AW: [linux-lvm] Re: RAID, LVM and dm_crypt, please confirm setup

Cisco cisco66 at gmx.de
Fri Feb 11 10:00:37 UTC 2005 

Well, thanks for the answer.
Very strange, that only one man here is interested in those things... 

I also thought about the way to crypt the RAID devices, but i didn't come to
a "best" solution.
And so i decided to crypt the lvm's. One reason was, that i wanted to have
some unencrypted space for the case that something goes wrong, since i
didn't find a comparable setup anywhere.

But meanwhile i think, your solution may be better for the 3 reasons:
1) you don't have to write the passphrase so often. Not so important for me,
it runs 24x7.
2) you never have to resize the file system.
3) it seems to be running absolutely stable and there is no reason to hold
unencrypted space.

I now replaced to disks (2x40 from /dev/md1) with 2x160GB, using pvmove,
vgreduce etc...
Everything went fine and now i have the possibility to change everything in
that way you mentioned.
But i'm still not sure if i will do this.

If I would plan a completely new setup, i would suggest to do it your way
and crypt the md-devices.

Since everything runs very stable and without any problems, i think, this
setup is very secure.


-----Ursprüngliche Nachricht-----
Von: linux-lvm-bounces at redhat.com [mailto:linux-lvm-bounces at redhat.com] Im
Auftrag von Stephane Dupuis
Gesendet: Freitag, 14. Januar 2005 23:16
An: LVM general discussion and development
Betreff: [linux-lvm] Re: RAID, LVM and dm_crypt, please confirm setup


Hi,

> I have (at home) the following setup for my data discs:
> 
2x 80  GB RAID1 -->> /dev/md0
2x 40  GB RAID1 -->> /dev/md1
2x160 GB RAID1 -->> /dev/md2
> 
> These are part of volume group vg00, consisting of 9 logical volumes
> lv00...lv09
> 
> Now i set up crypt devices with cryptsetup and named these crypt 
> devices clv00...clv09.

Well I found this post really interesting :)

First, I'm sorry cause I can't help you here and say for sure "you are doing
the right thing" or "take care, what you are doing is dangerous".

But I want to make something like this at home and so have the same concern
about the good way to resize the files systems.

I don't know if it will help but I thought about another way of mixing raid,
lvm and dmcrypt.
Instead of crypting the logical volume, why not crypt the raid device?
So you can have :

Physical drives -->> /dev/mdX
using dmcrypt on it -->> /dev/mapper/mdX_crypt And after make your LVM
physical volume :
pvcreate /dev/mapper/mdX_crypt   ******* NOTE, SEE UNDER
vgcreate testvg /dev/mapper/mdX_crypt
and so on...

In this way, you will never have to resize the crypted device.
You will just have to resize the logical volume and the filesystem as usual.

****** To be abble to do this, you need to edit the /etc/lvm/lvm.conf file
and change the "type" line to :
types = [ "device-mapper", 16 ]

Another advantage of this "crypted md" architecture (compare to crypt the
logical volume) is that the whole volume group are crypted, included all the
lvm metadata.

With your implementation, anybody can have access to the volume group
metadata, the logicals volumes names and so on...
(naming a logical volume "mpeg3_and_warez_fuck_riaa_lv" may not be a good
idea here ;o)

With all lvm metadata crypted, nobody can even know that you are using
lvm...

Of course, there are some drawback :(
First, It's mean that the same key will be use for a whole /dev/dm.
So, if you make a volme group on it, and.. let's say 10 logical volume, it's
mean than theses 10 lvs will be crypted with the same key and that you can't
choose to mount only 9 and think the last one is "secure"

I did'nt decide wich way I will choose yet... but I need to have a logical
volume that don't have the same key as the other.
So I can't choose my way. I will surely make as you did... or mix the two
ways.
(crypt the /dev/dm, make a vg, make lvs and for one particular lv, crypt it
again :o) Of course, I guess I will need cpu power here ;o)

So, I can't answer to your questions, I just also wonder about the better
way of putting all theses tools together...

Any comments are welcome...

Stephane Dupuis
--
()  ascii ribbon campaign
/\      - against html e-mail 
        - against microsoft attachments

_______________________________________________
linux-lvm mailing list
linux-lvm at redhat.com
https://www.redhat.com/mailman/listinfo/linux-lvm
read the LVM HOW-TO at http://tldp.org/HOWTO/LVM-HOWTO/

More information about the linux-lvm mailing list