Re: Installing Fedora with LVM and LUKS, using the encryption layer on top of the LVM layer.

On Mon, Jul 18, 2011 at 22:20:15 +1000,
  yudi v <yudi.tux@xxxxxxxxx> wrote:
> On Mon, Jul 18, 2011 at 9:46 PM, Bruno Wolff III <bruno@xxxxxxxx> wrote:
> 
> > On Mon, Jul 18, 2011 at 21:51:01 +1000,
> >  yudi v <yudi.tux@xxxxxxxxx> wrote:
> > >
> > > fine without any issues and I only have to enter the pass phrase once.
> > > Now I would like to change this setup with the LVM layer below the LUKS layer.
> > > That way I do not have to worry about decrypting 500Gb at every boot.
> >
> > This won't affect that unless you are only going to encrypt some of the
> > LVs (e.g. just /home).
> >
> Yes I might only encrypt some of the LV's, I am not sure right now. One of
> the main reasons for having the encryption layer on top of the LVM layer is
> to leave the LV's unmounted and encrypted until I need them. This cannot be
> achieved if the whole PV is encrypted. I will only decrypt /, /home, and
> swap at boot time and then will decrypt other LVs when I need them.

Do you realize that the devices aren't actually decrypted as a whole?
Individual blocks are decrypted as needed.

> I could not infer what you meant by "this won't affect that .."

Whether the encryption is on top or under the LV devices will have little
effect on how much is decrypted during boot. The blocks that are needed
for booting will get decrypted as needed and those that aren't, won't.
All you save decrypting is some of the LVM metadata which won't be
decrypted in the case where only the LV contents are encrypted.

It might be a significant savings if you are doing snapshots or the like
when LVM is manipulating the data opaquely. The encrypted data can be
copied around without having to decrypt it.

> > > I would like to know if there is a way to decrypt all the encrypted LVs
> > > with one pass phrase.
> >
> > If you use the same passphrase for the different encrypted devices you
> > will only need to enter it once (well, twice for now because of a bug
> > with handing off the passphrase to plymouth).
> >
> 
> Cool, I did not know this. Thank you.

If you delay using the encrypted devices until after boot then you
will need to enter a passphrase when you open them.
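
The per-block behaviour described in this message, as an added example that is not part of the original post: a small Python model of a sector-addressed encrypted device. The SHA-256 keystream is a toy stand-in for the real disk cipher, and every name here (`EncryptedDevice`, `format_device`, `simulate_boot`) is hypothetical.

```python
import hashlib

SECTOR = 512  # bytes per sector, the unit that is encrypted independently


def crypt_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    """XOR one sector with a keystream derived from (key, sector number).
    Toy construction for illustration only, NOT a real disk cipher."""
    stream, counter = b"", 0
    while len(stream) < SECTOR:
        block = key + sector_no.to_bytes(8, "little") + counter.to_bytes(4, "little")
        stream += hashlib.sha256(block).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class EncryptedDevice:
    """Ciphertext at rest; a sector is decrypted only when it is read."""

    def __init__(self, key: bytes, ciphertext: bytes):
        self.key = key
        self.ciphertext = bytes(ciphertext)
        self.decrypted = set()  # sector numbers that were actually decrypted

    def read(self, sector_no: int) -> bytes:
        self.decrypted.add(sector_no)
        raw = self.ciphertext[sector_no * SECTOR:(sector_no + 1) * SECTOR]
        return crypt_sector(self.key, sector_no, raw)


def format_device(key: bytes, plaintext: bytes) -> EncryptedDevice:
    """Encrypt every sector once, as happens when data is first written."""
    count = len(plaintext) // SECTOR
    ciphertext = b"".join(
        crypt_sector(key, n, plaintext[n * SECTOR:(n + 1) * SECTOR])
        for n in range(count))
    return EncryptedDevice(key, ciphertext)


def simulate_boot(dev: EncryptedDevice, needed_sectors) -> int:
    """Read only the sectors boot needs; return how many were decrypted."""
    for n in needed_sectors:
        dev.read(n)
    return len(dev.decrypted)


if __name__ == "__main__":
    # Constructed sample data: a 1 MiB "volume" of 2048 sectors.
    plain = b"".join(bytes([n % 256]) * SECTOR for n in range(2048))
    dev = format_device(b"constructed-key", plain)
    print("sectors decrypted at boot:", simulate_boot(dev, [0, 7, 2047]))
    # Copying the ciphertext (as LVM would when moving data) needs no key.
    clone = EncryptedDevice(b"constructed-key", dev.ciphertext)
    print("clone readable after raw copy:", clone.read(7) == dev.read(7))
```

The count of decrypted sectors depends on what is read, not on the size of the device, and the raw copy involves no decryption at all.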