On Mon, Jul 18, 2011 at 10:22 PM, Bruno Wolff III <br...@wolff.to> wrote:
> On Mon, Jul 18, 2011 at 22:20:15 +1000,
>  yudi v <yudi....@gmail.com> wrote:
> > On Mon, Jul 18, 2011 at 9:46 PM, Bruno Wolff III <br...@wolff.to> wrote:
> >
> > > On Mon, Jul 18, 2011 at 21:51:01 +1000,
> > >  yudi v <yudi....@gmail.com> wrote:
> > > >
> > > > fine without any issues and I only have to enter the pass phrase
> > > > once. Now I would like to change this setup with the LVM layer
> > > > below the LUKS layer. That way I do not have to worry about
> > > > decrypting 500Gb at every boot.
> > >
> > > This won't affect that unless you are only going to encrypt some of the
> > > LVs (e.g. just /home).
> >
> > Yes I might only encrypt some of the LV's, I am not sure right now. One of
> > the main reasons for having the encryption layer on top of the LVM layer is
> > to leave the LV's unmounted and encrypted until I need them. This cannot be
> > achieved if the whole PV is encrypted. I will only decrypt /, /home, and
> > swap at boot time and then will decrypt other LVs when I need them.
>
> Do you realize that the devices aren't actually decrypted as a whole?
> Individual blocks are decrypted as needed.

I did not know that, I was under the impression once the encryption
container is open all the data in that container is decrypted.

> > I could not infer what you meant by "this won't affect that .."
>
> Whether the encryption is on top or under the LV devices, will have little
> effect on how much is decrypted during boot. The blocks that are needed
> for booting will get decrypted as needed and those that aren't, won't.
> All you save decrypting is some of the LVM metadata which won't be
> decrypted in the case where only the LV contents are encrypted.
>
> It might be a significant savings if you are doing snapshots or the like
> when LVM is manipulating the data opaquely. The encrypted data can be
> copied around without having to decrypt it.

I guess you mean LV's can be moved around not the data per se.

> > > > I would like to know if there is a way to decrypt all the encrypted
> > > > LVs with one pass phrase.
> > >
> > > If you use the same passphrase for the different encrypted devices you
> > > will only need to enter it once (well, twice for now because of a bug
> > > with handing off the passphrase to plymouth).
> >
> > Cool, I did not know this. Thank you.
>
> If you delay using the encrypted devices until after boot then you
> will need to enter a passphrase when you open them.

I prefer to have the data locked up until I need it. I am certain I will
not encrypt all my data, only the stuff that matters. I will have a lot of
unassigned space in the VG. I can either increase the size of the
containers or create new containers if need be.

I was playing with Debian and tried this method with even the /boot in the
LVM as GRUB2 can handle booting straight from the LVM but it fails when I
try to have encryption on top of the LVM. Without encryption it works just
fine.

--
Kind regards,
Yudi
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
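
Added example, not part of the original message or of any project's code: a small Python model of the point made in the thread that opening an encrypted container decrypts nothing by itself, and that only the sectors actually read get decrypted. The HMAC-SHA256 keystream is a stand-in for dm-crypt's real cipher, and the key, volume size and the `MappedDevice` name are constructed for illustration.

```python
import hashlib
import hmac

SECTOR = 512  # dm-crypt's default sector size in bytes

def crypt_sector(key, sector_no, data):
    """Encrypt or decrypt one sector (XOR keystream, so both are the same).
    Stand-in cipher, NOT what dm-crypt uses: HMAC-SHA256 in counter mode,
    bound to the sector number so every sector is handled independently."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = sector_no.to_bytes(8, "little") + counter.to_bytes(4, "little")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class MappedDevice:
    """Hypothetical model of an opened mapping: holds the key, decrypts on read."""
    def __init__(self, ciphertext, key):
        self.ciphertext = ciphertext
        self.key = key
        self.decrypted_sectors = set()  # every sector that was ever decrypted

    def read(self, offset, length):
        first = offset // SECTOR
        last = (offset + length - 1) // SECTOR
        plain = b""
        for n in range(first, last + 1):
            sector = self.ciphertext[n * SECTOR:(n + 1) * SECTOR]
            plain += crypt_sector(self.key, n, sector)
            self.decrypted_sectors.add(n)
        start = offset - first * SECTOR
        return plain[start:start + length]

def demo():
    key = hashlib.sha256(b"constructed passphrase").digest()  # constructed key
    count = 2048  # constructed 1 MiB "volume"
    plaintext = b"".join(n.to_bytes(4, "little") * (SECTOR // 4) for n in range(count))
    ciphertext = b"".join(
        crypt_sector(key, n, plaintext[n * SECTOR:(n + 1) * SECTOR]) for n in range(count))
    dev = MappedDevice(ciphertext, key)  # "opening" the container
    touched_on_open = len(dev.decrypted_sectors)
    data = dev.read(1000 * SECTOR + 100, 600)  # read crosses a sector boundary
    ok = data == plaintext[1000 * SECTOR + 100:1000 * SECTOR + 700]
    return touched_on_open, sorted(dev.decrypted_sectors), ok
```

`demo()` reports zero sectors decrypted at open time and only sectors 1000 and 1001 after a 600-byte read, regardless of the volume's size.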