On 18.06.2017 09:25, Michael Kjörling wrote: > On 18 Jun 2017 08:49 +0200, from julio.gago@xxxxxxxxxxxx (Julio Gago): >> cryptsetup luksFormat --cipher aes-xts /dev/sdc >> cryptsetup luksOpen /dev/sdc sdc >> fdisk /dev/mapper/sdc >> (created partitions manually) >> mkfs.ext4 /dev/mapper/sdc1 >> mkfs.ext4 /dev/mapper/sdc2 >> mount /dev/mapper/sdc1 /part1_dmcrypt >> mount /dev/mapper/sdc2 /part2_dmcrypt > What you have done here is to sub-partition a LUKS container using MBR > partitions. > [...] > A typical setup would more likely be to partition the disk, then set > up a separate LUKS container (possibly with derived keys, which would > allow you to open all LUKS containers by opening just one) on each > partition. An alternative typical setup would be to create a LUKS > container over the whole disk and use that container as a single file > system, with no partitioning (in the sense of MBR or GPT) involved. > > If you have your heart set on sub-partitioning the LUKS container (in > order to conceal the fact that the LUKS container is divided into > distinct portions), I suppose you could create a LVM container within > the LUKS container, then create logical volumes within the LVM > container, then file systems on those, for an end result of something > like: > > Physical storage > LUKS > LVM > LV > FS > LV > FS > LV > FS > ... > > That would probably have better chances of working reliably than what > you have now. You'd open the LUKS container, then import the LVM > container, which will import the LVs within it and make the file > systems within those available for mounting. The LVM metadata would be > encrypted on disk by virtue of the LVM container existing fully within > the LUKS container, so the data security properties should be very > similar to those you'd get with your proposed partitions-within-LUKS > scheme. That (LVM inside a LUKS container) is the standard scheme proposed by Ubuntu for an encrypted installation. It works out of the box (needs just a single click in the Ubuntu installer), is well-tested and supports resizing the encrypted logical volumes at a later date. If you don't need an unencrypted boot partition on that disk and if you want to do all of this manually instead of trusting the installer, you can try these commands which pretty much exactly replicate what Ubuntu does by default. cfdisk /dev/sdc (create a single partition spanning the whole disk) cryptsetup luksFormat --cipher aes-xts /dev/sdc1 cryptsetup luksOpen /dev/sdc1 sdc1_crypt pvcreate /dev/mapper/sdc1_crypt vgcreate encryptedvolumegroup /dev/mapper/sdc1_crypt lvcreate --size 500G --name backups encryptedvolumegroup lvcreate --size 100G --name documents encryptedvolumegroup lvcreate --size 50G --name email encryptedvolumegroup mkfs.xfs /dev/mapper/encryptedvolumegroup-backups mkfs.ext3 /dev/mapper/encryptedvolumegroup-documents mkfs.reiserfs /dev/mapper/encryptedvolumegroup-email mount /dev/mapper/encryptedvolumegroup-backups /backups mount /dev/mapper/encryptedvolumegroup-documents /documents mount /dev/mapper/encryptedvolumegroup-email /email Regards, Carl-Daniel _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
