Re: Can I combine LUKS and LVM to achieve encryption and snapshots?

Hi,

On Tue, Sep 26, 2023 at 10:00 PM Zdenek Kabelac
<zdenek.kabelac@xxxxxxxxx> wrote:
> Yep typical usage is to encrypt underlying PV - and then create LVs and its
> snapshots on encrypted device.

Sure, I'd do that in other circumstances.

But in my case it would just be a waste: I am replacing several disks
on a desktop computer with a single 2TB NVME SSD for everything. Only
/home needs to be encrypted, and it's tiny, like 100-200GB. Going
through encryption for most application I/Os would use CPU time and
increase latency with no benefit.

So I prefer to manage available raw (un-encrypted) space with LVM.

Now, I also need to do backups of /home, and that's why I want
snapshots. But that first layer of LVM would only show a snapshot of
an encrypted volume, and the backup job shouldn't have the passphrase
to decrypt the volume.

Which is why I'm trying to find a way of doing snapshots of an "opened"
LUKS volume: this way, the backup job can do its job without requiring
a passphrase.

In simple tests, I could make it work, with dmsetup on LUKS on LVM,
and also (after I sent my original email) with LVM on LUKS on LVM.

But my tests don't tell me if there are other people doing similar
things on production systems, or if they are happy with the results.
Unusual setups tend to exhibit unusual bugs, and I am not super fond
of bugs in my storage systems. :-)

So that's really the core of my question: do other people run either
"raw" dmsetup or LVM on top of LUKS/LVM, and with success?

> Encrypting 'individual' LVs - while certainly 'doable' would i.e. create a
> considerable larger amount of volumes that would need individual 'unlocking'
> with each activation.

Just the one /home in my case, so no worse than prompting for the
passphrase for an entire disk.

> Speaking about snapshots - you should consider switching to 'thin-pools'  for
> far better performance...

I only need snapshots for backups: once a day, create a snapshot,
mount it, do a file-level incremental backup, unmount it, delete it.

Would the thin-pools make a difference in this case?


Cheers,
JM

_______________________________________________
linux-lvm mailing list
linux-lvm@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/linux-lvm
read the LVM HOW-TO at http://tldp.org/HOWTO/LVM-HOWTO/
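
The daily cycle described in the message above (create a snapshot, mount it, do a file-level backup, unmount it, delete it), written out for the LVM on LUKS on LVM layout as an added example that is not part of the original e-mail. The volume group, volume and snapshot names, the snapshot size, the mount point, the rsync destination and the ext4 filesystem are assumptions; the script defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example: daily backup from a snapshot of the *opened* /home volume.
# Assumed (hypothetical) layout, LVM on LUKS on LVM:
#   vg_outer/home_crypt --cryptsetup open--> dm-crypt mapping = PV of vg_home
#   vg_home/home = the ext4 filesystem mounted on /home
VG=${VG:-vg_home}            # inner VG, stacked on the LUKS mapping
LV=${LV:-home}
SNAP=${SNAP:-home_backup_snap}
SNAP_SIZE=${SNAP_SIZE:-5G}   # COW space for writes during the backup window
MNT=${MNT:-/mnt/home_snap}
DEST=${DEST:-/backup/home/}  # destination of the file-level backup
DRY_RUN=${DRY_RUN:-1}        # 1 = print the commands only, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Unmount and drop the snapshot so no stale COW volume is left behind.
cleanup_snapshot() {
    run umount "$MNT"
    run lvremove -y "$VG/$SNAP"
}

snapshot_backup() {
    # The snapshot lives in the inner VG, so its COW blocks are written
    # through dm-crypt and stay encrypted at rest. The job needs no
    # passphrase because the LUKS layer below is already open.
    run lvcreate --snapshot --size "$SNAP_SIZE" --name "$SNAP" "$VG/$LV" || return 1
    run mkdir -p "$MNT"
    if ! run mount -o ro "/dev/$VG/$SNAP" "$MNT"; then
        run lvremove -y "$VG/$SNAP"   # mount failed: remove the snapshot anyway
        return 1
    fi
    sb_status=0
    run rsync -a --delete "$MNT/" "$DEST" || sb_status=$?
    cleanup_snapshot || return 1
    return "$sb_status"               # report the backup's own exit status
}

# Executes only when asked to; sourcing the file just defines the functions.
if [ "${RUN_BACKUP:-0}" = 1 ]; then
    snapshot_backup
fi
```

Run it with `RUN_BACKUP=1` to see the planned commands, and add `DRY_RUN=0` (as root) to execute them. The snapshot must be sized for the writes that land on /home while the backup runs, since a classic LVM snapshot that fills up becomes invalid.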



