install/In...
In the "Installation Destination" section: You should use the "encrypt my data" check-box.
In the "Creating a Logical Volume Management (LVM) Layout" section: I think you selected the "encrypt" option next to the Device Type drop-down instead.
I know how to do that.
The question is why I can view them when I shouldn't be able to.
On Sat, Apr 4, 2020 at 7:06 PM Robert Nichols rnicholsNOSPAM@comcast.net wrote:
> Run "lsblk" with the "-f" option to get more type information.
>
> -- Bob Nichols "NOSPAM" is really part of my email address. Do NOT delete it.
> _______________________________________________
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org

On 4/4/20 10:41 AM, Sreyan Chakravarty wrote:
> I know how to do that.
>
> The question is why I can view them when I shouldn't be able to.

If you want to answer the question about what is encrypted and what is not, post the output from "lsblk -f". Without that, you are not going to get an answer to your questions.
On 04.04.2020 at 17:41, Sreyan Chakravarty wrote:

> I know how to do that.
>
> The question is why I can view them when I shouldn't be able to.

Isn't it obvious that you have created individual LUKS encryption on top of each LVM instead of creating a LUKS device first and then LVM volumes inside that?
Alexander
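
An added example, not part of any message in this thread: a small Python check that answers "what is encrypted and what is not" from `lsblk -J -o NAME,TYPE,FSTYPE` output and tells the two layerings discussed above apart. The two JSON samples and the device names in them are constructed for illustration; the thread's own `lsblk -f` output was never posted.

```python
import json

# Constructed `lsblk -J -o NAME,TYPE,FSTYPE` outputs (not taken from the thread).
LUKS_ON_LVM = json.dumps({"blockdevices": [{"name": "sda", "type": "disk", "fstype": None, "children": [
    {"name": "sda1", "type": "part", "fstype": "vfat"},
    {"name": "sda3", "type": "part", "fstype": "LVM2_member", "children": [
        {"name": "vg-root", "type": "lvm", "fstype": "crypto_LUKS"},  # LUKS header inside the LV, locked
        {"name": "vg-scratch", "type": "lvm", "fstype": "ext4"}]}]}]})
LVM_ON_LUKS = json.dumps({"blockdevices": [{"name": "sda", "type": "disk", "fstype": None, "children": [
    {"name": "sda3", "type": "part", "fstype": "crypto_LUKS", "children": [
        {"name": "luks-sda3", "type": "crypt", "fstype": "LVM2_member", "children": [
            {"name": "vg-root", "type": "lvm", "fstype": "ext4"},
            {"name": "vg-swap", "type": "lvm", "fstype": "swap"}]}]}]}]})


def audit(lsblk_json):
    """Map every leaf block device to a verdict about encryption at rest."""
    verdicts = {}

    def walk(node, types):
        types = types + [node["type"]]          # device types from the disk down to this node
        children = node.get("children") or []
        if children:
            for child in children:
                walk(child, types)
            return
        if "crypt" in types:
            # An opened dm-crypt mapping sits somewhere between the disk and this leaf.
            if "lvm" in types and types.index("crypt") < types.index("lvm"):
                verdict = "encrypted (LVM on LUKS: VG hidden until unlock)"
            elif "lvm" in types:
                verdict = "encrypted (LUKS on LVM: VG layout visible)"
            else:
                verdict = "encrypted (plain LUKS)"
        elif node.get("fstype") == "crypto_LUKS":
            # A LUKS header with no opened mapping below it: encrypted but locked.
            where = "LUKS on LVM: VG layout visible" if "lvm" in types else "whole container"
            verdict = f"encrypted, locked ({where})"
        else:
            verdict = "NOT encrypted"
        verdicts[node["name"]] = verdict

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, [])
    return verdicts


if __name__ == "__main__":
    for label, sample in (("LUKS on LVM", LUKS_ON_LVM), ("LVM on LUKS", LVM_ON_LUKS)):
        print(label)
        for name, verdict in audit(sample).items():
            print(f"  {name}: {verdict}")
```

On a real system, pass the output of `lsblk -J -o NAME,TYPE,FSTYPE` to `audit()`; an EFI system partition will always be reported as not encrypted.
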
Yes but how do I configure LUKS first and then LVM. The installer can't handle that it seems, I have even opened a bug over here:
https://bugzilla.redhat.com/show_bug.cgi?id=1820912
On Sat, Apr 4, 2020 at 11:19 PM Alexander Dalloz ad+lists@uni-x.org wrote:

> On 04.04.2020 at 17:41, Sreyan Chakravarty wrote:
> > I know how to do that.
> >
> > The question is why I can view them when I shouldn't be able to.
>
> Isn't it obvious that you have created individual LUKS encryption on top of each LVM instead of creating a LUKS device first and then LVM volumes inside that?
>
> Alexander

Well I have good news and bad news.
Bad news is I can't give you the output of "lsblk -f" because I had to destroy that partition since I was testing before filing this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1820912
Good news is that by complete accident I have solved my own problem, you can find the details here:
https://ask.fedoraproject.org/t/ananconda-cant-handle-lvm-on-luks-setup/6112...
The question now is that can this information be added in the Wiki or docs somewhere so other new users won't have to suffer.
Let me know.
Thanks.
On Sat, Apr 4, 2020 at 11:06 PM Robert Nichols rnicholsNOSPAM@comcast.net wrote:
> On 4/4/20 10:41 AM, Sreyan Chakravarty wrote:
> > I know how to do that.
> >
> > The question is why I can view them when I shouldn't be able to.
>
> If you want to answer the question about what is encrypted and what is not, post the output from "lsblk -f". Without that, you are not going to get an answer to your questions.
>
> -- Bob Nichols "NOSPAM" is really part of my email address. Do NOT delete it.

On 4/4/20 11:13 AM, Sreyan Chakravarty wrote:
> Yes but how do I configure LUKS first and then LVM. The installer can't handle that it seems, I have even opened a bug over here:

Why are you creating the luks partition before running the installer instead of using the installer to create the partition? You might be able to make that work if you use the blivet custom partitioning. The partition isn't marked as anything but an ext4 filesystem with unreadable data, what do you expect the installer to do?
On 4/4/20 12:05 PM, Sreyan Chakravarty wrote:
> https://ask.fedoraproject.org/t/ananconda-cant-handle-lvm-on-luks-setup/6112...
>
> The question now is that can this information be added in the Wiki or docs somewhere so other new users won't have to suffer.

The checkbox you selected works, obviously, but the simple solution is to use the "encrypt my data" checkbox on the initial "installation destination" screen. That box is the first and most visible place to select encryption, so I would think it's the most obvious way to encrypt an installation possible.
Well I would expect the documentation to say something about this rather than me fumbling about in the dark.
Is there any way I can add this to the documentation?
On Sun, Apr 5, 2020 at 12:48 AM Samuel Sieb samuel@sieb.net wrote:
> On 4/4/20 11:13 AM, Sreyan Chakravarty wrote:
> > Yes but how do I configure LUKS first and then LVM. The installer can't handle that it seems, I have even opened a bug over here:
>
> Why are you creating the luks partition before running the installer instead of using the installer to create the partition? You might be able to make that work if you use the blivet custom partitioning. The partition isn't marked as anything but an ext4 filesystem with unreadable data, what do you expect the installer to do?

On Sat, 2020-04-04 at 14:12 -0700, Gordon Messmer wrote:
> The checkbox you selected works, obviously, but the simple solution is to use the "encrypt my data" checkbox on the initial "installation destination" screen. That box is the first and most visible place to select encryption, so I would think it's the most obvious way to encrypt an installation possible.

It's been a while since I did my install, but I seem to recall thinking that was too vague to understand what it was going to do.
Was it going to just encrypt *my* data (e.g. only "/home")?
Was it going to encrypt all the data on *my* computer (e.g. encrypt as much of the entire filesystem as possible)? There is *my* data in /var (mail spools, logs, etc), there would be in /etc as well.
Even if I create an encrypted volume using the method I have described, there is no way I can use LUKS version 2. It will always use LUKS version 1.
On Sun, Apr 5, 2020 at 11:40 AM Tim via users users@lists.fedoraproject.org wrote:
> On Sat, 2020-04-04 at 14:12 -0700, Gordon Messmer wrote:
> > The checkbox you selected works, obviously, but the simple solution is to use the "encrypt my data" checkbox on the initial "installation destination" screen. That box is the first and most visible place to select encryption, so I would think it's the most obvious way to encrypt an installation possible.
>
> It's been a while since I did my install, but I seem to recall thinking that was too vague to understand what it was going to do.
>
> Was it going to just encrypt *my* data (e.g. only "/home")?
>
> Was it going to encrypt all the data on *my* computer (e.g. encrypt as much of the entire filesystem as possible)? There is *my* data in /var (mail spools, logs, etc), there would be in /etc as well.
>
> --
> uname -rsvp Linux 3.10.0-1062.18.1.el7.x86_64 #1 SMP Tue Mar 17 23:49:17 UTC 2020 x86_64
>
> Boilerplate: All unexpected mail to my mailbox is automatically deleted. I will only get to see the messages that are posted to the mailing list.

On 4/4/20 11:13 AM, Sreyan Chakravarty wrote:
> Why are you creating the luks partition before running the installer instead of using the installer to create the partition? You might be able to make that work if you use the blivet custom partitioning. The partition isn't marked as anything but an ext4 filesystem with unreadable data, what do you expect the installer to do?

You do realize that there is no way to get LVM on LUKS version 2 from the installer, right?
All the LUKS volumes created by the installer will use LUKS 1.
Fedora makes it really hard to use the security options you want.