Re: Can I combine LUKS and LVM to achieve encryption and snapshots?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Sep 27, 2023 at 5:41 PM Zdenek Kabelac <zdenek.kabelac@xxxxxxxxx> wrote:
>
> > What is the role of "dmsetup suspend"? I am having trouble finding
> > decent documentation about its purpose and how it's related to
> > snapshots. I did not need it in my experiments, so I am curious.
> >
>
>
> Suspend is freezing device's i/o queue  (together with freezing FS layer - so
> the snapshot should be easily mountable without requiring extensive fsck
> operation as it would be missing some important metadata to be written on disk)
> So the goal of a suspend is to take a 'good point in time' where the content
> of snapshot is having all 'committed' transaction on disk in valid state.

Is this still required or useful with a journaling FS like ext4? It is
robust to pulling the plug at any time, so any point in time should be
good, no?

> Clearly that needs a 'top-level device - which would be a crypto DM in your
> case - and goes via 'tree' down to PV level.
>
> Clearly lvm2 does this while taking snapshot  - and you can easily observe
> that 'magic' if you read carefully  -vvvv  trace of a command.
>
> Then your script needs to replicate this at script level.
> Fun would begin once you would start to resolve all the possible error paths...

Clearly I have no plan to reimplement LVM with homegrown scripts. :-)

That said, I am curious about what can be achieved with dmsetup
commands. By any chance, do you have pointers to documentation besides
what's in the kernel (Documentation/admin-guide/device-mapper/)?

> > If I were okay with giving the passphrase to my backup script, then I
> > could simply have the backup script create its snapshot from the
> > encrypted LV, and I wouldn't have started this thread in this case.
> > :-)
>
> Maybe you could drop your whole disk encryption idea then and just use some
> encrypted tarballs - since if you tend to place passwords into scripts - it's
> kind of big security hole....

So I think I've found a decent alternative to putting passwords into
scripts or files: kernel key rings.

It turns out crypttab (at least on Debian) can leverage keyctl to
enable reusing some secrets without exposing them too much.

I half-tested a crypttab file like this:

# <target name> <source device>         <key file>      <options>
home    /dev/vg1/crypthome      home
luks,noearly,keyscript=/root/decrypt_keyctl
snap    /dev/vg1/snap           home
luks,noauto,keyscript=/root/decrypt_keyctl

The referenced script above is merely a copy Debian's decrypt_keyctl
with the "keyctl timeout" lines commented.

In this way, each re-creation of the snapshot should reuse the secret
stored in root's "user" keyring with the "cryptsetup:home"
description, and this secret should be first stored in the keyring
when prompting the user at boot time.

The backup job can later do something like this:

> + lvcreate -n snap --snapshot -L 1G /dev/vg1/crypthome
>   Logical volume "snap" created.
> + cryptdisks_start snap
> Starting crypto disk...snap (starting)...Using cached passphrase for snap.
> snap (started)...done.
> + mount /dev/mapper/snap /mnt/snap
... perform the actual file backup...
> + umount /mnt/snap
> + cryptdisks_stop snap
> Stopping crypto disk...snap (stopping)...done.
> + lvremove -y /dev/vg1/snap
>   Logical volume "snap" successfully removed.

And so in this case, LUKS on LVM can do the job and meet all my requirements.

The minor drawback is that the passphrase can still be seen by root
with a command like:
  keyctl print $(keyctl search @u user cryptsetup:home)

But that's good enough for me.

Cheers,
JM

_______________________________________________
linux-lvm mailing list
linux-lvm@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/linux-lvm
read the LVM HOW-TO at http://tldp.org/HOWTO/LVM-HOWTO/




[Index of Archives]     [Gluster Users]     [Kernel Development]     [Linux Clusters]     [Device Mapper]     [Security]     [Bugtraq]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]

  Powered by Linux