System encryption :: Luks on lvm or Lvm on Luks?

whitethorn · 2011-09-19 13:16:31

Hello,

I was reading up about lvm and luks and decided I want to encrypt my system. Until now I have been using truecrypt to encrypt a data partition which get mounted during boot. I recently bought myself a netbook and since then I've been pondering how to make the most use of HD space and keeping it secure should it get stolen.

I have 3 Harddrives in my tower. One of the HDs is my backup drive. The other two are for OSs. What I would like to do is

1) Create an encrypted volume group on HD 1 (has about 650 Gb).
2) Create 2 LVs for /root /home on HD1
3) Rsync /root and /home to the LVs HD2 -> HD1
4) HD2 secure erase
5) create VG on HD2 and add it to VG on HD1

*** My Question ***
While reading up on lvm and luks I came upon this article and I'm not quite sure which one is better suited for my situation. I don't know how easy it is to grow/add to an encrypted vg or lg.

There are two ways of setting up an encrypted disk using LVM:
1. Create the LVM and encrypt every volume separately
2. Set up LVM on top of an encrypted partition

source :: http://www.pindarsign.de/webblog/?p=767

Update : Using badblocks on /dev/sda4 didn't work as intended. It completely wiped /dev/sda. One way of going Windows free.
Luckily enough windows 7 was still able to boot without a partition table (scratches head), so I was able to copy some saved games and the downloads folder.

Last edited by whitethorn (2011-09-19 15:12:12)

parintachin · 2011-09-19 19:54:41

i went with an lvm on a encrypted partition with my netbook (thinpad S10) and am happy with it plus i think it is much more conveniant to just type in one key on booting and i have an encrypted swap that way.
Don't forget that you need an extra /boot partition the rest can be done by the installer of the new release

whitethorn · 2011-09-19 22:12:22

parintachin wrote:

i went with an lvm on a encrypted partition with my netbook (thinpad S10) and am happy with it plus i think it is much more conveniant to just type in one key on booting and i have an encrypted swap that way.
Don't forget that you need an extra /boot partition the rest can be done by the installer of the new release

Would this work with a multiple Disk system? I guess I'll just give it a try and see what happens, if it doesn't work I can always go the distance and follow the luks howto .

Dieter@be · 2011-09-20 10:08:26

AFAIK you cannot resize luks/dm_crypt devices, so you lose a lot of the flexibility if you put luks on top. of lvm.
personally i do full disk encryption with luks/dm_crypt, then lvm on top of that.

btw the arch installer supports both scenarios out of the box.

Last edited by Dieter@be (2011-09-20 10:08:57)

whitethorn · 2011-09-20 22:19:53

Dieter@be wrote:

AFAIK you cannot resize luks/dm_crypt devices, so you lose a lot of the flexibility if you put luks on top. of lvm.
personally i do full disk encryption with luks/dm_crypt, then lvm on top of that.
btw the arch installer supports both scenarios out of the box.

Sounds like what I'm doing right now. I encrypted my first HD then added lvm on top of that. It took a little while to get a seperate boot working and chroot to get all the files setup how I want. At the moment I'm randomizing a 2 Tb harddrive 10 hours 85%. Once it finishes encrypt the drive and add lvm on top. I'm not quite sure if I can grow my /home with the space from the 2nd drive and how to decrypt it during boot

Arch Linux

#1 2011-09-19 13:16:31

System encryption :: Luks on lvm or Lvm on Luks?

#2 2011-09-19 19:54:41

Re: System encryption :: Luks on lvm or Lvm on Luks?

#3 2011-09-19 22:12:22

Re: System encryption :: Luks on lvm or Lvm on Luks?

#4 2011-09-20 10:08:26

Re: System encryption :: Luks on lvm or Lvm on Luks?

#5 2011-09-20 22:19:53

Re: System encryption :: Luks on lvm or Lvm on Luks?

Board footer