# Problems with encrypting LVM partitions

## NotQuiteSane

I'm stuck on the LVM supplement.

Before I begin, my hard drives are setup like this:

```
hda1 /boot
hda2 LVM
hdc1 LVM
sda1 /
sda2 /swap
sda3 LVM
sdb1 LVM
```

The 2 IDE LVMs are combined into the group "system", of which all space is allocated to /home (I'm migrating from SuSE).

The SCSI ones (group "gentoo") are a new creation. The plan is to eventually migrate /home over here, once I have enough physical space, then replace the 2 IDEs with 1 small drive for booting (and possibly a 2nd swap file).

What I am attempting:

- leave VG "system" alone, mount it as /home
- create the "usual" partitions on "gentoo"
- encrypt (dm_crypt) /tmp, /swap and /var (/home will be encrypted during migration)

I'm at http://www.gentoo.org/doc/en/lvm2.xml

I had a question about how I can be sure it'll go onto the correct VG, but the answer was there. So that leaves me with just how (link, please?) do I encrypt the logical partitions during install (is this possible, or do I need to do it after install?)?

I see this for swap: https://forums.gentoo.org/viewtopic.php?p=1959581#1959581 but it's done after the system is running.

NQS

----------

## NotQuiteSane

new problem:

I've created and mounted the gentoo partitions, but there is no /dev/system so I cannot mount /home.

I think I need to manually create that directory, but wanted to ask before I fawk anything up.

NQS

----------

## NotQuiteSane

*NotQuiteSane wrote:*

> new problem:
>
> I've created and mounted the gentoo partitions, but there is no /dev/system so I cannot mount /home.
>
> I think I need to manually create that directory, but wanted to ask before I fawk anything up.
> ...

Never mind, I figured this one out. For the record, the command is:

```
vgchange -a y volume-group-name
```

NQS

----------

## Luud

Hi,

I wanted my harddisks to be encrypted using dm-crypt and then use lvm on top of that.

I had to hack around a little to get it to work nicely together. Any feedback on my method below is appreciated. This is just a quick writeup, so it might not be 100% complete, although I think it is.

1. Fill your harddisk(s) with random data and format them with luks:

```
dd if=/dev/urandom of=/dev/hdc
cryptsetup luksFormat -c aes -s 256 /dev/hdc
```

2. Open the dm-crypt mappings

```
cryptsetup luksOpen /dev/hdc hdc
```

3. Create physical volume, volume group and logical volume + filesystem

```
pvcreate /dev/mapper/hdc
vgcreate testvg /dev/mapper/hdc
vgchange -a y
lvcreate -L1500 -ntestlv testvg
mkfs.ext3 /dev/testvg/testlv
```

4. Setup the dm-crypt mappings in /etc/conf.d/cryptfs

```
...
mount=hdc
source=/dev/hdc
type=luks
options='-d <somewhere to find the key, e.g. encrypted root or usb stick>'
...
```

5. Hack some startup scripts

Basically, this is to make dm-crypt part of the start/stop volumes scheme, instead of being a special addon. This allows you to manipulate the order of lvm and dm-crypt during startup and shutdown via the parameter in /etc/conf.d/rc.

/etc/init.d/checkfs

```
...
        # Setup dm-crypt mappings if any
        #start_addon dm-crypt

        # Setup lvm on top of dm-crypt
        # comment out start_addon dm-crypt as we make it part of the start_volumes sequence (see /etc/conf.d/rc)
        #start_addon lvm
...
```

/etc/init.d/halt.sh

```
...
# Try to remove any dm-crypt mappings
# Comment out stop_addon dm-crypt as we make it part of the stop_volumes sequence (see /etc/conf.d/rc)
# stop_addon dm-crypt

# Stop LVM, etc
stop_volumes
...
```

/etc/conf.d/rc

```
...
# RC_VOLUME_ORDER allows you to specify, or even remove the volume setup
# for various volume managers (MD, EVMS2, LVM, DM, etc).  Note that they are
# stopped in reverse order.
# Change the RC_VOLUME_ORDER to include dm-crypt before lvm
#RC_VOLUME_ORDER="raid evms lvm dm"
RC_VOLUME_ORDER="dm dm-crypt lvm"
...
```

6. Add a mount rule in your fstab

```
mkdir /mnt/testlv
```

/etc/fstab

```
...
/dev/testvg/testlv        /mnt/testlv     auto    noatime         0 1
...
```

I also added `types = [ "device-mapper", 16 ]` to /etc/lvm/lvm.conf, although this might not be necessary, as I could manually work with lvm on top of dm-crypt. But then again it might be necessary for scanning.

I think this is the right way to do this, i.e. making dm-crypt part of the start/stop volumes system and not treating it as a separate add-on. But then again, this is my first try at lvm, so I might be wrong here.
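Two things in the setup above are easy to get silently wrong: the start order in /etc/conf.d/rc (lvm must come after dm-crypt, and since stop runs in reverse it also stops first), and the physical volume path (pvcreate on /dev/hdc instead of /dev/mapper/hdc would put the volume group on the raw, unencrypted disk). The following POSIX shell check is an added example, not part of Luud's post or of baselayout; it assumes the cryptfs and rc file formats shown above and builds constructed sample files in a temporary directory.

```shell
#!/bin/sh
# Added example: sanity-check the two dependencies of "LVM on top of dm-crypt".

# Return 0 if the last RC_VOLUME_ORDER= line in rc file $1 lists dm-crypt
# before lvm; 1 if lvm comes first or either entry is missing.
# Commented-out lines (#RC_VOLUME_ORDER=...) are ignored by the ^ anchor.
check_volume_order() {
    order=$(sed -n 's/^RC_VOLUME_ORDER="\(.*\)"/\1/p' "$1" | tail -n 1)
    seen_crypt=0
    for item in $order; do
        case "$item" in
            dm-crypt) seen_crypt=1 ;;
            lvm) if [ "$seen_crypt" -eq 1 ]; then return 0; else return 1; fi ;;
        esac
    done
    return 1
}

# Return 0 if PV path $2 is /dev/mapper/<name> and <name> is declared as a
# mount=<name> stanza in cryptfs file $1, i.e. the PV sits on the encrypted
# layer rather than on the raw disk.
pv_on_cryptfs_mapping() {
    name=${2#/dev/mapper/}
    [ "$name" != "$2" ] || return 1      # not a device-mapper path at all
    grep -qx "mount=$name" "$1"
}

# Constructed sample files (not real system configuration).
tmpdir=$(mktemp -d)
good_rc="$tmpdir/rc.good"
bad_rc="$tmpdir/rc.bad"
cryptfs="$tmpdir/cryptfs"
printf '%s\n' '#RC_VOLUME_ORDER="raid evms lvm dm"' \
              'RC_VOLUME_ORDER="dm dm-crypt lvm"' > "$good_rc"
printf '%s\n' 'RC_VOLUME_ORDER="raid evms lvm dm"' > "$bad_rc"   # stock order
printf '%s\n' 'mount=hdc' 'source=/dev/hdc' 'type=luks' \
              "options='-d /path/to/keyfile'" > "$cryptfs"          # placeholder key path

if check_volume_order "$good_rc"; then echo "rc.good: dm-crypt before lvm"; fi
if ! check_volume_order "$bad_rc"; then echo "rc.bad: lvm would start before dm-crypt"; fi
if pv_on_cryptfs_mapping "$cryptfs" /dev/mapper/hdc; then echo "PV is on the LUKS mapping"; fi
if ! pv_on_cryptfs_mapping "$cryptfs" /dev/hdc; then echo "PV on raw /dev/hdc: not encrypted"; fi
```

To run it against a real box, point the two functions at /etc/conf.d/rc, /etc/conf.d/cryptfs and the PV paths printed by `pvs`.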

----------

## batistuta

Is it better to run LVM on top of dm-crypt, or dm-crypt on top of LVM? What are the advantages/disadvantages of each?

I don't know why, but I have a feeling that encryption should be the top layer. In this way, you could for example back up the entire partition by copying the loop-back device. This doesn't seem possible if LVM is on top of the dm-crypt thingy. Any thoughts?

----------

## Luud

Well, according to the LVM micro-howto, it is better to run it on top of dm-crypt.

See: http://www.planamente.ch/emidio/docs/linux/dm-crypt/dm-crypt-4.html

*Quote:*

> 4. Using dm-crypt with LVM
>
> 4.1 Possibilities
> ...

Other references: 

http://www.saout.de/tikiwiki/tiki-index.php?page=LVM2+over+dmcrypt

http://deb.riseup.net/storage/encryption/dmcrypt/

http://www.google.com/search?hl=en&q=lvm+dm-crypt

----------

## batistuta

That is exactly the whole point. I want to have some LVM partitions encrypted, some not. Otherwise I have to go down to physical partitions, which kind of contradicts the idea of LVM.

As far as I see, there is no official method. Both are OK according to the dm-crypt page. And even if it were not the "official" method, this doesn't mean that strange things could happen. It just means that you might not get as much support because it is not that common.

I'm not in favor of one method over the other. But these cited arguments don't convince me.

----------

## Luud

I would suggest to just try it.

I have LVM over dm-crypt, but to try it the other way around seems as easy.

Just swap the order of lvm and dm-crypt in the RC_VOLUME_ORDER parameter of /etc/conf.d/rc and first create your Logical Volumes and then do a cryptsetup luksFormat on them.

I'm curious what would happen if you resize an encrypted logical volume. If LUKS is nothing more than a header with encryption information that is not coupled to the volume's size, it should be no problem I think. If not, then resizing would involve backing up first and recreating the contents of the resized Logical Volume from scratch (unless cryptsetup allows for the resizing of an encrypted volume).

I'm interested in the outcome of such a test.

----------

## RaraRasputin

*Luud wrote:*

> I'm curious what would happen if you resize an encrypted logical volume.
>
> I'm interested in the outcome of such a test.

I tried and had success. Look here for the steps: Resize a luks encrypted lvm volume

----------

## Luud

Hi, 

I figured out how to make this work with baselayout-1.12.5-r2.

See the details in the Gentoo Bug Tracker: https://bugs.gentoo.org/show_bug.cgi?id=128908

----------

