Posted: Thu Jan 08, 2004 2:34 pm Post subject: lvm2 + encrypted storage howto
*** created quickly from my notes, probably not that readable. I'll clean it up a bit later if I remember, just didn't want someone else to do the same stuff again. ***
Note that I use kernel 2.6 and util-linux 2.12-r4; for different versions of util-linux the syntax has changed a little.
Created startscript and stopscript:
until [ "$PASS1" = "$PASS2" -a -n "$PASS1" ]; do
    # the bash read builtin has to support the -s option.
    # Don't use read without -s!!
    read -s -p "Enter Passphrase: " PASS1; echo
    read -s -p "Re-enter Passphrase: " PASS2; echo
done
echo "$PASS1" | hashalot sha512 | losetup -p 0 -e aes-256 /dev/loop/0 /mnt/enc/home
echo "$PASS1" | hashalot sha512 | losetup -p 0 -e aes-256 /dev/loop/1 /mnt/enc/lvm1
echo "$PASS1" | hashalot sha512 | losetup -p 0 -e aes-256 /dev/loop/2 /mnt/enc/lvm2
echo "$PASS1" | hashalot sha512 | losetup -p 0 -e aes-256 /dev/loop/3 /mnt/enc/lvm3
*note that I've used /mnt/enc/lvm1-3 here, and home. lvm1-3 I'm gonna change to /dev/hdb1 /dev/hdc1 and /dev/hdd1*
losetup -d /dev/loop/0
losetup -d /dev/loop/1
losetup -d /dev/loop/2
losetup -d /dev/loop/3
#Setup the pvcreate's on my encrypted loopback devices
Create main vg:
#vgcreate vgmain /dev/loop/1 /dev/loop/2
Dunno if this is needed, but it's in my notes so it stays :p
#vgchange -ay vgmain
Check how many free PE's we have with vgdisplay, I had 4 on my test, so I used all of it.
#lvcreate -l 4 vgmain -n storagelv
Just for the heck of it I used only 1 and 2 and then extended it.
#vgextend vgmain /dev/loop/3
Check http://tldp.org/HOWTO/LVM-HOWTO/x592.html for more info on how to resize when you have a filesystem on the volume you are resizing
Again I used vgdisplay to check free pe's, I had two
#lvextend -l+2 /dev/vgmain/storagelv
Formatted it with mkfs, gonna use reiserfs later but it won't fit on my 10mb test volumes
Then it's up, you still have to change the startup and shutdown scripts, so it'll mount properly on boot.
on top I added:
and in /etc/init.d/halt.sh
This you have to change after the "vgchange -a n"
# Sometimes this fails; I think umount tries to losetup -d and it fails without error, so this scans over the remaining ones and removes them too
What I'd still like to do before I move my main drives over:
Change the startscript/checkfs, so it only launches vgscan if losetup was successful.
- then I can mount the main system with no password, login, and mount my encrypted lvm2.
do some performance testing
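One way to do the first to-do item above (run vgscan only if losetup succeeded), as an added example that is not part of the original post. The function names and the overridable LOSETUP, HASHALOT, VGSCAN, VGCHANGE and PAIRS variables are assumptions made for illustration; the device paths, losetup options and the vgmain name are the ones from the post's test setup.

```shell
#!/bin/sh
# Added example (not from the original post): attach all encrypted loop
# devices first and activate LVM only if every losetup call succeeded.
# The command variables are hypothetical hooks so the logic can be run
# against stubs; PAIRS lists the post's test devices as loopdev:backing.
LOSETUP=${LOSETUP:-losetup}
HASHALOT=${HASHALOT:-hashalot}
VGSCAN=${VGSCAN:-vgscan}
VGCHANGE=${VGCHANGE:-vgchange}
PAIRS=${PAIRS:-"/dev/loop/1:/mnt/enc/lvm1 /dev/loop/2:/mnt/enc/lvm2 /dev/loop/3:/mnt/enc/lvm3"}

# attach_all PASSPHRASE
# Returns 0 if every loop device was set up. On the first failure it
# detaches the devices attached so far and returns 1, so no half-built
# set of physical volumes is left behind for vgscan to pick up.
attach_all() {
    attached=""
    for pair in $PAIRS; do
        loopdev=${pair%%:*}
        backing=${pair#*:}
        # printf is a builtin in bash, so the passphrase is not exposed
        # in the process list. The pipeline status is that of losetup.
        if printf '%s\n' "$1" | "$HASHALOT" sha512 |
                "$LOSETUP" -p 0 -e aes-256 "$loopdev" "$backing"; then
            attached="$loopdev $attached"
        else
            echo "losetup failed for $loopdev, rolling back" >&2
            for dev in $attached; do
                "$LOSETUP" -d "$dev"
            done
            return 1
        fi
    done
}

# start_encrypted_lvm PASSPHRASE
# Runs vgscan and activates vgmain only after attach_all succeeded.
start_encrypted_lvm() {
    attach_all "$1" || return 1
    "$VGSCAN" && "$VGCHANGE" -ay vgmain
}
```

Call `start_encrypted_lvm "$PASS1"` after the passphrase prompt. A zero exit from losetup does not mean the passphrase was right: cryptoloop does no key check, so a wrong passphrase only shows up when vgchange cannot find vgmain.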