| 1 |
Wol wrote: |
| 2 |
> On 27/03/2022 21:13, Dale wrote: |
| 3 |
>> Wol wrote: |
| 4 |
>>> On 27/03/2022 20:17, Dale wrote: |
| 5 |
>>>> Howdy, |
| 6 |
>>>> |
| 7 |
>>>> I sort of started this on another thread but wanted to nail a few |
| 8 |
>>>> things |
| 9 |
>>>> down first. I'm wanting to encrypt some parts of my data on /home. |
| 10 |
>>>> This is what I got hard drive wise. |
| 11 |
>>>> |
| 12 |
>>>> |
| 13 |
>>>> root@fireball / # pvs |
| 14 |
>>>> PV VG Fmt Attr PSize PFree |
| 15 |
>>>> /dev/sda7 OS lvm2 a-- <124.46g 21.39g |
| 16 |
>>>> /dev/sdb1 Home2 lvm2 a-- <5.46t 0 |
| 17 |
>>>> /dev/sdc1 Home2 lvm2 a-- <7.28t 0 |
| 18 |
>>>> /dev/sdd1 Home2 lvm2 a-- <7.28t 0 |
| 19 |
>>>> /dev/sde1 backup lvm2 a-- 698.63g 0 |
| 20 |
>>>> root@fireball / # |
| 21 |
>>>> |
| 22 |
>>> One big piece of missing information. What does fdisk say about |
| 23 |
>>> sd[b,c,d]1? And can you add sdf1? |
| 24 |
>> |
| 25 |
>> I have the entire drive as one large partition for each drive. I could |
| 26 |
>> have done it as a whole device but I wanted partitions to give a hint |
| 27 |
>> that the drive is in use, if booted from other medium for example. |
| 28 |
>> |
| 29 |
>> I have enough extra space that I can remove either a 6TB or a 8TB |
| 30 |
>> drive. Once that is done, I can start to encrypt and move data around. |
| 31 |
>> This is some additional info from df for /home: |
| 32 |
>> |
| 33 |
>> |
| 34 |
>> /dev/mapper/Home2-Home2 20T 8.7T 12T 45% /home |
| 35 |
>> |
| 36 |
>> |
| 37 |
>> If I remove a 8TB drive, I'd still have enough room for my data. I |
| 38 |
>> could then rebuild /home starting with the 8TB drive just freed up. |
| 39 |
>> Then as I move data, I could expand them one at a time encrypting as I |
| 40 |
>> go. I'd rather not have to buy a hard drive right now. Tight budget |
| 41 |
>> given other things I got going on. I do have backups, more than one in |
| 42 |
>> a couple important data spots. |
| 43 |
>> |
| 44 |
> Do you need to shrink your fs first though? |
| 45 |
|
| 46 |
From my understanding of my google results, I need to unmount /home, |
| 47 |
shrink the file system, then I can remount /home, use pvmove to move |
| 48 |
data off whichever drive I want to take LVM off of, then pvremove the |
| 49 |
drive to make the drive available just like a new drive. I can then use |
| 50 |
it to start building the LVM and it be encrypted. As I remove other |
| 51 |
drives with the same method above, I can expand the encrypted drives. |
| 52 |
I'm still trying to figure out whether to use the 6TB or 8TB drive in |
| 53 |
normal mode. I think the 6TB would be large enough for the normal /home |
| 54 |
and let the encrypted be on the other drives. |
| 55 |
|
| 56 |
> |
| 57 |
> My three 3TB partitions are raided, and /dev/md/home is my PV. I've |
| 58 |
> only allocated the space to LVs that they need, so I could probably |
| 59 |
> shrink the PV and remove a drive without needing to mess about with my |
| 60 |
> LVs at all. I get the impression you may have allocated all your |
| 61 |
> space, not a good idea. |
| 62 |
|
| 63 |
I did allocate all the space because at the time, I wasn't considering |
| 64 |
encrypting any of that data or dividing it up. Things have changed and |
| 65 |
I want to move things around. This is one of the good things about ext4 |
| 66 |
and LVM. They can shrink in size fairly easy. Of course, backups are |
| 67 |
always a good idea. |
| 68 |
|
| 69 |
> |
| 70 |
> My attitude is my data is backed up, expanding an LV/FS is low risk, |
| 71 |
> I'll just grow stuff as I need to ... my /home partition contains |
| 72 |
> proper home drives, things like videos may be in /home/videos, but |
| 73 |
> they're actually a separate partition, etc etc. |
| 74 |
|
| 75 |
That's sort of what I'm going to do. I'm going to divide things into |
| 76 |
sections with some encrypted and some not. |
| 77 |
|
| 78 |
|
| 79 |
>> |
| 80 |
>>> |
| 81 |
>>> I'm guessing you've got three 8TB drives? Or is it two 8s and a 6? Can |
| 82 |
>>> you get a third 8TB? And if you're encrypting *parts* of /home ... |
| 83 |
>>> what parts? |
| 84 |
>>>> |
| 85 |
>>>> I've done some checking on sizes of things I want to encrypt and am |
| 86 |
>>>> weighing options. I use LVM which should help make things easier. |
| 87 |
>>>> I've |
| 88 |
>>>> downloaded and printed some howtos regarding shrinking the file system |
| 89 |
>>>> and LVM thingys. It seems I need to shrink the file system while my |
| 90 |
>>>> /home partition is unmounted. Then move the data off whichever |
| 91 |
>>>> drive I |
| 92 |
>>>> want to remove and then remove the drive itself. After that I can |
| 93 |
>>>> encrypt the just removed drive and start moving files over, using |
| 94 |
>>>> rsync |
| 95 |
>>>> is my plan. I think that is the basic steps. |
| 96 |
>>> |
| 97 |
>>> Not necessarily. |
| 98 |
>>>> |
| 99 |
>>>> My question now comes to this. When I encrypt one of the drives, |
| 100 |
>>>> can I |
| 101 |
>>>> then expand that drive with it being encrypted or is that not a |
| 102 |
>>>> option? |
| 103 |
>>>> I plan to encrypt two of the drives as one volume group and leave one |
| 104 |
>>>> other volume group as normal. I just want to be sure whether or not I |
| 105 |
>>>> can expand a encrypted LVM drive the same as a normal LVM since both |
| 106 |
>>>> uses LVM. I use cryptsetup commands to accomplish the encryption if |
| 107 |
>>>> that matters. So as a example, I start with one 7TB drive encrypted, |
| 108 |
>>>> move some data to it, then want to add either the 5TB or 7TB |
| 109 |
>>>> drive. Can |
| 110 |
>>>> I just expand it like a normal LVM or does it being encrypted change |
| 111 |
>>>> things? |
| 112 |
>>>> |
| 113 |
>>>> Thoughts? My remove steps look sensible? Expanding encrypted LVM |
| 114 |
>>>> possible? |
| 115 |
>>> |
| 116 |
>>> If you are using LVM to do the encryption, then I can't see any |
| 117 |
>>> problems adding a new PV to an encrypted VG. |
| 118 |
>>>> |
| 119 |
>>>> Dale |
| 120 |
>>>> |
| 121 |
>>> Personally, I'd use dm-crypt to encrypt the drive, and then the whole |
| 122 |
>>> lot is encrypted, and put plain LVM over that. I've got dedicated |
| 123 |
>>> layers for everything. |
| 124 |
>>> |
| 125 |
>>> It looks like your home2 is 6TB+8TB+8TB. I'd get a new 8TB, put |
| 126 |
>>> dm-crypt on it, and add it. Now I can remove the first 8TB, dm-crypt |
| 127 |
>>> it and re-add it. Same with the second 8TB. Now remove the 6TB and |
| 128 |
>>> there you are ... |
| 129 |
>>> |
| 130 |
>>> My layout's rather different from yours, so I don't think I ought to |
| 131 |
>>> say too much :-) |
| 132 |
>>> |
| 133 |
>>> Cheers, |
| 134 |
>>> Wol |
| 135 |
>>> |
| 136 |
>>> |
| 137 |
>> |
| 138 |
>> |
| 139 |
>> What is the advantage of dm-crypt over cryptsetup? I've learned how to |
| 140 |
>> use cryptsetup with my external drive so was hoping to stick with what I |
| 141 |
>> already know. Unless there is a advantage to dm-crypt. |
| 142 |
>> |
| 143 |
> I don't know either. I'm just far more familiar with the dm/md layer |
| 144 |
> because I run md-raid over dm-integrity. Hence dm-crypt. |
| 145 |
> |
| 146 |
> Is cryptsetup a layer in its own right, or part of lvm? I prefer the |
| 147 |
> Unix "use several tools each of which does one thing well", other |
| 148 |
> people prefer a swiss army knife like ZFS or btrfs. I don't know where |
| 149 |
> cryptsetup lies on that spectrum, and I don't know your preferences on |
| 150 |
> that spectrum. |
| 151 |
> |
| 152 |
> Cheers, |
| 153 |
> Wol |
| 154 |
> |
| 155 |
> |
| 156 |
|
| 157 |
|
| 158 |
Based on the reply from Rich, thanks for the info, cryptsetup is just a |
| 159 |
upper level of dm-crypt. Basically, cryptsetup just has some user |
| 160 |
friendly bits added on top of it. Security wise, should be secure |
| 161 |
either way. |
| 162 |
|
| 163 |
The biggest thing, can I encrypt a LVM group and then expand it. It |
| 164 |
seems I can. I've found where google results say the same but some |
| 165 |
results are dated. Things change. Sometimes for the good, sometimes not. |
| 166 |
|
| 167 |
Dale |
| 168 |
|
| 169 |
:-) :-) |
Archives