| 1 |
Am Wed, Sep 14, 2022 at 08:55:26AM -0500 schrieb Dale: |
| 2 |
|
| 3 |
> I see the point but wasn't aware there was more than one way to do it |
| 4 |
> with cryptsetup. It seems there is several options for this. I was |
| 5 |
> pretty sure LVM was on bottom and mentioned it in my original post. |
| 6 |
|
| 7 |
Indeed you did and it confused me at first. Then I gave it some thought and |
| 8 |
concluded: why not? |
| 9 |
|
| 10 |
You do it like so: |
| 11 |
Block device --, |
| 12 |
Block device --+-- LVM --- LUKS --- File system |
| 13 |
Block device --' |
| 14 |
|
| 15 |
> After reading your post, I got to wondering, did I do this the right |
| 16 |
> way? |
| 17 |
|
| 18 |
Your advantage: only one LUKS header to take care of. That means no extra |
| 19 |
crypt management when adding or removing disks, except for resizing the |
| 20 |
crypt volume. And there is only a single place of storage for your keys (in |
| 21 |
case you ever need to change them). |
| 22 |
|
| 23 |
I’m not sure whether it’s the right™ way. It is *one* way. Perhaps there are |
| 24 |
drawbacks that I can’t think of right now. |
| 25 |
|
| 26 |
|
| 27 |
I would typically have done: |
| 28 |
Block device --- LUKS --, |
| 29 |
Block device --- LUKS --+-- LVM --- File system |
| 30 |
Block device --- LUKS --' |
| 31 |
|
| 32 |
That’s how my NAS works at the moment (with ZFS instead of LVM + filesystem). |
| 33 |
But that’s because ZFS didn’t have built-in encryption when I set it up some |
| 34 |
years ago. These days I would do: |
| 35 |
|
| 36 |
Block device --, |
| 37 |
Block device --+-- ZFS |
| 38 |
Block device --' |
| 39 |
|
| 40 |
That’s it. :D Encryption, disk arrays and file system all in one shop. |
| 41 |
|
| 42 |
> So, I started looking to see how to tell for sure. I used several |
| 43 |
> LVM type commands but didn't see anything that I recognized anyway. |
| 44 |
> Keep in mind, I'm not real sure what I'm looking for either. Then I ran |
| 45 |
> lsblk -f and found a clue that I've never noticed before. |
| 46 |
> |
| 47 |
> |
| 48 |
> sdd |
| 49 |
> |
| 50 |
> └─sdd1 LVM2_member LVM2 001 |
| 51 |
> pVnP2i-sj48-3co9-nJpa-9tQr-08pa-9JqASR |
| 52 |
> └─crypt-crypt crypto_LUKS 2 |
| 53 |
> 6e884aae-9377-49ef-a602-e13cba89a377 |
| 54 |
> └─crypt ext4 1.0 crypt |
| 55 |
> 76653316-329f-4747-8fed-fc9b1723bd14 3.5T 79% |
| 56 |
> /home/dale/Desktop/Crypt |
| 57 |
> |
| 58 |
> |
| 59 |
> I know that is going to be line wrapped and mess up things |
| 60 |
|
| 61 |
You could have redacted the long UUIDs which aren’t relavant anyways. I write my mail in mutt and vim, thus I can rewrap paragraphs individually and at will. That way I can paint ASCII art, paste over-long console output or write one-line paragraphs like this one. ;-) |
| 62 |
|
| 63 |
> but the part I noticed was the drive partition "sdd1" and "LVM2 member". |
| 64 |
> On top of that is crypto. So, LVM is on bottom. If that is the case, my |
| 65 |
> pvmove command should be moving what I think you call "raw data", doesn't |
| 66 |
> matter if it is encrypted or not, right? |
| 67 |
|
| 68 |
Yup. This kind of layering is one of the big beauty of Linux for me. It’s |
| 69 |
all interchangable and layer X doesn’t care what layer X+1 is doing and vice |
| 70 |
versa. |
| 71 |
|
| 72 |
> Just in case it matters, could I have done everything but the file system |
| 73 |
> resize while it was closed? It seems it is basically encrypted on the |
| 74 |
> layer just below the file system to me. |
| 75 |
|
| 76 |
I think so, yes. |
| 77 |
|
| 78 |
|
| 79 |
PS.: All your LVM threads made me embrace LVM on my PC when I recently |
| 80 |
switched it from SATA to NVMe. And because after many years of ignorance, I |
| 81 |
finally had an actual use case: my laptop’s root partition became too small |
| 82 |
and I had to give it some space from the data partition. In my early Gentoo |
| 83 |
years I didn’t use an initrd and didn’t want to, so LVM was never an option. |
| 84 |
But when I set up the (then brand-new) laptop, I used Sakaki’s howto for |
| 85 |
full-disk encryption, which used an initrd + LVM anyways. This saved the |
| 86 |
SSD from a full reformat and rewrite. |
| 87 |
|
| 88 |
-- |
| 89 |
Grüße | Greetings | Salut | Qapla’ |
| 90 |
Please do not share anything from, with or about me on any social network. |
| 91 |
|
| 92 |
The longer it rains, the better the prospect of nicer weather. |
Archives