Fedora 15 - Help me understand how cryptsetup and LVM interact


Upgrading from F11 to F15, I've decided to encrypt the disk. Anaconda appears to have limited support for custom disk partitions (mine is dual boot). The result of my second install attempt was a PV boot and an LVM VG with home, root, and swap. The problem is these LVs each have their own encryption! The Fedora documentation only gives instructions for encrypting during the Anaconda install process and after a system is installed.


From research and discussions I uncovered an alternative where the VG is the only encrypted "bit" of the partitioned drive. Then I can install Fedora using a spin disk or the 4G ISO with Anaconda. This would make an encrypted Fedora system with a single decryption passphrase. What I am not clear on is the step to create the LVs.

Reading the cryptsetup docs and the above examples, I conclude the luksOpen and luksClose commands "bookend" the LVM Linux commands pvcreate, vgcreate, and lvcreate. Then I won't need to use gparted, the graphical disk partitioning tool, yes?

Since I will be deleting my system, I need to do all of this from a live CD like gparted or a Fedora spin live CD. And this disk needs to have the LVM commands pvcreate, vgcreate, lvcreate, and the cryptsetup-luks and dm-crypt packages?

Once the VG is encrypted and the LVs are added, then I can launch the Fedora spin CD-ROM or Anaconda DVD to complete the install?

Does this sound correct? Am I missing anything? Is there an easier way to do this? (^_^)

xtian

Posted 2011-07-18T00:39:24.087

Reputation: 782

I take it by the silence all are awed by my complete and all encompassing summary of this simple--though impossible with Anaconda--procedure. (^_^) – xtian – 2011-07-20T20:55:05.287

Is this a job for a kickstart? "Furthermore, advanced options such as LVM, encrypted filesystems, and resizable filesystems are available only in graphical mode and kickstart." – xtian – 2011-07-21T21:34:37.577

Seems like a lot of trouble for a system you'll be deleting. I would skip the LVM encryption entirely and just use luks. It can be used to encrypt an LV just like any other block device, either during graphical setup or after, using cryptsetup. – Peet Corelli – 2012-05-12T21:14:13.750

Answers


LVM is a container for volumes ("logical" volumes, as it were). After your volume groups are enabled, these volumes are exposed at /dev/mapper and function like block devices (/dev/sda, etc.). You can format them, then mount them, etc. If the underlying real devices are disconnected, the exposed "device(s)" at /dev/mapper fail to work.

In summary,

  • LVM can use any block device as a physical volume, including anything in /dev/mapper such as an encrypted LUKS volume cryptsetup exposes there.

  • cryptsetup can use any block device as an encrypted volume, including anything in /dev/mapper, such as a logical volume setup by LVM.

You have to tear things down in the reverse order you set them up. Therefore, if you have an LVM, and then an encrypted volume "in" it, you need to dismount the encrypted volume before disabling the logical volume.

(Yes, you can have an absolutely insane stack of LV's and encrypted volumes, and LV's in encrypted volumes in other LV's, etc. Gets better when you throw in network block devices, iSCSI targets, etc.)

LawrenceC

Posted 2011-07-18T00:39:24.087

Reputation: 63 487
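The two halves of this thread fit together as one procedure: the question's plan of having luksOpen/luksClose "bookend" pvcreate, vgcreate and lvcreate so that one passphrase unlocks the whole VG, and the answer's rule that the stack is torn down in the reverse order it was built. The script below is an added example written for this page; it is not code from the question, the answer or the Fedora project. The device and names in it are assumptions for illustration: /dev/sda3 as the partition to encrypt, cryptvg as the LUKS mapping name, vg_fedora as the volume group, and placeholder LV sizes. It prints its plan by default (DRY_RUN=1) so the order can be checked before anything is formatted.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# LVM on top of a single LUKS container (one passphrase unlocks root, home
# and swap), set up in the order the question describes and torn down in
# the reverse order the answer describes.
#
# Assumptions (illustrative names, not from the page): /dev/sda3 is the
# partition to encrypt, the LUKS mapping is called "cryptvg", the volume
# group "vg_fedora", and the LV sizes are placeholders.

DISK=${DISK:-/dev/sda3}
LUKS_NAME=${LUKS_NAME:-cryptvg}
VG=${VG:-vg_fedora}
DRY_RUN=${DRY_RUN:-1}   # 1 = print each command instead of executing it

# Every privileged command goes through here, so the plan can be reviewed
# (DRY_RUN=1) before anything destructive happens (DRY_RUN=0, as root).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
        return 0
    fi
    if [ "$(id -u)" -ne 0 ]; then
        printf 'refusing to run "%s" without root\n' "$*" >&2
        return 1
    fi
    "$@"
}

# Path LVM will see once the container is unlocked.
luks_device() {
    printf '/dev/mapper/%s\n' "$LUKS_NAME"
}

setup_lvm_on_luks() {
    # 1. luksFormat destroys whatever is on $DISK and asks for the passphrase.
    run cryptsetup luksFormat "$DISK"
    # 2. luksOpen exposes the plaintext view at /dev/mapper/$LUKS_NAME.
    run cryptsetup luksOpen "$DISK" "$LUKS_NAME"
    # 3. The LVM commands sit between luksOpen and luksClose: the PV is the
    #    mapping, not the raw partition, so the LVM metadata is encrypted too.
    run pvcreate "$(luks_device)"
    run vgcreate "$VG" "$(luks_device)"
    run lvcreate -L 4G -n swap "$VG"
    run lvcreate -L 20G -n root "$VG"
    run lvcreate -l 100%FREE -n home "$VG"
    # 4. Leave the container open: the installer has to see /dev/$VG/* to
    #    install into them.
}

teardown_lvm_on_luks() {
    # Mirror image of setup: anything mounted from the LVs is unmounted
    # first, then the VG is deactivated, and only then can the mapping be
    # closed. Skipping a step leaves the lower layer "in use" and the close
    # fails.
    run vgchange -an "$VG"
    run cryptsetup luksClose "$LUKS_NAME"
}

# Usage:  DRY_RUN=1 sh lvm-on-luks.sh setup                  # print the plan
#         DRY_RUN=0 DISK=/dev/sdXN sh lvm-on-luks.sh setup   # really do it, as root
case "${1:-}" in
    setup)    setup_lvm_on_luks ;;
    teardown) teardown_lvm_on_luks ;;
esac
```

Run from the live CD with the container still open when you start Anaconda, so the installer sees the unlocked VG and its LVs rather than the raw partition. Before rebooting into the installed system, check that it knows how to unlock the container at boot (in Fedora that means an entry for the LUKS device in /etc/crypttab and the initramfs being able to prompt for it); if that is missing, the single-passphrase setup will not come up on its own.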