On Sun, Mar 27, 2022 at 04:04:45PM -0500, Dale wrote:
> Based on the reply from Rich, thanks for the info, cryptsetup is just a
> upper level of dm-crypt. Basically, cryptsetup just has some user
> friendly bits added on top of it. Security wise, should be secure
> either way.
To be clear, cryptsetup is just a userspace command line tool for
manipulating dm-crypt/LUKS stuff. dm-crypt is the kernel part. Lots of
tools are structured this way. LVM is a thing in the kernel, and the
lvcreate/pvcreate/etc. command line tools are just the userspace user
interface. I assume they probably use a bunch of complicated ioctl()
calls on the LVM block devices to do their magic.
dm-crypt wraps an existing block device. What it wraps is typically a
physical disk partition, but it does not have to be. It can wrap
basically any block device.
The 'device mapper' idea is a key part of what makes all these tools
composable: they use block devices to implement other block devices,
which can then be the 'inputs' to other such tools, etc. dm-crypt takes
a block device and uses it to implement a new block device. Its key
property is that (if you follow some basic rules) it is impossible
without the key to obtain the data inside it just by looking at the
underlying block device.
LVM is similar, but it has a different purpose. It takes some set of
underlying block devices (physical volumes) and it presents a different
set of block devices (logical volumes) to you. Its key property is that
it is a much more flexible way of arranging volumes (basically
"partitioning") than the underlying MBR/GPT disk partitioning system.
You can compose these things in multiple ways. You can use dm-crypt on
its own. You can use LVM on its own. You can use dm-crypt on top of
LVM (so you have physical disk partitions as physical volumes, then some
or all of your logical volumes act as the underlying block devices for
dm-crypt's purposes). Or you can use LVM on top of dm-crypt (so your
LVM "physical" volumes are dm-crypt block devices).
And of course at some point as the final layer you put filesystems on
top of all of this.
My personal setup, to give an example, is that on each physical disk I
have a single partition. I use dm-crypt (with LUKS, which is basically
'dm-crypt but sane', more on that later) on those partitions. In other
words, each physical disk in my computer has a single dm-crypt "volume".
Each dm-crypt block device is then used as a physical volume for LVM.
They are all in a volume group, and on top I have a number of logical
volumes. Each logical volume then has ext4 on it.
Here is what that looks like:
NAME TYPE FSTYPE LABEL SIZE MOUNTPOINTS
sda disk 3.6T
`-sda1 part crypto_LUKS 3.6T
`-hdd crypt LVM2_member 3.6T
`-vg-videovol lvm ext4 VIDEO 100G /mnt/videos
nvme0n1 disk 1.8T
`-nvme0n1p1 part crypto_LUKS 1.8T
`-root crypt LVM2_member 1.8T
|-vg-rootvol lvm ext4 ROOT 100G /
|-vg-swapvol lvm swap SWAP 64G [SWAP]
|-vg-homevol lvm ext4 HOME 100G /home
`-vg-audiovol lvm ext4 AUDIO 100G /mnt/audio
> The biggest thing, can I encrypt a LVM group and then expand it. It
> seems I can. I've found where google results say the same but some
> results are dated. Things change. Sometimes for the good, sometimes not.
You can, but there is more than one way to do it, and you should be sure
you're doing it in the best way for what you need.
If you only want some of your LVM logical volumes to be encrypted, it
would make most sense to use LUKS on top of LVM. That's the opposite of
the way I show I have it set up above. That means you'd have disk
partitions as LVM physical volumes and you'd put LUKS on top of the LVM
logical volumes. The encryption (dm-crypt layer) would only be on some
of your volumes. And it would be above the LVM layer. However, I'm not
sure why you would want this.
There are a million and one ways of laying stuff out. You could have a
set of disks that are for encrypted stuff and a set of disks that are
not. Then you could put all the encrypted disks together into an LVM volume
group and put things you want encrypted in the logical volumes in your
'encrypted' volume group, while you put the things you don't want
encrypted in the logical volumes in your 'unencrypted' volume group.
I think you can even set things up so that logical volumes are fixed to
a particular physical volume. Then you could have some of the physical
volumes in your (single) volume group be encrypted, and others not, and
assign logical volumes you want to be encrypted to the right physical
volumes. But that seems very error-prone: I can definitely imagine you
accidentally moving a meant-to-be-secret logical volume to the wrong pv
and wham suddenly it's all being written out to disk in plaintext.
Talking of plaintext, if you want to encrypt data you have on disks you
should make sure that you _wipe the disks_ once you've moved that data
off them. There's little value in the encryption if the original copies
of the data are all still there on the drives in plaintext. You can use
hdparm to securely wipe the drives. If it's a modern SSD it can
probably do it instantly, because it actually stores the data on disk
encrypted, and all it needs to do is wipe the key. If you have a hard
drive then sadly you probably need to wait a long time for it to be
wiped. It's going to take a hell of a long time for your system to
overwrite every sector of an 8 TiB hard drive. This is another good
reason for just encrypting everything yourself too: it makes it very
easy to wipe your drives later: if you delete the key then it's all
unrecoverable.
The Arch linux wiki has a good overview of different ways of organising
all of this, including the difference between plain dm-crypt and LUKS
(just use LUKS), LVM on LUKS vs LUKS on LVM, encrypted boot, encrypted
swap, etc. Most of what they say is pretty much directly applicable to
Gentoo. The main difference is that they have their own very different
way of doing initramfs setup, so you'll need to look at Gentoo-specific
resources for that or work it out yourself.
https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Overview
https://wiki.gentoo.org/wiki/Dm-crypt_full_disk_encryption
