
#1 2010-01-01 23:19:52

rafmav
Member
From: Haute-Loire/Auvergne/France
Registered: 2009-07-28
Posts: 20
Website

[lvm luks] luks over lvm or lvm over luks ?

What is the best:
- luks over lvm
or
- lvm over luks ?

Do both run, please ?

Offline

#2 2010-01-02 08:56:27

seiichiro0185
Member
From: Leipzig/Germany
Registered: 2009-04-09
Posts: 226
Website

Re: [lvm luks] luks over lvm or lvm over luks ?

I use lvm over luks normally, it has the advantage of unlocking all lvm-volumes with one password and one can change the lvm-volumes more easily because it's not necessary to change something with the encryption.

both variants should run although I haven't used the luks over lvm method so far.


My System: Dell XPS 13 | i7-7560U | 16GB RAM | 512GB SSD | FHD Screen | Arch Linux
My Workstation/Server: Supermicro X11SSZ-F | Xeon E3-1245 v6 | 64GB RAM | 1TB SSD Raid 1 + 6TB HDD ZFS Raid Z1 | Proxmox VE
My Stuff at Github: github
My Homepage: Seiichiros HP

Offline

#3 2010-01-02 11:25:57

Dieter@be
Forum Fellow
From: Belgium
Registered: 2006-11-05
Posts: 2,000
Website

Re: [lvm luks] luks over lvm or lvm over luks ?

both work. but i also prefer lvm over luks because of the two advantages seiichiro0185 said.


< Daenyth> and he works prolifically
4 8 15 16 23 42

Offline

#4 2010-01-02 14:11:04

rafmav
Member
From: Haute-Loire/Auvergne/France
Registered: 2009-07-28
Posts: 20
Website

Re: [lvm luks] luks over lvm or lvm over luks ?

thanks for the replies.

I asked this because:
1) I installed luks over lvm (like the tutorial in the wiki), which gives the possibility to encrypt each logical volume with a different password; only the root password is needed at boot up, the others are stored in /etc/luks-keys/{home swap tmp ...}: the one who finds my usb key or the root passphrase finds the other ones... so they are useless; and if I store them on the same usb key, they are useless too!
2) I use encryption for fun (does it run, etc.) and in case I lose my laptop or it is stolen; if one can find what are and where are my logical volumes, it is not really good too!

so if it is possible to put lvm over luks, I notice i.. and have to reinstall arch on my laptop.

I believe I will like to give the possibility to each user to have an encrypted "/home/$USER":
is it possible to create a luks partition on a logical volume which is on a luks partition: "luks over lvm over luks..." ?

Offline

#5 2010-01-02 14:17:17

Dieter@be
Forum Fellow
From: Belgium
Registered: 2006-11-05
Posts: 2,000
Website

Re: [lvm luks] luks over lvm or lvm over luks ?

in principle "luks over lvm over luks" should work fine.  I can't come up with a reason why it shouldn't work (in theory).
In practice however, at least for / this will not work because the Arch initcpio does not support it. for other partitions (/home/$user) it might work, by using /etc/crypttab

the good news is the Arch installer makes it very easy nowadays to install a "luks on lvm" (or "lvm on luks" ), so you can first install a working system and then just try and see if the /home/$user filesystems work..

Last edited by Dieter@be (2010-01-02 14:17:36)



Offline

#6 2010-01-02 15:07:11

newgargamel
Member
From: PL, CZ
Registered: 2005-08-28
Posts: 156

Re: [lvm luks] luks over lvm or lvm over luks ?

Dieter@be wrote:

the good news is the Arch installer makes it very easy nowadays to install a "luks on lvm" (or "lvm on luks" ), so you can first install a working system and then just try and see if the /home/$user filesystems work..

I don't agree with that - I've been trying to install LVM over LUKS since yesterday but after a restart the system is hanging at "Enter LUKS passphrase". Maybe you have some idea why?

Offline

#7 2010-01-02 15:18:35

Dieter@be
Forum Fellow
From: Belgium
Registered: 2006-11-05
Posts: 2,000
Website

Re: [lvm luks] luks over lvm or lvm over luks ?

newgargamel wrote:
Dieter@be wrote:

the good news is the Arch installer makes it very easy nowadays to install a "luks on lvm" (or "lvm on luks" ), so you can first install a working system and then just try and see if the /home/$user filesystems work..

I don't agree with that - I've been trying to install LVM over LUKS since yesterday but after a restart the system is hanging at "Enter LUKS passphrase". Maybe you have some idea why?

uhm.. you need to type the passphrase? (and press enter)



Offline

#8 2010-01-02 16:40:16

newgargamel
Member
From: PL, CZ
Registered: 2005-08-28
Posts: 156

Re: [lvm luks] luks over lvm or lvm over luks ?

Dieter@be wrote:
newgargamel wrote:
Dieter@be wrote:

the good news is the Arch installer makes it very easy nowadays to install a "luks on lvm" (or "lvm on luks" ), so you can first install a working system and then just try and see if the /home/$user filesystems work..

I don't agree with that - I've been trying to install LVM over LUKS since yesterday but after a restart the system is hanging at "Enter LUKS passphrase". Maybe you have some idea why?

uhm.. you need to type the passphrase? (and press enter)

I'm not able to enter my password for some strange reason

Offline

#9 2010-01-02 17:36:26

Dieter@be
Forum Fellow
From: Belgium
Registered: 2006-11-05
Posts: 2,000
Website

Re: [lvm luks] luks over lvm or lvm over luks ?

newgargamel wrote:

I'm not able to enter my password for some strange reason

open a new topic. don't hijack this one



Offline

#10 2010-01-02 18:49:02

rafmav
Member
From: Haute-Loire/Auvergne/France
Registered: 2009-07-28
Posts: 20
Website

Re: [lvm luks] luks over lvm or lvm over luks ?

@newgargamel:
1- I agree with you, I could not install my luks over lvm on my laptop with the arch installer /arch/setup: I did not find how to do it! but it is true that it can create dm-crypt partitions and logical volumes... it probably only needs a tutorial for it. I installed it with the help of the wiki of archlinux.org "System encryption" http://wiki.archlinux.org/index.php/Sys … r_dm-crypt AND with /arch/setup, I explained it on archlinux.fr on
[tuto] linux sur lvm2 et luks: http://forums.archlinux.fr/topic5205.html (because my tailor is rich... and my english is not...).

2- For the problem of passphrase, yes open a new topic! and it is interesting...


@all:
3- Thanks for the reply, I will try whenever I have time and post here if it runs...

4- The good thing should be that the /home/$USER have for luks passphrase the usual password... More, I think that the password should be applied on all the files belonging to $USER, wherever they are... I can imagine a logical volume for each $USER!

5- I mean, for now, some say that grub needs to find stage1 stage1_5 stage2, kernel and initrd and cannot luks-decrypt the partition for luks and lvm over luks to find them. Is it possible to integrate the /boot partition in luks and lvm ?

Last edited by rafmav (2010-01-02 20:24:01)

Offline

#11 2010-01-03 10:39:13

rafmav
Member
From: Haute-Loire/Auvergne/France
Registered: 2009-07-28
Posts: 20
Website

Re: [lvm luks] luks over lvm or lvm over luks ?

One more question:
if you create lvm over luks, so you:

1. create 2 partitions (fdisk or cfdisk or parted on /dev/sda),
1. /dev/sda1 for the future /boot (this will be not crypted and outside logical volumes)
2. format it (mkfs.ext2 by example),
3. /dev/sda2 one for / (linux root)
4. format it (mkfs.something),
3. luks it (cryptsetup luksFormat then luks Open),
4. lvm it (pvcreate then vgcreate)
5. then lvcreate for each (root, home, swap, tmp, var, etc...
6. then vgchange -ay
5. format each lv (mkfs.something).
6. install linux on them

a. Which kind of partition for / in fdisk L : 82, 8e, something else ?
b. Which format for /dev/sda2 which will be "luks" ?
c. Can I create the partition I want for each lv ?

Offline

#12 2010-01-03 14:52:29

theDOC
Member
From: Aachen, Germany
Registered: 2009-06-18
Posts: 50

Re: [lvm luks] luks over lvm or lvm over luks ?

One downside of using lvm inside luks is, that there is only one dm-crypt device. dm-crypt doesn't support multicore systems very well (at all?), so the performance when copying from one partition to another is worse compared to creating one crypt device for each partition.

Offline

#13 2010-01-03 15:32:31

newgargamel
Member
From: PL, CZ
Registered: 2005-08-28
Posts: 156

Re: [lvm luks] luks over lvm or lvm over luks ?

rafmav wrote:

One more question:
if you create lvm over luks, so you:

1. create 2 partitions (fdisk or cfdisk or parted on /dev/sda),
1. /dev/sda1 for the future /boot (this will be not crypted and outside logical volumes)
2. format it (mkfs.ext2 by example),
3. /dev/sda2 one for / (linux root)
4. format it (mkfs.something),
3. luks it (cryptsetup luksFormat then luks Open),
4. lvm it (pvcreate then vgcreate)
5. then lvcreate for each (root, home, swap, tmp, var, etc...
6. then vgchange -ay
5. format each lv (mkfs.something).
6. install linux on them

a. Which kind of partition for / in fdisk L : 82, 8e, something else ?
b. Which format for /dev/sda2 which will be "luks" ?
c. Can I create the partition I want for each lv ?

I did everything except point 6.

I've decided to try different setup - dm-crypt + reiser4 with cryptocompres plugin but it will take me more time (I need patched kernel)

Offline

#14 2010-01-06 10:34:34

newgargamel
Member
From: PL, CZ
Registered: 2005-08-28
Posts: 156

Re: [lvm luks] luks over lvm or lvm over luks ?

rafmav wrote:

For the problem of passphrase, yes open a new topic! and it is interesting...

It's solved now and I added the solution given me by brain0 to the wiki (System_Encryption_with_LUKS_for_dm-crypt)

If you have USB keyboard you need the "usbinput" hook in mkinitcpio.conf. Without it, no USB keyboard will work in early userspace.

Offline

#15 2010-01-06 22:23:58

moljac024
Member
From: Serbia
Registered: 2008-01-29
Posts: 2,676

Re: [lvm luks] luks over lvm or lvm over luks ?

rafmav wrote:

One more question:
if you create lvm over luks, so you:

1. create 2 partitions (fdisk or cfdisk or parted on /dev/sda),
1. /dev/sda1 for the future /boot (this will be not crypted and outside logical volumes)
2. format it (mkfs.ext2 by example),
3. /dev/sda2 one for / (linux root)
4. format it (mkfs.something),
3. luks it (cryptsetup luksFormat then luks Open),
4. lvm it (pvcreate then vgcreate)
5. then lvcreate for each (root, home, swap, tmp, var, etc...
6. then vgchange -ay
5. format each lv (mkfs.something).
6. install linux on them

a. Which kind of partition for / in fdisk L : 82, 8e, something else ?
b. Which format for /dev/sda2 which will be "luks" ?
c. Can I create the partition I want for each lv ?

Why format it first and then luks it, instead of the other way around?


The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner.
--------------------------------------------------------------------------------------------------------------
But if they tell you that I've lost my mind, maybe it's not gone just a little hard to find...

Offline

#16 2010-01-11 20:59:45

rafmav
Member
From: Haute-Loire/Auvergne/France
Registered: 2009-07-28
Posts: 20
Website

Re: [lvm luks] luks over lvm or lvm over luks ?

ARCHLINUX OVER LVM OVER LUKS:

@moljac024: you are right: it is not necessary to format /dev/sda2 before luks it! one step less for doing that stuff!

So, here are all the steps needed to install "/arch/setup" "archlinux over lvm over luks":

0. erase all the disk (not mandatory)
with this:

badblocks -c 10240 -w -t random -s -v /dev/sda

it will write random data on the disk: it will be harder to find the good data with this!

for a 250 GB hard disk: let it run a good part of your night!

1. fdisk

fdisk /dev/sda

cfdisk, parted or gparted can be also used on /dev/sda:
- create /dev/sda1 ("bootable" "a", code "82" Linux)
- and /dev/sda2 (code "82" for "Linux" or "8e" for "Linux LVM");
goal of this step:
- for the future /boot, I use /dev/sda1 (this will not be encrypted and will be outside the logical volumes, this for "grub"): 100 MB or less will be enough for /boot (I made it exactly 64 MB, size of my old usb key; count in cylinders and under fdisk, cfdisk and parted seem unable to do that);
- the rest of the disk for /dev/sda2, so close to 250 GB for me (less 64 MB ;-) )!

2. luks

cryptsetup luksFormat -c aes-xts-plain -s 512 /dev/sda2 mykeyfile
cryptsetup luksOpen /dev/sda2 sda2 --key-file mykeyfile

# /dev/sda2 is now /dev/mapper/sda2
# replace mykeyfile by the location of your keyfile
# mine is on a usb key mounted and copied to /root/mykeyfile
This will crypt all the data now written on the partition /dev/sda2

- to add a passphrase in case your usb key is lost or stolen:

cryptsetup luksAddKey /dev/sda2 --key-slot 1 --key-file mykeyfile

a passphrase will be asked twice here and added to the keys of luks (8 keys are possible).
this is in case the usb key is stolen or lost!
Nota: --key-file is for the authorization to add another passphrase... not to add the same mykeyfile to slot 1 (there are 8 slots).

- to add another keyfile (on another usb key):

cryptsetup luksAddKey /dev/sda2 newkeyfile --key-slot 2 --key-file mykeyfile

3. lvm

lvm pvcreate /dev/mapper/sda2 # physical volume on all /dev/sda2
lvm vgcreate lvm /dev/mapper/sda2 # volume group: /dev/lvm
lvm lvcreate -C y -L 16G -n root lvm # /dev/lvm/root
lvm lvcreate -C y -L 4G -n swap lvm # /dev/lvm/swap
lvm lvcreate -C y -L 4G -n tmp lvm # /dev/lvm/tmp
lvm lvcreate -C y -L 4G -n var lvm # /dev/lvm/var
lvm lvcreate -C y -L 16G -n home lvm # /dev/lvm/home

in lvm lvcreate: -C y is for contiguous zones
- use if needed:

vgchange -ay lvm

4. setup

/arch/setup
1. Prepare Hard Drive
3. Manually configure block devices, filesystems and mountpoints
Disc selection /dev/sda

At this step, several filesystems, block devices and virtual devices are proposed: choose these ones:

boot: /boot /dev/sda1 ext2
swap: /swap /dev/mapper/swap swap
root: / /dev/mapper/root reiserfs

home: /home /dev/mapper/home reiserfs
tmp: /tmp /dev/mapper/tmp reiserfs
var: /var /dev/mapper/var reiserfs
...

Do not use /dev/sda2 for mountpoint or all the work before it will be destroyed: luks (/dev/mapper/sda2) and /dev/lvm will be erased!
Use /dev/mapper/sda2 instead!

7. install arch
after all this, follow the steps in /arch/setup as usual

...

8. configuration:
/etc/rc.conf

USELVM="yes"

/etc/mkinitcpio.conf

MODULES="reiserfs"
HOOKS="base resume udev autodetect pata scsi sata usb usbinput encrypt lvm2 filesystems keymap"

in MODULES:
reiserfs is for a / (root) reiserfs filesystems.
in HOOKS:
usb is for usb
usbinput is for "mykeyfile" on a usb key
encrypt is for encryption (like luks)
lvm2 is for lvm

9. boot menu for grub

/boot/grub/menu.lst

# (0) Arch
title  Arch Linux
root   (hd0,0)
kernel /vmlinuz26 cryptdevice=/dev/sda2:lvm cryptkey=/dev/sdb1:ext3:/mykeyfile root=/dev/mapper/lvm-root ro
initrd /kernel26.img
# () Arch Fallback
title  Arch Linux Fallback
root   (hd0,0)
kernel /vmlinuz26 cryptdevice=/dev/sda2:lvm cryptkey=/dev/sdb1:ext3:/mykeyfile root=/dev/mapper/lvm-root ro
initrd /kernel26-fallback.img

10. reboot

ALL THIS HAS NOT BEEN TRIED:
- IS THE GRUB menu correct ?
- DID I MISS SOMETHING ?

Because I do not understand how to do all the installation steps with "/arch/setup" when I create and use "luks" and "lvm": If someone knows how to do all these steps with "/arch/setup", please let me know how!

Last edited by rafmav (2010-01-13 08:22:18)

Offline
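
The hook ordering that posts #14 and #16 rely on, as an added example that is not part of any post in this thread: a POSIX shell check of an mkinitcpio HOOKS line for either layout discussed here. The function names and the `usbkbd` argument are made up for the example, and the sample file is constructed from the HOOKS line in post #16.

```shell
#!/bin/sh
# Added example (not from the thread): audit an mkinitcpio HOOKS line for
# the two layouts discussed here. Hooks run in the order they are listed.

# hook_pos "HOOK LIST" NAME -> 1-based position of NAME, 0 if absent
hook_pos() {
    i=0
    for h in $1; do
        i=$((i + 1))
        if [ "$h" = "$2" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# extract_hooks FILE -> value of the last uncommented HOOKS="..." line
extract_hooks() {
    sed -n 's/^[[:space:]]*HOOKS="\(.*\)".*$/\1/p' "$1" | tail -n 1
}

# check_hooks "HOOK LIST" LAYOUT [usbkbd]
#   LAYOUT is lvm-on-luks (LVM inside one LUKS container) or luks-on-lvm
#   (one LUKS container per LV); usbkbd = passphrase typed on a USB keyboard.
# Prints one line per problem and nothing when the order is consistent.
check_hooks() {
    enc=$(hook_pos "$1" encrypt)
    lvm=$(hook_pos "$1" lvm2)
    fs=$(hook_pos "$1" filesystems)
    usbin=$(hook_pos "$1" usbinput)
    km=$(hook_pos "$1" keymap)
    for pair in "encrypt:$enc" "lvm2:$lvm" "filesystems:$fs"; do
        if [ "${pair#*:}" -eq 0 ]; then echo "missing: ${pair%%:*}"; fi
    done
    if [ "$enc" -eq 0 ] || [ "$lvm" -eq 0 ] || [ "$fs" -eq 0 ]; then return 0; fi

    case $2 in
        lvm-on-luks)  # the container must be open before the VG can be found
            if [ "$enc" -gt "$lvm" ]; then echo "order: encrypt must precede lvm2"; fi ;;
        luks-on-lvm)  # the LVs must exist before they can be unlocked
            if [ "$lvm" -gt "$enc" ]; then echo "order: lvm2 must precede encrypt"; fi ;;
        *)
            echo "unknown layout: $2" ;;
    esac
    if [ "$enc" -gt "$fs" ] || [ "$lvm" -gt "$fs" ]; then
        echo "order: encrypt and lvm2 must precede filesystems"
    fi
    if [ "${3:-}" = "usbkbd" ]; then
        if [ "$usbin" -eq 0 ]; then
            echo "missing: usbinput (no USB keyboard at the passphrase prompt)"
        elif [ "$usbin" -gt "$enc" ]; then
            echo "order: usbinput must precede encrypt"
        fi
    fi
    if [ "$km" -gt "$enc" ]; then
        echo "order: keymap after encrypt (passphrase is typed with the default layout)"
    fi
}

# Constructed sample: the HOOKS line from post #16, written to a temp file.
sample=$(mktemp)
printf '%s\n' '# HOOKS="base udev"' \
    'HOOKS="base resume udev autodetect pata scsi sata usb usbinput encrypt lvm2 filesystems keymap"' > "$sample"
check_hooks "$(extract_hooks "$sample")" lvm-on-luks usbkbd
rm -f "$sample"
```

On the line from post #16 the only finding is the keymap position, which matters for the fallback passphrase added with luksAddKey rather than for the keyfile.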

#17 2010-03-29 00:11:30

JonnyJD
Member
From: Berlin
Registered: 2007-11-05
Posts: 50

Re: [lvm luks] luks over lvm or lvm over luks ?

theDOC wrote:

One downside of using lvm inside luks is, that there is only one dm-crypt device. dm-crypt doesn't support multicore systems very well (at all?), so the performance when copying from one partition to another is worse compared to creating one crypt device for each partition.

I fixed that with a raid 10 (f2) on top of two luks disks. This way I have two cores decrypting. I have to type the passphrase twice, but this is still less than 7 times (for my 7 lvolumes). This setup is good if you need full speed for single processes (like backups).

If you have parallel IO requests, using raid 1 might perform better for redundancy and you might put luks on TOP of the raid (using a single passphrase).


just for reference:
I have two drives, two partitions each. One is in raid 1 for / (including /boot /bin and stuff) and the other one on each disk is luks encrypted, raid 10 on top of that and lvm on top of that (/usr /var /opt and /home are there).
Note: I had to create/change hooks for raid and crypt, because I assemble one raid, boot stuff, decrypt, assemble another raid.

Offline

#18 2010-03-29 10:41:46

Dieter@be
Forum Fellow
From: Belgium
Registered: 2006-11-05
Posts: 2,000
Website

Re: [lvm luks] luks over lvm or lvm over luks ?

uhm guys.. like i said before: the arch installer supports lvm and dm_crypt.  And both over each other in both ways.
it will automatically fix your fstab, mkinitcpio.conf and grub menu.lst.



Offline

#19 2010-03-29 12:01:20

JonnyJD
Member
From: Berlin
Registered: 2007-11-05
Posts: 50

Re: [lvm luks] luks over lvm or lvm over luks ?

Not in combination with raid on two different levels of the stack (meaning assembling them at two specific times in the boot process). At least it didn't when I created my stack (somewhen last year).

Didn't try it again, though.
Right now I have "... mymdadm mycrypt uresume filesystems" in mkinitcpio.
In mymdadm I extract only the part of mymdadm.conf referring to the boot partitions. It might also work using bare mdadm here, but I don't like errors at boot time about not finding raid arrays (which it can't find, because they are still encrypted)
mycrypt is basically used to decrypt the right partitions and put them in the right places, in order for the upcoming (second) raid to work smoothly.

LVM together with crypt wasn't a problem, yes. Mixing in my multi stage raid was, though.


Well, my setup worked perfectly until I did some major arch updating recently. It still works right now, but I get fail stats in late boot for raid/lvm. Looks like something changed in raid handling.
Not sure if I would do the same setup again though. One simple raid 1, luks on top and lvm afterwards should work "out of the box" in arch. Raid 1 isn't faster than plain disk for a single thread, so using 1 core for crypt should also be enough.
(only with raid 10, f2 you can get single process performance gains in reading)

Offline

#20 2010-03-30 10:54:56

Dieter@be
Forum Fellow
From: Belgium
Registered: 2006-11-05
Posts: 2,000
Website

Re: [lvm luks] luks over lvm or lvm over luks ?

JonnyJD wrote:

Not in combination with raid

true



Offline

#21 2012-07-30 14:51:42

pathanck
Member
Registered: 2012-07-30
Posts: 2

Re: [lvm luks] luks over lvm or lvm over luks ?

Hi. From my experience it works, but not for all partitioning schemes - LVM over LUKS works for: /boot + LVs - /, /home, swap, but it didn't work for: /boot + LV: /, /tmp, /var, /usr, ... , swap (kernel panic). I used Arch with no installer (2012.07.15 - for this version there are installation scripts, but the installer has been removed) ... The documentation, at least the practical side of disk encryption, is very confusing - there should be a step by step guide for at least the basic installations like LVM over LUKS.

Offline

#22 2012-07-30 15:09:20

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,739

Re: [lvm luks] luks over lvm or lvm over luks ?

Hi Pathanck.  Welcome to Arch. 

This is an old thread.  Don't worry about it, we all get caught sometimes :)  I agree there is probably room for improvement in the guide.  I am not familiar with this topic, and I don't know how many people are.   This is a community effort, I suggest that, once you have some confidence in your ability to do so, take a crack at a guide.

I am going to close this thread though :P

Edit: Good Morning Inxsible   VV

Last edited by ewaller (2012-07-30 15:11:03)


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline

#23 2012-07-30 15:10:04

Inxsible
Forum Fellow
From: Chicago
Registered: 2008-06-09
Posts: 9,183

Re: [lvm luks] luks over lvm or lvm over luks ?

pathanck, welcome to the ArchLinux forums. This thread is quite old and irrelevant given the number of changes in the last 2 yrs.

Please do not necrobump threads. here are our forum rules ::  https://wiki.archlinux.org/index.php/Forum_Etiquette

edit :: ewaller, where did you come from ?? ;)  Good morning !


Forum Rules

There's no such thing as a stupid question, but there sure are a lot of inquisitive idiots !

Offline
