Am Wed, Sep 14, 2022 at 08:55:26AM -0500 schrieb Dale: > I see the point but wasn't aware there was more than one way to do it > with cryptsetup. It seems there is several options for this. I was > pretty sure LVM was on bottom and mentioned it in my original post.
Indeed you did and it confused me at first. Then I gave it some thought and concluded: why not? You do it like so: Block device --, Block device --+-- LVM --- LUKS --- File system Block device --' > After reading your post, I got to wondering, did I do this the right > way? Your advantage: only one LUKS header to take care of. That means no extra crypt management when adding or removing disks, except for resizing the crypt volume. And there is only a single place of storage for your keys (in case you ever need to change them). I’m not sure whether it’s the right™ way. It is *one* way. Perhaps there are drawbacks that I can’t think of right now. I would typically have done: Block device --- LUKS --, Block device --- LUKS --+-- LVM --- File system Block device --- LUKS --' That’s how my NAS works at the moment (with ZFS instead of LVM + filesystem). But that’s because ZFS didn’t have built-in encryption when I set it up some years ago. These days I would do: Block device --, Block device --+-- ZFS Block device --' That’s it. :D Encryption, disk arrays and file system all in one shop. > So, I started looking to see how to tell for sure. I used several > LVM type commands but didn't see anything that I recognized anyway. > Keep in mind, I'm not real sure what I'm looking for either. Then I ran > lsblk -f and found a clue that I've never noticed before. > > > sdd > > > └─sdd1 LVM2_member LVM2 001 > pVnP2i-sj48-3co9-nJpa-9tQr-08pa-9JqASR > └─crypt-crypt crypto_LUKS 2 > 6e884aae-9377-49ef-a602-e13cba89a377 > └─crypt ext4 1.0 crypt > 76653316-329f-4747-8fed-fc9b1723bd14 3.5T 79% > /home/dale/Desktop/Crypt > > > I know that is going to be line wrapped and mess up things You could have redacted the long UUIDs which aren’t relavant anyways. I write my mail in mutt and vim, thus I can rewrap paragraphs individually and at will. That way I can paint ASCII art, paste over-long console output or write one-line paragraphs like this one. ;-) > but the part I noticed was the drive partition "sdd1" and "LVM2 member". > On top of that is crypto. So, LVM is on bottom. If that is the case, my > pvmove command should be moving what I think you call "raw data", doesn't > matter if it is encrypted or not, right? Yup. This kind of layering is one of the big beauty of Linux for me. It’s all interchangable and layer X doesn’t care what layer X+1 is doing and vice versa. > Just in case it matters, could I have done everything but the file system > resize while it was closed? It seems it is basically encrypted on the > layer just below the file system to me. I think so, yes. PS.: All your LVM threads made me embrace LVM on my PC when I recently switched it from SATA to NVMe. And because after many years of ignorance, I finally had an actual use case: my laptop’s root partition became too small and I had to give it some space from the data partition. In my early Gentoo years I didn’t use an initrd and didn’t want to, so LVM was never an option. But when I set up the (then brand-new) laptop, I used Sakaki’s howto for full-disk encryption, which used an initrd + LVM anyways. This saved the SSD from a full reformat and rewrite. -- Grüße | Greetings | Salut | Qapla’ Please do not share anything from, with or about me on any social network. The longer it rains, the better the prospect of nicer weather.
signature.asc
Description: PGP signature
