[linux-lvm] Can I combine LUKS and LVM to achieve encryption and snapshots?
Zdenek Kabelac
zdenek.kabelac at gmail.com
Tue Sep 26 20:00:50 UTC 2023
On 25. 09. 23 at 0:09, Jean-Marc Saffroy wrote:
> Hello LVM experts,
>
> I am trying to create a volume with the following properties:
> - the volume can be resized
> - the volume is encrypted
> - the volume can be snapshotted (for online backups)
>
> So I thought I'd create the volume with LVM, encrypt it with LUKS, and
> snapshot it with LVM. However, LVM doesn't want to snapshot the unencrypted
> LUKS volume, as it is not an actual logical volume known to LVM (and I am not
> keen on snapshotting the encrypted volume, as that means the backup process
> would need the passphrase to mount the encrypted snapshot).
>
> Is there a good way to achieve this with LUKS and LVM, or should I look elsewhere?
>
> I have two ideas but I don't know if they are safe or practical:
> - I could try running LVM (snapshots) on top of LUKS (encryption), itself on top
> of LVM (resize)

Hi

Yep, typical usage is to encrypt the underlying PV - and then create LVs and their
snapshots on the encrypted device.

> - or I could try working with dmsetup to fill the gap between LUKS and LVM
>
> I did simple tests with dmsetup, and that *seems* to work, however I am not
> sure at all if that would be robust. An outline of my test:
> - create an LVM volume (lvcreate) from a larger volume group
> - make it a LUKS volume (cryptsetup luksFormat)
> - "open" the LUKS volume (cryptsetup open)
> - create a snapshot-origin volume from the open LUKS volume (dmsetup create)
> - mount that as my active volume
> - every time I want to do a backup:
> create a temporary snapshot volume from the origin, mount it, run the
> backup, unmount it, delete it

Usually those 'into encryption' want to have everything encrypted - thus even
the layout of the whole storage.

Encrypting 'individual' LVs - while certainly 'doable' - would i.e. create a
considerably larger number of volumes that would need individual 'unlocking'
with each activation.

Speaking about snapshots - you should consider switching to 'thin-pools' for
far better performance...

Regards
Zdenek
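
The layering recommended in the reply (encrypt the PV, then create LVs and their snapshots on the encrypted device), using thin-pool snapshots for the backup step, as an added example that is not part of the original message. The device, mapping name, VG/LV names, sizes and paths are constructed placeholders, and the script only prints the commands unless APPLY=1 is set.

```shell
#!/usr/bin/env bash
# Added example: dm-crypt/LUKS below LVM, thin snapshots above it.
# Dry-run by default: commands are only printed unless APPLY=1 is set.
# Every name below is a constructed placeholder, not taken from the thread.
set -e
DEV=${DEV:-/dev/sdX}            # block device that becomes the encrypted PV
MAP=${MAP:-cryptpv}             # dm-crypt mapping name
VG=${VG:-vg0}; POOL=${POOL:-pool0}; LV=${LV:-data}
SNAP_MNT=${SNAP_MNT:-/mnt/snap}; DEST=${DEST:-/backup/data.tar}

run() {                         # print the command, execute only if APPLY=1
  printf '%s\n' "$*"
  if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

setup_stack() {
  run cryptsetup luksFormat "$DEV"               # one passphrase for the whole PV
  run cryptsetup open "$DEV" "$MAP"
  run pvcreate "/dev/mapper/$MAP"                # LVM sees only the opened mapping
  run vgcreate "$VG" "/dev/mapper/$MAP"
  run lvcreate --type thin-pool -L 50G -n "$POOL" "$VG"
  run lvcreate -V 20G --thinpool "$POOL" -n "$LV" "$VG"
  run mkfs.ext4 "/dev/$VG/$LV"
}

backup_once() {
  snap="${LV}_bak"
  run lvcreate -s -n "$snap" "$VG/$LV"           # thin snapshot, no size needed
  run lvchange -ay -K "$VG/$snap"                # thin snapshots skip activation by default
  run mount -o ro "/dev/$VG/$snap" "$SNAP_MNT"   # plaintext view, no passphrase involved
  run tar -C "$SNAP_MNT" -cf "$DEST" .
  run umount "$SNAP_MNT"
  run lvremove -y "$VG/$snap"
}

grow() { run lvextend -r -L "+$1" "$VG/$LV"; }   # -r also resizes the filesystem

case "${1:-}" in
  setup)  setup_stack ;;
  backup) backup_once ;;
  grow)   grow "${2:?size such as 10G}" ;;
esac
```

The archive written by `backup_once` is plaintext, so `DEST` should itself sit on encrypted storage if the backup must stay protected at rest.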