Hello LVM experts,
I am trying to create a volume with the following properties:
- the volume can be resized
- the volume is encrypted
- the volume can be snapshotted (for online backups)
So I thought I'd create the volume with LVM, encrypt it with LUKS, and snapshot it with LVM. However, LVM doesn't want to snapshot the unencrypted LUKS volume, as it is not an actual logical volume known to LVM (and I am not keen on snapshotting the encrypted volume, as that means the backup process would need the passphrase to mount the encrypted snapshot).
Is there a good way to achieve this with LUKS and LVM, or should I look elsewhere?
I have two ideas but I don't know if they are safe or practical:
- I could try running LVM (snapshots) on top of LUKS (encryption) itself on top of LVM (resize)
- or I could try working with dmsetup to fill the gap between LUKS and LVM
I did simple tests with dmsetup, and that *seems* to work; however, I am not sure at all if that would be robust. An outline of my test:
- create an LVM volume (lvcreate) from a larger volume group
- make it a LUKS volume (cryptsetup luksFormat)
- "open" the LUKS volume (cryptsetup open)
- create a snapshot-origin volume from the open LUKS volume (dmsetup create)
- mount that as my active volume
- every time I want to do a backup: create a temporary snapshot volume from the origin, mount it, run the backup, unmount it, delete it
Thoughts?
Cheers,
JM
_______________________________________________
linux-lvm mailing list
linux-lvm@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/linux-lvm
read the LVM HOW-TO at http://tldp.org/HOWTO/LVM-HOWTO/
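
The dmsetup layering outlined in the post above, written out as an added example (not part of the original message and not LVM project code). Device names, the 1 GiB size and the tar job are constructed placeholders, and the COW store is assumed to be a second opened LUKS mapping, because a snapshot taken above dm-crypt copies plaintext chunks into it.

```shell
#!/bin/sh
# Added example. Every device name here is a hypothetical placeholder.
CRYPT_DEV=/dev/mapper/data_crypt    # plaintext view from `cryptsetup open`
COW_DEV=/dev/mapper/data_cow_crypt  # COW store: receives plaintext chunks,
                                    # so it is assumed to be LUKS-backed too
ORIGIN_NAME=data_origin             # device the live filesystem is mounted from
SNAP_NAME=data_backup_snap
CHUNK_SECTORS=8                     # 4 KiB chunks, in 512-byte sectors

# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it as root.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Sizes are in 512-byte sectors, e.g. from: blockdev --getsz "$CRYPT_DEV"
origin_table() { printf '0 %s snapshot-origin %s\n' "$1" "$CRYPT_DEV"; }

# N = non-persistent: the snapshot does not survive teardown or reboot.
snapshot_table() {
    printf '0 %s snapshot %s %s N %s\n' "$1" "$CRYPT_DEV" "$COW_DEV" "$CHUNK_SECTORS"
}

# Once, after `cryptsetup open`: create the device that gets mounted.
setup_origin() { run dmsetup create "$ORIGIN_NAME" --table "$(origin_table "$1")"; }

# backup_cycle SIZE MOUNTPOINT COMMAND [ARGS...]
backup_cycle() {
    size=$1 mnt=$2; shift 2
    # Suspend flushes and freezes the filesystem so the snapshot is consistent.
    run dmsetup suspend "$ORIGIN_NAME" || return 1
    run dmsetup create "$SNAP_NAME" --table "$(snapshot_table "$size")"; rc=$?
    run dmsetup resume "$ORIGIN_NAME"   # always resume, even if create failed
    [ "$rc" -eq 0 ] || return "$rc"
    if run mount -o ro "/dev/mapper/$SNAP_NAME" "$mnt"; then
        run "$@"; rc=$?
        run umount "$mnt"
    else
        rc=1
    fi
    run dmsetup remove "$SNAP_NAME"     # drops the snapshot; COW_DEV keeps stale chunks
    return "$rc"
}

# Constructed sample: 1 GiB volume (2097152 sectors), tar as the backup job.
backup_cycle 2097152 /mnt/snap tar -C /mnt/snap -cf /backup/data.tar .
```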