# Encryption on top of LVM vs LVM on top of encryption.

## ramzes2008

What is the better way to encrypt a whole disk? (Encryption on top of LVM vs LVM on top of encryption)

What is the most secure tool for it? (loop-AES, dm-crypt, LUKS for dm-crypt, TrueCrypt, ...)

----------

## FizzyWidget

I always make LVM first, then encrypt using LUKS.

----------

## gentoo_ram

I guess it depends on what you really want.  If you truly want everything on the disk encrypted, then I guess I would encrypt the whole disk and then run LVM on top of that.  If you only need certain critical parts of the data encrypted, then I would run LVM, create a partition you want secured, and do LUKS only on that partition.

If you do LVM on top of an entire disk that's encrypted you might have to set up an initrd to boot the system depending on how you set them up.  If you do LVM and then encrypt only certain partitions of the LVM, you probably wouldn't need to deal with that complication.

----------

## cach0rr0

*gentoo_ram wrote:*

> If you do LVM on top of an entire disk that's encrypted you might have to set up an initrd to boot the system depending on how you set them up.  If you do LVM and then encrypt only certain partitions of the LVM, you probably wouldn't need to deal with that complication.

If your root is LVM, you'll still need an initramfs to handle the activation of the LVM volumes - even without encryption in the picture.

----------

## sphakka

Hi there,

I have an external USB disk which I decided to encrypt and manage via LVM: after much thinking, I chose LVM on top of LUKS (dm-crypt). My reasons: the whole disk had to be encrypted, but I didn't want to have each partition encrypted separately -- I didn't like having to manage several passphrases because, even using the same passphrase, one should provide it repeatedly to open each partition, which in turn means storing it somewhere (temporarily), thus complicating and somewhat weakening the strategy. Since I don't use LVM for my main (pretty old) system, there's no chicken-and-egg problem concerning which service (LVM, dm-crypt) is started first.

So it works like a charm: I just wrote a couple of bash scripts to respect the service init sequence.

The only annoying point with this set-up is that LVM2 seems not to be able to grab any physical volume LUKS-opened *after* LVM's start-up -- I tried ~every combination of `*scan` commands to no avail (in principle, that should be `vgscan`'s business...); thus, if LVM is already running when calling `cryptsetup luksOpen ...`, it must be restarted after opening the relevant encrypted devices. This is clearly a show-stopper for more complex set-ups wherein LVM must be started at boot to manage system disks.

To summarize my experience, LVM on top of LUKS is OK for encryption of whole non-system (i.e., backups, removable, ???) disks, provided that no other system disk is managed via LVM (otherwise, I guess quite a bit of acrobatics would be needed). I can provide my scripts to anyone interested -- they'll be soon in some Git repo.

As for options/details about encryption see this excellent wiki:

- http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS

and a recent related post:

- https://forums.gentoo.org/viewtopic-t-879125-highlight-luks+dmcrypt+lvm.html?sid=332e0e691752edc3a933a5b982ca8841

Cheers,

  ^m'e
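The ordering constraint sphakka describes (the LUKS container has to be open before LVM can see the physical volume inside it, and the teardown has to happen in reverse) can be captured in a small script like the following. This is an added example, not sphakka's scripts; the device path `/dev/sdb1`, the mapper name `cryptusb`, the volume group `vg_usb`, the logical volume `data` and the mount point `/mnt/usb` are assumptions, and `DRY_RUN=1` only prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): bring up a volume group that lives
# inside a LUKS container, and take it down again in reverse order.
# Assumed names below; override them via the environment if needed.
LUKS_DEV=${LUKS_DEV:-/dev/sdb1}    # partition holding the LUKS header
MAPPER=${MAPPER:-cryptusb}          # name under /dev/mapper after luksOpen
VG=${VG:-vg_usb}                    # volume group whose PV is the mapper device
LV=${LV:-data}                      # logical volume to mount
MOUNTPOINT=${MOUNTPOINT:-/mnt/usb}

# Execute a command, or only print it when DRY_RUN is set (for testing
# the sequence without root or real devices).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Up: unlock first, then let LVM rescan and activate. Activating the VG
# before luksOpen cannot work, because the PV does not exist yet.
open_stack() {
    run cryptsetup luksOpen "$LUKS_DEV" "$MAPPER"
    run pvscan                      # rescan so LVM notices the new PV
    run vgchange -ay "$VG"          # activate all LVs in the group
    run mount "/dev/$VG/$LV" "$MOUNTPOINT"
}

# Down: nothing may still hold the mapper device when luksClose runs,
# so unmount and deactivate the VG before closing the container.
close_stack() {
    run umount "$MOUNTPOINT"
    run vgchange -an "$VG"
    run cryptsetup luksClose "$MAPPER"
}

if [ "$#" -gt 0 ]; then
    case "$1" in
        open)  open_stack ;;
        close) close_stack ;;
        *)     echo "usage: $0 open|close" >&2; exit 2 ;;
    esac
fi
```

Run as `./luks-lvm.sh open` (as root) once the disk is plugged in, and `./luks-lvm.sh close` before unplugging it.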

----------

