Wol wrote:
> On 27/03/2022 21:13, Dale wrote:
>> Wol wrote:
>>> On 27/03/2022 20:17, Dale wrote:
>>>> Howdy,
>>>>
>>>> I sort of started this on another thread but wanted to nail a few
>>>> things
>>>> down first.  I'm wanting to encrypt some parts of my data on /home.
>>>> This is what I got hard drive wise.
>>>>
>>>>
>>>> root@fireball / # pvs
>>>>     PV         VG     Fmt  Attr PSize    PFree
>>>>     /dev/sda7  OS     lvm2 a--  <124.46g 21.39g
>>>>     /dev/sdb1  Home2  lvm2 a--    <5.46t     0
>>>>     /dev/sdc1  Home2  lvm2 a--    <7.28t     0
>>>>     /dev/sdd1  Home2  lvm2 a--    <7.28t     0
>>>>     /dev/sde1  backup lvm2 a--   698.63g     0
>>>> root@fireball / #
>>>>
>>> One big piece of missing information. What does fdisk say about
>>> sd[b,c,d]1? And can you add sdf1?
>>
>> I have the entire drive as one large partition for each drive.  I could
>> have done it as a whole device but I wanted partitions to give a hint
>> that the drive is in use, if booted from other medium for example.
>>
>> I have enough extra space that I can remove either a 6TB or an 8TB
>> drive.  Once that is done, I can start to encrypt and move data around.
>> This is some additional info from df for /home:
>>
>>
>> /dev/mapper/Home2-Home2     20T  8.7T   12T  45% /home
>>
>>
>> If I remove an 8TB drive, I'd still have enough room for my data.  I
>> could then rebuild /home starting with the 8TB drive just freed up.
>> Then as I move data, I could expand them one at a time encrypting as I
>> go.  I'd rather not have to buy a hard drive right now.  Tight budget
>> given other things I got going on.  I do have backups, more than one in
>> a couple important data spots.
>>
> Do you need to shrink your fs first though?

From my understanding of my google results, I need to unmount /home,
shrink the file system, then I can remount /home, use pvmove to move
data off whichever drive I want to take LVM off of, then pvremove the
drive to make the drive available just like a new drive.  I can then use
it to start building the LVM and it be encrypted.  As I remove other
drives with the same method above, I can expand the encrypted drives. 
I'm still trying to figure out whether to use the 6TB or 8TB drive in
normal mode.  I think the 6TB would be large enough for the normal /home
and let the encrypted be on the other drives. 

>
> My three 3TB partitions are raided, and /dev/md/home is my PV. I've
> only allocated the space to LVs that they need, so I could probably
> shrink the PV and remove a drive without needing to mess about with my
> LVs at all. I get the impression you may have allocated all your
> space, not a good idea.

I did allocate all the space because at the time, I wasn't considering
encrypting any of that data or dividing it up.  Things have changed and
I want to move things around.  This is one of the good things about ext4
and LVM.  They can shrink in size fairly easy.  Of course, backups are
always a good idea. 

>
> My attitude is my data is backed up, expanding an LV/FS is low risk,
> I'll just grow stuff as I need to ... my /home partition contains
> proper home drives, things like videos may be in /home/videos, but
> they're actually a separate partition, etc etc.

That's sort of what I'm going to do.  I'm going to divide things into
sections with some encrypted and some not.


>>
>>>
>>> I'm guessing you've got three 8TB drives? Or is it two 8s and a 6? Can
>>> you get a third 8TB? And if you're encrypting *parts* of /home ...
>>> what parts?
>>>>
>>>> I've done some checking on sizes of things I want to encrypt and am
>>>> weighing options.  I use LVM which should help make things easier. 
>>>> I've
>>>> downloaded and printed some howtos regarding shrinking the file system
>>>> and LVM thingys.  It seems I need to shrink the file system while my
>>>> /home partition is unmounted.  Then move the data off whichever
>>>> drive I
>>>> want to remove and then remove the drive itself.  After that I can
>>>> encrypt the just removed drive and start moving files over, using
>>>> rsync
>>>> is my plan.  I think that is the basic steps.
>>>
>>> Not necessarily.
>>>>
>>>> My question now comes to this.  When I encrypt one of the drives,
>>>> can I
>>>> then expand that drive with it being encrypted or is that not an
>>>> option?
>>>> I plan to encrypt two of the drives as one volume group and leave one
>>>> other volume group as normal.  I just want to be sure whether or not I
>>>> can expand an encrypted LVM drive the same as a normal LVM since both
>>>> use LVM.  I use cryptsetup commands to accomplish the encryption if
>>>> that matters.  So as an example, I start with one 7TB drive encrypted,
>>>> move some data to it, then want to add either the 5TB or 7TB
>>>> drive.  Can
>>>> I just expand it like a normal LVM or does it being encrypted change
>>>> things?
>>>>
>>>> Thoughts?  My remove steps look sensible?  Expanding encrypted LVM
>>>> possible?
>>>
>>> If you are using LVM to do the encryption, then I can't see any
>>> problems adding a new PV to an encrypted VG.
>>>>
>>>> Dale
>>>>
>>> Personally, I'd use dm-crypt to encrypt the drive, and then the whole
>>> lot is encrypted, and put plain LVM over that. I've got dedicated
>>> layers for everything.
>>>
>>> It looks like your home2 is 6TB+8TB+8TB. I'd get a new 8TB, put
>>> dm-crypt on it, and add it. Now I can remove the first 8TB, dm-crypt
>>> it and re-add it. Same with the second 8TB. Now remove the 6TB and
>>> there you are ...
>>>
>>> My layout's rather different from yours, so I don't think I ought to
>>> say too much :-)
>>>
>>> Cheers,
>>> Wol
>>>
>>>
>>
>>
>> What is the advantage of dm-crypt over cryptsetup?  I've learned how to
>> use cryptsetup with my external drive so was hoping to stick with what I
>> already know.  Unless there is an advantage to dm-crypt.
>>
> I don't know either. I'm just far more familiar with the dm/md layer
> because I run md-raid over dm-integrity. Hence dm-crypt.
>
> Is cryptsetup a layer in its own right, or part of lvm? I prefer the
> Unix "use several tools each of which does one thing well", other
> people prefer a swiss army knife like ZFS or btrfs. I don't know where
> cryptsetup lies on that spectrum, and I don't know your preferences on
> that spectrum.
>
> Cheers,
> Wol
>
>


Based on the reply from Rich, thanks for the info, cryptsetup is just an
upper level of dm-crypt.  Basically, cryptsetup just has some user
friendly bits added on top of it.  Security wise, should be secure
either way. 

The biggest thing, can I encrypt an LVM group and then expand it.  It
seems I can.  I've found where google results say the same but some
results are dated.  Things change.  Sometimes for the good, sometimes not. 

Dale

:-)  :-) 
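
The sequence discussed in this thread, written out as an added example (not part of any poster's message): freeing one PV from Home2, putting LUKS under a new volume group, and later growing that group with a second encrypted PV. The script only prints commands for review; the VG name "Crypt", LV name "data", the crypt_<dev> mapper names and the 12T target size are assumptions, while the device names come from the pvs output above.

```shell
#!/bin/sh
# Prints (never executes) the command sequence; review it, then run as root.
# Assumed names, not from the thread: VG "Crypt", LV "data", crypt_<dev>.

# Free one PV from a VG whose single LV uses every extent (the Home2 case).
plan_free_pv() {  # args: vg lv pv new_lv_size mountpoint
    echo "umount $5"
    echo "e2fsck -f /dev/$1/$2"
    # --resizefs shrinks ext4 first, then the LV, so the sizes cannot mismatch
    echo "lvreduce --resizefs -L $4 $1/$2"
    echo "mount /dev/$1/$2 $5"
    echo "pvmove $3"        # relocate any extents still allocated on the PV
    echo "vgreduce $1 $3"   # take the PV out of the VG before wiping its label
    echo "pvremove $3"
}

# Put LUKS on a partition and turn the opened mapping into an LVM PV.
plan_luks_pv() {  # args: partition
    name="crypt_$(basename "$1")"
    echo "cryptsetup luksFormat $1"
    echo "cryptsetup open $1 $name"
    echo "pvcreate /dev/mapper/$name"
}

# First encrypted PV: new VG, one LV across it, fresh ext4.
plan_new_vg() {  # args: vg lv partition
    plan_luks_pv "$3"
    echo "vgcreate $1 /dev/mapper/crypt_$(basename "$3")"
    echo "lvcreate -l 100%FREE -n $2 $1"
    echo "mkfs.ext4 /dev/$1/$2"
}

# Further encrypted PVs: extend the VG, then grow LV and filesystem together.
plan_grow_vg() {  # args: vg lv partition
    plan_luks_pv "$3"
    echo "vgextend $1 /dev/mapper/crypt_$(basename "$3")"
    echo "lvextend --resizefs -l +100%FREE $1/$2"
}

plan_free_pv Home2 Home2 /dev/sdd1 12T /home
plan_new_vg Crypt data /dev/sdd1
# Later, once data has been moved and sdc1 has been freed the same way:
plan_grow_vg Crypt data /dev/sdc1
```

Each drive gets its own LUKS header and passphrase prompt here, so every mapping has to be opened before the volume group can be activated.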
