[linux-lvm] lvm protected against crypt/luks
Bryn M. Reeves
bmr at redhat.com
Tue Mar 8 11:12:29 UTC 2016
On Mon, Mar 07, 2016 at 03:03:10PM -0500, John Stoffel wrote:
> lejeczek> Do I need to wipe block devices clean off any LVM traces in
> lejeczek> order to encrypt them?
> No... but it's probably a good idea to do so initially, which is
> really to just zero it out. But LV information is stored within the
> VG, which is stored within the PVs which make it up.
Better to overwrite it with garbage (/dev/urandom for e.g.). This can
take a very long time for large volumes but makes attacks on the
ciphered data harder.
The Arch wiki has some discussion of this:
You also need to decide where you want the encrypted layer to sit:
you can encrypt PVs (meaning that the entire volume group using
those PVs is encrypted), or you can encrypt individual LVs.
The choice depends on what you want to protect and how much of a
performance penalty you are willing to take for the encryption.
> Of course they can. Then you just loop mount the encrypted LUKS
> device (physical disk or LV, or even a file) and then put a filesystem
> on the new device. Then you mount that filesystem and away you go.
No need for loop devices or mounts - a dm-crypt layer looks just
like a regular linear device-mapper device and can be mounted or
passed to tools like mkfs just like any other.
The only extra things you have to deal with are the rather long
UUID-based names that luks uses by default and the need to give
the passphrase or key to unlock the device at boot or activation
time - there are mechanisms integrated in most modern distros to
assist with this either via configuration files or interactive
Again, Arch have a pretty good overview in their wiki:
More information about the linux-lvm