Complete Encrypted LVM Install?

kce
Posts: 265
Joined: 2008-10-31 16:48

Complete Encrypted LVM Install?

#1 Post by kce »

Does anyone know if the Squeeze/Sid installer supports an encrypted LVM? I specifically mean where the LVM partition itself is encrypted, instead of just encrypting the logical volumes inside the LVM individually. I would very much like to avoid this kind of thing.

* Why aren't there options for guiding partitioning using existing free space? A 'Guided - Use Free Space for Encrypted LVM' would be fantastic. Perhaps a feature request is in order?
More paranoid than AMLJ!

kce
Posts: 265
Joined: 2008-10-31 16:48

Re: Complete Encrypted LVM Install?

#2 Post by kce »

OK. After some fiddling I've found it's possible to do this but it's not entirely intuitive.

* This is all done under manual partitioning
* Make your /boot partition
* Make a "physical volume for encryption" logical partition.
* Configure encrypted volumes (I prefer AES256)
* Select the encrypted volume, and choose to use it as a "physical volume for lvm"
* Configure LVM
* Add your desired volume group and logical volumes (all of which will be encrypted)
* Select the newly made logical volumes, and choose to use them as "ext4" and make them mountable as /, swap, etc.

...perhaps I should write up a HOWTO?

Polaris96
Posts: 555
Joined: 2009-06-17 18:37

Re: Complete Encrypted LVM Install?

#3 Post by Polaris96 »

How is this advantageous?

Just curious, but I like the flexibility of having encrypted and unencrypted data on the same partition. Also, it's sometimes advantageous to have different 'crypt volumes within a single partition. Some things you want every time you login, others can stay in the safe until you have need of them.

You can do the same thing inside a fully encrypted volume, but I don't see how all of that effort adds additional security.
for as long as the world remains. for as long as time remains. so, too, will I remain. To serve. To help. And to make my contribution. Also, never forget our family at debianuserforums.org If we can't solve your problem, they probably can.

kce
Posts: 265
Joined: 2008-10-31 16:48

Re: Complete Encrypted LVM Install?

#4 Post by kce »

I prefer an encrypted LVM over a file/directory/partition approach for a few reasons:
  • If you have your sensitive information in an encrypted file, there's no way to know for sure it hasn't been written to swap while you're reading/writing it as plaintext. So I feel it's necessary to encrypt your swap space.
  • Applications are unpredictable/unreliable regarding temporary files, sometimes they're in your /home directory, sometimes /tmp, sometimes who-knows-where so just encrypting your /home directory or a "crypt" directory/partition is not adequate for maintaining policy integrity.
  • I want to use suspend-to-memory which precludes using a random key for swap encryption.
  • Encrypting the LVM's volume group allows for a single password for multiple logical volumes (getting around the suspend-to-memory + encrypted swap issue)... it's also much more convenient than having a separate passphrase for each partition.
  • You don't need to worry about your sensitive information getting written to a plaintext file because everything is encrypted before it touches the hard disk.
  • Disposal of the hard disk is safer for the above reason... there's no question as to whether or not your data (in plaintext) is still on the hard drive.
There are of course some disadvantages: system recovery via a livecd becomes less than trivial, data recovery is basically impossible if something happens to the partition map (i.e., you better have *good* backups) and there is a performance penalty which may or may not be negligible depending on your hardware and requirements.

I admit it is a bit of sledgehammer approach but it's the only way to be sure. I consider my risk substantially greater because my system is a laptop which greatly increases its steal-ability.

Polaris96
Posts: 555
Joined: 2009-06-17 18:37

Re: Complete Encrypted LVM Install?

#5 Post by Polaris96 »

ok those are some pretty valid points.

There are utilities available to reinitialize swap for just that reason. Also, if you've got "big" memory, you can make your swap really small (say 250Meg) which will assure it's frequently overwritten. I know plenty of people who just drop their swap space, but it makes me leery ... never know what nifty forgotten core app from the '80s is going to want it there.

So far as encrypting an entire VG goes. Let me know when you've got that working. I'm curious to see somebody do it.

Best regards and good luck even though I didn't have much to add - apologies there.

kce
Posts: 265
Joined: 2008-10-31 16:48

Re: Complete Encrypted LVM Install?

#6 Post by kce »

Polaris96 wrote:There are utilities available to reinitialize swap for just that reason. Also, if you've got "big" memory, you can make your swap really small (say 250Meg) which will assure it's frequently overwritten. I know plenty of people who just drop their swap space, but it makes me leery ... never know what nifty forgotten core app from the '80s is going to want it there.
But then you've just pushed the problem elsewhere. You'll need to remember (or make a cron-job) to periodically re-initialize your swap space (and if this happens somewhere besides startup how well will programs handle this) and then you'll have to rely on that program to do it correctly. As far as I can tell re-initializing swap doesn't re-write over the space, it is *possible* that stuff still remains there. Of course this doesn't address the issues of temp files at all.

Moving to smaller swap space is probably a bad idea for the reasons you've mentioned.

Again, if you're going to go so far as to rely on encryption, you might as well just encrypt everything to be sure. Crypto is hardly ever a solution in and of itself, and many of the less thorough (or paranoid) solutions can, at least theoretically, easily be circumnavigated for some of the reasons we've discussed. It's like the steel door with eight locks on it (analogous to the AES-512 encrypted top-secret directory). Why try to go through the door, when a Sawzall will get you through the wall (analogous to your private information being written in temporary files to /home, /tmp or swap)? And if that's the case all the effort on the door has been wasted.
Polaris96 wrote:So far as encrypting an entire VG goes. Let me know when you've got that working. I'm curious to see somebody do it.
It's working fine as we speak. I think if you have a fresh hard drive or you don't mind giving the whole drive to Debian the encrypted LVM is rather trivial to set up using the Guided partitioning feature. It's harder (see my second post) if you want to do it manually... I wanted to keep my first partition intact. On Fedora Core, it's as easy as just selecting a checkbox labeled "Encrypt". This isn't exotic or difficult. I think people who have walkabout laptops, (particularly if they use it at all for business) should seriously consider this kind of thing.

Polaris96
Posts: 555
Joined: 2009-06-17 18:37

Re: Complete Encrypted LVM Install?

#7 Post by Polaris96 »

Cool. I just wondered how lvm would like parsing a vg that's encrypted. Pretty cool info thanks for sharing.

macias
Posts: 9
Joined: 2011-01-26 17:53

Re: Complete Encrypted LVM Install?

#8 Post by macias »

@kce, thank you for those steps.

I have a problem though. With Debian Squeeze RC2, after installing, the dependencies between dmcrypt and LVM are not correctly set, and first LVM tries to set up partitions. It fails, then dmcrypt tries to encrypt them (it succeeds), and then again LVM.

Maybe it is my mistake somewhere, or there is a bug in the Debian boot process.

The thing is, I installed the system with a Desktop environment, and despite this, there is no startx command, and no WM/DM kicks in. I am wondering if this has something to do with the initial problem during booting (however after booting is finished, I see correct partitions).

fsmithred
Posts: 1873
Joined: 2008-01-02 14:52

Re: Complete Encrypted LVM Install?

#9 Post by fsmithred »

macias wrote:
> I have problem though. With Debian Squeeze RC2, after installing the dependencies between dmcrypt and LVM are not correctly set, and first LVM tries to set up partitions. It fails, then dmcrypt tries to encrypt them (it succeeds), and then again LVM.

I just installed squeeze with encrypted LVM from debian-sq-di-rc1-amd64-netinst.iso, and I'm getting error messages at boot, too. It says it can't find the volume group, then it finds hda2_crypt, then it asks for the password and boots normally. It's similar to the message I get when I boot my lenny install with encrypted LVM - when it tries to mount the root filesystem, it can't find the volume group, then it asks for the password and boots normally when I enter it. I don't think it's a problem.

> The thing is, I installed system with Desktop environment, and despite this, there is no startx command, and no WM/DM kicks in. I am wondering if this has something to do with the initial problem during booting (however after booting is finished, I see correct partitions).

This is probably not related to the error messages you get at boot. I didn't install any desktop, to save time and space, so I can't say any more about it.

macias
Posts: 9
Joined: 2011-01-26 17:53

Re: Complete Encrypted LVM Install?

#10 Post by macias »

Thank you for the reply. I left the computer for the night to do a second install, I get the LVM error at start as before, but this time I have the desktop. So for the desktop it has to be something wrong with the installer.

fsmithred wrote:
> I just installed squeeze with encrypted LVM from debian-sq-di-rc1-amd64-netinst.iso, and I'm getting error messages at boot, too. It says it can't find the volume group, then it finds hda2_crypt, then it asks for the password and boots normally. It's similar to the message I get when I boot my lenny install with encrypted LVM - when it tries to mount the root filesystem, it can't find the volume group, then it asks for the password and boots normally when I enter it. I don't think it's a problem.

Yes, I get exactly this. I am glad it is nothing serious, nevertheless it would be useful to see LVM-dmcrypt are installed with dependencies set (i.e. which one kicks in first).

dotlj
Posts: 646
Joined: 2009-12-25 17:21

Re: Complete Encrypted LVM Install?

#11 Post by dotlj »

Some users only encrypt /home, swap, /tmp leaving /usr, /var unencrypted because they mostly contain their OS (Debian) which is easily obtained from the internet.
One advantage of encrypting /etc, is that someone who steals your computer can't boot it with a rescue disk, mount / and change your root password.
afaik the /boot partition needs to be unencrypted, which is what I think you said. For real security, put the /boot partition on a removable USB flash disk, so that the computer won't boot without it and if stolen, the hard disk is 100% encrypted, so no problems with keys being written to /tmp or anywhere else.

With maximum RAM, it is quite doubtful if an encrypted swap, actually if any swap is going to be used, but better to be safe and have it encrypted with everything else. The other big advantage of a LVG is that you can resize the logical partitions within the group.

macias
Posts: 9
Joined: 2011-01-26 17:53

Re: Complete Encrypted LVM Install?

#12 Post by macias »

@dotlj, /var can potentially contain sensitive info.

Maybe another perspective -- why NOT to encrypt? /boot has to be plain partition, but the rest can be encrypted, so I advise to encrypt.

Even with 2GB of RAM -- and considering performance (i.e. lack of it) of linux scheduler -- it is better not to have swap partition at all. Heavy I/O can freeze computer for good (w/o swap), and if you add swapping to it... better not.

smv
Posts: 10
Joined: 2010-11-19 14:42
Location: Galați, România

Re: Complete Encrypted LVM Install?

#13 Post by smv »

Last year I wrote http://wiki.debian.org/AesXtsEncryptedLvm and although some things have changed a bit I think it's still a good way to build.
I've shortened the whole thing but never managed to rewrite that wiki page.

kce
Posts: 265
Joined: 2008-10-31 16:48

Re: Complete Encrypted LVM Install?

#14 Post by kce »

macias wrote:
> fsmithred wrote:
> > I just installed squeeze with encrypted LVM from debian-sq-di-rc1-amd64-netinst.iso, and I'm getting error messages at boot, too. It says it can't find the volume group, then it finds hda2_crypt, then it asks for the password and boots normally. It's similar to the message I get when I boot my lenny install with encrypted LVM - when it tries to mount the root filesystem, it can't find the volume group, then it asks for the password and boots normally when I enter it. I don't think it's a problem.
>
> Yes, I get exactly this. I am glad it is nothing serious, nevertheless it would be useful to see LVM-dmcrypt are installed with dependencies set (i.e. which one kicks in first).

Same here. I think it has to do with the order of various things in the init scripts.

dotlj wrote:
> Some users only encrypt /home, swap, /tmp leaving /usr, /var unencrypted because they mostly contain their OS (Debian) which is easily obtained from the internet.
>
> One advantage of encrypting /etc, is that someone who steals your computer can't boot it with a rescue disk, mount / and change your root password.
> afaik the /boot partition needs to be unencrypted, which is what I think you said. For real security, put the /boot partition on a removable USB flash disk, so that the computer won't boot without it and if stolen, the hard disk is 100% encrypted, so no problems with keys being written to /tmp or anywhere else.
>
> With maximum RAM, it is quite doubtful if an encrypted swap, actually if any swap is going to be used, but better to be safe and have it encrypted with everything else. The other big advantage of a LVG is that you can resize the logical partitions within the group.

I don't see how encrypting the partitions storing the OS does anything for "security". I don't particularly care about the confidentiality of the operating system; in fact because it's open source, it's about as far away from confidential as you can get. I care about the confidentiality of my data and for the reasons listed in my earlier post, if you really want to be sure your data is safe, you need to encrypt the whole disk.

As for whether or not swap will have sensitive data written to it, yeah I agree it's unlikely. But again... encrypting everything is the only way to be sure.

The issue you brought up about the /boot partition being unencrypted and thus vulnerable is an important one. One of the easiest ways to subvert full disk encryption is by using a bootkit. By replacing the normal bootloader with a malicious one, the attacker can gain access to your encryption keys and passphrase (and hence your data). This is particularly an issue with laptops as it's difficult to control physical access.

It's important with "security" to remember what you're getting and what you're not (and what you gave up to get it). Full disk encryption is definitely not a silver bullet; there are some pretty elementary kinds of attacks that it can't do anything to prevent. TrueCrypt's security model does a good job of illustrating the limitations of full disk encryption.

macias
Posts: 9
Joined: 2011-01-26 17:53

Re: Complete Encrypted LVM Install?

#15 Post by macias »

> I don't see how encrypting the partitions storing the OS does anything for "security".

Various programs use the system directories as placement for config -- passwords for your ISP, system messages, and so on. For good reason those data are available for root user only, but if you get the disk off, the restrictions no longer apply.

I ask again -- is there ANY reason you skip encrypting entire disk? IMHO there is none. It's cheap, it's fast, it is better to be a little more secured, than little more unsecured.


Btw. thank you for reminding about /boot. There is a remedy for it, and again, there is no reason why I would skip the countermeasure for it. Even, if all I have to protect is my mail folder :-).

kce
Posts: 265
Joined: 2008-10-31 16:48

Re: Complete Encrypted LVM Install?

#16 Post by kce »

macias wrote:Various programs use the system directories as placement for config -- passwords for your ISP, system messages, and so on. For good reason those data are only available for root user only, but if you get the disk off, the restrictions no longer apply.
I disagree here. Any program worth its salt (hah, get it?) should be storing its authentication information in a secure manner regardless of the underlying filesystem. Again. I'm not worried about the operating system, I'm worried about my data. The issue I think we're circling is, that if my /etc and /usr directory are sitting on an encrypted LVM while that LVM is active and the encrypted file system is mounted and someone remotely attacks my machine, say through a vulnerability, FDE does nothing to stop that attack. They will just be attacking binaries, libraries, and configuration files that are "transparently encrypted".

This is important: If you leave your machine on, and the bad guys find it in that state, full disk encryption will DO NOTHING to protect your data. The same principle applies to attack, remote or otherwise. Maybe I'm not understanding your point here...

Of course, if your machine is off... then yes, it certainly helps - for reasons already discussed.
macias wrote:I ask again -- is there ANY reason you skip encrypting entire disk? IMHO there is none. It's cheap, it's fast, it is better to be a little more secured, than little more unsecured.
Agreed. If your data is confidential enough that cryptography is warranted, you should encrypt the entire disk. The only real drawback is that recovery of said data becomes impossible if you forget your password and/or your key files become corrupted (and you don't have backups of them.)

macias wrote:Btw. thank you for reminding about /boot. There is a remedy for it, and again, there no reason why I would skip the countermeasure for it. Even, if all I have to protect is my mail folder :-).
A BIOS password goes a long way... although it is certainly not bullet-proof either.

macias
Posts: 9
Joined: 2011-01-26 17:53

Re: Complete Encrypted LVM Install?

#17 Post by macias »

> Again. I'm not worried about the operating system, I'm worried about my data.

I am user and root. The root data are my data. I need to cover them too.

Code:

more /etc/ppp/peers/your_ISP_config

I bet it contains the password.

> This is important: If you leave your machine on, and the bad guys find it in that state, full disk encryption will DO NOTHING to protect your data. The same
> principle applies to attack, remote or otherwise. Maybe I'm not understanding your point here...

Indeed, securing your box is not an easy task, but I am not willing to step back just because I cannot step forward.

> Agreed. If your data is confidential enough that cryptography is warranted, you should encrypt the entire disk. The only real draw back is that recovery of said data
> becomes impossible if you forget your password and/or your key files become corrupted (and you don't have backups of them.)

OK. Agreed on that part :-)

> A BIOS password goes a long way... although it is certainly not bullet-proof either.

Oh no, God forbid! I was thinking about booting from pendrive. Once the computer started, pendrive is removed. I've never tried it, but AFAIR it is doable, and once again thank you for reminding me about it.

cbd
Posts: 2
Joined: 2012-02-25 15:12

Re: Complete Encrypted LVM Install?

#18 Post by cbd »

I have created a step by step set up for an encrypted LVM on Squeeze. There are undoubtedly better ways of doing this but I hope this may be of some help to those who have not previously done this type of installation on Debian Squeeze (6.04).

Partitioning a disk to create an Encrypted LVM system using the Debian 'Graphical expert' installation mode.

Introduction:
The existing documentation describing how to install an Encrypted LVM disk system on Debian Squeeze (6.0.4) is not very explanatory. Here below is an attempt to save time for installers new to this process on Debian. You will have to adapt the process to fit your own requirements, but it is hoped the following example based documentation will be of some help.

You can see an example of the partitioned system documented here at the end of this text.

Since it was necessary to repeat the installation process many times to achieve the required partitioning, the 'Graphical expert' installation process was eventually used since it proved faster to interact with than the alternative non graphical expert mode. The installation was mainly done from a DVD using the 'debian-6.0.4-amd64-DVD-1.iso' 2012-01-28 4.3 GB image.

Warning: This installation eventually failed to load 'grub2' into the /boot partition. See bug report # 659116 et al. But this issue is not believed to be a function of the disk partitioning as described here.

See note added below on 2012-03-05. Failing to load 'grub2' into the /boot partition IS a function of this partitioning scheme on BIOS based systems. The method described here however should successfully partition a disk system smaller than 2TiB without the 'grub2' loading problems.

Start installation ….

From the: 'Load installer components from CD' screen near the start of the installation process
it may be necessary to load:
'crypto-dm-modules ...'
'crypto-modules ...'
'parted-udeb: Manually partition a hard disk (parted)'

Continue with the installation process. The partitioning section starts with the process 'Detect disks.' and this documentation continues from that point. The associated entry numbers are part of this documentation and will not be found within the Graphical expert installation text.

1. Detect disks.
The installer finds disks available to system.

2. Partition disks.
We are going to manually create an Encrypted LVM system. In this example it is for one disk, with one Volume Group.
Adapt the following instructions for more than one disk and/or Volume Group, remembering the possibility of usefully using more than one stripe when using more than one disk.

2.1 Select 'Manual'.

2.2 Delete any existing partitions.
2.2.1 Double click or otherwise select the partition(s) and choose 'Delete the partition'.
The disk space should now be in one block.

2.3 Create a boot partition - 'New Partition size:' 256MB
2.3.1 Select 'Location for the new partition:' Beginning
2.3.2 Edit the 'Partition settings:'
'Use as:' Ext4 ...
'Format the partition: yes, format it'
'Mount point:' /boot
'Bootable flag:' on (though this should not be necessary on a purely linux system.)

'Done setting up the partition.'
Click 'Continue'

You should now be back on the main partitioning screen.

2.4 Create a new Encrypted partition on the remaining 'FREE SPACE'.
(You could create more than one encrypted partition on one or more disks if you wished.)
2.4.1 Select the remaining FREE SPACE and click 'Continue' (or just double click on the FREE SPACE.)
2.4.2 Select 'Create a new partition'
2.4.3 Keep the existing partition size and click 'Continue'.
2.4.4 Select the 'Use as:' field ('Continue' or double click.) and then select
'physical volume for encryption'. On the next screen ...

2.4.5 Choose 'Erase data:' 'yes' - if you wish to erase the data on the partition and overwrite with
random data. Choose 'no' - if you do not wish to do this.
Be aware that on a 2 terabyte partition, for example, 'yes' could take many hours to complete. It is however more secure when this is done.

You should now be back on the main partition screen with new partitions showing something like:

'> #1 256.0 MB f ext4 /boot'
'> #2 2.0 TB K crypto not active'

2.5 Now select 'Configure encrypted volumes' from this screen.
Do NOT double click to make this selection.
2.5.1 Select 'Create encrypted volumes'
2.5.2 Choose which 'Devices to encrypt:'
2.5.3 Choose 'Finish'
The next screen will inform you that the current partitions must be written to disk and cannot be undone.
2.5.4 When you are sure all is as you wish choose 'o Yes' on this screen.
2.5.5 Select 'Finish'.
2.5.6 Enter your 'Encryption passphrase:' twice into the two text entry fields. Note the length of passphrase recommendations on this screen.

You should now be back on the main partitioning screen. The encrypted partition should now show '(sda2_crypt)' or something similar, in place of 'not active'. There should also now be a new entry 'Encrypted volume (sda2_crypt) ...' on this screen.

2.6 Set up the file system on the encrypted volume.
2.6.1 Select the > #1 part of the new field 'Encrypted volume ...' that is select:
> #1 2.0TB f Ext3
and on the 'You are editing partition #1 of Encrypted volume ...' screen set
2.6.2 'Use as:' Ext4
2.6.3 Select 'Done setting up the partition'

2.6.4 Select 'Configure the Logical Volume Manager'
The next screen will inform you that the changes to the encrypted partition(s) must be written to disk and cannot be changed.
2.6.5 When you are sure all is as you wish choose 'o Yes' on this screen.
You will now see a sliding bar display while the Ext4 file system is written to
partition #1 of Encrypted volume (sda2_crypt). There will now be a delay of several minutes.

2.7 Create the volume group.
You should eventually be shown a screen 'Summary of current LVM configuration:'
2.7.1 Select 'Create volume group'
2.7.2 Enter the name of the volume group in the text field and click 'Continue'.
(In this example the name 'VOLUME' is chosen.)
You may now select more than one device over which the Volume Group will preside. However in our case we will only use the Volume Group on the Encrypted partition.

2.7.3 Select '/dev/mapper/sda2_crypt ...' and click 'Continue'

There is now 'Volume Groups:' '1' showing on the 'Summary of current LVM configuration:' screen.

2.8 Create the logical volumes.
2.8.1 Select 'Create logical volume' and on the next screen double click on (in this case) 'VOLUME'.
2.8.2 Now enter the 'Logical volume name:' in the text field.
(In our example we choose the name 'HOME')
2.8.3 Now enter the size of logical volume (HOME).
(In our example we choose 800GB.)

The summary screen now shows 'Logical Volumes:' '1'.
2.8.4 Now 'Create logical volume' (ROOT with a size of 200GB in our example)
and in turn, all the other logical volumes and sizes by repeating steps 2.8.1 to 2.8.4 as required.


Do not forget to create a 'SWAP' logical volume somewhere in the volume group.

2.8.5 When you have created all the volume groups and logical volumes select 'Finish'.

You should now be back on the main partitioning screen.
In addition to the earlier additions you should now also see a summary of all your logical volumes within the volume group(s) (in our case one volume group: 'VOLUME').
The beginning of the list will look something like:


LVM VG VOLUME, LV HOME - 800.0 GB Linux device-mapper (linear)
> #1 800 GB

LVM VG VOLUME, LV ROOT - 200.0 GB Linux device-mapper (linear)
> #1 200 GB

LVM VG VOLUME, LV SWAP - 16.0 GB Linux device-mapper (linear)
> #1 16.0 GB

...

2.9 Now set up the file systems and mount points for all the logical volumes.
2.9.1 Select the first logical volume (HOME) by selecting
> #1 800 GB
2.9.2 Choose the 'Use as:' file system (in this example Ext4)
2.9.3 Select the 'Mount point:' /home (in this case).
2.9.4 Select 'Done setting up the partition'.
2.9.5 Repeat steps 2.9.1 to 2.9.4 for all the logical volumes.

On the main partitioning screen you could now see, for example:

LVM VG VOLUME, LV HOME - 800.0 GB Linux device-mapper (linear)
> #1 800 GB f ext4 /home

LVM VG VOLUME, LV ROOT - 200.0 GB Linux device-mapper (linear)
> #1 200 GB f ext4 /

LVM VG VOLUME, LV SWAP - 16.0 GB Linux device-mapper (linear)
> #1 16.0 GB f swap swap

… with your other logical volumes if any.

2.10 Finish partitioning and write to disk.
On the main screen select:
2.10.1 'Finish partitioning and write changes to disk' and click on 'Continue'.
You now have a final chance to change the LV settings,
Or 'Write changes to disks?'
2.10.2 'o Yes' and click 'Continue'.

You will see a sliding bar screen showing the file system being written into the volume groups.

You have finished setting up your Encrypted LVM system. The result of carrying out the above configuration could be described in the following way:


Device             Size        Enc  Type             FS Type  Mount point
/dev/sda           2.0 TB           WDC ...diskname

/dev/sda1          256.00 MB        Linux native     Ext4     /boot
/dev/sda2          2.0 TB      E    Linux LVM

/dev/VOLUME        2.0 TB           LVM2
/dev/VOLUME/HOME   800.00 GB        LV               Ext4     /home
/dev/VOLUME/ROOT   200.00 GB        LV               Ext4     /
/dev/VOLUME/SWAP   16.00 GB         LV               SWAP     SWAP
/dev/VOLUME/TEMP   400.00 GB        LV               Ext4     /tmp
/dev/VOLUME/USER   446.75 GB        LV               Ext4     /usr

This shows the single disk device 'sda' and the two partitions it contains: 'sda1' and 'sda2'.
Of which 'sda1' is the boot partition which is not encrypted and not part of the Logical Volume Manager.
The second partition, 'sda2' is shown as 'E' encrypted and set up as Linux LVM.

The encrypted LVM 'volume group' within the encrypted partition is then defined with the name (in this case) VOLUME and the 'logical volumes' VOLUME/HOME to VOLUME/USER are shown within it.
Last edited by cbd on 2012-03-05 17:06, edited 1 time in total.
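
Added example (not written by any poster in this thread): a Python check for the layout discussed above, which walks the JSON tree printed by `lsblk -J -o NAME,TYPE,MOUNTPOINT` and reports any mounted filesystem or swap area with no dm-crypt layer in its stack, plus any crypt device stacked on top of a logical volume instead of beneath the volume group. Both sample trees are constructed for illustration; the first mirrors the sda1/sda2_crypt/VOLUME layout in the walkthrough, and the name home_crypt and the function names are assumptions.

```python
import json

# Mount points expected to stay outside the encrypted container.
ALLOWED_PLAINTEXT = {"/boot"}

# Constructed sample 1: whole physical volume encrypted, as in the walkthrough
# (sda1 = /boot, sda2 -> sda2_crypt -> volume group VOLUME -> logical volumes).
ENCRYPTED_PV = """
{"blockdevices": [
 {"name": "sda", "type": "disk", "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "mountpoint": "/boot"},
  {"name": "sda2", "type": "part", "mountpoint": null, "children": [
   {"name": "sda2_crypt", "type": "crypt", "mountpoint": null, "children": [
    {"name": "VOLUME-HOME", "type": "lvm", "mountpoint": "/home"},
    {"name": "VOLUME-ROOT", "type": "lvm", "mountpoint": "/"},
    {"name": "VOLUME-SWAP", "type": "lvm", "mountpoint": "[SWAP]"}
   ]}
  ]}
 ]}
]}
"""

# Constructed sample 2: plain LVM with only /home encrypted inside its own
# logical volume, the per-volume approach the first post wants to avoid.
PER_VOLUME = """
{"blockdevices": [
 {"name": "sda", "type": "disk", "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "mountpoint": "/boot"},
  {"name": "sda2", "type": "part", "mountpoint": null, "children": [
   {"name": "VOLUME-ROOT", "type": "lvm", "mountpoint": "/"},
   {"name": "VOLUME-SWAP", "type": "lvm", "mountpoint": "[SWAP]"},
   {"name": "VOLUME-HOME", "type": "lvm", "mountpoint": null, "children": [
    {"name": "home_crypt", "type": "crypt", "mountpoint": "/home"}
   ]}
  ]}
 ]}
]}
"""


def _walk(node, under_crypt=False, under_lvm=False, chain=()):
    """Yield (node, chain, under_crypt, under_lvm) for a node and its descendants.

    under_crypt / under_lvm say whether an ancestor of the node is a dm-crypt
    mapping or a logical volume.
    """
    chain = chain + (node["name"],)
    yield node, chain, under_crypt, under_lvm
    kind = node.get("type")
    for child in node.get("children", []):
        yield from _walk(child, under_crypt or kind == "crypt",
                         under_lvm or kind == "lvm", chain)


def plaintext_mounts(lsblk_json):
    """Return (mountpoint, device chain) pairs that have no crypt layer."""
    findings = []
    for dev in json.loads(lsblk_json)["blockdevices"]:
        for node, chain, under_crypt, _ in _walk(dev):
            mnt = node.get("mountpoint")
            encrypted = under_crypt or node.get("type") == "crypt"
            if mnt and not encrypted and mnt not in ALLOWED_PLAINTEXT:
                findings.append((mnt, " -> ".join(chain)))
    return sorted(findings)


def crypt_over_lvm(lsblk_json):
    """Return crypt devices that sit on a logical volume (per-volume encryption)."""
    names = []
    for dev in json.loads(lsblk_json)["blockdevices"]:
        for node, _, _, under_lvm in _walk(dev):
            if node.get("type") == "crypt" and under_lvm:
                names.append(node["name"])
    return sorted(names)


if __name__ == "__main__":
    for label, sample in (("encrypted PV", ENCRYPTED_PV),
                          ("per-volume", PER_VOLUME)):
        print(label)
        print("  plaintext mounts:", plaintext_mounts(sample) or "none")
        print("  crypt on top of LVM:", crypt_over_lvm(sample) or "none")
```

On a running system, pass the real output of `lsblk -J -o NAME,TYPE,MOUNTPOINT` to the two functions instead of the samples.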

craigevil
Posts: 5391
Joined: 2006-09-17 03:17
Location: heaven
Has thanked: 28 times
Been thanked: 39 times

Re: Complete Encrypted LVM Install?

#19 Post by craigevil »

wow all I did was click Yes or maybe Ok when the installer asked if I wanted to encrypt my disk. Nothing else to it.

Code:

$ df -h
Filesystem               Size  Used Avail Use% Mounted on
rootfs                    16G   13G  2.3G  85% /
udev                    1008M     0 1008M   0% /dev
tmpfs                    203M  384K  203M   1% /run
/dev/mapper/debian-root   16G   13G  2.3G  85% /
tmpfs                    5.0M     0  5.0M   0% /run/lock
tmpfs                    406M   44K  406M   1% /tmp
tmpfs                    406M  860K  405M   1% /run/shm
/dev/sda1                228M   37M  180M  17% /boot
Raspberry PI 400 Distro: Raspberry Pi OS Base: Debian Sid Kernel: 5.15.69-v8+ aarch64 DE: MATE Ram 4GB
Debian - "If you can't apt install something, it isn't useful or doesn't exist"
My Giant Sources.list

macias
Posts: 9
Joined: 2011-01-26 17:53

Re: Complete Encrypted LVM Install?

#20 Post by macias »

Are you sure you answered yes to the question "lvm AND encryption"? If yes, it would seem Debian has so far the easiest LVM+encryption installation, quite a surprise.
