| 1 |
2009/1/22 Duncan <1i5t5.duncan@×××.net>: |
| 2 |
> Richard Freeman <rich0@g.o> posted 49789D9C.7040001@g.o, |
| 3 |
> excerpted below, on Thu, 22 Jan 2009 11:23:56 -0500: |
| 4 |
> |
| 5 |
>> All of this assumes that luks contains no bugs. If the encryption layer |
| 6 |
>> botches your data all bets are off. That happened to me with lvm - I |
| 7 |
>> managed to hose half my system that way (an fsck on one logical volume |
| 8 |
>> managed to hose all the other logical volumes in the same volume group). |
| 9 |
>> It is a rare problem, but I'm now just running on bare md devices |
| 10 |
>> (and just running on md gives me some options for expanding storage |
| 11 |
>> later). |
| 12 |
> |
| 13 |
> Hmm, interesting. I run my main system and a backup image of same direct |
| 14 |
> on partitioned mdp/RAID (RAID doesn't cure the fat-finger or botched |
| 15 |
> upgrade problem, that's what the backup image is for), so I have all my |
| 16 |
> applications available without lvm, but I use lvm2 on top of RAID for |
| 17 |
> most of my data partitions and their backups. I've never had a problem |
| 18 |
> with that using reiserfs on lvm2 on RAID-6 here, nor have I heard of |
| 19 |
> anyone else having that sort of problems with lvm, at least not since the |
| 20 |
> lvm2 era. |
| 21 |
> |
| 22 |
> The problems I've had with LVM are simply its inconvenience and |
| 23 |
> administration complexity when there are layers on layers, since there's |
| 24 |
> no way to put / on it without using an initramfs/initrd, which I didn't |
| 25 |
> want to use. The partitioned RAID is nice in that regard since the |
| 26 |
> kernel can handle that directly. If I were to redo it today, I'd |
| 27 |
> consider eliminating the LVM2 layer for the data for that reason alone. |
| 28 |
> |
| 29 |
well, i think that the lvm2 layer is still good even when used on a |
| 30 |
single disk. especially when |
| 31 |
you don't know how the partitions would look like. i've had big time |
| 32 |
saves by resizing lvm2 |
| 33 |
array than copying, removing partitions, recreating them and then |
| 34 |
recopying files into |
| 35 |
the newer ones. |
| 36 |
as for the / i'm considering using / + /boot on a usb disk (nowadays |
| 37 |
booting from usb devices is |
| 38 |
no pain) and would prevent me from exposing ciphered luks data. it's |
| 39 |
true that loosing the key would |
| 40 |
mean a total disaster, but it's simpler to have 2-3 2gb usb keys |
| 41 |
(which mean about 20-30€) as root |
| 42 |
and have an entire luks+raided partition. if you'd were to go even |
| 43 |
further putting another external usb |
| 44 |
key as authentication key for the encrypted partion would be even more secure. |
| 45 |
|
| 46 |
-- |
| 47 |
dott. ing. beso |
Archives