Using an encrypted LVM for linux
I first posted on the use of an encrypted LVM almost one year ago, in a post at my other blog. There, I suggested that it was reasonably easy to set up. And it was in my first test using an older machine. I have since switched to using an encrypted LVM on a newer laptop and on my desktop. And it turned out to be harder than I had anticipated.
In this post, I’ll discuss the difficulties that I had, and how I managed to get around them. But first a little background.
Why use an encrypted LVM?
There are two things that I liked about the encrypted LVM system.
- Everything is encrypted. Well, almost everything. A separate small unencrypted “/boot” partition is needed. The kernel is loaded from there, and the crypto setup is done there. With almost everything encrypted, there is no concern about leakage of sensitive information. Everything I do that goes to disk will go to encrypted space. The only exception is the system kernel and a few modules and configuration used in startup. What I do in my normal usage of the system is unlikely to ever end up in the “/boot” partition, so it is not a worry that “/boot” is unencrypted.
- Almost all of the linux install is within a single partition (the partition assigned to the LVM). This still allows me to have separate file systems for “/” and “/home” and separate swap. But those all live within the same LVM, resulting in a simpler disk organization.
My first LVM install
As mentioned above, my first install using an encrypted LVM seemed to be reasonably easy. The computer was an older (2004 vintage) laptop, with a 60G hard drive. I was using around 21G of that for Windows XP, with a 100M primary partition for linux “/boot”, and linux partitions for “/”, “/home” and swap consumed the rest of the disk space.
When I indicated to the installer (this was with opensuse 11.4) that I wanted to go with an encrypted LVM, the installer wanted to delete the partitions I had used for “/”, for “/home” and for swap, and replace them with an LVM. This seemed reasonable enough, so I went with it. The install went smoothly. The system ran well under an encrypted LVM.
I later switched to opensuse 12.1 using the same LVM, but with a clean install (reformatting the root file system, but retaining the “/home”). That also went well. That computer is now running 12.2 Milestone 3, also with the same LVM and also with a clean install but preserving “/home”.
My second LVM install
Armed with my experience from the first such install, I planned to move my newer laptop to an LVM. The laptop itself has a 500G hard drive, with around 100G for Windows 7. I had 11.4 installed there with encrypted “/home” and encrypted swap, and I also had the 12.1 Beta release installed in a separate partition.
My plan had been to delete all of the linux partitions, use the 100M OEM partition (from Dell) as “/boot”, retain the Windows 7 partitions, and install 12.1 in a single LVM partition of around 110G.
I booted the 12.1 install disk (the DVD image on a USB). The installer was not cooperative. It wanted to create an LVM in the unused part of the disk, and leave everything else where it was. I could not coax it to do things the way I wanted.
I rebooted to a Magic Gparted cd, deleted the old partition, created the new partitions as I wanted them, including a 110G partition which I set with partition type code 8e, intending that to be used for the LVM. And I changed the type code of the OEM partition to 83, and reformatted that to ext2, ready for use with linux.
I again booted from the 12.1 install disk. The installer was still uncooperative. It still wanted to create a new LVM in an unassigned part of the disk. Back to the old drawing board.
I could probably have managed to do what I wanted by booting the install disk to rescue mode, then creating the LVM manually from the command line. This would have used “cryptsetup” to make it a LUKS encrypted partition, followed by “vgcreate” to create the LVM inside the encrypted space. However, I decided to try another method that worked pretty well.
I booted to the live KDE system. I’m not sure if I used the live KDE system for 12.1 or for 11.4, but it should not have mattered. Once I was up and running on the live KDE system, I got into Yast, and selected the disk partitioner option. That allowed me to set up the LVM as I wanted. With a graphic interface, I was able to select the 110G partition that I had previously created, and set it up for an encrypted LVM. I gave the LVM the name “Main”. Then, in further graphic screens, I could create file systems within that LVM. I named those “root”, “home” and “swap”.
With the encrypted LVM already created, I now booted from the 12.1 installer. The installer listed the LVM partition as an encrypted partition, and asked for the encryption key (with an option to not use that partition). I provided the key.
Continuing with the install, on the partitioning section I went with “create partitions”. The installer screen there listed the existing partitions, and it listed the existing file systems within the encrypted LVM. So all I had to do was tell it to assign the existing 100M partition to “/boot”, the root volume in the LVM to “/”, the home volume to “/home” and the swap volume to swap.
From there, the install went smoothly. I later restored the content of “/home” from a backup I had made prior to the install, thus getting my old files back. I have been quite happy with that setup. I later installed 12.1 in an encrypted LVM on my desktop, using the same procedure.
Access from a rescue disk
If you ever need to fix something in your linux install, you will need to access it while booting from a rescue disk or from the magic parted CD or similar. Here is what I do in that situation:
    cryptsetup luksOpen /dev/sda6 Main       ## make accessible
    vgscan                                   ## scan for volume groups
    vgchange -a y                            ## make the volume groups accessible
    ls /dev/mapper                           ## see what virtual file systems are available
    mount /dev/mapper/Main-root /mnt         ## mount the root system
    mount /dev/mapper/Main-home /mnt/home    ## mount the home partition
    mount /dev/sda1 /mnt/boot                ## mount the boot partition
Your device names will probably be different from the sda6 and sda1 that I used, but the same approach should work. And now my encrypted system is mounted under “/mnt” where I can do repairs or make backups as needed.
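The rescue sequence above, wrapped in a script together with the matching teardown (unmount, deactivate the volume group, close the LUKS mapping) so the disk is left locked again before rebooting. This is an added example, not part of the original post; the function names, the DRY_RUN switch and the variable names are assumptions, and the device names and the “Main” volume group are the ones used in the post.

```shell
#!/bin/sh
# Added example: mount and cleanly release the encrypted LVM from a rescue system.
# Assumed layout, taken from the post: LUKS partition /dev/sda6, /boot on /dev/sda1,
# volume group "Main" holding logical volumes "root" and "home".
LUKS_DEV=${LUKS_DEV:-/dev/sda6}
BOOT_DEV=${BOOT_DEV:-/dev/sda1}
MAP_NAME=${MAP_NAME:-Main}   # name given to luksOpen
VG=${VG:-Main}
MNT=${MNT:-/mnt}
DRY_RUN=${DRY_RUN:-1}        # 1 = print the commands only, 0 = execute (as root)

# device-mapper joins VG and LV names with "-" and doubles any "-" inside either.
mapper_path() {
    printf '/dev/mapper/%s-%s\n' \
        "$(printf '%s' "$1" | sed 's/-/--/g')" \
        "$(printf '%s' "$2" | sed 's/-/--/g')"
}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

rescue_mount() {
    if [ "$DRY_RUN" != 1 ] && ! cryptsetup isLuks "$LUKS_DEV"; then
        echo "$LUKS_DEV does not carry a LUKS header" >&2
        return 1
    fi
    run cryptsetup luksOpen "$LUKS_DEV" "$MAP_NAME" &&
    run vgscan &&
    run vgchange -a y "$VG" &&
    run mount "$(mapper_path "$VG" root)" "$MNT" &&
    run mount "$(mapper_path "$VG" home)" "$MNT/home" &&
    run mount "$BOOT_DEV" "$MNT/boot"
}

# Release in reverse order: file systems, then the volume group, then the LUKS mapping.
rescue_umount() {
    run umount "$MNT/boot" &&
    run umount "$MNT/home" &&
    run umount "$MNT" &&
    run vgchange -a n "$VG" &&
    run cryptsetup luksClose "$MAP_NAME"
}

case "${1:-}" in
    mount)  rescue_mount ;;
    umount) rescue_umount ;;
esac
```

With the default DRY_RUN=1 the script only prints the commands for review; run it as root with DRY_RUN=0 and the argument mount or umount to execute them.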