Best practice for large encrypted volume

Having many encrypted disks in a Logical Volume Manager (LVM) or vice versa many disks which are encrypted later by Linux Unified Key Setup (LUKS)?

The first variant is LVM-over-LUKS, where many disks or partitions are encrypted independently and can be combined into a large volume. The disadvantage is that all disks have to be opened with a separate password, but after that the volume can be extended in a simple way. The encryption is transparent for the volume.

The other variant is LUKS-over-LVM, where many disks are in a large volume group and the logical volume is encrypted. The disadvantage is that changing the size of a volume also means a handling of the encryption, but you just have a single password for encryption.

If you want the full features of creating volumes and snapshots with LVM than use it over LUKS encrypted devices. The following guide will explain the steps of the first variant LVM-over-LUKS.

1. Prepare system

Install the required software packages

apt install lvm2 cryptsetup

And activate the Kernel module for encryption

modprobe dm-crypt

2. Create a partition on the disks

Inside the VM list all block devices with the lsblk command to find the device names of the disk to works with. In this example it will be sdb, sdc, sdd and sde.

root@vm201:~# lsblk
sda 8:0 0 16G 0 disk
├─sda1 8:1 0 15G 0 part /
├─sda2 8:2 0 1K 0 part
└─sda5 8:5 0 1022M 0 part [SWAP]
sdb 8:16 0 3,7T 0 disk
sdc 8:32 0 3,7T 0 disk
sdd 8:48 0 3,7T 0 disk
sde 8:64 0 3,7T 0 disk
sr0 11:0 1 335M 0 rom

For each disk a new primary partition on the 1st place will be created with the full size of the device and written to the disk. Just type “n”, “p”, “1”, and a couple of times enter for the defaults and finally “w” in fdisk.

fdisk /dev/sdb
fdisk /dev/sdc
fdisk /dev/sdd
fdisk /dev/sde

3. Encrypt the partitions with LUKS

Each of the newly created first partition have to be encrypted separately. Please choose a secure passphrase.

cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sdb1
cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sdc1
cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sdd1
cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sde1

Afterwards the encrypted partitions has to be opened for the next steps. You will be prompted for the passphrase each time.

cryptsetup luksOpen /dev/sdb1 sdb1_crypt
cryptsetup luksOpen /dev/sdc1 sdc1_crypt
cryptsetup luksOpen /dev/sdd1 sdd1_crypt
cryptsetup luksOpen /dev/sde1 sde1_crypt

Optional: Have a look on the status of the an encrypted partition and show its place in the device mapper.

cryptsetup status sdb1_crypt
ls /dev/mapper/

4. Create volumes with LVM

With Logical Volume Manager (LVM) we have a transparent way to use physical volumes (PV) inside a volume group (VG) to have one or more logical volumes (LV) inside.

Activate the encrypted partitions as a PV in LVM

pvcreate /dev/mapper/sdb1_crypt /dev/mapper/sdc1_crypt /dev/mapper/sdd1_crypt /dev/mapper/sde1_crypt

Create a new VG “vgpool” in LVM

vgcreate vgpool /dev/mapper/sdb1_crypt /dev/mapper/sdc1_crypt /dev/mapper/sdd1_crypt /dev/mapper/sde1_crypt

Create a LV with the name “lvbackup” and the size of 12TB. Its good to have some free space in the pool for additional volumes or snapshots.

lvcreate -n lvbackup -L 12TB vgpool

Optional: Show the result


5. Format and mount the volume

The volume will be formated with ext4 and mounted to a new folder

mkfs.ext4 /dev/mapper/vgpool-lvbackup
mkdir /mnt/backup
mount /dev/mapper/vgpool-lvbackup /mnt/backup

6. Prepare reboot

Adjust /etc/crypttab so that the disks can easily encrypted, but without prompting for a password at boot time

sdb1_crypt /dev/sdb1 none luks,noauto
sdc1_crypt /dev/sdc1 none luks,noauto
sdd1_crypt /dev/sdd1 none luks,noauto
sde1_crypt /dev/sde1 none luks,noauto

Adjust /etc/fstab so that the disks can easily mounted, but not automatically at reboot

/dev/mapper/vgpool-lvbackup /mnt/backup ext4 defaults,noauto 0 2

Now you can reboot the system

7. Congratulations

After each reboot the disks have to be opened and mounted manually

cryptdisks_start sdb1_crypt sdc1_crypt sdd1_crypt sde1_crypt
mount /mnt/backup

Author: admirableadmin

Hello World! Ich bin Andreas Peichert und entwickle und programmiere Software seit 2000. Zurzeit arbeite ich nicht als Senior System Engineer & Consultant und mache ein Sabbatical.

Leave a Reply

Your email address will not be published. Required fields are marked *