From: "Bryn M. Reeves" <bmr@redhat.com>
To: LVM general discussion and development <linux-lvm@redhat.com>
Subject: Re: [linux-lvm] lvm protected against crypt/luks
Date: Tue, 8 Mar 2016 11:12:29 +0000 [thread overview]
Message-ID: <20160308111228.GA18072@hex.gsslab.fab.redhat.com> (raw)
In-Reply-To: <22237.56958.981481.778563@quad.stoffel.home>
On Mon, Mar 07, 2016 at 03:03:10PM -0500, John Stoffel wrote:
> lejeczek> Do I need to wipe block devices clean off any LVM traces in
> lejeczek> order to encrypt them?
>
> No... but it's probably a good idea to do so initially, which is
> really to just zero it out. But LV information is stored within the
> VG, which is stored within the PVs which make it up.
Better to overwrite it with garbage (/dev/urandom for e.g.). This can
take a very long time for large volumes but makes attacks on the
ciphered data harder.
The Arch wiki has some discussion of this:
https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation
You also need to decide where you want the encrypted layer to sit:
you can encrypt PVs (meaning that the entire volume group using
those PVs is encrypted), or you can encrypt individual LVs.
The choice depends on what you want to protect and how much of a
performance penalty you are willing to take for the encryption.
> Of course they can. Then you just loop mount the encrypted LUKS
> device (physical disk or LV, or even a file) and then put a filesystem
> on the new device. Then you mount that filesystem and away you go.
No need for loop devices or mounts - a dm-crypt layer looks just
like a regular linear device-mapper device and can be mounted or
passed to tools like mkfs just like any other.
The only extra things you have to deal with are the rather long
UUID-based names that luks uses by default and the need to give
the passphrase or key to unlock the device at boot or activation
time - there are mechanisms integrated in most modern distros to
assist with this either via configuration files or interactive
prompts.
Again, Arch have a pretty good overview in their wiki:
https://wiki.archlinux.org/index.php/Dm-crypt
Regards,
Bryn.
next prev parent reply other threads:[~2016-03-08 11:12 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-07 17:31 [linux-lvm] lvm protected against crypt/luks lejeczek
2016-03-07 20:03 ` John Stoffel
2016-03-08 11:12 ` Bryn M. Reeves [this message]
2016-03-08 14:02 ` [linux-lvm] [Bulk] " lejeczek
2016-03-08 14:14 ` Ondrej Kozina
2016-03-08 15:36 ` lejeczek
2016-03-08 16:09 ` Ondrej Kozina
2016-03-07 20:29 ` [linux-lvm] " f-lvm
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160308111228.GA18072@hex.gsslab.fab.redhat.com \
--to=bmr@redhat.com \
--cc=linux-lvm@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).