:: Re: [DNG] UEFI, software RAID1, LVM…
Author: Gregory Nowak
Date:  
To: Olaf Meeuwissen via Dng
Subject: Re: [DNG] UEFI, software RAID1, LVM and encryption
On Mon, Jul 25, 2022 at 08:54:00PM +0900, Olaf Meeuwissen via Dng wrote:
> OK but if / and /boot are encrypted, something has to be able to decrypt
> that before GRUB can read /boot/grub/grub.cfg. It might be that GRUB is
> able to do that itself these days (haven't checked) but on my LibreBoot
> laptop it's the LibreBoot BIOS that does the decrypting, AFAIK.
> Hence, my comment.


I can confirm that grub2 in at least Beowulf and now Chimaera can deal
with decrypting the boot partition if you use LUKS for the encryption:

<https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html>

The archwiki has even more scenarios:

<https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system>

> I was thinking/hoping I could make an encrypted LV, without encrypting
> all PVs in the VG. I use a fair number of containers and VMs and don't see
> a need to encrypt those. Actually, I don't see much need for putting
> these on RAID1 either :-/


You can in fact do what you describe. Make your LV, but instead of
creating a file system on it, format it as LUKS, unlock it, and create
your file system on /dev/mapper/unlocked_volume.

Greg


--
web site: http://www.gregn.net
gpg public key: http://www.gregn.net/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)
If we haven't been in touch before, e-mail me before adding me to your contacts.

--
Free domains: http://www.eu.org/ or mail dns-manager@???
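
The procedure described in the message above (create the LV, format it as LUKS, unlock it, put the file system on the mapper device), as an added example that is not part of the original message. The names vg0, secure, 20G and secure_crypt, the choice of ext4 and LUKS2, and the crypttab entry are assumptions; the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Encrypt a single LV with LUKS while the other LVs in the VG stay plain.
# Assumed names; override via the environment.
VG="${VG:-vg0}"                  # existing volume group
LV="${LV:-secure}"               # new logical volume to create
SIZE="${SIZE:-20G}"              # size of the new LV
MAPPER="${MAPPER:-${LV}_crypt}"  # name under /dev/mapper once unlocked

# Execute the command only when APPLY=1, otherwise print it (dry run).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Args: vg lv size mapper-name
make_encrypted_lv() {
    dev="/dev/$1/$2"
    # luksFormat overwrites whatever is on the target, so refuse to touch
    # an LV that already exists instead of reformatting it.
    if [ -e "$dev" ]; then
        echo "refusing: $dev already exists" >&2
        return 1
    fi
    run lvcreate -L "$3" -n "$2" "$1" &&
    run cryptsetup luksFormat --type luks2 "$dev" &&
    run cryptsetup open "$dev" "$4" &&
    run mkfs.ext4 "/dev/mapper/$4"
}

# Args: vg lv mapper-name
# Line for /etc/crypttab so the LV is unlocked (passphrase prompt) at boot.
crypttab_line() {
    echo "$3 /dev/$1/$2 none luks"
}

make_encrypted_lv "$VG" "$LV" "$SIZE" "$MAPPER"
crypttab_line "$VG" "$LV" "$MAPPER"
```

The file system then gets mounted from /dev/mapper/secure_crypt, never from /dev/vg0/secure directly.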