Worked on this with G. the other day.
Create the underlying logical volume:
lvcreate -n datalv_crypted -L 1G vg00
Initialize a LUKS crypto device on the logical volume:
cryptsetup luksFormat /dev/vg00/datalv_crypted
If you have lost your mind and want to keep the passphrase in a file (which is what G.’s weirdo client had asked for):
dd if=/dev/urandom of=/etc/i_am_dumb count=256
cryptsetup luksFormat /dev/vg00/datalv_crypted /etc/i_am_dumb
Bring up the crypto device from the encrypted logical volume:
cryptsetup luksOpen /dev/vg00/datalv_crypted data # optionally -d /etc/i_am_dumb
Create a file system on the crypto device, /dev/mapper/data, which has now sprung to life:
mkfs.ext3 /dev/mapper/data
Enter the crypto device in /etc/fstab:
/dev/mapper/data /data ext3 defaults 0 0
Don’t forget to create the mount point:
mkdir /data
Enter the encrypted logical volume in /etc/crypttab. Substitute “none” with /etc/i_am_dumb if you are keeping the passphrase on the system.
data /dev/vg00/datalv_crypted none luks
Reboot. You will be prompted for the passphrase on bootup, unless you’re keeping it in a file. The new file system will be mounted on /data.
The usual process for resizing file systems now has to be extended by an additional step:
lvresize -L +1G /dev/vg00/datalv_crypted
cryptsetup resize /dev/mapper/data
resize2fs /dev/mapper/data
That’s all there is to it. In another installment, I will hopefully write about encrypted physical volumes, allowing live migration of an entire volume group to encrypted storage during full operation. 🙂
With the technical details out of the way, some additional words about keeping the passphrase on-disk:
If you work for someone who wants this, he’s not necessarily an idiot, but maybe just a bit naive. It is your duty as the expert to explain why keeping the passphrase in-band with the encrypted data is nothing more than a waste of CPU cycles. Seriously. This, G., means you. 😉
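A small consistency check for the crypttab/fstab pairing set up above and for the on-disk keyfile case. This is example code written for this post, not something from the original; the function name and its file-path parameters are my own, while the mapper name, volume path and mount point are the ones used in the recipe. It verifies that every /dev/mapper device mounted from fstab has a crypttab entry of the same name, and that any keyfile named in crypttab exists, is non-empty and is readable by its owner only.

```shell
#!/bin/sh
# check_crypt_config CRYPTTAB FSTAB  -> returns 0 if consistent, 1 otherwise.
# Added example (not from the original post). The file paths are parameters so
# the check can be run against constructed sample files instead of /etc.
check_crypt_config() {
    crypttab=$1; fstab=$2; rc=0

    # 1. Every /dev/mapper/NAME mounted from fstab needs a crypttab line NAME.
    for dev in $(awk '$1 ~ /^\/dev\/mapper\// { print $1 }' "$fstab"); do
        name=${dev#/dev/mapper/}
        if ! awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$crypttab"; then
            echo "fstab mounts $dev but $crypttab has no entry named $name" >&2
            rc=1
        fi
    done

    # 2. A keyfile kept on the system (the /etc/i_am_dumb case) must exist,
    #    be non-empty and carry no group/other permission bits at all.
    for keyfile in $(awk '!/^#/ && NF >= 3 && $3 != "none" { print $3 }' "$crypttab"); do
        if [ ! -s "$keyfile" ]; then
            echo "crypttab keyfile $keyfile is missing or empty" >&2
            rc=1
            continue
        fi
        perms=$(ls -ld "$keyfile" | cut -c5-10)   # group and other rwx bits
        if [ "$perms" != "------" ]; then
            echo "crypttab keyfile $keyfile is readable by others (g/o bits: $perms)" >&2
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed sample files mirroring the entries from the post above.
demo_dir=$(mktemp -d)
printf 'data /dev/vg00/datalv_crypted none luks\n' > "$demo_dir/crypttab"
printf '/dev/mapper/data /data ext3 defaults 0 0\n' > "$demo_dir/fstab"
check_crypt_config "$demo_dir/crypttab" "$demo_dir/fstab" && echo "sample config: consistent"
rm -rf "$demo_dir"
```

Point it at the real /etc/crypttab and /etc/fstab after editing them and before the reboot; a keyfile that the dd command left world-readable shows up here rather than in the next audit.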
In this case, $CUSTOMER only asked for encryption. He never asked for security. Now, this is what he gets 😉 BTW: keeping the PW in /path/to/file ensures a fast reboot.
Comment by G. — January 19, 2009 @ 10:27 am
[…] under: Security, UNIX & Linux — Tags: encryption, luks, lvm — martin @ 11:48 pm In an earlier article, I had promised live migration of LVM data to encrypted storage. I was able to acquire an external […]
Pingback by Re-Layering LVM encryption « #!/bin/blog — February 14, 2009 @ 11:48 pm