On Friday 16 November 2007, Ross Boylan wrote: > 1. The development version of the installation guide at > http://d-i.alioth.debian.org/manual/en.i386/ch06s03.html#di-partition in > section 6.3.2.1 only discusses the case in which you selected encrypted > LVM, apparently applying to the whole volume. E.g., "When using LVM or > encrypted LVM, the installer will create most partitions inside one big > partition" That not is after a sentence that starts "If you choose guided partitioning, [...]". You can set up other schemes using manual partitioning. > 2. Although early discussion says "First you will be given the > opportunity to automatically partition either an entire drive, or > available free space on a drive," the later discussion of guided > partitions sounds as if it will wipe out the whole drive: "When using > encrypted LVM, the installer will also automatically erase the disk by > writing random data to it"; "If you choose guided partitioning using LVM > or encrypted LVM, some changes in the partition table will need to be > written to the selected disk while LVM is being set up. These changes > effectively erase all data that is currently on the selected hard disk" > > I read this as saying any use of LVM with guided partitioning will wipe > out everything on the disk; I hope that is not what really happens. If you use unencrypted LVM, the disk will not be physically wiped, but data will still become effectively erased as the old partition table is lost early in the process. If you use guided partitioning to set up encrypted LVM, the data will also be physically wiped. > 3. The discussion of manual partitioning later in 6.3.2.1 has nothing > indicating partial encryption is possible with LVM. 6.3.2.4 has a general description of setting up encrypted volumes and IMO indicates clearly enough that this can be done for any partition and even includes the sentence "Another option is to choose an existing partition (e.g. a regular partition, an LVM logical volume or a RAID volume)." > 4. Section 6.3.2.4 says "In the Partition settings menu, you need to > select physical volume for encryption at the Use as: option." In LVM > "physical volume" differs from "logical volume." I want to encrypt the > latter. The (development) graphical installer itself used the "physical > volume" terminology. I agree that the use of "physical volume" can be somewhat confusing. We'll have to reconsider this. Please file a minor bug report against partman-crypto to suggest that and also mention that the installation guide will need updating after that is changed. One thing to keep in mind is that if you want to set up encrypted partitions manually, it is assumed that you already know how encrypted partitions works and know what the capabilities/limitations are. The installation guide is _not_ intended to offer full documentation on encryption. > http://www.debian.org/releases/stable/debian-installer/index#errata says > the graphical installer (which is what I used) has limited support for > encrypted volumes. The development installation manual only mentions a > problem generating random keys, and the development installer I ran did > offer them as an option. Since random keys only make sense for swap, > and since they disable suspend to disk, I don't want to use them anyway. Note that using unencrypted swap severely weakens the fact that you're using encrypted volumes. It is not advised. > Of course, maybe the overhead of encrypting all the LVM volume is minor, > and I should just go ahead and do that. I assume that if I encrypt > volumes separately I'll need to enter a password for each one each time > I start, which is a pain (but maybe it will try the first response on > later volumes?). I cannot offer you any help with that decision. Cheers, FJP
Attachment:
signature.asc
Description: This is a digitally signed message part.