Dirk Heinrichs wrote:
> On Friday, 2 January 2009 19:36:28, Jens Müller wrote:
>> Dirk Heinrichs wrote:
>>> Just to make sure I understand what you want to do: You have encrypted
>>> physical volumes which you want to combine into an LVM volume group and
>>> then put logical volumes into this VG?
>> Raid part 1 \
>> Raid part 2 >- Raid5 -> /dev/md127 = PV1
>> Raid part 3 /
>>
>>                       ...(possibly others)...
>> PV1 --LVM--> VG1 --->    LV1: \dev\mapper\vg1-crypt
>>
>> LV1: \dev\mapper\vg1-crypt --cryptsetup--> \dev\mapper\crypt_pv
>>
>> \dev\mapper\crypt_pv = PV2  --LVM--> VG1 ---> (all the partitions)
>>
>> Basically, I have one encrypted "physical" volume, but I want to be
>> flexible ...
> 
> If you have one encrypted PV from which you build a VG, then every LV inside 
> it will automatically be encrypted. So where's the flexibility?

I meant it's more flexible than encrypting /dev/md127 itself.

E.g., I can create a snapshot of an LV which is still encrypted.

> Means:
> 
> PV1 --cryptsetup--> PV1_crypt --vgcreate--> VG1 --lvcreate--> LVx
> 
> To be able to choose whether to encrypt each LV or not, you need to encrypt at 
> LV level, like:
> 
> PV1 --vgcreate--> VG1 --lvcreate--> LVx --cryptsetup--> LVx_crypt
> 
> For the latter I have some scripts ready to create an initramfs which can be 
> combined with the kernel (It's for EVMS, but it should be easy to adapt to 
> LVM).

Well, the genkernel default script can be given a "crypt_root", can load
the key from a USB device, etc. ...


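The two stacking orders discussed in this thread can be audited on a running system by walking the block-device tree and checking whether a dm-crypt layer sits anywhere beneath each usable volume. The following is an added example, not part of the original messages; the device tree is constructed in the shape of `lsblk --json -o NAME,TYPE` output, and the names `vg2-root`, `vg2-home`, `vg1-scratch`, `vg1-data` and `data_crypt` are assumptions for illustration.

```python
import json

# Constructed sample in the shape of `lsblk --json -o NAME,TYPE` output.
# vg1-crypt -> crypt_pv -> vg2-*  : one encrypted PV, every LV on it encrypted
# vg1-data  -> data_crypt         : encryption applied per LV
# vg1-scratch                     : LV with no crypt layer at all
SAMPLE = json.loads("""
{"blockdevices": [
  {"name": "md127", "type": "raid5", "children": [
    {"name": "vg1-crypt", "type": "lvm", "children": [
      {"name": "crypt_pv", "type": "crypt", "children": [
        {"name": "vg2-root", "type": "lvm"},
        {"name": "vg2-home", "type": "lvm"}
      ]}
    ]},
    {"name": "vg1-scratch", "type": "lvm"},
    {"name": "vg1-data", "type": "lvm", "children": [
      {"name": "data_crypt", "type": "crypt"}
    ]}
  ]}
]}
""")


def classify(tree):
    """Map each leaf device (what actually gets a filesystem) to
    'encrypted' if a crypt layer is on its path, else 'plaintext'."""
    result = {}

    def walk(node, under_crypt):
        under_crypt = under_crypt or node["type"] == "crypt"
        children = node.get("children") or []
        if not children:
            result[node["name"]] = "encrypted" if under_crypt else "plaintext"
        for child in children:
            walk(child, under_crypt)

    for dev in tree["blockdevices"]:
        walk(dev, False)
    return result


if __name__ == "__main__":
    for name, state in sorted(classify(SAMPLE).items()):
        print(f"{name:12} {state}")
```
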