From: lejeczek <peljasz@yahoo.co.uk>
To: LVM general discussion and development <linux-lvm@redhat.com>
Subject: Re: [linux-lvm] [Bulk] Re: lvm protected against crypt/luks
Date: Tue, 8 Mar 2016 14:02:21 +0000
Message-ID: <56DEDB6D.2030502@yahoo.co.uk>
In-Reply-To: <20160308111228.GA18072@hex.gsslab.fab.redhat.com>
On 08/03/16 11:12, Bryn M. Reeves wrote:
> On Mon, Mar 07, 2016 at 03:03:10PM -0500, John Stoffel wrote:
>> lejeczek> Do I need to wipe block devices clean off any LVM traces in
>> lejeczek> order to encrypt them?
>>
>> No... but it's probably a good idea to do so initially, which is
>> really to just zero it out. But LV information is stored within the
>> VG, which is stored within the PVs which make it up.
> Better to overwrite it with garbage (/dev/urandom for e.g.). This can
> take a very long time for large volumes but makes attacks on the
> ciphered data harder.
>
> The Arch wiki has some discussion of this:
>
> https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation
>
> You also need to decide where you want the encrypted layer to sit:
> you can encrypt PVs (meaning that the entire volume group using
> those PVs is encrypted), or you can encrypt individual LVs.
>
> The choice depends on what you want to protect and how much of a
> performance penalty you are willing to take for the encryption.
>
>> Of course they can. Then you just loop mount the encrypted LUKS
>> device (physical disk or LV, or even a file) and then put a filesystem
>> on the new device. Then you mount that filesystem and away you go.
superb, thanks chaps,
on keyfiles, would you know why this:
cryptsetup luksOpen /dev/h300Int1/0 h300Int1.0_crypt /etc/crypttab.key --keyfile-offset 12
won't work? Whenever I use offset, I will not get:
Key slot 0 unlocked.
Command successful.
thanks.
> No need for loop devices or mounts - a dm-crypt layer looks just
> like a regular linear device-mapper device and can be mounted or
> passed to tools like mkfs just like any other.
>
> The only extra things you have to deal with are the rather long
> UUID-based names that luks uses by default and the need to give
> the passphrase or key to unlock the device at boot or activation
> time - there are mechanisms integrated in most modern distros to
> assist with this either via configuration files or interactive
> prompts.
>
> Again, Arch have a pretty good overview in their wiki:
>
> https://wiki.archlinux.org/index.php/Dm-crypt
>
> Regards,
> Bryn.
>
> _______________________________________________
> linux-lvm mailing list
> linux-lvm@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-lvm
> read the LVM HOW-TO at http://tldp.org/HOWTO/LVM-HOWTO/
>
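The keyfile question above turns on how cryptsetup is told where the key material starts. As an added example (not from this thread and not cryptsetup's own code), the POSIX shell helper below builds a luksOpen command using the documented `--key-file`, `--keyfile-offset` and `--keyfile-size` options, and first checks that the offset actually leaves key bytes to read: an offset at or past the end of the keyfile hands cryptsetup zero bytes, so no key slot can unlock. The device path, mapping name and keyfile are constructed placeholders and nothing here touches a real block device; the function only validates its inputs and prints the command it would run.

```shell
#!/bin/sh
# Added example: assemble and sanity-check a cryptsetup luksOpen call that
# unlocks an LV with a keyfile via --key-file / --keyfile-offset /
# --keyfile-size. Device, mapping name and keyfile are constructed
# placeholders; the command is printed, not executed.

# keyfile_bytes FILE -> size of FILE in bytes (portable: wc -c on stdin)
keyfile_bytes() {
    wc -c < "$1" | tr -d ' '
}

# build_luksopen_cmd DEVICE NAME KEYFILE OFFSET [SIZE]
# Prints the cryptsetup command on stdout. Returns 1 (with a reason on
# stderr) when the keyfile cannot supply the requested bytes.
build_luksopen_cmd() {
    dev=$1; name=$2; keyfile=$3; offset=$4; size=${5:-}

    [ -r "$keyfile" ] || { echo "keyfile not readable: $keyfile" >&2; return 1; }
    case $offset in ''|*[!0-9]*) echo "offset must be a non-negative integer" >&2; return 1;; esac
    case $size in *[!0-9]*) echo "size must be a non-negative integer" >&2; return 1;; esac

    total=$(keyfile_bytes "$keyfile")
    # --keyfile-offset skips OFFSET bytes; the material used is everything
    # after it, or SIZE bytes after it when --keyfile-size is given.
    # An offset at or past EOF leaves no key bytes at all, so cryptsetup
    # cannot unlock any slot: reject that before calling it.
    if [ "$offset" -ge "$total" ]; then
        echo "offset $offset >= keyfile size $total: no key material left" >&2
        return 1
    fi
    if [ -n "$size" ] && [ $((offset + size)) -gt "$total" ]; then
        echo "offset+size $((offset + size)) exceeds keyfile size $total" >&2
        return 1
    fi

    cmd="cryptsetup luksOpen --key-file $keyfile --keyfile-offset $offset"
    [ -n "$size" ] && cmd="$cmd --keyfile-size $size"
    echo "$cmd $dev $name"
}

# Demonstration with a constructed 32-byte keyfile in a temporary directory
# (32 ASCII '0' characters: a stand-in, not real key material).
demo_dir=$(mktemp -d)
printf '%032d' 0 > "$demo_dir/crypttab.key"
chmod 600 "$demo_dir/crypttab.key"

# offset 12 of 32 bytes: 20 bytes of key material remain, command is printed
build_luksopen_cmd /dev/h300Int1/0 h300Int1.0_crypt "$demo_dir/crypttab.key" 12
# offset 40 of 32 bytes: nothing left to read, so the call is refused
build_luksopen_cmd /dev/h300Int1/0 h300Int1.0_crypt "$demo_dir/crypttab.key" 40 \
    || echo "rejected as expected"
rm -rf "$demo_dir"
```

The check mirrors what cryptsetup itself does with the keyfile (skip the offset, then read the rest or `--keyfile-size` bytes), so the same arithmetic that decides whether a slot can be opened is visible before any device is touched. Keeping the keyfile mode 600 and owned by root is the other half of the arrangement: a readable keyfile defeats the encryption regardless of how the command is spelled.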
Thread overview:
2016-03-07 17:31 [linux-lvm] lvm protected against crypt/luks lejeczek
2016-03-07 20:03 ` John Stoffel
2016-03-08 11:12 ` Bryn M. Reeves
2016-03-08 14:02 ` lejeczek [this message]
2016-03-08 14:14 ` [linux-lvm] [Bulk] " Ondrej Kozina
2016-03-08 15:36 ` lejeczek
2016-03-08 16:09 ` Ondrej Kozina
2016-03-07 20:29 ` [linux-lvm] " f-lvm