[dm-crypt] Need some suggestions on large drives

[dm-crypt] Need some suggestions on large drives

[Scott Castaline]

First, does anyone know how Fedora 12's installer installs LUKS with 
LVM2? Do they do LUKS over LVM2 or LVM2 over LUKS?

Second, I have my boot disk (WD 500GB) setup with 2 partitions, the 1st 
is non LVM or LUKS as ext4 300MB and used as the /boot. The rest of the 
drive or 2nd partition is my 1st VG which is all encrypted and is 
divided up with 7 LVs (/, /home, /dnlds, /docs, /graphics, /tmp, /var, 
swap01) I setup the swap01 with encrytion and is 1/2 of my total swap 
needed (4 GB of RAM total swap = 5 GB, 2.5GB swap01 + 2.5 GB swap02). Is 
this what you call mult-layed encryption? I saw that briefly mentioned 
in either the Aug 2009 or Sept 2009 archives. Am I wrong for doing that?

Third, I've been reading the discussion on the different encryption 
ciphers from the Aug 2009 archive and am thinking of using 
serpent-cbc-essiv:sha256. Would this be suitable for a 1TB drive? I'll 
be doing this manually so would I 1st create the partition with fdisk 
then the luksFormat finally doing the vgcreate and lvcreate. I'll be 
doing 2 seperate 1TB drives at the same time set up as separate VGs. One 
of them will also have an LV for swap02 which I was planning to 
additionally encrypt. Would this be wrong?

Finally, as mentioned in the second paragraph, I have /var as seperate 
LV which is within an encrypted VG. The LV is not additionally 
encrypted, I had to expand the LV using free space from the 1st VG. I 
did it through the GUI for LVM2. It never indicated any errors during 
the process and it appears now to have access to the full size of the 
expanded LV. However, I now get an error on boot referring to the LV 
that /var resides on. Does anyone know the proper way to use e2fsk? I 
tried shutting down to single user and unmounting the LV so that I could 
execute "e2fsck -VCa mapped-device", but I wasn't able to unmount the LV.

Sory for the long winded post and for going all over the place, but they 
are sort of inter-related and I'm trying to straighten them out all 
together.

Re: [dm-crypt] Need some suggestions on large drives

[Milan Broz]

On 03/06/2010 06:45 PM, Scott Castaline wrote:
> First, does anyone know how Fedora 12's installer installs LUKS with 
> LVM2? Do they do LUKS over LVM2 or LVM2 over LUKS?

You can (manually) configure both modes during partitioning, 
the "encrypt whole system" checkbox will create partition, LUKS on it,
and over it LVM2 with root + swap LV.

Anaconda (Fedora installer) developers decided to use aes-xts-plain
with 512 bits key (IOW AES256 in XTS mode).

> Finally, as mentioned in the second paragraph, I have /var as seperate 
> LV which is within an encrypted VG. The LV is not additionally 
> encrypted, I had to expand the LV using free space from the 1st VG. I 
> did it through the GUI for LVM2.

Not sure what's GUI - if it is system-config-lvm, it doesn't suport LUKS yet,
so you must be very careful. (and there were nasty bugs in this GUI, should
be fixed in recent version though).

But because LUKS have no underlying device size stored in header,
simply reactivate will reload the proper device size.
(or use cryptsetup resize command for online change).

...
> execute "e2fsck -VCa mapped-device", but I wasn't able to unmount the LV.
then you maybe need to run it from recovery or LiveCD.
(online resize LV is not problem, online resize FS on it - depends on configuration,
ext3 should allow online extension)

Milan

Re: [dm-crypt] Need some suggestions on large drives

[Scott Castaline]

On 03/06/2010 02:25 PM, Milan Broz wrote:
> On 03/06/2010 06:45 PM, Scott Castaline wrote:
>> First, does anyone know how Fedora 12's installer installs LUKS with
>> LVM2? Do they do LUKS over LVM2 or LVM2 over LUKS?
>
> You can (manually) configure both modes during partitioning,
> the "encrypt whole system" checkbox will create partition, LUKS on it,
> and over it LVM2 with root + swap LV.
>
> Anaconda (Fedora installer) developers decided to use aes-xts-plain
> with 512 bits key (IOW AES256 in XTS mode).
>
Is there a way to change it to another cipher? I'm asking as I might 
redo my install or I might just back up all filesystems on the 1st VG 
and then manually do the LUKS/LVM2 prep and then restore my system.

>> Finally, as mentioned in the second paragraph, I have /var as seperate
>> LV which is within an encrypted VG. The LV is not additionally
>> encrypted, I had to expand the LV using free space from the 1st VG. I
>> did it through the GUI for LVM2.
>
> Not sure what's GUI - if it is system-config-lvm, it doesn't suport LUKS yet,
> so you must be very careful. (and there were nasty bugs in this GUI, should
> be fixed in recent version though).
>
Too late for the warning, I had already done it. It fails only on boot 
right where it starts loading mods and starting services. It goes by 
fairly quick so I can't catch what is above the red [FAILED] and it does 
not show up in any of the logs that I've been able to find. All I've 
been able to see is a reference about /var is busy and already mounted 
then under that line is the red [FAILED]. I was thinking that it's 
trying to do a fsck, so that's why I'm trying to do it manually.
> But because LUKS have no underlying device size stored in header,
> simply reactivate will reload the proper device size.
> (or use cryptsetup resize command for online change).
>
> ...
>> execute "e2fsck -VCa mapped-device", but I wasn't able to unmount the LV.
> then you maybe need to run it from recovery or LiveCD.
> (online resize LV is not problem, online resize FS on it - depends on configuration,
> ext3 should allow online extension)
>
Everything seems to be ok as if I check sizes and such it comes back 
with all the right info, but I'm not sure if it's reporting just the LV 
or the filesystem.

> Milan

Re: [dm-crypt] Need some suggestions on large drives

[Arno Wagner]

On Sat, Mar 06, 2010 at 12:45:48PM -0500, Scott Castaline wrote:
[...]
> Third, I've been reading the discussion on the different encryption
> ciphers from the Aug 2009 archive and am thinking of using
> serpent-cbc-essiv:sha256. Would this be suitable for a 1TB drive?

Yes. Although there really is no reason to avoid AES. If it
has a backdoor, the portential economic damage would far
outweight the gains, so it is highly unlikely that there
is one.

Arno

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier