[SOLVED] Setting up LUKS on top of LVM

ajrl · 2013-05-25 18:29:20

Maybe I'm missing a step, but I can't seem to get LUKS set up on my LVM partition.

cgdisk:

1007.0 KiB free space
1 1024.0 KiB BIOS boot partition
2 596.2 GiB Linux LVM
327.5 KiB free space

lsblk:

sda2
|__________vg1-swap (dm-1) 1G lvm
|__________vg1-root (dm-2) 10G lvm
|__________vg1-home (dm-3) 585.2G lvm

Once I boot into the Arch CD, this is the dialog:

# cryptsetup -c aes-xts-plain64 -s 512 -h sha512 -i 5000 -y --use-random luksFormat /dev/sda2

WARNING
========
This will overwrite data on /dev/sda2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Cannot format device /dev/sda2 which is still in use.
#

Issuing the mount command doesn't show that /dev/sda2 is mounted.

I'm probably making a really obvious mistake, but I can't figure it out.

Last edited by ajrl (2013-05-25 20:41:27)

WonderWoofy · 2013-05-25 19:13:51

You are trying to set up Luks on the device you already have an LVM on. I think what you are probably trying to acomplish is haveing LVM on top of Luks. It is in this way that you can have a single Luks container that is decrypted on boot. Otherwise, you will have several Luks containers that all need to be decrypted individually.

Is there anything on the LVM you have set up? I would hope not if you are trying to format it with random data. So if this is the case, then use the LVM tools to remove the LVM on sda2. Then use the Luks tools to create a Luks container on /dev/sda2. So when you do that, you attach the device (decrypt it) and it will put it in /dev/mapper with the name of your choosing. So then you create the LVM on that Luks container (use /dev/mapper/<your conatiner>). Once you have done that, then you can again use the LVM tools, but this time to create logical volumes on the LVM that is now on top of the Luks container.

If indeed you really want to be using Luks on top of LVM, then you will need to be making Luks containers on /dev/mapper/vg1-root, /dev/mapper/vg1-home, etc. Though this will result in multiple containers being created, it is not as bad as it might seem. You can use the /etc/crypttab file to have the system decrypt the rest of the filesystem on its own. There is a caveat though. When you use crypttab, you have to use keyfiles. So if your plan was to be super password happy, then you really want to go the other route. But basically once the rootfs is decrypted, then the system begins to boot, and it can then reference the crypttab to determine where the containers are and where in the decrypted filesystem the keyfiles can be found.

Personally I would go the way of LVM on top of Luks, as I really like the simplicity of having that single partition to decrypt. Also, I personally don't see any added benefit of security when you have them encrypted separately. Once the rootfs is decrypted, the information encessary is right there, plain as day to decrypt the others, so in my mind it is no different than having them all on a single volume group.

ajrl · 2013-05-25 19:37:11

Thank you. I'm just now realizing that I was trying to do two completely different things. That's what I get for using two separate tutorials. Everything is working fine now. I have LVM set up on top of LUKS.

Also, for anyone who has this same problem, these two guides (1 and 2) show in very few steps how to set up LVM on top of an encrypted partition.

Last edited by ajrl (2013-05-25 19:41:56)

WonderWoofy · 2013-05-25 20:19:06

The second one is better. Although it references the old AIF installer, the Luks/LVM part is the same anyway and that particular guide gives better explanantion about what and why you are doing what you are doing. The first linked guide is more of a copy-and-paste kind of situation, and that is bad for something like encryption, where if something goes wrong and you don't understand it, you are pretty much sh*t outta luck!

Edit: BTW, the best reference is still probably the wiki, as although it is a cluster f* of information, all scattered in a jumble of chaos, the information there is very good, very accurate, and very plentiful. I would recommend anyone who wants to use Luks/dm-crypt should go and wade through that page to at least get a feel for what is about to go down before referencing any other guide, which will likely be far less verbose.

Edit2: Please mark your thread as [Solved] by editing the first post and prepending that to the title.

Last edited by WonderWoofy (2013-05-25 20:21:38)

cfr · 2013-05-25 21:38:18

Unless somebody has added it, you have to use a non-wiki guide for LVM-on-LUKS but the wiki basically points you to one at the appropriate place and you can use that in conjunction with the information in the wiki. At least, that's how it worked when I set it up. But, as I say, maybe somebody has extended the wiki internally since then.

ajrl · 2013-05-25 23:10:59

I'm having a problem now with my initramfs not knowing how to load the encrypted partition. My hooks are "base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck shutdown." Am I missing something here? Every time I boot up, I get "ERROR: device '/dev/mapper/vg1-root' not found."

cfr · 2013-05-25 23:13:38

Adjust your kernel command line. It needs to know about the encrypted container!

ajrl · 2013-05-25 23:25:34

Are you talking about /etc/default/grub? I added GRUB_CMDLINE_LINUX="cryptdevice=/dev/mapper/vg1-root:cryptroot," but I get the same error. I have no idea if I entered that value correctly though. I've tried various combinations.

Strike0 · 2013-05-25 23:28:25

For completeness, let me add that a new subsection has been created on this subject recently: https://wiki.archlinux.org/index.php/Encrypted_LVM
It arguably requires some style editing, but already provides a good run through of installation steps (similar to link 1 in #3) in a more straight forward way as the old section (which still has all the info too, if you dont need a step-by-step guide). It is currently linked from the main section on Luks with LVM here: https://wiki.archlinux.org/index.php/Dm … _LVM_setup
So, the wiki got more choice!

cfr · 2013-05-25 23:28:29

I use cryptdevice=/dev/disk/by-uuid/<uuid>:lvm.

ajrl · 2013-05-25 23:31:32

Is the first path (/dev/mapper/vg1-root in my example) the root volume or the overall LVM partition?

Strike0 · 2013-05-25 23:34:52

Take cfr's example. It is the root luks blockdevice (your "cryptroot"). The kernel line you used is for luks on lvm.

ajrl · 2013-05-25 23:46:06

Everything's working perfectly now. Thank you.

Arch Linux

#1 2013-05-25 18:29:20

[SOLVED] Setting up LUKS on top of LVM

#2 2013-05-25 19:13:51

Re: [SOLVED] Setting up LUKS on top of LVM

#3 2013-05-25 19:37:11

Re: [SOLVED] Setting up LUKS on top of LVM

#4 2013-05-25 20:19:06

Re: [SOLVED] Setting up LUKS on top of LVM

#5 2013-05-25 21:38:18

Re: [SOLVED] Setting up LUKS on top of LVM

#6 2013-05-25 23:10:59

Re: [SOLVED] Setting up LUKS on top of LVM

#7 2013-05-25 23:13:38

Re: [SOLVED] Setting up LUKS on top of LVM

#8 2013-05-25 23:25:34

Re: [SOLVED] Setting up LUKS on top of LVM

#9 2013-05-25 23:28:25

Re: [SOLVED] Setting up LUKS on top of LVM

#10 2013-05-25 23:28:29

Re: [SOLVED] Setting up LUKS on top of LVM

#11 2013-05-25 23:31:32

Re: [SOLVED] Setting up LUKS on top of LVM

#12 2013-05-25 23:34:52

Re: [SOLVED] Setting up LUKS on top of LVM

#13 2013-05-25 23:46:06

Re: [SOLVED] Setting up LUKS on top of LVM

Board footer