Hi Chris,

thanks for your answer.

It is the first time I decided to encrypt my LVM. I chose to encrypt the volume group, not every logical volume itself, because in case of doing LVM snapshots in that group they will be encrypted too?

And how do I create a new encrypted volume group?

Regards
Tim

On 6 March 2015 01:58:23 CET, Chris Murphy <lists at colorremedies.com> wrote:
> On Thu, Mar 5, 2015 at 2:09 PM, Tim <lists at kiuni.de> wrote:
>> Hello list,
>>
>> I bought a Thinkpad T420 and installed CentOS 7 recently.
>>
>> I chose to use LVM encryption for the entire volume group. It works so far.
>>
>> But now I am planning to install a second hard disk. My thought is to create a new volume group on this additional disk.
>>
>> But how can I integrate/do this according to the existing encryption so that it will be decrypted by the same passphrase I use at startup?
>
> http://linux.die.net/man/5/crypttab
>
> When you create a new entry in crypttab, you can use the 3rd field to point to a file that contains the passphrase for this new LUKS volume. In effect, one passphrase gives access to both drives.
>
> So there's a pro and con here. Pro is that you could actually opt for a completely different passphrase for the 2nd drive, but never have to directly type it in. The con is that should you forget this passphrase, and its only location is on the primary drive that's already encrypted and that drive dies - then anything on the 2nd drive cannot be decrypted. Oops. So be careful of that.
>
> --
> Chris Murphy
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
On Thu, Mar 5, 2015 at 10:25 PM, Tim <lists at kiuni.de> wrote:
> Hi Chris,
>
> thanks for your answer.
>
> It is the first time I decided to encrypt my LVM. I chose to encrypt the volume group, not every logical volume itself, because in case of doing LVM snapshots in that group they will be encrypted too?

Yes, anything that's COW'd is also encrypted in this case.

> And how do I create a new encrypted volume group?

Strictly speaking the VG isn't the target of the encryption, the underlying PV is. Also, it's not absolutely necessary to partition the drive at all if you have no need for unencrypted space on this new drive. Since I use drives on multiple platforms, I always partition so that other OS's recognize the drive space is spoken for instead of appearing unpartitioned and hence blank. Linux via libblkid always looks at disk contents whether partitioned or not, so if this is a Linux-only drive you don't have to partition it.

1. Use cryptsetup to create a LUKS volume on the whole disk or a partition thereof. For the exact command, you can cheat by doing 'grep cryptsetup /var/log/anaconda/program.log' which will show you the command Anaconda used when setting up your first drive. PLEASE make sure you don't use that command directly or it'll wipe the LUKS header on your current drive. You have to change the /dev/sdX designation to point to the new drive or partition.
2. cryptsetup luksOpen /dev/sdX newdrive
3. pvcreate /dev/mapper/newdrive
4. vgcreate newvg /dev/mapper/newdrive
5. lvcreate -L 300G -n morestuff newvg
6. mkfs.xfs /dev/mapper/newvg-morestuff

Adapt as needed. Don't forget crypttab is used to point to the LUKS volume; once it's unlocked the PV is revealed and lvm will activate the VG and the LVs on it, and then in your fstab you'll have the UUID for the XFS volume and mount this wherever you want it mounted.

--
Chris Murphy
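The steps above, together with the crypttab keyfile approach from Chris's first reply, as one added script (not from the thread or from CentOS): it formats the new disk as LUKS, adds a keyfile as a second key slot while keeping a typed passphrase as the recovery path, builds the PV/VG/LV and XFS filesystem, and prints the crypttab and fstab lines to add. Device, VG, LV and mount names and the size are placeholders, and with DRY_RUN=1 (the default) every command is only printed.

```shell
#!/bin/bash
# Added example, not from the thread: bring up a second LUKS-encrypted disk as a
# new LVM PV/VG/LV and register it in /etc/crypttab with a keyfile in the 3rd
# field, so the passphrase typed at boot for the first disk unlocks both.
# All device, VG, LV, mount names and the size are placeholders; with DRY_RUN=1
# (the default) the commands are only printed and nothing is touched.
set -euo pipefail

DEV="${DEV:-/dev/sdX}"           # the NEW disk or partition, never the existing one
NAME="${NAME:-newdrive}"         # becomes /dev/mapper/$NAME once unlocked
VG="${VG:-newvg}"; LV="${LV:-morestuff}"; SIZE="${SIZE:-300G}"
MNT="${MNT:-/mnt/morestuff}"
KEYFILE="${KEYFILE:-/etc/luks-keys/$NAME.key}"   # lives on the already-encrypted root fs
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Guard against Chris's warning: never luksFormat a device that already has a LUKS header.
refuse_if_luks() {
  if cryptsetup isLuks "$1" 2>/dev/null; then
    echo "refusing: $1 already carries a LUKS header" >&2; return 1
  fi
}
# crypttab: <mapper name> <UUID of the LUKS container> <keyfile> <options>
crypttab_line() { printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"; }
# fstab: the XFS filesystem on the LV, referenced by its own UUID, not the LUKS one
fstab_line() { printf 'UUID=%s %s xfs defaults 0 0\n' "$1" "$2"; }
# Look up a UUID with blkid, or return a labelled placeholder in dry-run mode
uuid_of() { if [ "$DRY_RUN" = 1 ]; then echo "<$2-uuid>"; else blkid -s UUID -o value "$1"; fi; }

setup_second_disk() {
  refuse_if_luks "$DEV"
  run install -d -m 0700 /etc/luks-keys
  run sh -c "dd if=/dev/urandom of='$KEYFILE' bs=64 count=1 status=none && chmod 0400 '$KEYFILE'"
  run cryptsetup luksFormat "$DEV"                 # prompts for a passphrase: the recovery path
  run cryptsetup luksAddKey "$DEV" "$KEYFILE"      # second key slot for unattended unlock at boot
  run cryptsetup luksOpen --key-file "$KEYFILE" "$DEV" "$NAME"
  run pvcreate "/dev/mapper/$NAME"
  run vgcreate "$VG" "/dev/mapper/$NAME"
  run lvcreate -L "$SIZE" -n "$LV" "$VG"
  run mkfs.xfs "/dev/mapper/$VG-$LV"
  echo "crypttab: $(crypttab_line "$NAME" "$(uuid_of "$DEV" luks)" "$KEYFILE")"
  echo "fstab:    $(fstab_line "$(uuid_of "/dev/mapper/$VG-$LV" xfs)" "$MNT")"
}
setup_second_disk
```

Keep the typed passphrase written down somewhere other than the first disk: if that disk dies, the keyfile dies with it and the passphrase is the only remaining way into the second drive.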
I will have a look at the anaconda log. Thanks for the first help. I will have to buy a new Ultrabay case.

On 6 March 2015 07:10:31 CET, Chris Murphy <lists at colorremedies.com> wrote:
> On Thu, Mar 5, 2015 at 10:25 PM, Tim <lists at kiuni.de> wrote:
>> Hi Chris,
>>
>> thanks for your answer.
>>
>> It is the first time I decided to encrypt my LVM. I chose to encrypt the volume group, not every logical volume itself, because in case of doing LVM snapshots in that group they will be encrypted too?
>
> Yes, anything that's COW'd is also encrypted in this case.
>
>> And how do I create a new encrypted volume group?
>
> Strictly speaking the VG isn't the target of the encryption, the underlying PV is. Also, it's not absolutely necessary to partition the drive at all if you have no need for unencrypted space on this new drive. Since I use drives on multiple platforms, I always partition so that other OS's recognize the drive space is spoken for instead of appearing unpartitioned and hence blank. Linux via libblkid always looks at disk contents whether partitioned or not, so if this is a Linux-only drive you don't have to partition it.
>
> 1. Use cryptsetup to create a LUKS volume on the whole disk or a partition thereof. For the exact command, you can cheat by doing 'grep cryptsetup /var/log/anaconda/program.log' which will show you the command Anaconda used when setting up your first drive. PLEASE make sure you don't use that command directly or it'll wipe the LUKS header on your current drive. You have to change the /dev/sdX designation to point to the new drive or partition.
> 2. cryptsetup luksOpen /dev/sdX newdrive
> 3. pvcreate /dev/mapper/newdrive
> 4. vgcreate newvg /dev/mapper/newdrive
> 5. lvcreate -L 300G -n morestuff newvg
> 6. mkfs.xfs /dev/mapper/newvg-morestuff
>
> Adapt as needed. Don't forget crypttab is used to point to the LUKS volume; once it's unlocked the PV is revealed and lvm will activate the VG and the LVs on it, and then in your fstab you'll have the UUID for the XFS volume and mount this wherever you want it mounted.
>
> --
> Chris Murphy
I'm sorry, but grep -i crypt /var/log/anaconda/anaconda.program.log returns nothing. But I have got an entry in /etc/crypttab.

I only found this with grep -i luks /var/log/anaconda/anaconda.*:

/var/log/anaconda/anaconda.storage.log:20:47:55,959 DEBUG blivet: LUKS.__init__:
/var/log/anaconda/anaconda.storage.log:20:49:25,009 DEBUG storage.ui: LUKS.__init__:
/var/log/anaconda/anaconda.storage.log:20:49:25,009 DEBUG storage.ui: getFormat('luks') returning LUKS instance
/var/log/anaconda/anaconda.storage.log:20:49:25,014 DEBUG storage.ui: PartitionDevice._setFormat: sda2 ; current: None ; type: luks ;
/var/log/anaconda/anaconda.storage.log:20:49:25,015 INFO storage.ui: registered action: [23] Create Format luks on partition sda2 (id 15)
/var/log/anaconda/anaconda.storage.log:20:49:25,018 DEBUG storage.ui: LUKSDevice._setFormat: luks-sda2 ; current: None ; type: lvmpv ;
/var/log/anaconda/anaconda.storage.log:20:49:25,019 INFO storage.ui: added luks/dm-crypt luks-sda2 (id 21) to device tree
/var/log/anaconda/anaconda.storage.log:20:49:25,019 INFO storage.ui: registered action: [24] Create Device luks/dm-crypt luks-sda2 (id 21)
/var/log/anaconda/anaconda.storage.log:20:49:25,019 INFO storage.ui: registered action: [25] Create Format lvmpv on luks/dm-crypt luks-sda2 (id 21)
/var/log/anaconda/anaconda.storage.log:20:49:25,020 DEBUG storage.ui: LUKSDevice.addChild: kids: 0 ; name: luks-sda2 ;
...

Seems as there is no command to crib. :-(

Regards
Tim

On 06.03.2015 at 07:10, Chris Murphy wrote:
> On Thu, Mar 5, 2015 at 10:25 PM, Tim <lists at kiuni.de> wrote:
>> Hi Chris,
>>
>> thanks for your answer.
>>
>> It is the first time I decided to encrypt my LVM. I chose to encrypt the volume group, not every logical volume itself, because in case of doing LVM snapshots in that group they will be encrypted too?
>
> Yes, anything that's COW'd is also encrypted in this case.
>
>> And how do I create a new encrypted volume group?
>
> Strictly speaking the VG isn't the target of the encryption, the underlying PV is. Also, it's not absolutely necessary to partition the drive at all if you have no need for unencrypted space on this new drive. Since I use drives on multiple platforms, I always partition so that other OS's recognize the drive space is spoken for instead of appearing unpartitioned and hence blank. Linux via libblkid always looks at disk contents whether partitioned or not, so if this is a Linux-only drive you don't have to partition it.
>
> 1. Use cryptsetup to create a LUKS volume on the whole disk or a partition thereof. For the exact command, you can cheat by doing 'grep cryptsetup /var/log/anaconda/program.log' which will show you the command Anaconda used when setting up your first drive. PLEASE make sure you don't use that command directly or it'll wipe the LUKS header on your current drive. You have to change the /dev/sdX designation to point to the new drive or partition.
> 2. cryptsetup luksOpen /dev/sdX newdrive
> 3. pvcreate /dev/mapper/newdrive
> 4. vgcreate newvg /dev/mapper/newdrive
> 5. lvcreate -L 300G -n morestuff newvg
> 6. mkfs.xfs /dev/mapper/newvg-morestuff
>
> Adapt as needed. Don't forget crypttab is used to point to the LUKS volume; once it's unlocked the PV is revealed and lvm will activate the VG and the LVs on it, and then in your fstab you'll have the UUID for the XFS volume and mount this wherever you want it mounted.