Having many encrypted disks in a Logical Volume Manager (LVM) or vice versa many disks which are encrypted later by Linux Unified Key Setup (LUKS)?
The first variant is LVM-over-LUKS, where many disks or partitions are encrypted independently and can be combined into a large volume. The disadvantage is that all disks have to be opened with a separate password, but after that the volume can be extended in a simple way. The encryption is transparent for the volume.
The other variant is LUKS-over-LVM, where many disks are in a large volume group and the logical volume is encrypted. The disadvantage is that changing the size of a volume also means a handling of the encryption, but you just have a single password for encryption.
If you want the full features of creating volumes and snapshots with LVM than use it over LUKS encrypted devices. The following guide will explain the steps of the first variant LVM-over-LUKS.
1. Prepare system
Install the required software packages
apt install lvm2 cryptsetup
And activate the Kernel module for encryption
2. Create a partition on the disks
Inside the VM list all block devices with the lsblk command to find the device names of the disk to works with. In this example it will be sdb, sdc, sdd and sde.
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 16G 0 disk
├─sda1 8:1 0 15G 0 part /
├─sda2 8:2 0 1K 0 part
└─sda5 8:5 0 1022M 0 part [SWAP]
sdb 8:16 0 3,7T 0 disk
sdc 8:32 0 3,7T 0 disk
sdd 8:48 0 3,7T 0 disk
sde 8:64 0 3,7T 0 disk
sr0 11:0 1 335M 0 rom
For each disk a new primary partition on the 1st place will be created with the full size of the device and written to the disk. Just type “n”, “p”, “1”, and a couple of times enter for the defaults and finally “w” in fdisk.
3. Encrypt the partitions with LUKS
Each of the newly created first partition have to be encrypted separately. Please choose a secure passphrase.
cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sdb1
cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sdc1
cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sdd1
cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sde1
Afterwards the encrypted partitions has to be opened for the next steps. You will be prompted for the passphrase each time.
cryptsetup luksOpen /dev/sdb1 sdb1_crypt
cryptsetup luksOpen /dev/sdc1 sdc1_crypt
cryptsetup luksOpen /dev/sdd1 sdd1_crypt
cryptsetup luksOpen /dev/sde1 sde1_crypt
Optional: Have a look on the status of the an encrypted partition and show its place in the device mapper.
cryptsetup status sdb1_crypt
4. Create volumes with LVM
With Logical Volume Manager (LVM) we have a transparent way to use physical volumes (PV) inside a volume group (VG) to have one or more logical volumes (LV) inside.
Activate the encrypted partitions as a PV in LVM
pvcreate /dev/mapper/sdb1_crypt /dev/mapper/sdc1_crypt /dev/mapper/sdd1_crypt /dev/mapper/sde1_crypt
Create a new VG “vgpool” in LVM
vgcreate vgpool /dev/mapper/sdb1_crypt /dev/mapper/sdc1_crypt /dev/mapper/sdd1_crypt /dev/mapper/sde1_crypt
Create a LV with the name “lvbackup” and the size of 12TB. Its good to have some free space in the pool for additional volumes or snapshots.
lvcreate -n lvbackup -L 12TB vgpool
Optional: Show the result
5. Format and mount the volume
The volume will be formated with ext4 and mounted to a new folder
mount /dev/mapper/vgpool-lvbackup /mnt/backup
6. Prepare reboot
Adjust /etc/crypttab so that the disks can easily encrypted, but without prompting for a password at boot time
sdb1_crypt /dev/sdb1 none luks,noauto
sdc1_crypt /dev/sdc1 none luks,noauto
sdd1_crypt /dev/sdd1 none luks,noauto
sde1_crypt /dev/sde1 none luks,noauto
Adjust /etc/fstab so that the disks can easily mounted, but not automatically at reboot
/dev/mapper/vgpool-lvbackup /mnt/backup ext4 defaults,noauto 0 2
Now you can reboot the system
After each reboot the disks have to be opened and mounted manually
cryptdisks_start sdb1_crypt sdc1_crypt sdd1_crypt sde1_crypt