# LVM and DM-crypt question

## jasiu85

Hi,

I followed a HOWTO on Gentoo Wiki and created the following configuration:

- formatted my whole SATA drive as LVM PV,

- created one VG,

- created LV for root and for swap

- encrypted both LVs using DM-Crypt/LUKS.

How do I properly shut down these things? Since root is mounted until the very end, I don't know how to issue the 'cryptsetup luksClose' and 'vgchange -an' commands. Do I actually need to issue them?

Thanks,

Mike

PS. Forgive me, if it's not the right forum. I couldn't figure out where to post it.

PPS. I'm not paranoid with LVM and DM-Crypt/LUKS :Wink: . It's kind of for fun and learning :Smile: .

----------

## seiichiro0185

Hi,

From my experience it's not necessary to do cryptsetup luksClose and vgchange -an. If I understand correctly, LVM and dm-crypt simply write the blocks you give them to the layer beneath. I use dm-crypt and LVM on my laptop with a setup like this:

```
-----LVM-----
--dm-crypt--
-harddrive--
```

All my partitions except /boot are on the LVM, so on shutdown the LVM and dm-crypt layers don't shut down completely because of the mounted root. I have been using this setup for several months now, and have not had the slightest problem so far.

seiichiro0185

PS. I don't really know the inner workings of LVM or dm-crypt, so all this is only based on my experience. So please correct me if I'm wrong.

----------

## jasiu85

Thanks for sharing your experience! This calms me down: nothing wrong will happen to my data :Smile: . But still some questions remain:

- Can it be that not issuing luksClose can be a threat to the data? I mean, if I don't luksClose and someone steals the disk, does he have any advantage?

- Did you get rid of that message saying that LVM volumes can't be unmounted when the computer is shutting down?

Mike

----------

## seiichiro0185

*jasiu85 wrote:*

> - Can it be that not issuing luksClose can be a threat to the data? I mean, if I don't luksClose and someone steals the disk, does he have any advantage?

I don't think that not doing luksClose is any threat to your data. Decrypting the data is done in RAM/on the fly, the disk only gets encrypted data. The keys are also only stored encrypted. So if someone steals the disk he won't have any advantage from not issuing luksClose.

*jasiu85 wrote:*

> - Did you get rid of that message saying that LVM volumes can't be unmounted when the computer is shutting down?

Well, I don't get a message like that, but I didn't do anything special, it just isn't there. :Smile:

seiichiro0185

----------

## the.ant

*seiichiro0185 wrote:*

> From my experience it's not necessary to do cryptsetup luksClose and vgchange -an. If I understand correctly, LVM and dm-crypt simply write the blocks you give them to the layer beneath. I use dm-crypt and LVM on my laptop with a setup like this:
>
> -----LVM-----
> ...

This is exactly how I would like to set up my server but I can't get it running. Can you explain (or point to a howto) how you created the initramfs?

My attempts to merge the howtos for LVM or LUKS have not been successful so far. And it's so tiresome, because every failed attempt means booting from the live CD again, installing all the extra software, mounting everything by hand, etc. etc...

----------

## manaka

Standard Gentoo genkernel contains all the necessary functionality. Just include LUKS support when generating the initramfs. Try something like this:

```
genkernel --luks --lvm --no-install initrd
```

You will have to pass the following options on the kernel command line:

- `crypt_root`
- `real_root`

Hope this helps.

----------

## the.ant

Unfortunately not really, because I would like to avoid genkernel. 

I am sure there must be a way; however, I am a total noob in regards to initramfs, so I am really having some trouble figuring it out.

----------

## seiichiro0185

I created the basic initrd using this howto: gentoo-wiki

The script has an option to add additional programs which I used to add cryptsetup-luks to the initrd. 

After that I gunzipped and loop-mounted the initrd to edit the init script (/sbin/init inside the initrd IIRC). There I added the call to cryptsetup for decrypting the hd before the LVM calls and mounting. After that I unmounted the initrd and gzipped it. Unfortunately I don't have the laptop with me right now, but I'll try to post my edited init script in the evening.

I hope this gives you a clue how to do this. I'll post more instructions later.

seiichiro0185

PS: This is what I recall right now; since the setup was some months ago, I may have made mistakes in the instructions. I'll confirm this on the real setup in the evening and post more details then...

----------

## the.ant

*seiichiro0185 wrote:*

> The script has an option to add additional programs which I used to add cryptsetup-luks to the initrd.

Do you mean with the -e parameter, or did you edit the script? I don't quite get the difference between -e and -f (and -m)...

And what do you mean by unzipping and loop-mounting?

I'm sorry, I know this might be a rather noobish question, but the last time I tried to peek into an initrd I accidentally unpacked it in / and thus blew my whole system into nirvana... :Embarassed:

So I'm rather careful now...

I managed to create an initrd with the script now, and I thought I had managed to add the "cryptsetup luksOpen" part, but the machine stops during boot without a prompt to enter a passphrase. It's all a bit messy because I installed Gentoo from an Ubuntu live CD, so the kernel version does not match. Eventually I got my hands on a Gentoo live CD, but it turned out that I couldn't decrypt the disks with it because the cipher mode is not supported by the kernel. So back to Ubuntu...

The first problem I had with the script is that it complained about not finding the right modules, because it is looking in the directory of the currently running kernel, which is different from the one I want to install it on. I "solved" this by creating the desired directory and copying all modules into it.

The next problem was that it wouldn't run because the live CD I used didn't have the loop module, but somehow I got that to load as well.

Right now I am not sure if the problem lies in my workarounds or if I just have to add this final command and everything will be fine...

----------

## seiichiro0185

I just checked, and yes, I used the -e option of the script to add cryptsetup to the initrd, so my line looks like this:

```
sh ./lvm2create_initrd -M gentoo -e /sbin/cryptsetup 2.6.22-suspend2-r2
```

Then I edited the initrd's init file like this:

```
gunzip initrd.gz
mount -o loop initrd /mnt/tmp/
nano -w /mnt/tmp/sbin/init
```

My edited init file looks like this:

```
#!/bin/bash
# include in the path some dirs from the real root filesystem
# for chroot, blockdev
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/lib/lvm-200:/initrd/bin:/initrd/sbin"
PRE="initrd:"

do_shell(){
    /bin/echo
    /bin/echo "*** Entering LVM2 rescue shell. Exit shell to continue booting. ***"
    /bin/echo
    /bin/bash
}

echo "$PRE Remounting / read/write"
mount -t ext2 -o remount,rw /dev/ram0 /

# We need /proc for device mapper
echo "$PRE Mounting /proc"
mount -t proc none /proc
mount -t sysfs none /sys

# plug in modules listed in /etc/modules
if [ -f /etc/modules ]; then
    echo -n "$PRE plugging in kernel modules:"
    cat /etc/modules |
    while read module; do
        echo -n " $module"
        modprobe $module
    done
    echo '.'
fi

# start raid devices if raid_autostart file exists
if [ -f /etc/raid_autostart ]; then
    if [ ! -f /etc/mdadm/mdadm.conf ]; then
        mdoptions='--super-minor=dev'
    fi
    cat /etc/raid_autostart|
    while read dev; do
        echo "Starting RAID device $dev"
        /sbin/mdadm --assemble $dev $mdoptions
    done
fi

echo -n "$PRE Finding device mapper major and minor numbers "
MAJOR=$(sed -n 's/^ *\([0-9]\+\) \+misc$/\1/p' /proc/devices)
MINOR=$(sed -n 's/^ *\([0-9]\+\) \+device-mapper$/\1/p' /proc/misc)
if test -n "$MAJOR" -a -n "$MINOR" ; then
   mkdir -p -m 755 /dev/mapper
   mknod -m 600 /dev/mapper/control c $MAJOR $MINOR
fi
echo "($MAJOR,$MINOR)"

# pick the root LV out of the kernel command line (lvm2root=...)
for arg in `cat /proc/cmdline`; do
   echo $arg | grep '^lvm2root=' > /dev/null
   if [ $? -eq 0 ]; then
      rootvol=${arg#lvm2root=}
      break
   fi
done

echo "$PRE Setting up crypto-device"
clear
echo
echo
echo "                                                                         .-------. "
echo "                                                                        / .-----. \ "
echo "                                                                       / /       \ \ "
echo "                                                                       | |       | | "
echo "                                                                      _| |_______| |_ "
echo "                                                                    .' |_|       |_| '. "
echo "                                                                    '._____ ___ _____.' "
echo "                                                                    |     .'___'.     | "
echo "                                                                    '.__.'.'   '.'.__.' "
echo "                                                                    '.__  |     |  __.' "
echo "                                                                    |   '.'.___.'.'   | "
echo "                                                                    '.____'.___.'____.' "
echo "                                                                    '._______________.' "
echo
echo "                                                                 This system is encrypted!"
echo "                                                                 Enter password to proceed"
echo
echo
# HERE YOU SHOULD INSERT YOUR CRYPTED PARTITION INSTEAD OF /dev/sda2
# (the binary is /sbin/cryptsetup; the post originally read /bin/cryptsetup,
#  which the author confirms further down in the thread was a typo)
/sbin/cryptsetup luksOpen /dev/sda2 lvm
if [ $? -eq 255 ]; then
    echo
    echo '                                                            PASSWORD WRONG 3 TIMES Shutting down'
    echo
    sleep 3
    /bin/poweroff -f
fi
clear
echo
echo
echo "                                                                         .-------."
echo "                                                                        / .-----. \ "
echo "                                                                       / /       \ \ "
echo "                                                                       | |       | |"
echo "                                                                       | |       | |"
echo "                                                                      _| |___________"
echo "                                                                    .' |_|        _  '."
echo "                                                                    '._____ ___ _____.'"
echo "                                                                    |     .'___'.     |"
echo "                                                                    '.__.'.'   '.'.__.'"
echo "                                                                    '.__  |     |  __.'"
echo "                                                                    |   '.'.___.'.'   |"
echo "                                                                    '.____'.___.'____.'"
echo "                                                                    '._______________.'"
echo
echo "                                                                      ACCESS GRANTED"
echo
echo
sleep 3
clear

echo "$PRE Activating LVM2 volumes"
# run a shell if we're passed lvm2rescue on commandline
grep lvm2rescue /proc/cmdline 1>/dev/null 2>&1
if [ $? -eq 0 ]; then
    lvm vgchange --ignorelockingfailure -P -a y
    do_shell
else
    lvm vgchange --ignorelockingfailure -a y
fi

grep resume2 /proc/cmdline 1>/dev/null 2>&1
if [ $? -eq 0 ]; then
    echo "$PRE Trying to resume"
    mount -t ext2 -o remount,ro /dev/ram0 / # suspend2 doesnt resume with / mounted rw
    echo > /sys/power/suspend2/do_resume # resume
fi
echo "$PRE resume not possible, doing normal boot"
mount -t ext2 -o remount,rw /dev/ram0 / # if we do a normal boot we need / rw again

echo "$PRE Mounting root filesystem $rootvol ro"
mkdir /rootvol
if ! mount -t auto -o ro $rootvol /rootvol; then
   echo -e "\t*FAILED*"
   do_shell
fi

echo "$PRE Umounting /proc"
umount /proc
umount /sys

echo "$PRE Changing roots"
cd /rootvol
if ! pivot_root . initrd ; then
   echo -e "\t*FAILED*"
   do_shell
fi

echo "$PRE Proceeding with boot..."
exec chroot . /bin/sh -c "umount /initrd; blockdev --flushbufs /dev/ram0 ; exec /sbin/init $*" < dev/console > dev/console 2>&1
```

After saving the changes to the file I did this:

```
umount /mnt/tmp
gzip initrd
```

The last step is to use the correct line in GRUB; mine looks like this:

```
title Gentoo 2007.0
root (hd0,0)
kernel /boot/linux-2.6.22-suspend2-r2 root=/dev/ram0 lvm2root=/dev/gentoo/rootfs quiet
initrd /boot/initrd.gz
```

After this you shouldn't forget to edit /etc/init.d/checkroot as described in the howto here: gentoo-wiki

I hope I didn't forget something and you will get your system up and running with this.

I can't say anything about your problems with the modules, since I have everything critical for boot built into the kernel.

seiichiro0185

----------

## madisonicus

 *the.ant wrote:*   

> Unfortunately not really, because I would like to avoid genkernel. 
> 
> I am sure there must be a way, however I am a total noob in regards to initramfs, so I am really having some trouble to figure it out.

Not sure if the source of your reluctance is having to use a genkernel-provided kernel, but just in case, I wanted to let you know that genkernel can be used just to create the initramfs. Just pass your desired config to it:

```
genkernel --kernel-config=customkernelconfig --luks --lvm initrd
```

Since initramfs are very dependent on the particulars of a distro, it makes sense to use the tool provided, I think.

I use a very custom kernel with a genkernel-created initramfs to boot my entirely luks-encrypted harddrive (except /boot partition, that is) on my laptop.

-m

----------

## the.ant

*Quote:*

> I hope I didn't forget something and you will get your system up and running with this.

Thank you so very much for this detailed description. I was away over the weekend, so I wasn't able to try it earlier, and yesterday I noticed that I have some problems with my kernel which I have to solve first before I can finish with the initrd. But I am confident that it will work.

Just two questions: I noticed that you included /bin/cryptsetup; mine is located in /sbin/cryptsetup. Is this due to a difference in versions, or should I install cryptsetup differently? I assume that it doesn't matter if I change the link from /bin to /sbin, just asking to be sure.

Second question: I noticed your script differs from the one linked in the wiki in that you include

```
mount -t sysfs none /sys
```

What is this for? Is this required?

Oh, and beautiful ASCII-art, btw...

----------

## the.ant

*madisonicus wrote:*

> Not sure if the source of your reluctance is having to use a genkernel-provided kernel, but just in case, I wanted to let you know that genkernel can be used just to create the initramfs.
>
> Since initramfs are very dependent on the particulars of a distro, it makes sense to use the tool provided, I think.

Actually I was not aware of that, thanks for the hint!

I plan to use the hardened kernel and thought that would exclude the use of a genkernel initramfs.

Guess I will try that out as well... the box I am setting up is kind of a test run for my laptop.

----------

## seiichiro0185

*the.ant wrote:*

> *Quote:*
>
> > I hope I didn't forget something and you will get your system up and running with this.
>
> ...

Well, actually it is /sbin/cryptsetup for me too, it's a typo in the instructions ^_^ (I corrected it now)

The mounting of sysfs is required because I'm also using suspend2 to disk, so the initrd is trying to resume after decrypting the hdd and initializing LVM, and for that /sys is needed.

----------

## the.ant

Just an update, no luck so far. I tried for quite a while without luck until I finally decided to try again with another kernel (mainline instead of hardened).

With that I could start seiichiro's script, but upon calling cryptsetup I only got a segfault error.

Live CD, chroot, cryptsetup works flawlessly; however, booting from hd and starting the initramfs gives "segfault: error 6" when calling cryptsetup. The boot process continues, but obviously LVM does not find any drives.

I also gave genkernel a try then, but that didn't work either. The documentation instructs to give options for crypt_root and real_root when calling the kernel. However, my problem is that I have two LUKS-encrypted disks. Each is a physical volume, and together they are sliced into a VG in which there is the root partition. It seems that genkernel is looking for a root partition in the encrypted disk, which it obviously cannot find before having decrypted the other disk as well. The system drops into a busybox console, but there I can't do anything, or rather can't find any devices at all.

I think I will try to redo the setup again and take / out of the LVM, which is a pity because I would have liked it to be sliced. But I guess this whole setup with two disks out of 4 in the machine is a bit too messy.

Maybe I will have more luck with complete LUKS/LVM when I set up my laptop, since it has only one disk. However, I'm not trying that one until the desktop is up and running...
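As an added example that is not part of the thread (neither seiichiro0185's init script nor genkernel's initramfs), here is a POSIX sh version of the two steps the posted script hard-codes, the cmdline parsing and the single `luksOpen /dev/sda2`, generalised to several LUKS-encrypted PVs, which is what the.ant's two-disk VG needs and a single `crypt_root=` cannot express. The kernel parameter name `crypt_roots=`, the mapper names `crypt0`, `crypt1`, and the `stub_cryptsetup` used for the offline demo are my assumptions; the cryptsetup path is passed in so the failure path can be exercised without a real device.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed kernel parameter:
#   crypt_roots=/dev/sda2,/dev/sdb2   (comma-separated LUKS PVs)
# Mapper names crypt0, crypt1, ... are also an assumption.

# cmdline_value KEY CMDLINE: print the value of KEY=value; status 1 if absent.
# A case match instead of "echo $arg | grep '^lvm2root='", so a key that
# merely contains the name (crypt_roots vs root) cannot match by accident.
cmdline_value() {
    key=$1
    for arg in $2; do
        case $arg in
            "$key="*) printf '%s\n' "${arg#"$key="}"; return 0 ;;
        esac
    done
    return 1
}

# cmdline_has FLAG CMDLINE: status 0 if FLAG is present as a whole word
# (the script's "grep lvm2rescue /proc/cmdline" would also match lvm2rescuex).
cmdline_has() {
    for arg in $2; do
        [ "$arg" = "$1" ] && return 0
    done
    return 1
}

# unlock_crypt_devices DEVLIST [CRYPTSETUP]
# Opens every device in the comma-separated DEVLIST as /dev/mapper/cryptN,
# prints the mapper names it opened and returns 0. Stops at the first device
# that fails and returns 1: activating the VG with one PV still locked would
# only give a partial VG, so the caller should drop to a rescue shell (the
# posted script's do_shell) instead of continuing the boot.
unlock_crypt_devices() {
    devlist=$1
    cs=${2:-/sbin/cryptsetup}      # the path the thread settles on
    oldifs=$IFS; IFS=,
    set -- $devlist                # split on commas only
    IFS=$oldifs
    i=0; opened=""
    for dev in "$@"; do
        [ -n "$dev" ] || continue  # tolerate "a,,b" and trailing commas
        name="crypt$i"
        if ! "$cs" luksOpen "$dev" "$name"; then
            echo "initrd: unlocking $dev as $name failed" >&2
            return 1
        fi
        opened="${opened:+$opened }$name"
        i=$((i + 1))
    done
    printf '%s\n' "$opened"
}

# Constructed demo so the file runs offline: a stub standing in for
# cryptsetup that "fails" only for a device named /dev/missing.
stub_cryptsetup() { [ "$2" != "/dev/missing" ]; }
DEMO_CMDLINE="root=/dev/ram0 crypt_roots=/dev/sda2,/dev/sdb2 lvm2root=/dev/gentoo/rootfs quiet"
demo() {
    devs=$(cmdline_value crypt_roots "$DEMO_CMDLINE") || return 1
    unlock_crypt_devices "$devs" stub_cryptsetup && \
        echo "would now run: lvm vgchange -a y; mount $(cmdline_value lvm2root "$DEMO_CMDLINE")"
}
demo
```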

----------

## seiichiro0185

That's strange that you get a segfault when running cryptsetup, but I didn't try this with a hardened setup (which I assume you have from the fact you were using hardened-sources). But normally this shouldn't make a difference, since cryptsetup is built as a static binary by default (as long as the dynamic USE flag is not set), so it should have everything it needs included.

For the record: with one disk the genkernel initramfs works fine on my laptop, although I switched back to my custom initrd because I like the ASCII art a lot more than the simple password prompt from the genkernel initramfs ^_^

----------

## the.ant

Mind, the segfault was with the normal kernel; with the hardened one I couldn't get that far in the first place.

However, I just noticed some inconsistencies in the kernel config and set that up again; maybe there was a problem there...

Compiling right now, let's see how it goes...

----------

## the.ant

OK, I'm getting closer, did a lot of debugging and kernel compiling today.

The segfault definitely comes from cryptsetup not finding the drive.

I did a lot of kernel modification today, so I am not sure if that did the trick, but it might very well be that it did not work earlier because I did not take the #comment out of your script. I did today; it might be a cause of the problem, if cryptsetup is flaky on the input it gets.

So the first LUKS drive is open. Yay!

However, I called the decrypt routine twice, and there I still get a segfault the second time.

Again I drop into busybox, where I can open and close the first LUKS drive to my liking, but I can't open the second one (segfault). Thus I would guess that the problem is not calling cryptsetup twice, but that it does not find my SATA drive.

In summary, your instructions and script work well; the problem is probably my SATA controller.

The only thing you need to adapt is the call to cryptsetup (here as well /sbin instead of /bin).

I have a very old SiL 3112 controller, which is known to be difficult; unfortunately it's onboard and I can't turn it off... and it works with the live CD, after all.

I will experiment a bit more with it the next couple of days I guess...

----------

## the.ant

 :Mr. Green:   :Mr. Green:   :Mr. Green:   :Mr. Green:  huzzaaa!

I just saw a nice ASCII lock open and could log into the box.

Thank you so much for your script!

I am still not quite sure what the problem was; on the one hand I found many postings with busybox-SATA problems (and no solutions), so I updated to the latest (~x86) busybox version.

On the other hand my SATA controller is really bad (SiL 3112), so I tried many different kernel settings and eventually one worked. Well, the good thing is, now it's finally running, and it's also much less effort to experiment a bit more.

And when the system is finally stable and usable, I will encrypt the laptop.

 :Cool: 

----------

## seiichiro0185

hehe, I'm glad you got it working!  :Very Happy: 

----------

## xpd259

I've got the init script working up to the point where it does a

```
echo "$PRE Changing roots"
cd /rootvol
if ! pivot_root . initrd ; then
   echo "\t*FAILED*"
   do_shell
fi
```

and I've no idea what to do to sort this.

I'm using the beta stage3 tar, as there were too many packages to update that blocked each other on the non-beta.

If anybody could give some advice I would be thankful, as I'm stuck without a working PC at the moment.

----------

## frostschutz

I can't help you with the init script in this thread (it's much more complicated than what I'm using), but if you're interested in a simple do-it-yourself initramfs that boots, unlocks your drive, initializes LVM and mounts and boots your encrypted root filesystem, I wrote down the steps I took to do just this here. It does not use genkernel or lvm2create_initrd, because those scripts are trying to do too much at once, and end up not working the way you want them to. Besides, it turned out that building your own initramfs isn't that hard after all (10 commands to execute, 10 lines of code to write):

http://www.gentoo-wiki.com/Booting_encrypted_system_from_USB_stick

----------

## xpd259

Thanks for the help getting my system up and running.

The simpler init was a good idea, but I got the message after the problem was fixed. Thank you anyway.

Now I just need to work out how to hibernate with tuxonice-sources and GNOME.

----------

