linux-lvm.redhat.com archive mirror
From: Jean-Marc Saffroy <saffroy+redhat@gmail.com>
To: linux-lvm@redhat.com
Subject: [linux-lvm] Can I combine LUKS and LVM to achieve encryption and snapshots?
Date: Mon, 25 Sep 2023 00:09:47 +0200
Message-ID: <CAM5YWZfo5q5rP+E2JFudGaHJLQ-2bk2UfpR=En5eDF37JKq2rw@mail.gmail.com>


Hello LVM experts,

I am trying to create a volume with the following properties:
- the volume can be resized
- the volume is encrypted
- the volume can be snapshotted (for online backups)

So I thought I'd create the volume with LVM, encrypt it with LUKS, and
snapshot it with LVM. However, LVM doesn't want to snapshot the unencrypted
LUKS volume, as it is not an actual logical volume known to LVM (and I am
not keen on snapshotting the encrypted volume, as that means the backup
process would need the passphrase to mount the encrypted snapshot).

Is there a good way to achieve this with LUKS and LVM, or should I look
elsewhere?

I have two ideas but I don't know if they are safe or practical:
- I could try running LVM (snapshots) on top of LUKS (encryption) itself on
top of LVM (resize)
- or I could try working with dmsetup to fill the gap between LUKS and LVM

I did simple tests with dmsetup, and that *seems* to work, however I am not
sure at all if that would be robust. An outline of my test:
- create an LVM volume (lvcreate) from a larger volume group
- make it a LUKS volume (cryptsetup luksFormat)
- "open" the LUKS volume (cryptsetup open)
- create a snapshot-origin volume from the open LUKS volume (dmsetup create)
- mount that as my active volume
- every time I want to do a backup:
  create a temporary snapshot volume from the origin, mount it, run the
backup, unmount it, delete it

Thoughts?

Cheers,
JM
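
The dmsetup layering outlined in the message above, as an added dry-run example that is not part of the original post: it only prints the device-mapper tables and commands for one backup cycle. All device and mapping names (data_plain, data_origin, cow_plain, /mnt/backup) and the size are constructed placeholders, and the COW device is assumed to be an already opened encrypted mapping.

```shell
#!/bin/sh
# Added example: dry-run planner, nothing here touches a block device.
# All device and mapping names are constructed placeholders.

# Table for the writable origin that gets mounted as the active volume.
# $1 = size in 512-byte sectors, $2 = opened (decrypted) LUKS mapping
origin_table() {
    printf '0 %s snapshot-origin %s\n' "$1" "$2"
}

# Table for a temporary snapshot. It points at the same decrypted mapping,
# not at the snapshot-origin device stacked on top of it.
# $1 = size in sectors, $2 = decrypted mapping, $3 = COW device,
# $4 = chunk size in sectors (default 8); N = non-persistent exception store
snapshot_table() {
    printf '0 %s snapshot %s %s N %s\n' "$1" "$2" "$3" "${4:-8}"
}

# Print (do not run) the commands for one backup cycle.
# $1 = origin dm name, $2 = decrypted mapping, $3 = COW device,
# $4 = size in sectors (on a real system: blockdev --getsz "$2")
plan_backup() {
    snap="$1-snap"
    echo "dmsetup suspend $1"    # freezes the mounted fs and flushes I/O
    echo "dmsetup create $snap --table '$(snapshot_table "$4" "$2" "$3")'"
    echo "dmsetup resume $1"
    echo "mount -o ro /dev/mapper/$snap /mnt/backup"
    echo "# ... run the backup from /mnt/backup ..."
    echo "umount /mnt/backup"
    echo "dmsetup remove $snap"
}

# One-time setup of the origin, then one backup cycle.
# The COW device receives decrypted chunks copied from the origin, so this
# example assumes it is itself an opened encrypted mapping (cow_plain),
# not a bare LV.
echo "dmsetup create data_origin --table '$(origin_table 2097152 /dev/mapper/data_plain)'"
plan_backup data_origin /dev/mapper/data_plain /dev/mapper/cow_plain 2097152
```
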
