:: Re: [DNG] UEFI, software RAID1, LVM…
Author: Gregory Nowak
Date:  
To: dng
Subject: Re: [DNG] UEFI, software RAID1, LVM and encryption
On Wed, Jul 27, 2022 at 07:54:24PM +0900, Olaf Meeuwissen wrote:
> Hi Gregory,
>
> Gregory Nowak via Dng writes:
>
> > On Mon, Jul 25, 2022 at 08:54:00PM +0900, Olaf Meeuwissen via Dng wrote:
> >> OK but if / and /boot are encrypted, something has to be able to decrypt
> >> that before GRUB can read /boot/grub/grub.cfg. It might be that GRUB is
> >> able to do that itself these days (haven't checked) but on my LibreBoot
> >> laptop it's the LibreBoot BIOS that does the decrypting, AFAIK.
> >> Hence, my comment.
> >
> > I can confirm that grub2 in at least Beowulf and now Chimaera can deal
> > with decrypting the boot partition if you use LUKS for the encryption:
> >
> > <https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html>
> >
> > The archwiki has even more scenarios:
> >
> > <https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system>
>
> Thanks for the pointers.
>
> >> I was thinking/hoping I could make an encrypted LV, without encrypting
> >> all PVs in the VG. I use a fair number containers and VMs and don't see
> >> a need to encrypt those. Actually, I don't see much need for putting
> >> these on RAID1 either :-/
> >
> > You can in fact do what you describe. Make your LV, but instead of
> > creating a file system on it, format it as LUKS, unlock it, and create
> > your file system on /dev/mapper/unlocked_volume.
>
> I know that but my concern was with increasing LV size.
>
> For encrypted "partitions", the recommendation is to randomize their
> content before use to make cracking the decryption harder. If I were to
> randomize the content after initial creation of a LUKS formatted LV, any
> space added afterwards would *not* be randomized. Hence my idea of
> "just" randomizing content of the *whole* disk (all 256GB of it!) before
> use.


If filling the free space on the disk with random data is important to
you, then just filling the entire disk with random data before use is
probably the best way to go. You can then resize volumes in the future
without having to worry that the free space is being filled with
non-random data. Do note that you don't want to enable discards in
lvm.conf (this is the default) if you want to be sure unencrypted data
doesn't end up on the disk. By not enabling discards, you are decreasing
the life of your flash; by how much, I'm not sure. I suspect that would
depend on how frequently the disk is written to. I keep my encrypted
volumes on RAID10 spinning disks, so this isn't a trade off I've had to
deal with.

Greg


> --
> Olaf Meeuwissen
>


--
web site: http://www.gregn.net
gpg public key: http://www.gregn.net/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)
If we haven't been in touch before, e-mail me before adding me to your contacts.
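The procedure the two messages above describe, as an added example that is not
part of the thread or of any Devuan documentation: pre-randomise the whole
device once, put LUKS on a single LV rather than on the PV, grow that LV later
without re-randomising, and confirm that neither lvm.conf nor the dm-crypt
mapping passes discards through. Device names (/dev/sdX, VG "vg0", LV
"secure") and the "_crypt" mapping suffix are placeholders; the script assumes
cryptsetup 2.x, LVM2 with the lvmconfig command, and an ext4 filesystem, and
must be run as root on a device you are willing to wipe. DRY_RUN=1 prints the
plan instead of executing it.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: /dev/sdX, vg0, secure.
set -eu

DRY_RUN=${DRY_RUN:-0}

# Execute a command, or print it when DRY_RUN=1 so the plan can be reviewed.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Fill the whole device with unpredictable data once, before LVM or LUKS exist.
# Writing zeros through a throwaway plain dm-crypt mapping keyed from
# /dev/urandom is much faster than dd if=/dev/urandom and just as
# unrecoverable: the key only ever lives in kernel memory and dies with the
# mapping. Any LV created or grown later lands on already-random extents.
randomize_disk() {
    disk=$1
    run cryptsetup open --type plain --key-file /dev/urandom \
        --cipher aes-xts-plain64 --key-size 256 "$disk" wipe_me
    # dd exits non-zero when it reaches the end of the device; that is expected.
    run dd if=/dev/zero of=/dev/mapper/wipe_me bs=4M || :
    run cryptsetup close wipe_me
}

# LUKS goes on one LV, not on the PV, so other LVs (containers, VMs) stay plain.
create_encrypted_lv() {
    pv=$1 vg=$2 lv=$3 size=$4
    run pvcreate "$pv"
    run vgcreate "$vg" "$pv"
    run lvcreate -L "$size" -n "$lv" "$vg"
    run cryptsetup luksFormat --type luks2 "/dev/$vg/$lv"
    run cryptsetup open "/dev/$vg/$lv" "${lv}_crypt"
    run mkfs.ext4 "/dev/mapper/${lv}_crypt"
}

# Grow LV, then the dm-crypt mapping, then the filesystem, in that order.
# Nothing is re-wiped: the new extents already hold random bytes.
grow_encrypted_lv() {
    vg=$1 lv=$2 extra=$3
    run lvextend -L "+$extra" "/dev/$vg/$lv"
    run cryptsetup resize "${lv}_crypt"
    run resize2fs "/dev/mapper/${lv}_crypt"
}

# Pure policy check, testable without root. Takes the output of
# `lvmconfig devices/issue_discards` (expected "issue_discards=0") and of
# `cryptsetup status <name>` (whose "flags:" line lists "discards" only when the
# mapping was opened with --allow-discards). Returns 1 if either would pass
# TRIM through, which would reveal which blocks are unused and undo the
# pre-randomisation.
discards_disabled() {
    lvm_line=$1 status_text=$2
    case $lvm_line in
        *issue_discards=0*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$status_text" | grep -q 'flags:.*discards' && return 1
    return 0
}

# Live wrapper around the pure check for an opened mapping named <lv>_crypt.
check_discards() {
    lv=$1
    discards_disabled "$(lvmconfig devices/issue_discards)" \
                      "$(cryptsetup status "${lv}_crypt")"
}

# Full run only when DISK is set, e.g.  DISK=/dev/sdX DRY_RUN=1 sh thisfile.sh
if [ -n "${DISK:-}" ]; then
    randomize_disk "$DISK"
    create_encrypted_lv "$DISK" vg0 secure 20G
    grow_encrypted_lv vg0 secure 10G
    check_discards secure && echo "discards are off for LVM and dm-crypt"
fi
```

The order in grow_encrypted_lv matters: cryptsetup resize only ever makes the
mapping as large as the underlying LV, and resize2fs only as large as the
mapping, so each step must follow the one beneath it. The discards check is the
one caveat worth automating: issue_discards=0 in lvm.conf is the default, but a
crypttab or initramfs hook that opens the volume with --allow-discards silently
re-enables the leak at the dm-crypt layer.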
