Hello list,

I bought a Thinkpad T420 and installed CentOS 7 recently.

I chose to use LVM encryption for the entire volume group. It works so far.

But now I am planning to install a second hard disk. My thought is to create a new volume group on this additional disk.

But how can I integrate/do this according to the existing encryption so that it will be decrypted by the same passphrase I use at startup?

Regards and thanks in advance
Tim
On Thu, Mar 5, 2015 at 2:09 PM, Tim <lists at kiuni.de> wrote:
> Hello list,
>
> I bought a Thinkpad T420 and installed CentOS 7 recently.
>
> I chose to use LVM encryption for the entire volume group. It works so far.
>
> But now I am planning to install a second hard disk. My thought is to create a new volume group on this additional disk.
>
> But how can I integrate/do this according to the existing encryption so that it will be decrypted by the same passphrase I use at startup?

http://linux.die.net/man/5/crypttab

When you create a new entry in crypttab, you can use the 3rd field to point to a file that contains the passphrase for this new LUKS volume. In effect, one passphrase gives access to both drives.

So there's a pro and a con here. The pro is that you could actually opt for a completely different passphrase for the 2nd drive, but never have to directly type it in. The con is that should you forget this passphrase, and its only location is on the primary drive that's already encrypted and that drive dies, then anything on the 2nd drive cannot be decrypted. Oops. So be careful of that.

-- 
Chris Murphy
Hi Chris,

thanks for your answer. It is the first time I decided to encrypt my LVM. I chose to encrypt the volume group, not every logical volume itself, because in case of doing LVM snapshots in that group they will be encrypted too?

And how do I create a new encrypted volume group?

Regards
Tim

On 6 March 2015 01:58:23 CET, Chris Murphy <lists at colorremedies.com> wrote:
>On Thu, Mar 5, 2015 at 2:09 PM, Tim <lists at kiuni.de> wrote:
>> Hello list,
>>
>> I bought a Thinkpad T420 and installed CentOS 7 recently.
>>
>> I chose to use LVM encryption for the entire volume group. It works so far.
>>
>> But now I am planning to install a second hard disk. My thought is to create a new volume group on this additional disk.
>>
>> But how can I integrate/do this according to the existing encryption so that it will be decrypted by the same passphrase I use at startup?
>
>http://linux.die.net/man/5/crypttab
>
>When you create a new entry in crypttab, you can use the 3rd field to point to a file that contains the passphrase for this new LUKS volume. In effect, one passphrase gives access to both drives.
>
>So there's a pro and a con here. The pro is that you could actually opt for a completely different passphrase for the 2nd drive, but never have to directly type it in. The con is that should you forget this passphrase, and its only location is on the primary drive that's already encrypted and that drive dies, then anything on the 2nd drive cannot be decrypted. Oops. So be careful of that.
>
>-- 
>Chris Murphy
>_______________________________________________
>CentOS mailing list
>CentOS at centos.org
>http://lists.centos.org/mailman/listinfo/centos
On 03/05/2015 06:58 PM, Chris Murphy wrote:
> On Thu, Mar 5, 2015 at 2:09 PM, Tim <lists at kiuni.de> wrote:
>> Hello list,
>>
>> I bought a Thinkpad T420 and installed CentOS 7 recently.
>>
>> I chose to use LVM encryption for the entire volume group. It works so far.
>>
>> But now I am planning to install a second hard disk. My thought is to create a new volume group on this additional disk.
>>
>> But how can I integrate/do this according to the existing encryption so that it will be decrypted by the same passphrase I use at startup?
>
> http://linux.die.net/man/5/crypttab
>
> When you create a new entry in crypttab, you can use the 3rd field to point to a file that contains the passphrase for this new LUKS volume. In effect, one passphrase gives access to both drives.

You don't even need to do that. The init scripts try your passphrase on every encrypted volume. If that one passphrase unlocks everything, you're done. In a graphical boot, you don't even know which volume you are being prompted to unlock (and the order is not consistent).

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.
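As an added example (not code from the thread or from any of its posters), the following script carries out both answers above on a CentOS 7 box: it formats the second disk as LUKS, writes the /etc/crypttab line, and creates the new volume group on the mapped device. With KEYFILE set it follows Chris's approach (a key file on the already-encrypted root, third crypttab field); with KEYFILE empty it follows Bob's (third field "none", so the passphrase typed at boot is tried on this disk too). The disk, mapping, VG and key file names are assumptions.

```shell
#!/bin/bash
# Added example, not code from the thread. Assumed (hypothetical) names: the new
# disk is /dev/sdb, the dm name is "luks-data", the new VG is "vg_data" and the
# key file lives at /etc/luks-keys/sdb.key on the already-encrypted root.
set -eu

DISK="${DISK:-/dev/sdb}"
MAPNAME="${MAPNAME:-luks-data}"
VGNAME="${VGNAME:-vg_data}"
KEYFILE="${KEYFILE:-/etc/luks-keys/sdb.key}"   # set to "" to rely on the boot prompt

# One /etc/crypttab line (man 5 crypttab): <name> <device> <key> <options>.
# Third field: the key file (Chris's approach) or "none", in which case the
# passphrase typed at boot is tried on this volume as well (Bob's approach).
crypttab_entry() {
    local name="$1" uuid="$2" keyfile="${3:-none}"
    printf '%s UUID=%s %s luks\n' "$name" "$uuid" "$keyfile"
}

# A key file only makes sense if it sits on a filesystem that is itself unlocked
# from a dm-crypt device; otherwise the secret is in cleartext on disk.
keyfile_on_encrypted_fs() {
    local src
    src=$(findmnt -n -o SOURCE --target "$(dirname "$1")") || return 1
    lsblk -s -n -o TYPE "$src" 2>/dev/null | grep -qw crypt
}

setup_second_disk() {   # run as root; destroys everything on $DISK
    if [ -n "$KEYFILE" ]; then
        install -d -m 0700 "$(dirname "$KEYFILE")"
        ( umask 077; head -c 64 /dev/urandom > "$KEYFILE" )
        keyfile_on_encrypted_fs "$KEYFILE" \
            || { echo "key file is not on an encrypted filesystem" >&2; return 1; }
    fi
    cryptsetup luksFormat --batch-mode "$DISK"   # prompts for a passphrase (slot 0)
    if [ -n "$KEYFILE" ]; then
        cryptsetup luksAddKey "$DISK" "$KEYFILE" # prompts for the slot-0 passphrase
        cryptsetup luksOpen --key-file "$KEYFILE" "$DISK" "$MAPNAME"
    else
        cryptsetup luksOpen "$DISK" "$MAPNAME"
    fi
    crypttab_entry "$MAPNAME" "$(cryptsetup luksUUID "$DISK")" "$KEYFILE" >> /etc/crypttab
    pvcreate "/dev/mapper/$MAPNAME"
    vgcreate "$VGNAME" "/dev/mapper/$MAPNAME"
}

if [ "${1:-}" = "--apply" ]; then
    setup_second_disk
fi
```

Nothing is changed unless the script is run with `--apply`; without it only the helper functions are defined. Back up the key file along with the rest of the system, since losing the encrypted root also loses the only copy of the second disk's key.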