From: Luca Berra <bluca@comedia.it>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] advice on encrypted snapshots
Date: Sun, 1 Nov 2009 00:39:47 +0100
Message-ID: <20091031233947.GA17286@maude.comedia.it>
In-Reply-To: <1257012182.17395.36.camel@corn.betterworld.us>

On Sat, Oct 31, 2009 at 11:03:02AM -0700, Ross Boylan wrote:
>On Sat, 2009-10-31 at 09:12 +0100, Luca Berra wrote:
>> On Fri, Oct 30, 2009 at 01:05:54PM -0700, Ross Boylan wrote:
>> >Does anyone have any advice about how to snapshot an encrypted volume so
>> >that the snapshot won't leak information?
>> >
>> Do you mean linux-lvm snapshot 
>Yes.
>> or some storage based one?
>I'm not sure what that means, but I don't want to rsync or tar.  The
I meant a storage device which presents disk space as one or more LUNs
to a host using either Fibre Channel or iSCSI or similar means, but
that's not your case.
>
>> In the first case I think the safest way is encrypting the PV.
>
>I don't think I can.  Here's my setup:
>V1E   encrypted volume, built on top of
>V1R   raw volume, which is part of 
>VGA   volume group, composed of
>PVA   physical volume (which is actually software RAID).
>
...
>
>So if I snapshot V1E I think I must use VGA (at any rate, I have no
>other space), which exposes the readable version of my data.
It fails on me when creating the v1e-snap device, but maybe I am just
too tired to figure it out now, see below...

>Maybe I could snapshot V1R and use the same encryption key as for V1E to
>make V2E?
When I try to luksOpen a snapshot I get "Device Busy"
and "device-mapper: ioctl: device doesn't appear to be in the dev hash
table." in dmesg.

>Now that I think of it, I'm not even sure if LVM will snapshot the
>product of dm-crypt (V1E).
No, you have to do it by hand.
It could be something like:

size=`blockdev --getsize /dev/mapper/v1e`        # origin size in 512-byte sectors
cowsize=$(( $size / 2048 * 20 / 100 ))           # 20% of v1e size, in MiB
chunk=8                                          # snapshot chunk size in sectors
lvcreate -n v1e-cow -L ${cowsize}M /dev/vga      # -L takes a size; -l would be a count of extents
# copy of the live crypt table; without --showkeys dmsetup masks the key with zeros
dmsetup table --showkeys v1e | dmsetup create v1e-real
dmsetup suspend v1e
# both targets must point at v1e-real: v1e is about to become the snapshot-origin itself
echo 0 $size snapshot /dev/mapper/v1e-real /dev/vga/v1e-cow p $chunk | dmsetup create v1e-snap
echo 0 $size snapshot-origin /dev/mapper/v1e-real | dmsetup create v1e-origin
dmsetup table v1e-origin | dmsetup load v1e      # v1e now serves I/O through snapshot-origin
dmsetup resume v1e

mount /dev/mapper/v1e-snap /wherever
# ... run the backup ...
umount /dev/mapper/v1e-snap

dmsetup suspend v1e
dmsetup remove v1e-snap
dmsetup remove v1e-origin
dmsetup table --showkeys v1e-real | dmsetup load v1e   # restore the crypt table, key included
dmsetup resume v1e
dmsetup remove v1e-real                          # drop the second crypt mapping
lvremove -f vga/v1e-cow                          # the cow holds plaintext copies of overwritten chunks


-- 
Luca Berra -- bluca@comedia.it
         Communication Media & Services S.r.l.
  /"\
  \ /     ASCII RIBBON CAMPAIGN
   X        AGAINST HTML MAIL
  / \
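
The procedure in the message above, as an added example that is not part of the thread: a POSIX sh script that emits the device-mapper commands as a reviewable plan instead of running them. Device names (v1e, vga, v1e-cow) follow the thread; the crypt mapping over the COW store (v1e-cow-crypt), its cipher settings, and the 1 GiB size in the usage line are assumptions. The plan differs from the message in one respect: the snapshot target copies every origin chunk into the COW store before it is overwritten, and the origin here is the decrypted device, so a COW LV on the plaintext VG is exactly the leak the thread is about. The plan therefore wraps the COW LV in a throw-away plain-mode dm-crypt mapping keyed from /dev/urandom; when the mapping is closed the COW contents are unrecoverable. Because a freshly keyed mapping returns garbage rather than zeros, the first chunk is zeroed so the persistent snapshot header is recognised as new.

```shell
#!/bin/sh
# Added example, not code from the thread: emit the command sequence for a manual
# device-mapper snapshot of a dm-crypt device as a dry-run plan. Nothing here touches
# the system; pipe the plan into sh only after reading it.

# COW size in MiB from the origin size in 512-byte sectors and a percentage.
cow_size_mib() {  # $1 = origin size in sectors, $2 = percent
    echo $(( $1 / 2048 * $2 / 100 ))
}

# Table for the snapshot target: origin, COW device, persistent, chunk size in sectors.
# The origin must be the *-real copy, never the live device that becomes the origin target.
snapshot_table() {  # $1 = size, $2 = origin (the *-real copy), $3 = cow device, $4 = chunk
    echo "0 $1 snapshot $2 $3 p $4"
}

# Table for the snapshot-origin target that replaces the live device's own table.
snapshot_origin_table() {  # $1 = size, $2 = origin (the *-real copy)
    echo "0 $1 snapshot-origin $2"
}

# Full setup plan. The COW LV is wrapped in a plain-mode crypt mapping with a random
# key (assumed name ${name}-cow-crypt) so plaintext chunks never reach the raw VG.
snapshot_plan() {  # $1 = dm name, $2 = vg, $3 = size in sectors, $4 = cow percent, $5 = chunk
    sp_name=$1 sp_vg=$2 sp_size=$3 sp_pct=$4 sp_chunk=$5
    sp_real=/dev/mapper/${sp_name}-real
    sp_cow=/dev/mapper/${sp_name}-cow-crypt
    cat <<EOF
lvcreate -n ${sp_name}-cow -L $(cow_size_mib "$sp_size" "$sp_pct")M $sp_vg
cryptsetup open --type plain -c aes-xts-plain64 -s 512 -d /dev/urandom /dev/${sp_vg}/${sp_name}-cow ${sp_name}-cow-crypt
# zero the first chunk: a random-keyed mapping reads as garbage, and the persistent
# snapshot code rejects a header that is neither zero nor valid
dd if=/dev/zero of=$sp_cow bs=512 count=$sp_chunk
# copy of the live crypt table; without --showkeys the key is masked with zeros
dmsetup table --showkeys $sp_name | dmsetup create ${sp_name}-real
echo '$(snapshot_table "$sp_size" "$sp_real" "$sp_cow" "$sp_chunk")' | dmsetup create ${sp_name}-snap
dmsetup suspend $sp_name
echo '$(snapshot_origin_table "$sp_size" "$sp_real")' | dmsetup load $sp_name
dmsetup resume $sp_name
EOF
}

# Teardown plan: restore the crypt table (key included), then drop the helpers.
# Closing the crypt mapping discards the random key, so the COW data is gone for good.
teardown_plan() {  # $1 = dm name, $2 = vg
    cat <<EOF
dmsetup suspend $1
dmsetup remove $1-snap
dmsetup table --showkeys $1-real | dmsetup load $1
dmsetup resume $1
dmsetup remove $1-real
cryptsetup close $1-cow-crypt
lvremove -f $2/$1-cow
EOF
}

# Usage: sh snapshot-plan.sh v1e vga 2097152 20 8   (2097152 sectors = 1 GiB, constructed)
if [ $# -eq 5 ]; then
    snapshot_plan "$@"
    echo "# ... mount /dev/mapper/$1-snap, run the backup, unmount, then:"
    teardown_plan "$1" "$2"
fi
```

The intermediate v1e-origin device from the message is not needed: the snapshot-origin table is loaded straight into the live device. Run the generated plan line by line the first time, and check `dmsetup status v1e-snap` while the backup runs; the COW mapping and LV should be removed as soon as the backup is off the host.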

Thread overview:
2009-10-30 20:05 [dm-crypt] advice on encrypted snapshots Ross Boylan
2009-10-31  5:34 ` Arno Wagner
2009-10-31  7:13 ` Heinz Diehl
2009-10-31  8:12 ` Luca Berra
2009-10-31 18:03   ` Ross Boylan
2009-10-31 23:39     ` Luca Berra [this message]
2009-11-01  2:05       ` Arno Wagner
2009-11-01  3:29         ` Ross Boylan
2009-11-01  8:06         ` Luca Berra
2009-11-01 21:39           ` Arno Wagner
2009-11-04  0:43     ` [dm-crypt] advice on encrypted snapshots [solved] Ross Boylan