1 |
2009/1/22 Duncan <1i5t5.duncan@×××.net>: |
2 |
> Richard Freeman <rich0@g.o> posted 49789D9C.7040001@g.o, |
3 |
> excerpted below, on Thu, 22 Jan 2009 11:23:56 -0500: |
4 |
> |
5 |
>> All of this assumes that luks contains no bugs. If the encryption layer |
6 |
>> botches your data all bets are off. That happened to me with lvm - I |
7 |
>> managed to hose half my system that way (an fsck on one logical volume |
8 |
>> managed to hose all the other logical volumes in the same volume group). |
9 |
>> It is a rare problem, but I'm now just running on bare md devices |
10 |
>> (and just running on md gives me some options for expanding storage |
11 |
>> later). |
12 |
> |
13 |
> Hmm, interesting. I run my main system and a backup image of same direct |
14 |
> on partitioned mdp/RAID (RAID doesn't cure the fat-finger or botched |
15 |
> upgrade problem, that's what the backup image is for), so I have all my |
16 |
> applications available without lvm, but I use lvm2 on top of RAID for |
17 |
> most of my data partitions and their backups. I've never had a problem |
18 |
> with that using reiserfs on lvm2 on RAID-6 here, nor have I heard of |
19 |
> anyone else having that sort of problems with lvm, at least not since the |
20 |
> lvm2 era. |
21 |
> |
22 |
> The problems I've had with LVM are simply its inconvenience and |
23 |
> administration complexity when there are layers on layers, since there's |
24 |
> no way to put / on it without using an initramfs/initrd, which I didn't |
25 |
> want to use. The partitioned RAID is nice in that regard since the |
26 |
> kernel can handle that directly. If I were to redo it today, I'd |
27 |
> consider eliminating the LVM2 layer for the data for that reason alone. |
28 |
> |
29 |
well, i think that the lvm2 layer is still good even when used on a |
30 |
single disk. especially when |
31 |
you don't know how the partitions would look like. i've had big time |
32 |
saves by resizing lvm2 |
33 |
array than copying, removing partitions, recreating them and then |
34 |
recopying files into |
35 |
the newer ones. |
36 |
as for the / i'm considering using / + /boot on a usb disk (nowadays |
37 |
booting from usb devices is |
38 |
no pain) and would prevent me from exposing ciphered luks data. it's |
39 |
true that loosing the key would |
40 |
mean a total disaster, but it's simpler to have 2-3 2gb usb keys |
41 |
(which mean about 20-30€) as root |
42 |
and have an entire luks+raided partition. if you'd were to go even |
43 |
further putting another external usb |
44 |
key as authentication key for the encrypted partion would be even more secure. |
45 |
|
46 |
-- |
47 |
dott. ing. beso |