Installing Fedora with LVM and LUKS, using the encryption layer on top of the LVM layer.

Bruno Wolff III bruno at wolff.to
Mon Jul 18 12:22:50 UTC 2011


On Mon, Jul 18, 2011 at 22:20:15 +1000,
  yudi v <yudi.tux at gmail.com> wrote:
> On Mon, Jul 18, 2011 at 9:46 PM, Bruno Wolff III <bruno at wolff.to> wrote:
> 
> > On Mon, Jul 18, 2011 at 21:51:01 +1000,
> >  yudi v <yudi.tux at gmail.com> wrote:
> > >
> > > fine without any issues and I only have to enter the pass phrase once.
> > > Now I would like to change this setup with the LVM layer below the LUKS
> > > layer. That way I do not have to worry about decrypting 500Gb at every boot.
> >
> > This won't affect that unless you are only going to encrypt some of the
> > LVs (e.g. just /home).
> >
> Yes I might only encrypt some of the LV's, I am not sure right now. One of
> the main reasons for having the encryption layer on top of the LVM layer is
> to leave the LV's unmounted and encrypted until I need them. This cannot be
> achieved if the whole PV is encrypted. I will only decrypt /, /home, and
> swap at boot time and then will decrypt other LVs when I need them.

Do you realize that the devices aren't actually decrypted as a whole?
Individual blocks are decrypted as needed.

> I could not infer what you meant by "this won't affect that .."

Whether the encryption is on top of or under the LV devices will have little
effect on how much is decrypted during boot. The blocks that are needed
for booting will get decrypted as needed and those that aren't, won't.
All you save decrypting is some of the LVM metadata which won't be
decrypted in the case where only the LV contents are encrypted.

It might be a significant savings if you are doing snapshots or the like
when LVM is manipulating the data opaquely. The encrypted data can be
copied around without having to decrypt it.

> > > I would like to know if there is a way to decrypt all the encrypted LVs
> > > with one pass phrase.
> >
> > If you use the same passphrase for the different encrypted devices you
> > will only need to enter it once (well, twice for now because of a bug
> > with handing off the passphrase to plymouth).
> >
> 
> Cool, I did not know this. Thank you.

If you delay using the encrypted devices until after boot then you
will need to enter a passphrase when you open them.
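An added example, not code from this thread or from Fedora's own tooling: a dry-run planner for the layout discussed above (LUKS on top of each LV rather than under the PV), where the LVs needed at boot are listed in /etc/crypttab for automatic opening and the remaining LVs carry the `noauto` option so they stay closed until opened by hand later. The volume group name `vg0`, the PV `/dev/sda2` and the LV sizes are constructed placeholders; nothing is executed unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): plan a LUKS-on-LVM
# layout in which only boot-time LVs are opened automatically.
# Device names and sizes below are constructed placeholders.
set -eu

APPLY="${APPLY:-0}"

# run CMD...: print the command; execute it only when APPLY=1 (dry run otherwise)
run() {
    printf '%s\n' "$*"
    if [ "$APPLY" = 1 ]; then "$@"; fi
}

# crypttab_line NAME DEVICE [EXTRA]: one /etc/crypttab entry with a
# passphrase prompt ("none" key file). EXTRA is appended to the option
# list; "noauto" marks an LV that is left closed until opened later.
crypttab_line() {
    name=$1; dev=$2; extra=${3:-}
    opts=luks
    if [ -n "$extra" ]; then opts="$opts,$extra"; fi
    printf '%s %s none %s\n' "$name" "$dev" "$opts"
}

# plan_crypttab VG BOOT_LVS ONDEMAND_LVS: the whole crypttab for the layout.
# LV lists are "name:size" pairs. Boot-time LVs sharing one passphrase
# are opened with a single prompt (as the thread notes); on-demand LVs
# get "noauto" and prompt for their passphrase when opened after boot.
plan_crypttab() {
    vg=$1; boot=$2; ondemand=$3
    for spec in $boot; do
        crypttab_line "${spec%%:*}" "/dev/$vg/${spec%%:*}"
    done
    for spec in $ondemand; do
        crypttab_line "${spec%%:*}" "/dev/$vg/${spec%%:*}" noauto
    done
}

# plan_commands PV VG BOOT_LVS ONDEMAND_LVS: create the LVM layer first,
# then format a LUKS container on each LV (encryption above LVM).
plan_commands() {
    pv=$1; vg=$2; boot=$3; ondemand=$4
    run pvcreate "$pv"
    run vgcreate "$vg" "$pv"
    for spec in $boot $ondemand; do
        run lvcreate -L "${spec#*:}" -n "${spec%%:*}" "$vg"
        run cryptsetup luksFormat "/dev/$vg/${spec%%:*}"
    done
}

# open_later VG LV: what the admin types after boot for a "noauto" LV;
# this is where the extra passphrase prompt from the thread appears.
open_later() {
    vg=$1; lv=$2
    run cryptsetup open "/dev/$vg/$lv" "$lv"
    run mount "/dev/mapper/$lv" "/mnt/$lv"
}

# Dry run of the layout from the thread: /, /home and swap at boot,
# a large data LV only when needed (all names/sizes are placeholders).
BOOT_LVS='root:20G home:50G swap:4G'
ONDEMAND_LVS='data:400G'
echo '# setup commands (dry run)'
plan_commands /dev/sda2 vg0 "$BOOT_LVS" "$ONDEMAND_LVS"
echo '# /etc/crypttab'
plan_crypttab vg0 "$BOOT_LVS" "$ONDEMAND_LVS"
echo '# later, on demand'
open_later vg0 data
```

Running the script prints the plan; `APPLY=1 ./plan.sh` would execute it on the placeholder devices, so adjust the names first. The crypttab `noauto` option is what keeps the data LV closed across boots; the option is documented in crypttab(5), but its exact behaviour with the Fedora release discussed here is an assumption of this example.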
