
Re: Make fully encrypted disk without LVM during install



Hi Jon,

> The system on which you might want to read the disk will need to know
> how to decrypt it.  Do you anticipate hot-plugging it to a running
> machine, or trying to boot from it?

In this situation I will have a disk which is used to boot one machine, but 
does contain data that will be needed on another machine. That machine will 
definitely not use this disk to boot from, but just as a data disk.

I know I could move the data around as an encrypted archive, but my customer 
wants a solution where the data is only stored on one disk. And yes, they are 
aware of the potential risks that brings with it. Still, that's how they want 
it.

> The convenience-partitioning-scheme offered by d-i which uses LVM and
> encryption also creates a non-encrypted, non-LVM /boot partition, within
> which the kernel and initramfs are stored. These are set up to
> understand how to interpret both the encryption and LVM.  I'm having
> trouble seeing why LVM would be much more pain than encryption already
> brings you, from a portable POV. (I suppose it's one fewer command to
> type!)

Ever tried to put a fully encrypted disk with LVM in another machine, without 
booting from it? If you boot from it there's almost no hassle at all. I know 
it is possible to mount such a disk. I've used the scenario described at 
http://canonical.org/~kragen/crypted-disk.html often enough. However, for this 
situation I need something a bit more user-friendly. Preferably a scenario where 
my customer only needs to enter his password when mounting. That's why I 
thought of leaving LVM out of the picture altogether. In this situation it has 
no purpose at all, so why use it then?

Thanks for trying to help.

Grx HdV

