[linux-lvm] creating a LVM ontop of a cryptated (ppdd) loop back device

[linux-lvm] creating a LVM ontop of a cryptated (ppdd) loop back device

[Jon Bendtsen]

I'm trying to cryptate my filesystems, and be able to take snapshots of
them.
I cannot get a snapshot of a cryptated LV to work (maybe because it is
readonly)
So i wanted to go the other way, and put the encryption in the bottom.
But, i cant create a VG ontop of a cryptated (ppdd) loop back device. It
works on a
unencrypted device. 

It pvcreates just fine, but when it comes to vgcreate, it says:
ve:/# pvcreate /dev/loop1
pvcreate -- physical volume "/dev/loop1" successfully created

ve:/# vgcreate vgt /dev/loop1
vgcreate -- no valid physical volumes in command line



Does anyone know any other encryption that works with LVM and/or allows
one to take snapshots?




JonB

Re: [linux-lvm] creating a LVM ontop of a cryptated (ppdd) loop back device

[José Luis Domingo López]

On Thursday, 17 October 2002, at 18:01:41 +0200,
Jon Bendtsen wrote:

> I'm trying to cryptate my filesystems, and be able to take snapshots of
> them.
> I cannot get a snapshot of a cryptated LV to work (maybe because it is
> readonly)
>
I haven't tried, but wouldn't it be possible to just take a snapshots
from a LV containing an encrypted filesystem, and then loop-mount it
(assuming encrypted via the loop device), give the password, and then
backup ?

I think from the loop-aes type of filesystem encryption point of view.
But as I have said previously, I haven't tried if this works, although
if my understanding of all these things is OK, should work.

I will try to test this setup tomorrow when I get to work :-)

-- 
Jose Luis Domingo Lopez
Linux Registered User #189436     Debian Linux Woody (Linux 2.4.19-pre6aa1)

Re: [linux-lvm] creating a LVM ontop of a cryptated (ppdd) loop back device

[Jon Bendtsen]

José Luis Domingo López wrote:
> 
> On Thursday, 17 October 2002, at 18:01:41 +0200,
> Jon Bendtsen wrote:
> 
> > I'm trying to cryptate my filesystems, and be able to take snapshots of
> > them.
> > I cannot get a snapshot of a cryptated LV to work (maybe because it is
> > readonly)
> >
> I haven't tried, but wouldn't it be possible to just take a snapshots
> from a LV containing an encrypted filesystem, and then loop-mount it
> (assuming encrypted via the loop device), give the password, and then
> backup ?

maybe, but i cant losetup it, possibly because snapshots are readonly.
Further more i would like noninteraktive backup's. So, i _WANT_ to put
LVM ontop of a encrypted filesystem.

 
> I think from the loop-aes type of filesystem encryption point of view.
> But as I have said previously, I haven't tried if this works, although
> if my understanding of all these things is OK, should work.

i havent tried with loop-aes either, but with loop-ppdd, and ppdd didnt
work.


> I will try to test this setup tomorrow when I get to work :-)

cool, me too :)




JonB

Re: [linux-lvm] creating a LVM ontop of a cryptated (ppdd) loop back device

[Jose Luis Domingo Lopez]

On Friday, 18 October 2002, at 09:24:03 +0200,
Jon Bendtsen wrote:

> Jos� Luis Domingo L�pez wrote:
> > I haven't tried, but wouldn't it be possible to just take a snapshots
> > from a LV containing an encrypted filesystem, and then loop-mount it
> > (assuming encrypted via the loop device), give the password, and then
> > backup ?
> 
Well, I finally got to work, and made some test, as promised... And it
seems to work !. A list of commands used (and explanations) follows:

# First, create a test LV
# lvcreate --size 350M --name Test Group00
# Now, bind a loop device to the newly created LV (choose a password)...
# losetup -e blowfish /dev/loop0 /dev/Group00/Test
# ...and make a filesystem on the loop device (so it is encrypted in the LV)
# mke2fs /dev/loop0
# Detach the LV from the loop device...
# losetup -d /dev/loop0
# ...create a test mountpoint...
# mkdir /tmp/test
# ...and finally mount the encrypted FS (over a LV, passwprd needed)
# mount -t ext2 -o loop,encryption=blowfish /dev/Group00/Test /tmp/test

# Nothing fancy by now, just an encrypted filesystem, thanks to
# "loop-aes", but instead of using a partition, a simple test LV
# Now do whatever you want with this flashing new filesystem, for
# example, copy some files to it, so you have something to backup :-)

# Let's create a snapshot LV from the otriginal test LV
# lvcreate --size 50M --snapshot --name EncryptedSnapshot /dev/Group00/Test
# Make a directory to (hopefully) mount the encrypted volume
# mkdir /tmp/encryptedsnapshot
# And now, try to mount the snapshot volume. I don't know the details,
# but it seems by default the snapshot is read-only (don't know if you
# can change this with "lvchange"). So a "ro" argument to "mount" is 
# needed (you will need to supply the password chosen before).
# mount -t ext2 -o ro,loop,encryption=blowfish /dev/Group00/EncryptedSnapshot /tmp/encryptedsnapshot/
# Now you can backup from the snapshot volume, and then unmount...
# umount /tmp/encryptedsnapshot
# ...and be done with this snapshot...
# lvremove /dev/Grupo00/EncryptedSnapshot


As said in my first post to this thread, the encryption layer is
provided by loop-aes (loop-aes.sourceforge.net), which is easy to setup
and is quite well documented (except for one little but annoying detail:
instead of "AES", the algorithm is called "rijndael", otherwise "loop"
complains loudly about an "unknown algorithm type").

Hope this helps.

-- 
Jose Luis Domingo Lopez
Linux Registered User #189436     Debian Linux Woody (Linux 2.4.19-pre6aa1)

Re: [linux-lvm] creating a LVM ontop of a cryptated (ppdd) loop back device

[Jon Bendtsen]

Jose Luis Domingo Lopez wrote:
> 
> On Friday, 18 October 2002, at 09:24:03 +0200,
> Jon Bendtsen wrote:
> 
> > José Luis Domingo López wrote:
> > > I haven't tried, but wouldn't it be possible to just take a snapshots
> > > from a LV containing an encrypted filesystem, and then loop-mount it
> > > (assuming encrypted via the loop device), give the password, and then
> > > backup ?
> >
> Well, I finally got to work, and made some test, as promised... And it
> seems to work !. A list of commands used (and explanations) follows:

oops, i knew i forgot something. I made loop-aes work as well. Sorry.
I even talked with Jari, and he said the problem was that ppdd used the
first 1k of the block device, which AES (and other loop-aes ciphers)
didnt.


[cut]


> As said in my first post to this thread, the encryption layer is
> provided by loop-aes (loop-aes.sourceforge.net), which is easy to setup
> and is quite well documented (except for one little but annoying detail:
> instead of "AES", the algorithm is called "rijndael", otherwise "loop"
> complains loudly about an "unknown algorithm type").

hmm ?? rijndael ?
I've used it just fine with losetup -e AES256




JonB

Re: [linux-lvm] creating a LVM ontop of a cryptated (ppdd) loop back device

[Jose Luis Domingo Lopez]

On Sunday, 20 October 2002, at 10:19:11 +0200,
Jon Bendtsen wrote:

> > As said in my first post to this thread, the encryption layer is
> > provided by loop-aes (loop-aes.sourceforge.net), which is easy to setup
> > and is quite well documented (except for one little but annoying detail:
> > instead of "AES", the algorithm is called "rijndael", otherwise "loop"
> > complains loudly about an "unknown algorithm type").
> 
> hmm ?? rijndael ?
> I've used it just fine with losetup -e AES256
> 
Just a final note, and trying not to go too off-topic, this is maybe an
issue with my "mount" package version more than a "loop-aes" problem.
But I am not sure of which program or code checks for the "correctness"
of an algorithm name when you use "losetup" (in fact, the /proc/cipher
files don't appear on my system :-).

I will investigate it further, but this is off-topic here, so end of
thread on my part ;-).

-- 
Jose Luis Domingo Lopez
Linux Registered User #189436     Debian Linux Woody (Linux 2.4.19-pre6aa1)

Re: [linux-lvm] creating a LVM ontop of a cryptated (ppdd) loop back device

[Jon Bendtsen]

Jose Luis Domingo Lopez wrote:
> 
> On Sunday, 20 October 2002, at 10:19:11 +0200,
> Jon Bendtsen wrote:
> 
> > > As said in my first post to this thread, the encryption layer is
> > > provided by loop-aes (loop-aes.sourceforge.net), which is easy to setup
> > > and is quite well documented (except for one little but annoying detail:
> > > instead of "AES", the algorithm is called "rijndael", otherwise "loop"
> > > complains loudly about an "unknown algorithm type").
> >
> > hmm ?? rijndael ?
> > I've used it just fine with losetup -e AES256
> >
> Just a final note, and trying not to go too off-topic, this is maybe an
> issue with my "mount" package version more than a "loop-aes" problem.
> But I am not sure of which program or code checks for the "correctness"
> of an algorithm name when you use "losetup" (in fact, the /proc/cipher
> files don't appear on my system :-).
> 
> I will investigate it further, but this is off-topic here, so end of
> thread on my part ;-).

Not completely offtopic.
Why are you using mount ??
I'm talking about running LVM ontop of a encrypted loopback device, not
encrypting a lv.



JonB

Re: [linux-lvm] creating a LVM ontop of a cryptated (ppdd) loop back device

[Jose Luis Domingo Lopez]

On Sunday, 20 October 2002, at 17:57:34 +0200,
Jon Bendtsen wrote:

> Not completely offtopic.
>
I hope so :)

> Why are you using mount ??
>
What I described is an encrypted filesystem over a plain-and-simple LV,
and the procedure you could follow to take snapshots from this LV,
which holds an encrypted filesystem, and make filesystem-level backups
(such as those made with tar, cpio, rsync and others).

At least in Debian, "losetup" comes with the "mount" package.

> I'm talking about running LVM ontop of a encrypted loopback device, not
> encrypting a lv.
> 
Then maybe we are talking about different things here. I used an
encrypted filesystem over an unencrypted LV but, as loop-aes needs the
loop device to operate, I need to loop-mount the encrypted filesystem for
the system to be able to on-the-fly decrypt its contents.

Maybe I am confused, because I don't fully understand what you mean by
"running LVM ontop of a encrypted loopback device".

-- 
Jose Luis Domingo Lopez
Linux Registered User #189436     Debian Linux Woody (Linux 2.4.19-pre6aa1)

Re: [linux-lvm] creating a LVM ontop of a cryptated (ppdd) loop back device

[Jon Bendtsen]

Jose Luis Domingo Lopez wrote:
> 
> On Sunday, 20 October 2002, at 17:57:34 +0200,
> Jon Bendtsen wrote:


> Then maybe we are talking about different things here. I used an
> encrypted filesystem over an unencrypted LV but, as loop-aes needs the
> loop device to operate, I need to loop-mount the encrypted filesystem for
> the system to be able to on-the-fly decrypt its contents.
> 
> Maybe I am confused, because I don't fully understand what you mean by
> "running LVM ontop of a encrypted loopback device".

We are talking different things.
I'll sum up what i did with 2 lines

losetup -e AES256 /dev/loop0 /dev/sdb1
pvcreate /dev/loop0




JonB