Worked on this with G. the other day.
Create the underlying logical volume:
lvcreate -n datalv_crypted -L 1G vg00
Initialize a LUKS crypto device on the logical volume:
cryptsetup luksFormat /dev/vg00/datalv_crypted
If you have lost your mind and want to keep the passphrase in a file (which is what G.’s weirdo client had asked for):
dd if=/dev/urandom of=/etc/i_am_dumb count=256
cryptsetup luksFormat /dev/vg00/datalv_crypted /etc/i_am_dumb
Bring up the crypto device from the encrypted logical volume:
cryptsetup luksOpen /dev/vg00/datalv_crypted data # optionally -d /etc/i_am_dumb
Create a file system on the crypto device, /dev/mapper/data, which has now sprung to life:
Enter the crypto device in /etc/fstab:
/dev/mapper/data /data ext3 defaults 0 0
Don’t forget to create the mount point:
Enter the encrypted logical volume in /etc/crypttab. Substitute “none” with /etc/i_am_dumb if you are keeping the passphrase on the system.
data /dev/vg00/datalv_crypted none luks
Reboot. You will be prompted for the passphrase on bootup, unless you’re keeping it in a file. The new file system will be mounted on /data.
The usual process for resizing file systems now has to be extended by an additional step:
lvresize -L +1G /dev/vg00/datalv_crypted
cryptsetup resize /dev/mapper/data
That’s all there is to it. In another installment, I will hopefully write about encrypted physical volumes, allowing live migration of an entire volume group to encrypted storage during full operation.
With the technical details out of the way, some additional words about keeping the passphrase on-disk:
If you work for someone who wants this, he’s not neccessarily an idiot, but maybe just a bit naive. It is your duty as the expert to explain why keeping the passphrase in-band with the encrypted data is nothing more than just a waste of CPU cycles. Seriously. This, G., means you.