Dirk Heinrichs wrote:
> On Friday, 2 January 2009 19:36:28, Jens Müller wrote:
>> Dirk Heinrichs wrote:
>>> Just to make sure I understand what you want to do: You have encrypted
>>> physical volumes which you want to combine into an LVM volume group and
>>> then put logical volumes into this VG?
>> Raid part 1 \
>> Raid part 2 >- Raid5 -> /dev/md127 = PV1
>> Raid part 3 /
>>
>> ...(possibly others)...
>> PV1 --LVM--> VG1 ---> LV1: \dev\mapper\vg1-crypt
>>
>> LV1: \dev\mapper\vg1-crypt --cryptsetup--> \dev\mapper\crypt_pv
>>
>> \dev\mapper\crypt_pv = PV2 --LVM--> VG1 ---> (all the partitions)
>>
>> Basically, I have one encrypted "physical" volume, but I want to be
>> flexible ...
>
> If you have one encrypted PV from which you build a VG, then every LV inside
> it will automatically be encrypted. So where's the flexibility?

I meant it's more flexible than encrypting /dev/md127 itself. E.g., I can create a snapshot of an LV which is still encrypted.

> Means:
>
> PV1 --cryptsetup--> PV1_crypt --vgcreate--> VG1 --lvcreate--> LVx
>
> To be able to choose whether to encrypt each LV or not, you need to encrypt at
> LV level, like:
>
> PV1 --vgcreate--> VG1 --lvcreate--> LVx --cryptsetup--> LVx_crypt
>
> For the latter I have some scripts ready to create an initramfs which can be
> combined with the kernel (It's for EVMS, but it should be easy to adapt to
> LVM.

Well, the genkernel default script can be given a "crypt_root", can load the key from a USB device, etc. ...

