[linux-lvm] Re: RAID, LVM and dm_crypt, please confirm setup

Stephane Dupuis hoper at free.fr
Fri Jan 14 22:15:50 UTC 2005


> I have (at home) the following setup for my data discs:
2x 40  GB RAID1 -->> /dev/md0
2x 80  GB RAID1 -->> /dev/md1
2x160 GB RAID1 -->> /dev/md2
> These are part of volume group vg00, consisting of 9 logical volumes 
> lv00...lv09
> Now i set up crypt devices with cryptsetup and named these crypt devices 
> clv00...clv09.

Well I found this post really interesting :)

First, I'm sorry cause I can't help you here and say for sure "you are
doing the right thing" or "take care, what you are doing is dangerous".

But I want to make something like this at home and so have the same
concern about the good way to resize the files systems.

I don't know if it will help but I thought about another way of
mixing raid, lvm and dmcrypt.
Instead of crypting the logical volume, why not crypt the raid device?
So you can have :

Physical drives -->> /dev/mdX
using dmcrypt on it -->> /dev/mapper/mdX_crypt
And after make your LVM physical volume :
pvcreate /dev/mapper/mdX_crypt   ******* NOTE, SEE UNDER
vgcreate testvg /dev/mapper/mdX_crypt
and so on...

In this way, you will never have to resize the crypted device.
You will just have to resize the logical volume and the filesystem
as usual.

****** To be abble to do this, you need to edit the /etc/lvm/lvm.conf
file and change the "type" line to :
types = [ "device-mapper", 16 ]

Another advantage of this "crypted md" architecture (compare to
crypt the logical volume) is that the whole volume group are crypted,
included all the lvm metadata.

With your implementation, anybody can have access to the volume group
metadata, the logicals volumes names and so on...
(naming a logical volume "mpeg3_and_warez_fuck_riaa_lv" may not be a
good idea here ;o)

With all lvm metadata crypted, nobody can even know that you are
using lvm...

Of course, there are some drawback :(
First, It's mean that the same key will be use for a whole /dev/dm.
So, if you make a volme group on it, and.. let's say 10 logical
volume, it's mean than theses 10 lvs will be crypted with the same
key and that you can't choose to mount only 9 and think the last
one is "secure"

I did'nt decide wich way I will choose yet... but I need to have
a logical volume that don't have the same key as the other.
So I can't choose my way. I will surely make as you did... or mix the two ways.
(crypt the /dev/dm, make a vg, make lvs and for one particular lv,
crypt it again :o) Of course, I guess I will need cpu power here ;o)

So, I can't answer to your questions, I just also wonder about the
better way of putting all theses tools together...

Any comments are welcome...

Stephane Dupuis
()  ascii ribbon campaign
/\      - against html e-mail 
        - against microsoft attachments

More information about the linux-lvm mailing list