From: Luca Berra
Date: Sun, 1 Nov 2009 00:39:47 +0100
Subject: Re: [dm-crypt] advice on encrypted snapshots
To: dm-crypt@saout.de
Message-ID: <20091031233947.GA17286@maude.comedia.it>
In-Reply-To: <1257012182.17395.36.camel@corn.betterworld.us>
References: <1256933154.21609.14.camel@markov.biostat.ucsf.edu> <20091031081240.GA18686@maude.comedia.it> <1257012182.17395.36.camel@corn.betterworld.us>

On Sat, Oct 31, 2009 at 11:03:02AM -0700, Ross Boylan wrote:
>On Sat, 2009-10-31 at 09:12 +0100, Luca Berra wrote:
>> On Fri, Oct 30, 2009 at 01:05:54PM -0700, Ross Boylan wrote:
>> >Does anyone have any advice about how to snapshot an encrypted volume so
>> >that the snapshot won't leak information?
>> >
>> Do you mean linux-lvm snapshot
>Yes.
>> or some storage based one?
>I'm not sure what that means, but I don't want to rsync or tar.

I meant a storage device which presents disk space as one or more LUNs
to a host using either fibre-channel or iSCSI or similar means, but
that's not your case.

>
>> In the first case I think the safest way is encrypting the PV.
>
>I don't think I can.
>Here's my setup:
>V1E encrypted volume, built on top of
>V1R raw volume, which is part of
>VGA volume group, composed of
>PVA physical volume (which is actually software RAID).
> ...
>
>So if I snapshot V1E I think I must use VGA (at any rate, I have no
>other space), which exposes the readable version of my data.

it fails on me when creating the v1e-snap device, but maybe I am just
too tired to figure it out now, see below...

>Maybe I could snapshot V1R and use the same encryption key as for V1E to
>make V2E?

when I try to luksOpen a snapshot I get "Device Busy" and
"device-mapper: ioctl: device doesn't appear to be in the dev hash table."
in dmesg

>Now that I think of it, I'm not even sure if LVM will snapshot the
>product of dm-crypt (V1E).

no, you have to do it by hand
it could be something like:

size=`blockdev --getsize /dev/mapper/v1e`        # size of v1e in 512-byte sectors
cowsize=$(( $size / 2048 * 20 / 100 ))            # 20% of v1e size, in MiB
chunk=8                                           # snapshot chunk size, in sectors
lvcreate -n v1e-cow -L ${cowsize}M /dev/vga       # -L takes a size; -l would be counted in extents
dmsetup table v1e | dmsetup create v1e-real       # copy of the crypt mapping (newer dmsetup needs --showkeys)
dmsetup suspend v1e
# both the snapshot and the origin must point at v1e-real, not at v1e itself,
# otherwise the table loaded into v1e refers back to v1e
echo 0 $size snapshot /dev/mapper/v1e-real /dev/vga/v1e-cow p $chunk | dmsetup create v1e-snap
echo 0 $size snapshot-origin /dev/mapper/v1e-real | dmsetup create v1e-origin
dmsetup table v1e-origin | dmsetup load v1e
dmsetup resume v1e
mount /dev/mapper/v1e-snap /wherever
backup                                            # whatever copies /wherever out
umount /dev/mapper/v1e-snap
dmsetup suspend v1e
dmsetup remove v1e-snap
dmsetup remove v1e-origin
dmsetup table v1e-real | dmsetup load v1e
dmsetup resume v1e

-- 
Luca Berra -- bluca@comedia.it
        Communication Media & Services S.r.l.
 /"\
 \ /     ASCII RIBBON CAMPAIGN
  X        AGAINST HTML MAIL
 / \
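As an added example that is not part of Luca's reply nor of dm-crypt or LVM, a check over `dmsetup table` output that flags the exposure Ross raised: a snapshot whose origin is a dm-crypt device but whose COW store is not, plus a snapshot-origin table that names the very device it is loaded into. The table lines, device names, sizes and the KEYHEX placeholder are all constructed.

```shell
#!/bin/sh
# Constructed `dmsetup table`-style lines (names and sizes invented; key hex
# replaced by KEYHEX). LEAKY: COW on a plain LV under a dm-crypt origin.
LEAKY_TABLES='v1e-real: 0 2097152 crypt aes-cbc-essiv:sha256 KEYHEX 0 9:1 2056
v1e: 0 2097152 snapshot-origin /dev/mapper/v1e-real
v1e-snap: 0 2097152 snapshot /dev/mapper/v1e-real /dev/vga/v1e-cow p 8
vga-v1e--cow: 0 419430 linear 9:1 4194304'
# SAFE: same layout, but the COW store is itself a dm-crypt device.
SAFE_TABLES='v1e-real: 0 2097152 crypt aes-cbc-essiv:sha256 KEYHEX 0 9:1 2056
v1e: 0 2097152 snapshot-origin /dev/mapper/v1e-real
v1e-cow-crypt: 0 419430 crypt aes-cbc-essiv:sha256 KEYHEX 0 252:3 0
v1e-snap: 0 2097152 snapshot /dev/mapper/v1e-real /dev/mapper/v1e-cow-crypt p 8'
# LOOP: the snapshot-origin table loaded into v1e names v1e itself.
LOOP_TABLES='v1e: 0 2097152 snapshot-origin /dev/mapper/v1e'

# Read table lines from $1, print one finding per line, return 1 on any finding.
check_snapshot_tables() {
    printf '%s\n' "$1" | awk '
        # Map /dev/mapper/NAME or /dev/VG/LV to the device-mapper name
        # (LVM doubles hyphens inside VG and LV names: vga/v1e-cow -> vga-v1e--cow).
        function dmname(p,    n, parts, i, out) {
            if (sub(/^\/dev\/mapper\//, "", p)) return p
            sub(/^\/dev\//, "", p)
            n = split(p, parts, "/")
            out = ""
            for (i = 1; i <= n; i++) {
                gsub(/-/, "--", parts[i])
                out = (i == 1) ? parts[i] : out "-" parts[i]
            }
            return out
        }
        { name = $1; sub(/:$/, "", name); target = $4 }
        target == "crypt"    { crypt[name] = 1 }
        target == "snapshot" { origin[name] = dmname($5); cow[name] = dmname($6) }
        target == "snapshot-origin" && dmname($5) == name {
            print name ": snapshot-origin points at itself; load it onto the -real table"
            bad++
        }
        END {
            for (s in origin)
                if (crypt[origin[s]] && !crypt[cow[s]]) {
                    print s ": origin " origin[s] " is dm-crypt but COW " cow[s] " is not"
                    bad++
                }
            exit (bad > 0)
        }'
}

check_snapshot_tables "$LEAKY_TABLES" || echo "refusing: snapshot would expose plaintext"
```

On a live system, feed it `dmsetup table` output instead of the constructed strings; it only reads the table text and never touches the devices.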