Re: Installing Fedora with LVM and LUKS, using the encryption layer on top of the LVM layer.

On Mon, Jul 18, 2011 at 10:22 PM, Bruno Wolff III <bruno@xxxxxxxx> wrote:
> On Mon, Jul 18, 2011 at 22:20:15 +1000,
>  yudi v <yudi.tux@xxxxxxxxx> wrote:
> > On Mon, Jul 18, 2011 at 9:46 PM, Bruno Wolff III <bruno@xxxxxxxx> wrote:
> >
> > > On Mon, Jul 18, 2011 at 21:51:01 +1000,
> > >  yudi v <yudi.tux@xxxxxxxxx> wrote:
> > > >
> > > > fine without any issues and I only have to enter the pass phrase once. Now I
> > > > would like to change this setup with the LVM layer below the LUKS layer.
> > > > That way I do not have to worry about decrypting 500Gb at every boot.
> > >
> > > This won't affect that unless you are only going to encrypt some of the
> > > LVs (e.g. just /home).
> > >
> > Yes I might only encrypt some of the LV's, I am not sure right now. One of
> > the main reasons for having the encryption layer on top of the LVM layer is
> > to leave the LV's unmounted and encrypted until I need them. This cannot be
> > achieved if the whole PV is encrypted. I will only decrypt /, /home, and
> > swap at boot time and then will decrypt other LVs when I need them.
>
> Do you realize that the devices aren't actually decrypted as a whole?
> Individual blocks are decrypted as needed.

I did not know that, I was under the impression once the encryption container is open all the data in that container is decrypted.

> > I could not infer what you meant by "this won't affect that .."
>
> Whether the encryption is on top or under the LV devices, will have little
> effect on how much is decrypted during boot. The blocks that are needed
> for booting will get decrypted as needed and those that aren't, won't.
> All you save decrypting is some of the LVM metadata which won't be
> decrypted in the case where only the LV contents are encrypted.
>
> It might be a significant savings if you are doing snapshots or the like
> when LVM is manipulating the data opaquely. The encrypted data can be
> copied around without having to decrypt it.

I guess you mean LV's can be moved around not the data per se.

> > > > I would like to know if there is a way to decrypt all the encrypted LVs
> > > > with one pass phrase.
> > >
> > > If you use the same passphrase for the different encrypted devices you
> > > will only need to enter it once (well, twice for now because of a bug
> > > with handing off the passphrase to plymouth).
> > >
> >
> > Cool, I did not know this. Thank you.
>
> If you delay using the encrypted devices until after boot then you
> will need to enter a passphrase when you open them.

I prefer to have the data locked up until I need it. I am certain I will not encrypt all my data, only the stuff that matters. I will have a lot of unassigned space in the VG. I can either increase the size of the containers or create new containers if need be.

I was playing with Debian and tried this method with even the /boot in the LVM as GRUB2 can handle booting straight from the LVM but it fails when I try to have encryption on top of the LVM. Without encryption it works just fine.


--
Kind regards,
Yudi

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
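
The on-demand arrangement discussed in this thread (LUKS on top of an individual LV, opened only when needed and closed afterwards) can be scripted as below. This is an added example, not part of the original message; the volume group `vg0`, logical volume `vault`, the mount point and the `luks-VG-LV` mapping name are hypothetical, and setting `DRY_RUN=1` only prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example: unlock and lock a LUKS container that sits on top of an
# LVM logical volume. All VG/LV/mount-point names are hypothetical.

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# unlock_lv VG LV MOUNTPOINT
# Opens the LUKS container on /dev/VG/LV and mounts the cleartext mapping.
unlock_lv() {
    local vg="$1" lv="$2" mnt="$3"
    local dev="/dev/$vg/$lv" map="luks-$vg-$lv"

    # Refuse any LV that does not carry a LUKS header.
    run cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 1; }

    # Prompts for the passphrase, since this happens after boot.
    run cryptsetup luksOpen "$dev" "$map" || return 1

    # If the mount fails, do not leave the mapping (and its key) open.
    run mount "/dev/mapper/$map" "$mnt" || { run cryptsetup luksClose "$map"; return 1; }
}

# lock_lv VG LV MOUNTPOINT
# Unmounts the filesystem and closes the mapping.
lock_lv() {
    local vg="$1" lv="$2" mnt="$3"
    local map="luks-$vg-$lv"

    # Keep the mapping if the unmount fails (filesystem still in use).
    run umount "$mnt" || { echo "$mnt is busy, leaving $map open" >&2; return 1; }

    # luksClose removes the mapping and wipes the key from kernel memory.
    run cryptsetup luksClose "$map"
}
```

Source the file as root and call `unlock_lv vg0 vault /mnt/vault`, then `lock_lv vg0 vault /mnt/vault` when finished.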