Old 07-18-2011, 11:46 AM
Bruno Wolff III
 
Default Installing Fedora with LVM and LUKS, using the encryption layer on top of the LVM layer.

On Mon, Jul 18, 2011 at 21:51:01 +1000,
yudi v <yudi.tux@gmail.com> wrote:
>
> fine without any issues and I only have to enter the pass phrase once. Now I
> would like to change this setup with the LVM layer below the LUKS layer.
> That way I do not have to worry about decrypting 500Gb at every boot.

This won't affect that unless you are only going to encrypt some of the
LVs (e.g. just /home).

> I would like to know if there is a way to decrypt all the encrypted LVs
> with one pass phrase.

If you use the same passphrase for the different encrypted devices you
will only need to enter it once (well, twice for now because of a bug
with handing off the passphrase to plymouth).
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
 
Old 07-18-2011, 12:20 PM
yudi v
 
Default Installing Fedora with LVM and LUKS, using the encryption layer on top of the LVM layer.

On Mon, Jul 18, 2011 at 9:46 PM, Bruno Wolff III <bruno@wolff.to> wrote:

> On Mon, Jul 18, 2011 at 21:51:01 +1000,
> yudi v <yudi.tux@gmail.com> wrote:
> >
> > fine without any issues and I only have to enter the pass phrase once. Now I
> > would like to change this setup with the LVM layer below the LUKS layer.
> > That way I do not have to worry about decrypting 500Gb at every boot.
>
> This won't affect that unless you are only going to encrypt some of the
> LVs (e.g. just /home).

Yes I might only encrypt some of the LV's, I am not sure right now. One of the main reasons for having the encryption layer on top of the LVM layer is to leave the LV's unmounted and encrypted until I need them. This cannot be achieved if the whole PV is encrypted. I will only decrypt /, /home, and swap at boot time and then will decrypt other LVs when I need them.

I could not infer what you meant by "this won't affect that .."

> > I would like to know if there is a way to decrypt all the encrypted LVs
> > with one pass phrase.
>
> If you use the same passphrase for the different encrypted devices you
> will only need to enter it once (well, twice for now because of a bug
> with handing off the passphrase to plymouth).

Cool, I did not know this. Thank you.


--
Kind regards,
Yudi


 
Old 07-18-2011, 12:22 PM
Bruno Wolff III
 
Default Installing Fedora with LVM and LUKS, using the encryption layer on top of the LVM layer.

On Mon, Jul 18, 2011 at 22:20:15 +1000,
yudi v <yudi.tux@gmail.com> wrote:
> On Mon, Jul 18, 2011 at 9:46 PM, Bruno Wolff III <bruno@wolff.to> wrote:
>
> > On Mon, Jul 18, 2011 at 21:51:01 +1000,
> > yudi v <yudi.tux@gmail.com> wrote:
> > >
> > > fine without any issues and I only have to enter the pass phrase once.
> > Now I
> > > would like to change this setup with the LVM layer below the LUKS layer.
> > > That way I do not have to worry about decrypting 500Gb at every boot.
> >
> > This won't affect that unless you are only going to encrypt some of the
> > LVs (e.g. just /home).
> >
> > Yes I might only encrypt some of the LV's, I am not sure right now. One of
> the main reasons for having the encryption layer on top of the LVM layer is
> to leave the LV's unmounted and encrypted until I need them. This cannot be
> achieved if the whole PV is encrypted. I will only decrypt /, /home, and
> swap at boot time and then will decrypt other LVs when I need them.

Do you realize that the devices aren't actually decrypted as a whole?
Individual blocks are decrypted as needed.

> I could not infer what you meant by "this won't affect that .."

Whether the encryption is on top or under the LV devices, will have little
effect on how much is decrypted during boot. The blocks that are needed
for booting will get decrypted as needed and those that aren't, won't.
All you save decrypting is some of the LVM metadata which won't be
decrypted in the case where only the LV contents are encrypted.

It might be a significant savings if you are doing snapshots or the like
when LVM is manipulating the data opaquely. The encrypted data can be
copied around without having to decrypt it.

> > I would like to know if there is a way to decrypt all the encrypted LVs
> > > with one pass phrase.
> >
> > If you use the same passphrase for the different encrypted devices you
> > will only need to enter it once (well, twice for now because of a bug
> > with handing off the passphrase to plymouth).
> >
>
> Cool, I did not know this. Thank you.

If you delay using the encrypted devices until after boot then you
will need to enter a passphrase when you open them.
 
Old 07-18-2011, 01:02 PM
yudi v
 
Default Installing Fedora with LVM and LUKS, using the encryption layer on top of the LVM layer.

On Mon, Jul 18, 2011 at 10:22 PM, Bruno Wolff III <bruno@wolff.to> wrote:

> On Mon, Jul 18, 2011 at 22:20:15 +1000,
> yudi v <yudi.tux@gmail.com> wrote:
> > On Mon, Jul 18, 2011 at 9:46 PM, Bruno Wolff III <bruno@wolff.to> wrote:
> >
> > > On Mon, Jul 18, 2011 at 21:51:01 +1000,
> > > yudi v <yudi.tux@gmail.com> wrote:
> > > >
> > > > fine without any issues and I only have to enter the pass phrase once.
> > > Now I
> > > > would like to change this setup with the LVM layer below the LUKS layer.
> > > > That way I do not have to worry about decrypting 500Gb at every boot.
> > >
> > > This won't affect that unless you are only going to encrypt some of the
> > > LVs (e.g. just /home).
> > >
> > > Yes I might only encrypt some of the LV's, I am not sure right now. One of
> > the main reasons for having the encryption layer on top of the LVM layer is
> > to leave the LV's unmounted and encrypted until I need them. This cannot be
> > achieved if the whole PV is encrypted. I will only decrypt /, /home, and
> > swap at boot time and then will decrypt other LVs when I need them.
>
> Do you realize that the devices aren't actually decrypted as a whole?
> Individual blocks are decrypted as needed.

I did not know that, I was under the impression once the encryption
container is open all the data in that container is decrypted.

> > I could not infer what you meant by "this won't affect that .."
>
> Whether the encryption is on top or under the LV devices, will have little
> effect on how much is decrypted during boot. The blocks that are needed
> for booting will get decrypted as needed and those that aren't, won't.
> All you save decrypting is some of the LVM metadata which won't be
> decrypted in the case where only the LV contents are encrypted.
>
> It might be a significant savings if you are doing snapshots or the like
> when LVM is manipulating the data opaquely. The encrypted data can be
> copied around without having to decrypt it.

I guess you mean LV's can be moved around not the data per se.

> > > I would like to know if there is a way to decrypt all the encrypted LVs
> > > > with one pass phrase.
> > >
> > > If you use the same passphrase for the different encrypted devices you
> > > will only need to enter it once (well, twice for now because of a bug
> > > with handing off the passphrase to plymouth).
> > >
> >
> > Cool, I did not know this. Thank you.
>
> If you delay using the encrypted devices until after boot then you
> will need to enter a passphrase when you open them.

I prefer to have the data locked up until I need it. I am certain I will not encrypt all my data, only the stuff that matters. I will have a lot of unassigned space in the VG. I can either increase the size of the containers or create new containers if need be.

I was playing with Debian and tried this method with even the /boot in the LVM as GRUB2 can handle booting straight from the LVM but it fails when I try to have encryption on top of the LVM. Without encryption it works just fine.



--
Kind regards,
Yudi


 
Old 07-18-2011, 02:27 PM
Bruno Wolff III
 
Default Installing Fedora with LVM and LUKS, using the encryption layer on top of the LVM layer.

On Mon, Jul 18, 2011 at 23:02:00 +1000,
yudi v <yudi.tux@gmail.com> wrote:
>
> I did not know that, I was under the impression once the encryption
> container is open all the data in that container is decrypted.

No. That wouldn't be practical. Blocks are decrypted as needed.

> > It might be a significant savings if you are doing snapshots or the like
> > when LVM is manipulating the data opaquely. The encrypted data can be
> > copied around without having to decrypt it.
> >
>
> I guess you mean LV's can be moved around not the data per se.

From the LVs point of view the data is opaque. So if some of the data
needs to be moved around it would not need to be decrypted first. If the
LV is on an encrypted device (instead of containing one), then any work
with the LV would need to be encrypted or decrypted as appropriate. So
there could be savings when you are manipulating the LVs.

> I was playing with Debian and tried this method with even the /boot in the
> LVM as GRUB2 can handle booting straight from the LVM but it fails when I
> try to have encryption on top of the LVM. Without encryption it works just
> fine.

Fedora has the same limitation. /boot cannot be encrypted and there are some
limitations on file systems (though I think the normal ones will all work)
and raid (BIOS supported raid should work as well as software raid 1 where
the meta data is at the end of the partition). I am not sure what the
status of lvm support for /boot is in Fedora.
 
Old 07-18-2011, 09:06 PM
yudi v
 
Default Installing Fedora with LVM and LUKS, using the encryption layer on top of the LVM layer.

On Tue, Jul 19, 2011 at 12:27 AM, Bruno Wolff III <bruno@wolff.to> wrote:

> On Mon, Jul 18, 2011 at 23:02:00 +1000,
> yudi v <yudi.tux@gmail.com> wrote:
> >
> > I did not know that, I was under the impression once the encryption
> > container is open all the data in that container is decrypted.
>
> No. That wouldn't be practical. Blocks are decrypted as needed.
>
> > > It might be a significant savings if you are doing snapshots or the like
> > > when LVM is manipulating the data opaquely. The encrypted data can be
> > > copied around without having to decrypt it.
> > >
> >
> > I guess you mean LV's can be moved around not the data per se.
>
> From the LVs point of view the data is opaque. So if some of the data
> needs to be moved around it would not need to be decrypted first. If the
> LV is on an encrypted device (instead of containing one), then any work
> with the LV would need to be encrypted or decrypted as appropriate. So
> there could be savings when you are manipulating the LVs.
>
> > I was playing with Debian and tried this method with even the /boot in the
> > LVM as GRUB2 can handle booting straight from the LVM but it fails when I
> > try to have encryption on top of the LVM. Without encryption it works just
> > fine.
>
> Fedora has the same limitation. /boot cannot be encrypted and there are some
> limitations on file systems (though I think the normal ones will all work)
> and raid (BIOS supported raid should work as well as software raid 1 where
> the meta data is at the end of the partition). I am not sure what the
> status of lvm support for /boot is in Fedora.

It's not the limitation of Fedora, it's GRUB legacy, GRUB2 can handle the /boot partition in the LVM. /boot still cannot be encrypted. Debian Squeeze comes with GRUB2, that's why I was trying to move the /boot partition to the LVM and encrypt /, /home, and swap LVs.

--
Kind regards,
Yudi


 
Old 07-19-2011, 10:28 AM
yudi v
 
Default Installing Fedora with LVM and LUKS, using the encryption layer on top of the LVM layer.

On Tue, Jul 19, 2011 at 7:06 AM, yudi v <yudi.tux@gmail.com> wrote:

> On Tue, Jul 19, 2011 at 12:27 AM, Bruno Wolff III <bruno@wolff.to> wrote:
>
> > On Mon, Jul 18, 2011 at 23:02:00 +1000,
> > yudi v <yudi.tux@gmail.com> wrote:
> > >
> > > I did not know that, I was under the impression once the encryption
> > > container is open all the data in that container is decrypted.
> >
> > No. That wouldn't be practical. Blocks are decrypted as needed.
> >
> > > > It might be a significant savings if you are doing snapshots or the like
> > > > when LVM is manipulating the data opaquely. The encrypted data can be
> > > > copied around without having to decrypt it.
> > > >
> > >
> > > I guess you mean LV's can be moved around not the data per se.
> >
> > From the LVs point of view the data is opaque. So if some of the data
> > needs to be moved around it would not need to be decrypted first. If the
> > LV is on an encrypted device (instead of containing one), then any work
> > with the LV would need to be encrypted or decrypted as appropriate. So
> > there could be savings when you are manipulating the LVs.
> >
> > > I was playing with Debian and tried this method with even the /boot in the
> > > LVM as GRUB2 can handle booting straight from the LVM but it fails when I
> > > try to have encryption on top of the LVM. Without encryption it works just
> > > fine.
> >
> > Fedora has the same limitation. /boot cannot be encrypted and there are some
> > limitations on file systems (though I think the normal ones will all work)
> > and raid (BIOS supported raid should work as well as software raid 1 where
> > the meta data is at the end of the partition). I am not sure what the
> > status of lvm support for /boot is in Fedora.
>
> It's not the limitation of Fedora, it's GRUB legacy, GRUB2 can handle the /boot partition in the LVM. /boot still cannot be encrypted. Debian Squeeze comes with GRUB2, that's why I was trying to move the /boot partition to the LVM and encrypt /, /home, and swap LVs.
>
> --
> Kind regards,
> Yudi

I have noticed something peculiar, the existing test setup looks like this (encryption at the PV level, i.e. below the LVM layer):

sda1  ntfs
sda2  /boot  ext
sda3 - PV and VG (encrypted at the PV level)
  - lv_swap  swap
  - lv_root  /  ext4
  - lv_home  /home  ext4
  - rest unassigned
sda4  extended
sda5  vfat

Now I wanted to change this to (encryption on top of the LVM layer, encrypting individual LVs):

sda1  ntfs
sda2  /boot  ext
sda3 - PV and VG
  - lv_swap  swap  (encrypted LV)
  - lv_root  /  ext4  (encrypted LV)
  - lv_home  /home  ext4  (encrypted LV)
  - rest unassigned - I will assign and encrypt as the need arises.
sda4  extended
sda5  vfat

When I try to install over the existing setup, anaconda tells me that sda3 is encrypted and asks for the passphrase. If I do not provide the passphrase sda3 gets excluded. That's not what I want and I want to get rid of the encryption layer at the sda3 PV level and have it on top of the LVM layer at individual LV level.

Wasn't sure what to do so fired up Gparted live cd and used FDISK to delete sda3 and create an LVM partition. Left the break down to the Fedora installer.

Back in Fedora installer, it again asks me for the sda3 passphrase.

Fired up Gparted CD again and used gparted this time to look at the partition scheme. gparted still says the file system on sda3 is crypt-luks.

Not sure why this is happening.

Finally, I just deleted the partition with fdisk and left it unassigned. Then Fedora install went through as expected.

Was I doing something wrong?
Should I have given the Fedora installer the passphrase for sda3 partition? - would this allow the deletion of the encrypted PV?
Also why does the fedora installer assign partition ID 83 to sda3, shouldn't it be 8e for an LVM?
--
Kind regards,
Yudi
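
The crypt-luks signature reported on sda3 in the post above lives in the first bytes of the partition's own contents, so it can be checked for directly. The following is an added example, not part of the original thread: it parses the LUKS1 on-disk header (magic, cipher, key-slot states) from the first 592 bytes of a partition or image. The function names and the sample header are constructed for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ACTIVE = 0x00AC71F3            # LUKS1 key-slot state "enabled"
# LUKS1 header fields up to the UUID, big-endian: magic, version, cipher name,
# cipher mode, hash spec, payload offset, key bytes, MK digest, MK salt,
# MK iterations, UUID. Eight 48-byte key slots follow.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")
HEADER_LEN = PHDR.size + 8 * SLOT.size      # 592 bytes


def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def inspect_luks(blob):
    """Return None when blob carries no LUKS signature, else a summary dict."""
    if len(blob) < 8 or blob[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack_from(">H", blob, 6)[0]
    if version != 1 or len(blob) < HEADER_LEN:
        return {"version": version}         # signature only (LUKS2 or short read)
    f = PHDR.unpack_from(blob, 0)
    states = [SLOT.unpack_from(blob, PHDR.size + i * SLOT.size)[0] for i in range(8)]
    return {"version": 1, "cipher": _text(f[2]), "mode": _text(f[3]),
            "hash": _text(f[4]), "payload_offset": f[5], "key_bits": f[6] * 8,
            "uuid": _text(f[10]),
            "active_slots": [i for i, s in enumerate(states) if s == SLOT_ACTIVE]}


def inspect_device(path):
    """Read the first HEADER_LEN bytes of a block device or image file."""
    with open(path, "rb") as dev:
        return inspect_luks(dev.read(HEADER_LEN))


def sample_header(active=(0,)):
    """Constructed LUKS1 header for the demo; digest, salts and UUID are dummies."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha1", 4096, 64,
                    b"\0" * 20, b"\0" * 32, 1000,
                    b"00000000-0000-0000-0000-000000000000")
    for i in range(8):
        state = SLOT_ACTIVE if i in active else 0x0000DEAD
        hdr += SLOT.pack(state, 1000, b"\0" * 32, 8 + i * 512, 4000)
    return hdr


if __name__ == "__main__":
    # Constructed stand-in for the partition contents: header, then payload.
    partition = bytearray(sample_header(active=(0, 1)) + b"\xaa" * 1024)
    # Recreating a partition entry at the same offsets rewrites the partition
    # table elsewhere on the disk, not these bytes, so the signature remains.
    print(inspect_luks(bytes(partition)))
    # Once the magic is overwritten, the signature is no longer detected.
    partition[:6] = b"\0" * 6
    print(inspect_luks(bytes(partition)))   # None
```

On a real system, `wipefs` from util-linux lists such signatures on a partition and can erase them before the partition is reused.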

