
LVM + LV encryption



I have a laptop I'd like to set up like this:
partition 1: MS Windows (already there)
partition 2: / or maybe just /boot
partition 3: LVM group
I want to create different logical volumes out of the LVM group, and
encrypt some of them.

Is this possible?  I ran into trouble trying to do it (see report
#450812), and can't tell clearly if it's supposed to work.

Reasons to think no:

1. The development version of the installation guide at
http://d-i.alioth.debian.org/manual/en.i386/ch06s03.html#di-partition in
section 6.3.2.1 only discusses the case in which you selected encrypted
LVM, apparently applying to the whole volume.  E.g., "When using LVM or
encrypted LVM, the installer will create most partitions inside one big
partition"

2. Although early discussion says "First you will be given the
opportunity to automatically partition either an entire drive, or
available free space on a drive," the later discussion of guided
partitions sounds as if it will wipe out the whole drive: "When using
encrypted LVM, the installer will also automatically erase the disk by
writing random data to it"; "If you choose guided partitioning using LVM
or encrypted LVM, some changes in the partition table will need to be
written to the selected disk while LVM is being set up. These changes
effectively erase all data that is currently on the selected hard disk"

I read this as saying any use of LVM with guided partitioning will wipe
out everything on the disk; I hope that is not what really happens.

3. The discussion of manual partitioning later in 6.3.2.1 has nothing
indicating partial encryption is possible with LVM.

4. Section 6.3.2.4 says "In the Partition settings menu, you need to
select physical volume for encryption at the Use as: option."  In LVM
"physical volume" differs from "logical volume."  I want to encrypt the
latter.  The (development) graphical installer itself used the "physical
volume" terminology.

Reasons to think yes:

1. 6.3.2.4 says "To use encryption, .... Another option is to choose an
existing partition (e.g. a regular partition, an LVM logical volume".
Unfortunately, this sentence is immediately followed by the one quoted
in point 4 above.

2. That would be a sensible way for the world to be.  If encryption is a
layer, it shouldn't care if it's sitting on top of a virtual or physical
partition/disk.  The items cited under "no" might just be sloppy or old
language.

http://www.debian.org/releases/stable/debian-installer/index#errata says
the graphical installer (which is what I used) has limited support for
encrypted volumes.  The development installation manual only mentions a
problem generating random keys, and the development installer I ran did
offer them as an option.  Since random keys only make sense for swap,
and since they disable suspend to disk, I don't want to use them anyway.

Of course, maybe the overhead of encrypting all the LVM volume is minor,
and I should just go ahead and do that.  I assume that if I encrypt
volumes separately I'll need to enter a password for each one each time
I start, which is a pain (but maybe it will try the first response on
later volumes?).  The laptop has an Intel Core 2 Duo T7300, 2GHz.

Thanks for any help you can offer.
Ross Boylan
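Added example, not part of the original post or of the Debian installer: the layering the post hopes for does hold, because dm-crypt/LUKS treats an LVM logical volume like any other block device. The script below shows one way to encrypt a single LV and have it unlocked at boot from a key file rather than a second passphrase. It assumes (hypothetical names) a volume group "vg0", an LV "data", a key file at /etc/keys/data.key, an installed system whose root filesystem already sits on an encrypted LV that the initramfs unlocks with a passphrase, Debian's /etc/crypttab and /etc/fstab formats, and cryptsetup and lvm2 present; the destructive part only runs as root when RUN_SETUP=1 is set.

```shell
#!/bin/sh
# Added example (not from the original post): LUKS on top of one LVM logical
# volume, unlocked at boot from a key file stored on the already-encrypted root
# filesystem, so only the root volume's passphrase is typed.
# Assumptions (hypothetical): VG "vg0", LV "data", key file /etc/keys/data.key,
# Debian crypttab/fstab formats, cryptsetup and lvm2 installed, run as root.
set -eu

# One /etc/crypttab entry: <target> <source device> <key file> <options>.
# A key file of "none" makes cryptsetup prompt for a passphrase instead.
crypttab_line() {
    printf '%s %s %s luks\n' "$1" "$2" "$3"
}

# One /etc/fstab entry for the decrypted mapping; $3 is the fsck pass (default 2).
fstab_line() {
    printf '/dev/mapper/%s %s ext3 defaults 0 %s\n' "$1" "$2" "${3:-2}"
}

# Create the LV, put a LUKS container on it, and wire it into crypttab/fstab.
# Destructive: it formats the LV it creates.
setup_encrypted_lv() {
    vg=vg0
    lvcreate -L 20G -n data "$vg"

    # Random 256-bit key in a root-only file. It lives on the root filesystem
    # because the key must be readable when cryptdisks opens the volume; root
    # itself is protected by the passphrase entered in the initramfs.
    mkdir -p /etc/keys
    dd if=/dev/urandom of=/etc/keys/data.key bs=32 count=1
    chmod 0400 /etc/keys/data.key

    # luksFormat accepts the key file as its second argument; luksOpen takes it
    # via --key-file. The LV path is an ordinary block device to cryptsetup.
    cryptsetup luksFormat "/dev/$vg/data" /etc/keys/data.key
    cryptsetup luksOpen --key-file /etc/keys/data.key "/dev/$vg/data" data_crypt
    mkfs.ext3 /dev/mapper/data_crypt

    mkdir -p /srv/data
    crypttab_line data_crypt "/dev/$vg/data" /etc/keys/data.key >> /etc/crypttab
    fstab_line data_crypt /srv/data >> /etc/fstab
    mount /srv/data
}

# Only run the destructive part when explicitly requested, as root.
if [ "${RUN_SETUP:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    setup_encrypted_lv
fi
```

Each LUKS container keeps its own header and key slots, so volumes can be opened independently; the cost of this layout is that a key file on an unencrypted root would protect nothing, which is why the example assumes root is encrypted too.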
