On Wed, Sep 14, 2022 at 08:55:26AM -0500, Dale wrote:

> I see the point but wasn't aware there was more than one way to do it
> with cryptsetup. It seems there are several options for this. I was
> pretty sure LVM was on bottom and mentioned it in my original post.

Indeed you did and it confused me at first. Then I gave it some thought and
concluded: why not?

You do it like so:
Block device --,
Block device --+-- LVM --- LUKS --- File system
Block device --'

> After reading your post, I got to wondering, did I do this the right
> way?

Your advantage: only one LUKS header to take care of. That means no extra
crypt management when adding or removing disks, except for resizing the
crypt volume. And there is only a single place of storage for your keys (in
case you ever need to change them).

I’m not sure whether it’s the right™ way. It is *one* way. Perhaps there are
drawbacks that I can’t think of right now.


I would typically have done:
Block device --- LUKS --,
Block device --- LUKS --+-- LVM --- File system
Block device --- LUKS --'

That’s how my NAS works at the moment (with ZFS instead of LVM + filesystem).
But that’s because ZFS didn’t have built-in encryption when I set it up some
years ago. These days I would do:

Block device --,
Block device --+-- ZFS
Block device --'

That’s it. :D Encryption, disk arrays and file system all in one shop.

> So, I started looking to see how to tell for sure. I used several
> LVM type commands but didn't see anything that I recognized anyway.
> Keep in mind, I'm not real sure what I'm looking for either. Then I ran
> lsblk -f and found a clue that I've never noticed before.
>
>
> sdd
>
> └─sdd1 LVM2_member LVM2 001
> pVnP2i-sj48-3co9-nJpa-9tQr-08pa-9JqASR
> └─crypt-crypt crypto_LUKS 2
> 6e884aae-9377-49ef-a602-e13cba89a377
> └─crypt ext4 1.0 crypt
> 76653316-329f-4747-8fed-fc9b1723bd14 3.5T 79%
> /home/dale/Desktop/Crypt
>
>
> I know that is going to be line wrapped and mess up things

You could have redacted the long UUIDs which aren’t relevant anyways. I write my mail in mutt and vim, thus I can rewrap paragraphs individually and at will. That way I can paint ASCII art, paste over-long console output or write one-line paragraphs like this one. ;-)

> but the part I noticed was the drive partition "sdd1" and "LVM2 member".
> On top of that is crypto. So, LVM is on bottom. If that is the case, my
> pvmove command should be moving what I think you call "raw data", doesn't
> matter if it is encrypted or not, right?

Yup. This kind of layering is one of the big beauties of Linux for me. It’s
all interchangeable and layer X doesn’t care what layer X+1 is doing and vice
versa.

> Just in case it matters, could I have done everything but the file system
> resize while it was closed? It seems it is basically encrypted on the
> layer just below the file system to me.

I think so, yes.


PS.: All your LVM threads made me embrace LVM on my PC when I recently
switched it from SATA to NVMe. And because after many years of ignorance, I
finally had an actual use case: my laptop’s root partition became too small
and I had to give it some space from the data partition. In my early Gentoo
years I didn’t use an initrd and didn’t want to, so LVM was never an option.
But when I set up the (then brand-new) laptop, I used Sakaki’s howto for
full-disk encryption, which used an initrd + LVM anyways. This saved the
SSD from a full reformat and rewrite.

--
Grüße | Greetings | Salut | Qapla’
Please do not share anything from, with or about me on any social network.

The longer it rains, the better the prospect of nicer weather.
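
Added example, not part of the original mail: a Python sketch that reads `lsblk --json -o NAME,FSTYPE` output and reports, for each device stack, whether LVM sits below LUKS or the other way round, which is the question the quoted `lsblk -f` output answers by eye. The sample JSON is constructed: the first disk mirrors the layout quoted above, the second disk (`sde`, `sde1_crypt`, `vg0-home`) is a hypothetical LUKS-below-LVM counterpart.

```python
import json

# Constructed sample in the shape printed by `lsblk --json -o NAME,FSTYPE`.
# First disk follows the quoted layout (UUIDs left out); second is hypothetical.
SAMPLE = """
{"blockdevices": [
  {"name": "sdd", "fstype": null, "children": [
    {"name": "sdd1", "fstype": "LVM2_member", "children": [
      {"name": "crypt-crypt", "fstype": "crypto_LUKS", "children": [
        {"name": "crypt", "fstype": "ext4"}
      ]}
    ]}
  ]},
  {"name": "sde", "fstype": null, "children": [
    {"name": "sde1", "fstype": "crypto_LUKS", "children": [
      {"name": "sde1_crypt", "fstype": "LVM2_member", "children": [
        {"name": "vg0-home", "fstype": "xfs"}
      ]}
    ]}
  ]}
]}
"""

def chains(node, path=()):
    """Yield one (name, fstype) path per leaf device, bottom layer first."""
    path = path + ((node["name"], node.get("fstype")),)
    children = node.get("children") or []
    if not children:
        yield path
    for child in children:
        yield from chains(child, path)

def classify(path):
    """Say which of LVM and LUKS sits lower in one device stack."""
    types = [fstype for _, fstype in path]
    lvm = types.index("LVM2_member") if "LVM2_member" in types else None
    luks = types.index("crypto_LUKS") if "crypto_LUKS" in types else None
    if lvm is None or luks is None:
        return "not an LVM+LUKS stack"
    return "LVM below LUKS" if lvm < luks else "LUKS below LVM"

def report(lsblk_json):
    """Map each leaf device name to its layering verdict."""
    result = {}
    for disk in json.loads(lsblk_json)["blockdevices"]:
        for path in chains(disk):
            result[path[-1][0]] = classify(path)
    return result
```

Calling `report(SAMPLE)` gives one verdict per leaf device; on a live system the same function can be fed the output of `lsblk --json -o NAME,FSTYPE`.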