#1 2014-09-15 01:56:21

davermont
Member
Registered: 2014-09-07
Posts: 21

LVM on LUKS on LVM

Does anyone know if, on a system with LVM on LUKS on LVM, a logical volume created inside a LUKS container can be added to the same volume group that the LUKS container is in? Even if this is possible, is this just a bad idea from a security perspective? Should the outer LVM and inner LVM each have their own physical devices, volume groups, and logical volumes?

Offline

#2 2014-09-15 09:30:59

bstaletic
Member
Registered: 2014-02-02
Posts: 658

Re: LVM on LUKS on LVM

LVM needs designated virtual groups upon designated physical volumes. A physical volume can not belong to more than one virtual group at the same time. That said, I can not see why you can't use the LUKS device as a new physical volume and use only that physical volume for a virtual group. I never used LUKS so I can't be sure about that part. Security wise I have no idea.

Out of curiosity, why do you need such a setup?

Offline

#3 2014-09-15 12:15:20

davermont
Member
Registered: 2014-09-07
Posts: 21

Re: LVM on LUKS on LVM

I want my unencrypted / partition inside a logical volume. However, I also want encrypted /var, /home, /tmp, and swap partitions inside logical volumes as well. LVM on LUKS on LVM was the best solution I could come up with. I am also new to LUKS and I've never tried nesting LVM containers either.

Offline

#4 2014-09-15 12:22:13

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,163
Website

Re: LVM on LUKS on LVM

Head-scratching...

Something like:

sda
└─sda1
  └─Storage 254:0    0 XG  0 lvm 
    ├─Storage-lrootvol                        254:1    0    XG  0 lvm   /
    └─luks 254:0    0 XG  0 crypt
      ├─Storage-lvarvol                         254:2    0    XG  0 lvm   /var
      ├─Storage-lhomevol                        254:3    0   XG  0 lvm   /home
      ├─Storage-ltmpvol                        254:4    0   XG  0 lvm   /tmp
      └─Storage-lswapvol                        254:5    0   XG  0 lvm   swap

Note: This is only a conceptual mock-up.

Last edited by clfarron4 (2014-09-15 12:26:30)


Claire is fine.
Problems? I have dysgraphia, so clear and concise please.
My public GPG key for package signing
My x86_64 package repository

Offline
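
A way to check a layout like the mock-up above once it exists, as an added example that is not part of any post in this thread: it walks the JSON tree in the shape that `lsblk -J -o NAME,TYPE,MOUNTPOINT` produces, reports which mount points sit under a crypt layer, and flags a volume group that has logical volumes on both sides of the same crypt layer (the arrangement asked about in the first post). The sample tree and the names `outer`, `inner`, `cryptlv`, `luks` and the `/boot` mount are constructed assumptions.

```python
import json

# Constructed sample in the shape of `lsblk -J -o NAME,TYPE,MOUNTPOINT`;
# device and volume group names (outer, inner, luks) are hypothetical.
SAMPLE = json.dumps({"blockdevices": [{"name": "sda", "type": "disk", "mountpoint": None, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": None, "children": [
        {"name": "outer-root", "type": "lvm", "mountpoint": "/"},
        {"name": "outer-cryptlv", "type": "lvm", "mountpoint": None, "children": [
            {"name": "luks", "type": "crypt", "mountpoint": None, "children": [
                {"name": "inner-var", "type": "lvm", "mountpoint": "/var"},
                {"name": "inner-home", "type": "lvm", "mountpoint": "/home"},
                {"name": "inner-tmp", "type": "lvm", "mountpoint": "/tmp"},
                {"name": "inner-swap", "type": "lvm", "mountpoint": "[SWAP]"},
            ]}]}]}]}]})


def vg_of(dm_name):
    # LVM device-mapper names are "vg-lv"; a hyphen inside either name is doubled.
    return dm_name.replace("--", "\0").split("-", 1)[0].replace("\0", "-")


def audit(lsblk_json):
    """Return ({mountpoint: under_crypt}, {VGs with LVs on both sides of a crypt layer})."""
    mounts, stacked = {}, set()

    def walk(node, encrypted, outer_vgs):
        if node["type"] == "crypt":
            encrypted = True
        elif node["type"] == "lvm":
            vg = vg_of(node["name"])
            if encrypted and vg in outer_vgs:
                stacked.add(vg)              # inner LV claims the VG that hosts the container
            elif not encrypted:
                outer_vgs = outer_vgs | {vg}  # remember VGs seen below the crypt layer
        if node.get("mountpoint"):
            mounts[node["mountpoint"]] = encrypted
        for child in node.get("children", []):
            walk(child, encrypted, outer_vgs)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False, frozenset())
    return mounts, stacked


if __name__ == "__main__":
    mounts, stacked = audit(SAMPLE)  # on a real system, pass lsblk's JSON output instead
    for mp, enc in sorted(mounts.items()):
        print(f"{mp:8} {'encrypted' if enc else 'PLAINTEXT'}")
    print("VGs on both sides of a crypt layer:", sorted(stacked) or "none")
```
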

#5 2014-09-15 12:25:33

bstaletic
Member
Registered: 2014-02-02
Posts: 658

Re: LVM on LUKS on LVM

Was that a typo or do you want /, /var, /home, /tmp and swap as encrypted logical volumes?

If it wasn't a typo you could just make one large volume group containing all the drives. Make logical LVM partitions and then encrypt those using LUKS. It is a simpler approach.


This is a schematic of how I imagined your setup:
 ___________________________________
|               LUKS                |
| / | /var | /home | /tmp | swap    |
|           volume group            |
|         physical volumes          |

Offline

#6 2014-09-15 12:55:53

th3voic3
Member
Registered: 2012-03-20
Posts: 92

Re: LVM on LUKS on LVM

davermont wrote:

I want my unencrypted / partition inside a logical volume. However, I also want encrypted /var, /home, /tmp, and swap partitions inside logical volumes as well. LVM on LUKS on LVM was the best solution I could come up with. I am also new to LUKS and I've never tried nesting LVM containers either.

Why don't you just encrypt the root partition as well? Any reason why that wouldn't work for you?

Offline

#7 2014-09-15 13:02:29

davermont
Member
Registered: 2014-09-07
Posts: 21

Re: LVM on LUKS on LVM

sda
└─sda1
  └─Storage 254:0    0 XG  0 lvm
    ├─Storage-lrootvol                        254:1    0    XG  0 lvm   /
    └─luks 254:0    0 XG  0 crypt
      ├─Storage-lvarvol                         254:2    0    XG  0 lvm   /var
      ├─Storage-lhomevol                        254:3    0   XG  0 lvm   /home
      ├─Storage-ltmpvol                        254:4    0   XG  0 lvm   /tmp
      └─Storage-lswapvol                        254:5    0   XG  0 lvm   swap

Yes, that's what I was thinking, except that it's all on sda2 because sda1 is my EFI System partition.

Why don't you just encrypt the root partition as well? Any reason why that wouldn't work for you?

This is on a laptop, so I was trying to avoid the performance/battery life penalty of encrypting the root partition.

Offline

#8 2014-09-15 19:35:44

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,163
Website

Re: LVM on LUKS on LVM

davermont wrote:

Why don't you just encrypt the root partition as well? Any reason why that wouldn't work for you?

This is on a laptop, so I was trying to avoid the performance/battery life penalty of encrypting the root partition.

I don't really notice the performance penalties for encrypting the whole thing and with modern laptops shipping with AES-NI, encryption performance shouldn't be noticeable for most people.


Offline

#9 2014-09-16 01:22:09

davermont
Member
Registered: 2014-09-07
Posts: 21

Re: LVM on LUKS on LVM

This does have AES-NI acceleration, so maybe I will try that. Still not sure what the battery life implications are though.

Last edited by davermont (2014-09-16 01:22:55)

Offline
