You are not logged in.
Hey guys, I just wanna be sure if it's gonna work this way.. I've got encrypted SSD with Arch installed, LVM over LUKS. I want to add a HDD to this LV and encrypt it over same LUKS. These are steps that I want to make in order to achieve my goal:
My lsblk:
sda disk
    sda1 part /boot
    sda2 part 
        lvm crypt
sdb diskWhat I want to achieve is to add sdb to LVM and mount it as /data. And of course encrypt whole LVM on LUKS, so I can use one password.
So I should boot into LiveUSB and then...
1. Random-fill sdb using dd:
dd if=/dev/urandom of=/dev/sdb bs=40962. Decrypt the LUKS volume:
cryptsetup luksOpen /dev/sda2 <physical_volume>3. Make LiveUSB see partition:
vgscan
vgchange -ay4. Resize LVM physical volume:
pvresize /dev/sdb5. Unlock LVM physical volume:
pvchange -x y /dev/mapper/<physical_volume>6. Create new logical volume:
lvcreate -L 100%FREE <volume_group> -n <new_logical_volume>7. Make ext4 filesystem on new logical volume:
mkfs.ext4 /dev/mapper/<volume_group>-<new_logical_volume>
mount /dev/mapper/<volume_group>-<new_logical_volume> /data8. Re-lock physical volume.
pvchange -x n /dev/mapper/<physical_volume>9. Resize the filesystem.
e2fsck -f /dev/mapper/<volume_group>-<new_logical_volume>
resize2fs -p /dev/mapper/<volume_group>-<new_logical_volume>Please give me advice on what's wrong with my plan.
[edit]
Typos
Last edited by niezniszczalny (2016-07-16 12:49:01)
Offline

1. Random-fill sdb using dd:
dd if=/dev/urandom of=/dev/sdb bs=4096
/dev/urandom will max out around 10MB/s. It's ultra slow and will take ages to overwrite a modern HDD.
Use `shred -vn1` it will go at full disk speed. If you think pseudorandom is not good enough, add cryptsetup in the mix (luksformat twice, once for overwriting, once again for actual data).
I want to add a HDD to this LV and encrypt it over same LUKS.
If it's LVM over LUKS as you said, i.e. LUKS is below LVM, then you can't extend it to the HDD. The HDD will be a separate LUKS container (which means you have to unlock two).
With LVM below LUKS (i.e. the LV itself is LUKS) it could be done but even then you really shouldn't, it doesn't make sense to have one half of a single filesystem on SSD and the other half on HDD.
4. Resize LVM physical volume:
pvresize /dev/sdb
You haven't made it a PV in the first place so that won't work. Also you should really be using a partition table.
1. shred sdb by all means if you want it to be filled with random data. (If there wasn't unencrypted data on it before, this step can be skipped)
2. use fdisk, parted, whatever you like to create a partition sdb1
3. cryptsetup luksFormat sdb1
4. cryptsetup luksOpen sdb1 as luks-sdb1 or whatever you like
5. pvcreate /dev/mapper/luks-sdb1
Then you can choose... actually make this a part of your existing VG? Mixing SSD and HDD might once again result in a LV that lives half on SSD, half on HDD (wasting SSD space since it's being pulled down to HDD speeds).
On my own system I went with two separate VGs, one called SSD that is backed by SSD media, another called HDD backed by HDD media. So I have LVs like SSD/root, SSD/home, HDD/movies, ... keeps things separate.
The key problem is getting two separate LUKS containers to open at boot (possibly without having to enter two passwords). There's several ways to do this, some people put it in their initcpio by duplicating the encrypt hook, but if the system itself (root, home) is on SSD you can also use a keyfile to open the other container during regular bootup. This should be in the wiki somewhere...
Offline
/dev/urandom will max out around 10MB/s. It's ultra slow and will take ages to overwrite a modern HDD.
Use `shred -vn1` it will go at full disk speed. If you think pseudorandom is not good enough, add cryptsetup in the mix (luksformat twice, once for overwriting, once again for actual data).
I followed the wiki as the first methods of wiping the disk were using /dev/urandom. Thanks for the tip, I'll definitely use it. And I think pseudorandom data is enough for me.
What I want is to have only data (music, movies, everything that doesn't need SSD speed) on HDD. And to use only one password to access all data when booting system. I don't want separate password for the HDD.
So I should create separate LV on separate LUKS (separate from SSD, where my root and /home is). I'd like to have partitions as you described: ssd/root, ssd/home, ssd/swap, hdd/data, so the system is on ssd and the /data alone is on hdd.
Is it necessary to create LV on the sdb then? Can't I just create a partition (sdb1) on sdb and encrypt it with LUKS? Will I be able then to resize/make new partitions inside the encrypted one?
Also you should really be using a partition table.
Yeah, I forgot about making partition table and partition on HDD.
Offline

Is it necessary to create LV on the sdb then? Can't I just create a partition (sdb1) on sdb and encrypt it with LUKS? Will I be able then to resize/make new partitions inside the encrypted one?
Yes. This is what you have done on the first disk by putting LVM on top of LUKS.
Ask yourself why you want multiple partitions/logical volumes on top of LUKS.
Is it to separate categories data? (music, warez, porn, wacky conspiracy theories, etc.)
Does each category of data really need to be encrypted?
If yes and yes, then each category should be on its own encrypted partition/logical volume. If you put everything on top of one encrypted partition, then you will have all of your data exposed on the system all of the time. That offers no protection. You probably want to have your music accessible whenever you're in front of the computer, but you probably don't want your warez, porn and conspiracy theories accessible all the time. Use LUKS on top of LVM. Forget about having a single password. If the data is worth encrypting, then it's worth typing a password for each category when you need to access it. If it's not worth the typing, don't bother encrypting it.
If yes and no, then you should only encrypt what needs to be encrypted. Otherwise you are just incurring overhead for nothing. Again, use LUKS on top of LVM. Only encrypt some of logical volumes.
If no and no, then I presume that you just want to have your entire system encrypted to prevent tampering when it's not on. You can use LUKS on top of LVM or vice versa. It depends on what you want to do.
I generally recommend LUKS on top of LVM. Create logical volumes for your system partitions. Encrypt the root partition with a password. If you want to avoid passwords for the other system partitions (e.g. home, var), encrypt them with key files and put the key file on the encrypted root partition. Your system partitions will then be protected when the system is off, but when it's running someone could access the key files. If that risk is unacceptable, you will have to use passwords (or keyfiles on an external drive, but that has it's own risks).
Put all of the data that you want accessible all of the time on the encrypted partitions that will be mounted whenever the system is on. Create a separate logical volume for all of the sensitive stuff that should only be accessible when you really need it (e.g. banking details, the photos you're using to blackmail a senator, your ranty manifesto and call to armed revolution ) on a separate encrypted logical volume that you only access with a password. Again, anything not worth a long password is not worth encrypting.
Keep in mind that there are also options for encrypting single files and directories (e.g. pgp, encfs, etc.). You can always put your blackmail photos and manifesto in there to avoid the hassle of partitions (fixed sizes, mounting, etc.). You'll need to type passwords there too.
My Arch Linux Stuff • Forum Etiquette • Community Ethos - Arch is not for everyone
Offline
I never thought that making up decision on how and why to encrypt computer can be such interesting topic. Unfortunately I only want to encrypt it because of privacy. I don't like anyone to look into my personal shelf with my documents etc. In the same time I want my computer to be as easy to use as it can, so I only want to type one password in order to unlock access to my data.
So.. no and no. 
As I've written before, my lsblk looks like that.
sda disk
    sda1 part /boot
    sda2 part 
        lvm crypt
sdb disk
    sdb1 partsdb1 is partition of 8e00 type.
On my sda2 (where my system is) there's already LVM on LUKS encryption. I want to make LUKS on LVM on sdb1 which will be opened with the same password as sda2. I want LUKS on LVM on sdb1 in case I will have to create another sdbY partition with really classified data and different password in the future.
So now I just have to
pvcreate /dev/sdb1
vgcreate hddlvm /dev/sdb1
lvcreate  -l 100%FREE  -n data hddlvmSo I created LV and I need to create LUKS now + generate keyfile.
Generate keyfile:
mkdir -m 700 /etc/luks-keys
dd if=/dev/random of=/etc/luks-keys/data bs=1 count=256Encrypt new logical volume with generated keyfile:
cryptsetup -v luksFormat /dev/hddlvm/data /etc/luks-keys/data
cryptsetup -d /etc/luks-keys/data open --type luks /dev/hddlvm/data datamkfs -t ext4 /dev/mapper/hddlvm-data
mkdir /data
mount /dev/mapper/hddlvm-data /dataAdd to /etc/crypttab:
data        /dev/hddlvm/data        /etc/luks-keys/dataAdd to /etc/fstab:
/dev/mapper/hddlvm-data        data        ext4        defaults        0        2Am I correct so far?
[edit]
Found out some mistakes in my approach and corrected them.
[edit2]
Stupid mistake - in crypttab it should be /dev/mapper/hddlvm-data instead /dev/mapper/data
And the same when mounting and mkfs. I should mkfs & mount /dev/mapper/hddlvm-data instead /data
Also changed 'mkfs -t ext4' to 'mkfs.ext4'
Last edited by niezniszczalny (2016-07-16 12:47:28)
Offline
It doesn't work, don't know why. When I boot I get this error:
...
[   OK   ] Mounted /home.
[   OK   ] Mounted /boot.
[   OK   ] Started Load/Save Random Seed.
[   OK   ] Started Load/Save RF Kill Switch Status.
[   OK   ]  Started Load/Save Screen Backlight Brightness of backlight:intel_backlight.
[   OK   ] Started Flush Journal to Persistent Storage.
[   OK   ] Started LVM2 PV scan on device 254:1.
[   OK   ] Started LVM2 PV scan od device 8:17.
[  TIME  ] Timed out waiting for device dev-mapper-data.device.
[DEPEND] Dependency failed for File Ststem Check on /dev/mapper/data.
[DEPEND] Dependency failed for /data.
[DEPEND] Dependency failed for Local File Systems.
[   OK   ] Reached target Bluetooth.
[   OK   ] Reached target Timers.
[   OK   ] Reached target Sockets.
[   OK   ] Reached target Network.
[   OK   ] Started Emergency Shell.
              Starting Create Volatitle Files and Directories...
[   OK   ] Reached target Emergency Mode.
[   OK   ] Started Create Volatile Files and Directories.
              Starting Update UTMP about System Boot/Shutdown...
[   OK   ] Started Update UTMP about System Boot/Shutdown.
Welcome to emergency mode! After logging in, type "journalctl -xb" to view
system logs, "systemctl reboot" to reboot, "systemctl default" or ^D to
try again to boot into default mode.
Give root password for maintenance
(or press Control-D to continue): _I guess I should change something in crypttab or fstab.
[EDIT]
Solved! Everything is in previous post. I should kill myself because of these typos and stupid mistakes ..
Last edited by niezniszczalny (2016-07-16 12:48:42)
Offline