From: Zdenek Kabelac <zdenek.kabelac@gmail.com>
To: LVM general discussion and development <linux-lvm@redhat.com>,
Jean-Marc Saffroy <saffroy+redhat@gmail.com>
Subject: Re: [linux-lvm] Can I combine LUKS and LVM to achieve encryption and snapshots?
Date: Tue, 26 Sep 2023 22:00:50 +0200 [thread overview]
Message-ID: <6e0faedf-f450-4454-a86b-6448a1b4747b@gmail.com> (raw)
In-Reply-To: <CAM5YWZfo5q5rP+E2JFudGaHJLQ-2bk2UfpR=En5eDF37JKq2rw@mail.gmail.com>

On 25. 09. 23 at 0:09, Jean-Marc Saffroy wrote:
> Hello LVM experts,
>
> I am trying to create a volume with the following properties:
> - the volume can be resized
> - the volume is encrypted
> - the volume can be snapshotted (for online backups)
>
> So I thought I'd create the volume with LVM, encrypt it with LUKS, and
> snapshot it with LVM. However, LVM doesn't want to snapshot the unencrypted
> LUKS volume, as it is not an actual logical volume known to LVM (and I am not
> keen on snapshotting the encrypted volume, as that means the backup process
> would need the passphrase to mount the encrypted snapshot).
>
> Is there a good way to achieve this with LUKS and LVM, or should I look elsewhere?
>
> I have two ideas but I don't know if they are safe or practical:
> - I could try running LVM (snapshots) on top of LUKS (encryption), itself on top
> of LVM (resize)
Hi

Yep, typical usage is to encrypt the underlying PV - and then create LVs and their
snapshots on the encrypted device.
> - or I could try working with dmsetup to fill the gap between LUKS and LVM
>
> I did simple tests with dmsetup, and that *seems* to work, however I am not
> sure at all if that would be robust. An outline of my test:
> - create an LVM volume (lvcreate) from a larger volume group
> - make it a LUKS volume (cryptsetup luksFormat)
> - "open" the LUKS volume (cryptsetup open)
> - create a snapshot-origin volume from the open LUKS volume (dmsetup create)
> - mount that as my active volume
> - every time I want to do a backup:
> create a temporary snapshot volume from the origin, mount it, run the
> backup, unmount it, delete it
Usually those 'into encryption' want to have everything encrypted - thus even
the layout of the whole storage.

Encrypting 'individual' LVs - while certainly 'doable' - would i.e. create a
considerably larger number of volumes that would need individual 'unlocking'
with each activation.

Speaking about snapshots - you should consider switching to 'thin-pools' for
far better performance...
Regards
Zdenek
_______________________________________________
linux-lvm mailing list
linux-lvm@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-lvm
read the LVM HOW-TO at http://tldp.org/HOWTO/LVM-HOWTO/
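The layout Zdenek recommends (encrypt the whole PV, then put the VG, a thin pool, the LVs and their snapshots on top of it) as an added shell example; this is not code from the thread or from the lvm2 project. It assumes the disk `/dev/sdb`, the mapping name `cryptpv`, the VG `vg_secure`, the pool `tpool` and the thin LV `data`, all overridable through environment variables. Because every command needs root and destroys the target disk, the script has a `DRYRUN=1` mode that prints the command sequence instead of executing it, which is also how one reviews it before running it for real.

```shell
#!/bin/sh
# Added example, not from the linux-lvm thread: LVM on top of LUKS, with thin-pool
# snapshots for online backups. All device and volume names below are assumed.
# DRYRUN=1 prints the commands instead of running them (real runs need root,
# cryptsetup and lvm2, and wipe whatever is on $DISK).

DISK="${DISK:-/dev/sdb}"          # assumed: block device to encrypt
CRYPT="${CRYPT:-cryptpv}"         # assumed: dm-crypt mapping name
VG="${VG:-vg_secure}"             # assumed: volume group on the encrypted PV
POOL="${POOL:-tpool}"             # assumed: thin pool name
LV="${LV:-data}"                  # assumed: thin volume name
DRYRUN="${DRYRUN:-0}"

# Execute a command, or just print it in dry-run mode.
run() {
    if [ "$DRYRUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: one LUKS container becomes the only PV, so every LV and snapshot
# in the VG is encrypted and a single passphrase unlocks all of them.
setup_encrypted_pv() {
    run cryptsetup luksFormat "$DISK"
    run cryptsetup open "$DISK" "$CRYPT"
    run pvcreate "/dev/mapper/$CRYPT"
    run vgcreate "$VG" "/dev/mapper/$CRYPT"
}

# Step 2: a thin pool and a thin volume on it; both can be grown online later.
create_thin_volume() {
    size="${1:-10G}"
    run lvcreate --type thin-pool -L "$size" -n "$POOL" "$VG"
    run lvcreate -V "$size" -T "$VG/$POOL" -n "$LV"
    run mkfs.ext4 "/dev/$VG/$LV"
}

# Step 3: backup through a thin snapshot. It sits above the encryption layer,
# so the backup job mounts plaintext without ever seeing the passphrase.
# Thin snapshots are created with activation skipped; -K overrides that.
snapshot_backup() {
    dest="${1:-/backup}"
    snap="${LV}_snap"
    run lvcreate -s -n "$snap" "$VG/$LV"
    run lvchange -ay -K "$VG/$snap"
    run mkdir -p "/mnt/$snap"
    run mount -o ro "/dev/$VG/$snap" "/mnt/$snap"
    run rsync -a "/mnt/$snap/" "$dest/"
    run umount "/mnt/$snap"
    run lvremove -y "$VG/$snap"
}

# Step 4: grow the pool and the thin volume (with its filesystem) online.
grow_volume() {
    run lvextend -L "+$1" "$VG/$POOL"
    run lvextend -L "+$1" -r "$VG/$LV"
}

case "${1:-}" in
    setup)  setup_encrypted_pv; create_thin_volume "${2:-10G}" ;;
    backup) snapshot_backup "${2:-/backup}" ;;
    grow)   grow_volume "${2:-1G}" ;;
    *)      echo "usage: $0 setup [size] | backup [dest] | grow [size]" >&2 ;;
esac
```

Run `DRYRUN=1 ./lvm-on-luks.sh backup /srv/backup` first to see the exact sequence; the only step that ever touches a passphrase is `cryptsetup open` in the setup, which is why the backup step needs none.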
Thread overview:
2023-09-24 22:09 [linux-lvm] Can I combine LUKS and LVM to achieve encryption and snapshots? Jean-Marc Saffroy
2023-09-26 9:26 ` Harald Dunkel
2023-09-26 20:00 ` Zdenek Kabelac [this message]
2023-09-26 23:10 ` Jean-Marc Saffroy
2023-09-26 23:32 ` Stuart D Gathman
2023-09-27 1:43 ` Demi Marie Obenour
2023-09-27 9:58 ` Zdenek Kabelac
2023-09-27 13:26 ` Roberto Fastec
2023-09-27 15:13 ` Jean-Marc Saffroy
2023-09-27 13:45 ` Jean-Marc Saffroy
2023-09-27 15:40 ` Zdenek Kabelac
2023-09-28 12:23 ` Jean-Marc Saffroy
2023-09-29 13:41 ` Zdenek Kabelac