Re: [gentoo-user] LVM and moving things around

2022-03-27 Thread Dale
Michael wrote:
> On Sunday, 27 March 2022 22:04:45 BST Dale wrote:
>>
>> That's sort of what I'm going to do.  I'm going to divide things into
>> sections with some encrypted and some not.
> I wonder if all you want to do is to encrypt some directories on your /home, 
> then a different level of encryption would be more appropriate?  Instead of 
> encrypting a whole block device, you could just encrypt a directory tree or 
> two, using ext4 encryption.  e4crypt has been kicking around for a few years 
> now and it is meant to be an improvement on eCryptfs.
>
> https://lwn.net/Articles/639427/
>
> https://wiki.gentoo.org/wiki/Ext4_encryption
>
> WARNING:  I'm not qualified to speak about this topic because my experience
> is limited, but I'm interested all the same in reading your approach and
> other contributors' advice.


That is the basic plan.  I'll have /home as a normal open mount point.
That way I can log in without an encryption password being needed.  After
that, I plan to have other mount point(s) that are encrypted.  It may be
/home/dale/Data or something to that effect.  I'm still doing some
checking but the normal non-encrypted stuff should easily fit on a 6TB
drive without encryption.  I can then rebuild the two 8TB drives as
encrypted mount points with a different volume group thingy.  When I
boot up, I can log in as usual then decrypt the other mount point and
access it as needed or close it and it be encrypted until needed.

I've considered just encrypting /home completely but I don't have the
option of closing it while I'm logged into KDE.  KDE wouldn't be able to
access /home/dale/.kde or .config plus if I leave Seamonkey open, it
will want to store new emails to .mozilla as well.  So, some things need
to be available and I'm not too worried about them being encrypted
anyway.  So encrypting all of /home would be overkill plus would be a
problem for some things too, such as Seamonkey and KDE. 

I'm looking at a hard drive purchase just to see if I can afford it
money wise. 

Dale

:-)  :-) 



Re: [gentoo-user] LVM and moving things around

2022-03-27 Thread Miles Rout
On Sun, Mar 27, 2022 at 04:04:45PM -0500, Dale wrote:
> Based on the reply from Rich, thanks for the info, cryptsetup is just a
> upper level of dm-crypt.  Basically, cryptsetup just has some user
> friendly bits added on top of it.  Security wise, should be secure
> either way. 

To be clear, cryptsetup is just a userspace command line tool for
manipulating dm-crypt/LUKS stuff.  dm-crypt is the kernel part.  Lots of
tools are structured this way.  LVM is a thing in the kernel, and the
lvcreate/pvcreate/etc. command line tools are just the userspace user
interface.  I assume they probably use a bunch of complicated ioctl()
calls on the LVM block devices to do their magic.

dm-crypt wraps an existing block device.  What it wraps is typically a
physical disk partition, but it does not have to be.  It can wrap
basically any block device.

The 'device mapper' idea is a key part of what makes all these tools
composable: they use block devices to implement other block devices,
which can then be the 'inputs' to other such tools, etc.  dm-crypt takes
a block device and uses it to implement a new block device.  Its key
property is that (if you follow some basic rules) it is impossible
without the key to obtain the data inside it just by looking at the
underlying block device.

LVM is similar, but it has a different purpose.  It takes some set of
underlying block devices (physical volumes) and it presents a different
set of block devices (logical volumes) to you.  Its key property is that
it is a much more flexible way of arranging volumes (basically
"partitioning") than the underlying MBR/GPT disk partitioning system. 

You can compose these things in multiple ways.  You can use dm-crypt on
its own.  You can use LVM on its own.  You can use dm-crypt on top of
LVM (so you have physical disk partitions as physical volumes, then some
or all of your logical volumes act as the underlying block devices for
dm-crypt's purposes).  Or you can use LVM on top of dm-crypt (so your
LVM "physical" volumes are dm-crypt block devices).

And of course at some point as the final layer you put filesystems on
top of all of this.

My personal setup, to give an example, is that on each physical disk I
have a single partition.  I use dm-crypt (with LUKS, which is basically
'dm-crypt but sane', more on that later) on those partitions.  In other
words, each physical disk in my computer has a single dm-crypt "volume".  

Each dm-crypt block device is then used as a physical volume for LVM.
They are all in a volume group, and on top I have a number of logical
volumes.  Each logical volume then has ext4 on it.

Here is what that looks like:

  NAME               TYPE   FSTYPE       LABEL  SIZE  MOUNTPOINTS
  sda                disk                       3.6T
  `-sda1             part   crypto_LUKS         3.6T
    `-hdd            crypt  LVM2_member         3.6T
      `-vg-videovol  lvm    ext4         VIDEO  100G  /mnt/videos
  nvme0n1            disk                       1.8T
  `-nvme0n1p1        part   crypto_LUKS         1.8T
    `-root           crypt  LVM2_member         1.8T
      |-vg-rootvol   lvm    ext4         ROOT   100G  /
      |-vg-swapvol   lvm    swap         SWAP    64G  [SWAP]
      |-vg-homevol   lvm    ext4         HOME   100G  /home
      `-vg-audiovol  lvm    ext4         AUDIO  100G  /mnt/audio

> The biggest thing, can I encrypt a LVM group and then expand it.  It
> seems I can.  I've found where google results say the same but some
> results are dated.  Things change.  Sometimes for the good, sometimes not. 

You can, but there is more than one way to do it, and you should be sure
you're doing it in the best way for what you need.

If you only want some of your LVM logical volumes to be encrypted, it
would make most sense to use LUKS on top of LVM.  That's the opposite of
the way I show I have it set up above.  That means you'd have disk
partitions as LVM physical volumes and you'd put LUKS on top of the LVM
logical volumes.  The encryption (dm-crypt layer) would only be on some
of your volumes.  And it would be above the LVM layer.  However, I'm not
sure why you would want this.

There are a million and one ways of laying stuff out.  You could have a
set of disks that are for encrypted stuff and a set of disks that are
not.  Then you could put all the encrypted disks together into an LVM volume
group and put things you want encrypted in the logical volumes in your
'encrypted' volume group, while you put the things you don't want
encrypted in the logical volumes in your 'unencrypted' volume group.

I think you can even set things up so that logical volumes are fixed to
a particular physical volume.  Then you could have some of the physical
volumes in your (single) volume group be encrypted, and others not, and
assign logical volumes you want to be encrypted to the right physical
volumes.  But that seems very error-prone: I can definitely imagine you
accidentally moving a meant-to-be-secret logical volume to the 
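
Added example, not part of the message above or of any project's code: a check for the mixed encrypted/unencrypted volume group mistake the message describes. It walks `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINTS` output and reports every mount point that can be reached without passing through a dm-crypt (`crypt`) device. The sample JSON, the `sdb` disk and the `scratchvol` volume are constructed for illustration.

```python
import json

# Constructed sample in the shape of `lsblk --json` output.  sda follows the
# layout shown in the message; sdb is an added, deliberately unencrypted PV in
# the same volume group, and vg-videovol has extents on both PVs (lsblk lists
# a logical volume under every device it has segments on).
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoints": [null],
   "children": [
    {"name": "sda1", "type": "part", "fstype": "crypto_LUKS",
     "mountpoints": [null], "children": [
      {"name": "hdd", "type": "crypt", "fstype": "LVM2_member",
       "mountpoints": [null], "children": [
        {"name": "vg-videovol", "type": "lvm", "fstype": "ext4",
         "mountpoints": ["/mnt/videos"]}
      ]}
    ]}
  ]},
  {"name": "sdb", "type": "disk", "fstype": null, "mountpoints": [null],
   "children": [
    {"name": "sdb1", "type": "part", "fstype": "LVM2_member",
     "mountpoints": [null], "children": [
      {"name": "vg-videovol", "type": "lvm", "fstype": "ext4",
       "mountpoints": ["/mnt/videos"]},
      {"name": "vg-scratchvol", "type": "lvm", "fstype": "ext4",
       "mountpoints": ["/mnt/scratch"]}
    ]}
  ]}
]}
"""


def mounts_of(node):
    """Mount points of one lsblk node; copes with old and new key names."""
    mounts = node.get("mountpoints")
    if mounts is None:                      # older util-linux: single string
        mounts = [node.get("mountpoint")]
    return [m for m in mounts if m]


def walk(node, chain=(), encrypted=False):
    """Yield (mountpoint, device chain, passed-through-dm-crypt) triples."""
    chain = chain + (node["name"],)
    encrypted = encrypted or node.get("type") == "crypt"
    for mount in mounts_of(node):
        yield mount, chain, encrypted
    for child in node.get("children", []):
        yield from walk(child, chain, encrypted)


def plaintext_paths(lsblk_json, must_encrypt):
    """Return sorted (mountpoint, path) pairs that bypass dm-crypt.

    must_encrypt is the set of mount points that policy says must only ever
    sit on encrypted storage.
    """
    findings = []
    for device in json.loads(lsblk_json)["blockdevices"]:
        for mount, chain, encrypted in walk(device):
            if mount in must_encrypt and not encrypted:
                findings.append((mount, " > ".join(chain)))
    return sorted(findings)


if __name__ == "__main__":
    for mount, path in plaintext_paths(SAMPLE_LSBLK_JSON, {"/mnt/videos"}):
        print(f"plaintext path to {mount}: {path}")
```
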

Re: [gentoo-user] LVM and moving things around

2022-03-27 Thread Michael
On Sunday, 27 March 2022 22:04:45 BST Dale wrote:
> Wol wrote:
> > My three 3TB partitions are raided, and /dev/md/home is my PV. I've
> > only allocated the space to LVs that they need, so I could probably
> > shrink the PV and remove a drive without needing to mess about with my
> > LVs at all. I get the impression you may have allocated all your
> > space, not a good idea.
> 
> I did allocate all the space because at the time, I wasn't considering
> encrypting any of that data or dividing it up.  Things have changed and
> I want to move things around.  This is one of the good things about ext4
> and LVM.  They can shrink in size fairly easy.  Of course, backups are
> always a good idea. 
> 
> > My attitude is my data is backed up, expanding an LV/FS is low risk,
> > I'll just grow stuff as I need to ... my /home partition contains
> > proper home drives, things like videos may be in /home/videos, but
> > they're actually a separate partition, etc etc.
> 
> That's sort of what I'm going to do.  I'm going to divide things into
> sections with some encrypted and some not.

I wonder if all you want to do is to encrypt some directories on your /home, 
then a different level of encryption would be more appropriate?  Instead of 
encrypting a whole block device, you could just encrypt a directory tree or 
two, using ext4 encryption.  e4crypt has been kicking around for a few years 
now and it is meant to be an improvement on eCryptfs.

https://lwn.net/Articles/639427/

https://wiki.gentoo.org/wiki/Ext4_encryption

WARNING:  I'm not qualified to speak about this topic because my experience is 
limited, but I'm interested all the same in reading your approach and other 
contributors' advice.



Re: [gentoo-user] Firefox to LOCalc characterset translation

2022-03-27 Thread tastytea
On 2022-03-27 23:13+0100 Michael  wrote:

> On Sunday, 27 March 2022 23:04:21 BST tastytea wrote:
> > On 2022-03-27 22:35+0100 Michael  wrote:  
> > > I can't explain why the following cut 'n paste problem happens
> > > when I select some symbols within text in Firefox and then try to
> > > insert by middle-click in LibreOffice Calc.
> > > 
> > > If I select the symbols for £ (GBP), or € (Euro) and middle click
> > > upon a cell in LOCalc, a window pops up asking "Select the
> > > Language to Use for Import".  I leave it to "Automatic" which is
> > > the default setting and the symbol plus any text is pasted with
> > > the same format as the webpage.  The symbols are then displayed
> > > correctly in LOCalc.
> > > 
> > > However, if I enter a cell by double clicking on it, or by
> > > clicking in the edit bar, then middle click to enter the
> > > selection, both £ and € symbols are entered in some strange code
> > > - e.g. \u20ac  
> > 
> > I don't know why it is doing that or how to fix it, but the strange
> > code is a unicode code point. You can enter it in many terminal
> > emulators by pressing Control + Shift + u and then 20ac + Enter or
> > display it with echo "\u20ac".
> > 
> > Kind regards, tastytea  
> 
> Hmm ... I wonder if my setup is wrong?  This is what I get in UXterm
> and Konsole:
> 
> $ echo "\u20ac"
> \u20ac

Ah sorry, in bash that's echo -e "\u20ac". I was testing with zsh,
where -e is enabled by default.

> My locale.gen contains "en_GB.UTF-8 UTF-8" so I naively assumed
> applications would be able to translate code into characters.  Well,
> other applications do with LOCalc, but Firefox won't.  :-/




Re: [gentoo-user] Firefox to LOCalc characterset translation

2022-03-27 Thread Michael
On Sunday, 27 March 2022 23:04:21 BST tastytea wrote:
> On 2022-03-27 22:35+0100 Michael  wrote:
> > I can't explain why the following cut 'n paste problem happens when I
> > select some symbols within text in Firefox and then try to insert by
> > middle-click in LibreOffice Calc.
> > 
> > If I select the symbols for £ (GBP), or € (Euro) and middle click
> > upon a cell in LOCalc, a window pops up asking "Select the Language
> > to Use for Import".  I leave it to "Automatic" which is the default
> > setting and the symbol plus any text is pasted with the same format
> > as the webpage.  The symbols are then displayed correctly in LOCalc.
> > 
> > However, if I enter a cell by double clicking on it, or by clicking
> > in the edit bar, then middle click to enter the selection, both £ and
> > € symbols are entered in some strange code - e.g. \u20ac
> 
> I don't know why it is doing that or how to fix it, but the strange code
> is a unicode code point. You can enter it in many terminal emulators by
> pressing Control + Shift + u and then 20ac + Enter or display it with
> echo "\u20ac".
> 
> Kind regards, tastytea

Hmm ... I wonder if my setup is wrong?  This is what I get in UXterm and 
Konsole:

$ echo "\u20ac"
\u20ac


My locale.gen contains "en_GB.UTF-8 UTF-8" so I naively assumed applications 
would be able to translate code into characters.  Well, other applications do 
with LOCalc, but Firefox won't.  :-/



Re: [gentoo-user] Firefox to LOCalc characterset translation

2022-03-27 Thread tastytea
On 2022-03-27 22:35+0100 Michael  wrote:

> I can't explain why the following cut 'n paste problem happens when I
> select some symbols within text in Firefox and then try to insert by
> middle-click in LibreOffice Calc.
> 
> If I select the symbols for £ (GBP), or € (Euro) and middle click
> upon a cell in LOCalc, a window pops up asking "Select the Language
> to Use for Import".  I leave it to "Automatic" which is the default
> setting and the symbol plus any text is pasted with the same format
> as the webpage.  The symbols are then displayed correctly in LOCalc.
> 
> However, if I enter a cell by double clicking on it, or by clicking
> in the edit bar, then middle click to enter the selection, both £ and
> € symbols are entered in some strange code - e.g. \u20ac

I don't know why it is doing that or how to fix it, but the strange code
is a unicode code point. You can enter it in many terminal emulators by
pressing Control + Shift + u and then 20ac + Enter or display it with
echo "\u20ac".

Kind regards, tastytea



[gentoo-user] Firefox to LOCalc characterset translation

2022-03-27 Thread Michael
I can't explain why the following cut 'n paste problem happens when I select 
some symbols within text in Firefox and then try to insert by middle-click in 
LibreOffice Calc.

If I select the symbols for £ (GBP), or € (Euro) and middle click upon a cell 
in LOCalc, a window pops up asking "Select the Language to Use for Import".  I 
leave it to "Automatic" which is the default setting and the symbol plus any 
text is pasted with the same format as the webpage.  The symbols are then 
displayed correctly in LOCalc.

However, if I enter a cell by double clicking on it, or by clicking in the 
edit bar, then middle click to enter the selection, both £ and € symbols are 
entered in some strange code - e.g. \u20ac

Other browsers do not exhibit this behaviour.  Firefox has been installed with 
these flags:

 Installed versions:  91.7.0(esr)(20:02:31 10/03/22)(clang dbus gmp-autoupdate 
openh264 system-av1 system-harfbuzz system-icu system-jpeg system-libevent 
system-libvpx system-webp wayland -debug -eme-free -geckodriver -hardened -
hwaccel -jack -lto -pgo -pulseaudio -screencast -selinux -sndio -system-png -
wifi CPU_FLAGS_ARM="-neon" L10N="en-GB -ach -af -an -ar -ast -az -be -bg -bn -
br -bs -ca -ca-valencia -cak -cs -cy -da -de -dsb -el -en-CA -eo -es-AR -es-CL 
-es-ES -es-MX -et -eu -fa -ff -fi -fr -fy -ga -gd -gl -gn -gu -he -hi -hr -hsb -
hu -hy -ia -id -is -it -ja -ka -kab -kk -km -kn -ko -lij -lt -lv -mk -mr -ms -
my -nb -ne -nl -nn -oc -pa -pl -pt-BR -pt-PT -rm -ro -ru -sco -si -sk -sl -son 
-sq -sr -sv -szl -ta -te -th -tl -tr -trs -uk -ur -uz -vi -xh -zh-CN -zh-TW")

and libreoffice with these:

 Installed versions:  7.2.5.2^s(08:42:14 03/02/22)(-offlinehelp L10N="en en-
GB -af -am -ar -as -ast -be -bg -bn -bn-IN -bo -br -brx -bs -ca -ca-valencia -
ckb -cs -cy -da -de -dgo -dsb -dz -el -en-ZA -eo -es -et -eu -fa -fi -fr -fur -
fy -ga -gd -gl -gu -gug -he -hi -hr -hsb -hu -id -is -it -ja -ka -kab -kk -km 
-kmr-Latn -kn -ko -kok -ks -lb -lo -lt -lv -mai -mk -ml -mn -mni -mr -my -nb -
ne -nl -nn -nr -nso -oc -om -or -pa -pl -pt -pt-BR -ro -ru -rw -sa -sat -sd -
si -sid -sk -sl -sq -sr -sr-Latn -ss -st -sv -sw-TZ -szl -ta -te -tg -th -tn -
tr -ts -tt -ug -uk -uz -ve -vec -vi -xh -zh-CN -zh-TW -zu")

Any idea why this is happening and how I could fix it?



Re: [gentoo-user] LVM and moving things around

2022-03-27 Thread Dale
Wol wrote:
> On 27/03/2022 21:36, Wol wrote:
>> I don't know either. I'm just far more familiar with the dm/md layer
>> because I run md-raid over dm-integrity. Hence dm-crypt.
>>
>> Is cryptsetup a layer in its own right, or part of lvm? I prefer the
>> Unix "use several tools each of which does one thing well", other
>> people prefer a swiss army knife like ZFS or btrfs. I don't know
>> where cryptsetup lies on that spectrum, and I don't know your
>> preferences on that spectrum.
>
> Just seen Rich's message, so now I know :-)
>
> But it's just hit me - you have three PV's joined into one LV? Is that
> effectively raid-0? If so, you know you have just TREBLED your risk of
> losing your home drive? (Although I do know the risk is low to start
> with.)
>
> Don't know what really to suggest though, other than getting a new 8TB
> drive and converting it to a 3x8TB 16TB raid-5 ... and you said you
> didn't want to splash out on a new drive ...
>
> Cheers,
> Wol
>
>


I don't have RAID at all.  Just three drives being used as /home on
LVM.  I should use RAID but I have a backup that gets done each week.  I
wouldn't lose much even if it crashed and burned badly.  The biggest
loss might would be emails.  I think I have gmail set up to save them so
I think it would download whatever was missing from the last backup
restoration.  I need to check that. 

Dale

:-)  :-) 



Re: [gentoo-user] LVM and moving things around

2022-03-27 Thread Wol

On 27/03/2022 21:36, Wol wrote:
> I don't know either. I'm just far more familiar with the dm/md layer
> because I run md-raid over dm-integrity. Hence dm-crypt.
>
> Is cryptsetup a layer in its own right, or part of lvm? I prefer the
> Unix "use several tools each of which does one thing well", other people
> prefer a swiss army knife like ZFS or btrfs. I don't know where
> cryptsetup lies on that spectrum, and I don't know your preferences on
> that spectrum.


Just seen Rich's message, so now I know :-)

But it's just hit me - you have three PV's joined into one LV? Is that 
effectively raid-0? If so, you know you have just TREBLED your risk of 
losing your home drive? (Although I do know the risk is low to start with.)


Don't know what really to suggest though, other than getting a new 8TB 
drive and converting it to a 3x8TB 16TB raid-5 ... and you said you 
didn't want to splash out on a new drive ...


Cheers,
Wol



Re: [gentoo-user] LVM and moving things around

2022-03-27 Thread Dale
Wol wrote:
> On 27/03/2022 21:13, Dale wrote:
>> Wol wrote:
>>> On 27/03/2022 20:17, Dale wrote:
>>>> Howdy,
>>>>
>>>> I sort of started this on another thread but wanted to nail a few things
>>>> down first.  I'm wanting to encrypt some parts of my data on /home.
>>>> This is what I got hard drive wise.
>>>>
>>>>
>>>> root@fireball / # pvs
>>>>    PV         VG     Fmt  Attr PSize    PFree
>>>>    /dev/sda7  OS     lvm2 a--  <124.46g 21.39g
>>>>    /dev/sdb1  Home2  lvm2 a--    <5.46t 0
>>>>    /dev/sdc1  Home2  lvm2 a--    <7.28t 0
>>>>    /dev/sdd1  Home2  lvm2 a--    <7.28t 0
>>>>    /dev/sde1  backup lvm2 a--   698.63g 0
>>>> root@fireball / #
>>>>
>>> One big piece of missing information. What does fdisk say about
>>> sd[b,c,d]1? And can you add sdf1?
>>
>> I have the entire drive as one large partition for each drive.  I could
>> have done it as a whole device but I wanted partitions to give a hint
>> that the drive is in use, if booted from other medium for example.
>>
>> I have enough extra space that I can remove either a 6TB or a 8TB
>> drive.  Once that is done, I can start to encrypt and move data around.
>> This is some additional info from df for /home:
>>
>>
>> /dev/mapper/Home2-Home2 20T  8.7T   12T  45% /home
>>
>>
>> If I remove a 8TB drive, I'd still have enough room for my data.  I
>> could then rebuild /home starting with the 8TB drive just freed up.
>> Then as I move data, I could expand them one at a time encrypting as I
>> go.  I'd rather not have to buy a hard drive right now.  Tight budget
>> given other things I got going on.  I do have backups, more than one in
>> a couple important data spots.
>>
> Do you need to shrink your fs first though?

From my understanding of my google results, I need to unmount /home,
shrink the file system, then I can remount /home, use pvmove to move
data off whichever drive I want to take LVM off of, then pvremove the
drive to make the drive available just like a new drive.  I can then use
it to start building the LVM and it be encrypted.  As I remove other
drives with the same method above, I can expand the encrypted drives. 
I'm still trying to figure out whether to use the 6TB or 8TB drive in
normal mode.  I think the 6TB would be large enough for the normal /home
and let the encrypted be on the other drives. 

>
> My three 3TB partitions are raided, and /dev/md/home is my PV. I've
> only allocated the space to LVs that they need, so I could probably
> shrink the PV and remove a drive without needing to mess about with my
> LVs at all. I get the impression you may have allocated all your
> space, not a good idea.

I did allocate all the space because at the time, I wasn't considering
encrypting any of that data or dividing it up.  Things have changed and
I want to move things around.  This is one of the good things about ext4
and LVM.  They can shrink in size fairly easy.  Of course, backups are
always a good idea. 

>
> My attitude is my data is backed up, expanding an LV/FS is low risk,
> I'll just grow stuff as I need to ... my /home partition contains
> proper home drives, things like videos may be in /home/videos, but
> they're actually a separate partition, etc etc.

That's sort of what I'm going to do.  I'm going to divide things into
sections with some encrypted and some not.


>>
>>>
>>> I'm guessing you've got three 8TB drives? Or is it two 8s and a 6? Can
>>> you get a third 8TB? And if you're encrypting *parts* of /home ...
>>> what parts?

>>>> I've done some checking on sizes of things I want to encrypt and am
>>>> weighing options.  I use LVM which should help make things easier.  I've
>>>> downloaded and printed some howtos regarding shrinking the file system
>>>> and LVM thingys.  It seems I need to shrink the file system while my
>>>> /home partition is unmounted.  Then move the data off whichever drive I
>>>> want to remove and then remove the drive itself.  After that I can
>>>> encrypt the just removed drive and start moving files over, using rsync
>>>> is my plan.  I think that is the basic steps.
>>>
>>> Not necessarily.
>>>>
>>>> My question now comes to this.  When I encrypt one of the drives, can I
>>>> then expand that drive with it being encrypted or is that not a option?
>>>> I plan to encrypt two of the drives as one volume group and leave one
>>>> other volume group as normal.  I just want to be sure whether or not I
>>>> can expand a encrypted LVM drive the same as a normal LVM since both
>>>> uses LVM.  I use cryptsetup commands to accomplish the encryption if
>>>> that matters.  So as a example, I start with one 7TB drive encrypted,
>>>> move some data to it, then want to add either the 5TB or 7TB drive.  Can
>>>> I just expand it like a normal LVM or does it being encrypted change
>>>> things?
>>>>
>>>> Thoughts?  My remove steps look sensible?  Expanding encrypted LVM
>>>> possible?
>>>
>>> If you are using LVM to do the encryption, then I 

Re: [gentoo-user] LVM and moving things around

2022-03-27 Thread Wol

On 27/03/2022 21:13, Dale wrote:
> Wol wrote:
>> On 27/03/2022 20:17, Dale wrote:
>>> Howdy,
>>>
>>> I sort of started this on another thread but wanted to nail a few things
>>> down first.  I'm wanting to encrypt some parts of my data on /home.
>>> This is what I got hard drive wise.
>>>
>>>
>>> root@fireball / # pvs
>>>    PV         VG     Fmt  Attr PSize    PFree
>>>    /dev/sda7  OS     lvm2 a--  <124.46g 21.39g
>>>    /dev/sdb1  Home2  lvm2 a--    <5.46t 0
>>>    /dev/sdc1  Home2  lvm2 a--    <7.28t 0
>>>    /dev/sdd1  Home2  lvm2 a--    <7.28t 0
>>>    /dev/sde1  backup lvm2 a--   698.63g 0
>>> root@fireball / #
>>>
>> One big piece of missing information. What does fdisk say about
>> sd[b,c,d]1? And can you add sdf1?
>
> I have the entire drive as one large partition for each drive.  I could
> have done it as a whole device but I wanted partitions to give a hint
> that the drive is in use, if booted from other medium for example.
>
> I have enough extra space that I can remove either a 6TB or a 8TB
> drive.  Once that is done, I can start to encrypt and move data around.
> This is some additional info from df for /home:
>
>
> /dev/mapper/Home2-Home2 20T  8.7T   12T  45% /home
>
>
> If I remove a 8TB drive, I'd still have enough room for my data.  I
> could then rebuild /home starting with the 8TB drive just freed up.
> Then as I move data, I could expand them one at a time encrypting as I
> go.  I'd rather not have to buy a hard drive right now.  Tight budget
> given other things I got going on.  I do have backups, more than one in
> a couple important data spots.

Do you need to shrink your fs first though?

My three 3TB partitions are raided, and /dev/md/home is my PV. I've only
allocated the space to LVs that they need, so I could probably shrink
the PV and remove a drive without needing to mess about with my LVs at
all. I get the impression you may have allocated all your space, not a
good idea.

My attitude is my data is backed up, expanding an LV/FS is low risk,
I'll just grow stuff as I need to ... my /home partition contains proper
home drives, things like videos may be in /home/videos, but they're
actually a separate partition, etc etc.

>> I'm guessing you've got three 8TB drives? Or is it two 8s and a 6? Can
>> you get a third 8TB? And if you're encrypting *parts* of /home ...
>> what parts?
>>>
>>> I've done some checking on sizes of things I want to encrypt and am
>>> weighing options.  I use LVM which should help make things easier.  I've
>>> downloaded and printed some howtos regarding shrinking the file system
>>> and LVM thingys.  It seems I need to shrink the file system while my
>>> /home partition is unmounted.  Then move the data off whichever drive I
>>> want to remove and then remove the drive itself.  After that I can
>>> encrypt the just removed drive and start moving files over, using rsync
>>> is my plan.  I think that is the basic steps.
>>
>> Not necessarily.
>>>
>>> My question now comes to this.  When I encrypt one of the drives, can I
>>> then expand that drive with it being encrypted or is that not a option?
>>> I plan to encrypt two of the drives as one volume group and leave one
>>> other volume group as normal.  I just want to be sure whether or not I
>>> can expand a encrypted LVM drive the same as a normal LVM since both
>>> uses LVM.  I use cryptsetup commands to accomplish the encryption if
>>> that matters.  So as a example, I start with one 7TB drive encrypted,
>>> move some data to it, then want to add either the 5TB or 7TB drive.  Can
>>> I just expand it like a normal LVM or does it being encrypted change
>>> things?
>>>
>>> Thoughts?  My remove steps look sensible?  Expanding encrypted LVM
>>> possible?
>>
>> If you are using LVM to do the encryption, then I can't see any
>> problems adding a new PV to an encrypted VG.
>>>
>>> Dale
>>>
>> Personally, I'd use dm-crypt to encrypt the drive, and then the whole
>> lot is encrypted, and put plain LVM over that. I've got dedicated
>> layers for everything.
>>
>> It looks like your home2 is 6TB+8TB+8TB. I'd get a new 8TB, put
>> dm-crypt on it, and add it. Now I can remove the first 8TB, dm-crypt
>> it and re-add it. Same with the second 8TB. Now remove the 6TB and
>> there you are ...
>>
>> My layout's rather different from yours, so I don't think I ought to
>> say too much :-)
>>
>> Cheers,
>> Wol
>
> What is the advantage of dm-crypt over cryptsetup?  I've learned how to
> use cryptsetup with my external drive so was hoping to stick with what I
> already know.  Unless there is a advantage to dm-crypt.

I don't know either. I'm just far more familiar with the dm/md layer
because I run md-raid over dm-integrity. Hence dm-crypt.

Is cryptsetup a layer in its own right, or part of lvm? I prefer the
Unix "use several tools each of which does one thing well", other people
prefer a swiss army knife like ZFS or btrfs. I don't know where
cryptsetup lies on that spectrum, and I don't know your preferences on
that spectrum.


Cheers,
Wol



Re: [gentoo-user] LVM and moving things around

2022-03-27 Thread Rich Freeman
On Sun, Mar 27, 2022 at 4:13 PM Dale  wrote:
>
> What is the advantage of dm-crypt over cryptsetup?  I've learned how to
> use cryptsetup with my external drive so was hoping to stick with what I
> already know.  Unless there is a advantage to dm-crypt.

So, I suspect that terms are being used loosely here, but dm-crypt is
a kernel block device encryption layer, and cryptsetup is just a
userspace wrapper that sets up dm-crypt.  I don't think cryptsetup
works without dm-crypt, but you could of course use dm-crypt without
cryptsetup.

There is an on-disk standard called LUKS that cryptsetup typically
uses.  This stores metadata about the layout, fields to store session
keys encrypted with a passphrase, space to store info like rekeying
progress, and so on.  The kernel dm-crypt will just want a cipher/key
to use and a range of disk blocks to apply it to.  With LUKS /
cryptsetup you can do handy things like have a passphrase that goes
through many rounds to yield the session key, or the ability to have
multiple passphrases that work, or the ability to change the session
key, or temporarily store the session key in the clear so that the
drive can be used without a passphrase, and so on.

99% of the time linux distros are using cryptsetup/LUKS to manage
encryption.  If you wanted to use dm-crypt directly you'd basically
have to either re-implement your own version of LUKS, or memorize a
128 bit AES key.  Even if you intend to use a key file I'd still
consider using LUKS just for the standardization and options.

I'm guessing that 99% of the time if somebody is talking about
dm-crypt, they really mean cryptsetup/LUKS+dm-crypt.  (I think LUKS is
the on-disk standard, and cryptsetup is an implementation of it all.)

-- 
Rich
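
Added example, not part of Rich's message or of cryptsetup's code: a reader for the LUKS1 on-disk header, showing the layout metadata and passphrase keyslots the message describes. The field layout follows the LUKS1 on-disk format specification; LUKS2 keeps its metadata in JSON and is rejected here. The header bytes, UUID and iteration counts are constructed sample values.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
KEY_ENABLED, KEY_DISABLED = 0x00AC71F3, 0x0000DEAD
NUM_SLOTS = 8

# Big-endian LUKS1 "phdr": magic, version, cipher name, cipher mode, hash
# spec, payload offset (sectors), master key length (bytes), master key
# digest, digest salt, digest iterations, UUID.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
# One keyslot: state, PBKDF2 iterations, salt, key material offset, stripes.
SLOT = struct.Struct(">II32sII")
HEADER_LEN = PHDR.size + NUM_SLOTS * SLOT.size      # 208 + 8 * 48 = 592


def cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii")


def parse_luks1_header(buf):
    """Parse the first 592 bytes of a LUKS1 device into a dict."""
    if len(buf) < HEADER_LEN:
        raise ValueError("buffer shorter than a LUKS1 header")
    (magic, version, cipher, mode, hash_spec, payload_sector, key_bytes,
     _mk_digest, _mk_salt, mk_iterations, uuid) = PHDR.unpack_from(buf, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("LUKS magic not found")
    if version != 1:
        raise ValueError(f"LUKS version {version} is not LUKS1")

    slots = []
    for index in range(NUM_SLOTS):
        state, iterations, _salt, km_sector, stripes = SLOT.unpack_from(
            buf, PHDR.size + index * SLOT.size)
        if state not in (KEY_ENABLED, KEY_DISABLED):
            raise ValueError(f"keyslot {index} has invalid state {state:#x}")
        slots.append({
            "index": index,
            "enabled": state == KEY_ENABLED,
            "iterations": iterations,       # passphrase stretching rounds
            "key_material_sector": km_sector,
            "stripes": stripes,
        })
    return {
        "cipher": f"{cstr(cipher)}-{cstr(mode)}",
        "hash": cstr(hash_spec),
        "key_bits": key_bytes * 8,          # size of the volume (master) key
        "payload_sector": payload_sector,   # where the encrypted data starts
        "mk_digest_iterations": mk_iterations,
        "uuid": cstr(uuid),
        "slots": slots,
    }


def enabled_slots(header):
    """Indexes of keyslots that currently hold a wrapped copy of the key."""
    return [s["index"] for s in header["slots"] if s["enabled"]]


def build_sample_header():
    """Constructed header: two passphrases set, six empty keyslots."""
    phdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                     4096, 64, bytes(20), bytes(32), 100000,
                     b"00000000-0000-0000-0000-000000000000")
    slots = b""
    for index in range(NUM_SLOTS):
        used = index < 2
        slots += SLOT.pack(KEY_ENABLED if used else KEY_DISABLED,
                           1500000 if used else 0, bytes(32),
                           8 + index * 512, 4000)
    return phdr + slots


if __name__ == "__main__":
    header = parse_luks1_header(build_sample_header())
    print(header["cipher"], header["key_bits"], "bit key,",
          "keyslots in use:", enabled_slots(header))
```
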



Re: [gentoo-user] LVM and moving things around

2022-03-27 Thread Dale
Wol wrote:
> On 27/03/2022 20:17, Dale wrote:
>> Howdy,
>>
>> I sort of started this on another thread but wanted to nail a few things
>> down first.  I'm wanting to encrypt some parts of my data on /home.
>> This is what I got hard drive wise.
>>
>>
>> root@fireball / # pvs
>>    PV         VG     Fmt  Attr PSize    PFree
>>    /dev/sda7  OS     lvm2 a--  <124.46g 21.39g
>>    /dev/sdb1  Home2  lvm2 a--    <5.46t 0
>>    /dev/sdc1  Home2  lvm2 a--    <7.28t 0
>>    /dev/sdd1  Home2  lvm2 a--    <7.28t 0
>>    /dev/sde1  backup lvm2 a--   698.63g 0
>> root@fireball / #
>>
> One big piece of missing information. What does fdisk say about
> sd[b,c,d]1? And can you add sdf1?

I have the entire drive as one large partition for each drive.  I could
have done it as a whole device but I wanted partitions to give a hint
that the drive is in use, if booted from other medium for example. 

I have enough extra space that I can remove either a 6TB or a 8TB
drive.  Once that is done, I can start to encrypt and move data around. 
This is some additional info from df for /home:


/dev/mapper/Home2-Home2 20T  8.7T   12T  45% /home


If I remove a 8TB drive, I'd still have enough room for my data.  I
could then rebuild /home starting with the 8TB drive just freed up. 
Then as I move data, I could expand them one at a time encrypting as I
go.  I'd rather not have to buy a hard drive right now.  Tight budget
given other things I got going on.  I do have backups, more than one in
a couple important data spots. 


>
> I'm guessing you've got three 8TB drives? Or is it two 8s and a 6? Can
> you get a third 8TB? And if you're encrypting *parts* of /home ...
> what parts?
>>
>> I've done some checking on sizes of things I want to encrypt and am
>> weighing options.  I use LVM which should help make things easier.  I've
>> downloaded and printed some howtos regarding shrinking the file system
>> and LVM thingys.  It seems I need to shrink the file system while my
>> /home partition is unmounted.  Then move the data off whichever drive I
>> want to remove and then remove the drive itself.  After that I can
>> encrypt the just removed drive and start moving files over, using rsync
>> is my plan.  I think that is the basic steps.
>
> Not necessarily.
>>
>> My question now comes to this.  When I encrypt one of the drives, can I
>> then expand that drive with it being encrypted or is that not an option?
>> I plan to encrypt two of the drives as one volume group and leave one
>> other volume group as normal.  I just want to be sure whether or not I
>> can expand an encrypted LVM drive the same as a normal LVM since both
>> use LVM.  I use cryptsetup commands to accomplish the encryption if
>> that matters.  So as an example, I start with one 7TB drive encrypted,
>> move some data to it, then want to add either the 5TB or 7TB drive.  Can
>> I just expand it like a normal LVM or does it being encrypted change
>> things?
>>
>> Thoughts?  My remove steps look sensible?  Expanding encrypted LVM
>> possible?
>
> If you are using LVM to do the encryption, then I can't see any
> problems adding a new PV to an encrypted VG.
>>
>> Dale
>>
> Personally, I'd use dm-crypt to encrypt the drive, and then the whole
> lot is encrypted, and put plain LVM over that. I've got dedicated
> layers for everything.
>
> It looks like your home2 is 6TB+8TB+8TB. I'd get a new 8TB, put
> dm-crypt on it, and add it. Now I can remove the first 8TB, dm-crypt
> it and re-add it. Same with the second 8TB. Now remove the 6TB and
> there you are ...
>
> My layout's rather different from yours, so I don't think I ought to
> say too much :-)
>
> Cheers,
> Wol
>
>


What is the advantage of dm-crypt over cryptsetup?  I've learned how to
use cryptsetup with my external drive so was hoping to stick with what I
already know.  Unless there is an advantage to dm-crypt.

Thanks.

Dale

:-)  :-) 



Re: [gentoo-user] LVM and moving things around

2022-03-27 Thread Wol

On 27/03/2022 20:17, Dale wrote:

> Howdy,
>
> I sort of started this on another thread but wanted to nail a few things
> down first.  I'm wanting to encrypt some parts of my data on /home.
> This is what I got hard drive wise.
>
>
> root@fireball / # pvs
>   PV         VG     Fmt  Attr PSize    PFree
>   /dev/sda7  OS     lvm2 a--  <124.46g 21.39g
>   /dev/sdb1  Home2  lvm2 a--    <5.46t      0
>   /dev/sdc1  Home2  lvm2 a--    <7.28t      0
>   /dev/sdd1  Home2  lvm2 a--    <7.28t      0
>   /dev/sde1  backup lvm2 a--   698.63g      0
> root@fireball / #

One big piece of missing information. What does fdisk say about 
sd[b,c,d]1? And can you add sdf1?


I'm guessing you've got three 8TB drives? Or is it two 8s and a 6? Can 
you get a third 8TB? And if you're encrypting *parts* of /home ... what 
parts?


> I've done some checking on sizes of things I want to encrypt and am
> weighing options.  I use LVM which should help make things easier.  I've
> downloaded and printed some howtos regarding shrinking the file system
> and LVM thingys.  It seems I need to shrink the file system while my
> /home partition is unmounted.  Then move the data off whichever drive I
> want to remove and then remove the drive itself.  After that I can
> encrypt the just removed drive and start moving files over, using rsync
> is my plan.  I think those are the basic steps.


Not necessarily.


> My question now comes to this.  When I encrypt one of the drives, can I
> then expand that drive with it being encrypted or is that not an option?
> I plan to encrypt two of the drives as one volume group and leave one
> other volume group as normal.  I just want to be sure whether or not I
> can expand an encrypted LVM drive the same as a normal LVM since both
> use LVM.  I use cryptsetup commands to accomplish the encryption if
> that matters.  So as an example, I start with one 7TB drive encrypted,
> move some data to it, then want to add either the 5TB or 7TB drive.  Can
> I just expand it like a normal LVM or does it being encrypted change
> things?
>
> Thoughts?  My remove steps look sensible?  Expanding encrypted LVM
> possible?


If you are using LVM to do the encryption, then I can't see any problems 
adding a new PV to an encrypted VG.


> Dale

Personally, I'd use dm-crypt to encrypt the drive, and then the whole 
lot is encrypted, and put plain LVM over that. I've got dedicated layers 
for everything.


It looks like your home2 is 6TB+8TB+8TB. I'd get a new 8TB, put dm-crypt 
on it, and add it. Now I can remove the first 8TB, dm-crypt it and 
re-add it. Same with the second 8TB. Now remove the 6TB and there you 
are ...


My layout's rather different from yours, so I don't think I ought to say 
too much :-)


Cheers,
Wol
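
The rolling replacement described above, as an added example that is not part of the thread: cryptsetup is the userspace front end to the kernel's dm-crypt target, so the same commands apply. The script prints one swap as a dry run and checks whether a fully allocated PV fits on a LUKS-backed one; the mapping name `crypt_sdf1`, the disk size and the default offsets (4 MiB extents, 1 MiB LVM metadata, 16 MiB LUKS2 header) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Sizes are constructed; offsets are the
# usual defaults: 4 MiB extents, 1 MiB LVM metadata, 16 MiB LUKS2 header.
PE_MIB=4; PV_META_MIB=1; LUKS2_HDR_MIB=16

# pv_extents SIZE_MIB HDR_MIB -> usable physical extents on that device
pv_extents() { echo $(( ($1 - $2 - PV_META_MIB) / PE_MIB )); }

# shortfall SRC_MIB SRC_FREE_EXT DST_MIB -> extents that will NOT fit when a
# plain PV is pvmove'd onto a LUKS2-backed PV (0 means the move fits)
shortfall() {
    used=$(( $(pv_extents "$1" 0) - $2 ))
    room=$(pv_extents "$3" "$LUKS2_HDR_MIB")
    if [ "$used" -gt "$room" ]; then echo $(( used - room )); else echo 0; fi
}

# rolling_step VG OLD_PV NEW_PART -> print (do not run) one swap of the
# rolling replacement: encrypt the spare, add it, evacuate the old PV.
rolling_step() {
    vg=$1 old=$2 new=$3 map="crypt_${3##*/}"   # mapping name is hypothetical
    cat <<EOF
cryptsetup luksFormat $new
cryptsetup open $new $map
pvcreate /dev/mapper/$map
vgextend $vg /dev/mapper/$map
pvmove $old /dev/mapper/$map
vgreduce $vg $old
pvremove $old
EOF
}

DISK_8TB_MIB=7629394   # constructed: 8 * 10^12 bytes expressed in MiB
# PFree is 0 on every Home2 PV, so an identical-size encrypted spare is too
# small by the LUKS header; shrinking the filesystem and LV first covers it.
echo "short by $(shortfall $DISK_8TB_MIB 0 $DISK_8TB_MIB) extents"
rolling_step Home2 /dev/sdc1 /dev/sdf1
```

After pvmove and vgreduce the old drive still holds the unencrypted blocks; luksFormat writes only a header, so they stay readable on the raw device until they are overwritten.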



[gentoo-user] LVM and moving things around

2022-03-27 Thread Dale
Howdy,

I sort of started this on another thread but wanted to nail a few things
down first.  I'm wanting to encrypt some parts of my data on /home. 
This is what I got hard drive wise.


root@fireball / # pvs
  PV         VG     Fmt  Attr PSize    PFree
  /dev/sda7  OS     lvm2 a--  <124.46g 21.39g
  /dev/sdb1  Home2  lvm2 a--    <5.46t      0
  /dev/sdc1  Home2  lvm2 a--    <7.28t      0
  /dev/sdd1  Home2  lvm2 a--    <7.28t      0
  /dev/sde1  backup lvm2 a--   698.63g      0
root@fireball / #


I've done some checking on sizes of things I want to encrypt and am
weighing options.  I use LVM which should help make things easier.  I've
downloaded and printed some howtos regarding shrinking the file system
and LVM thingys.  It seems I need to shrink the file system while my
/home partition is unmounted.  Then move the data off whichever drive I
want to remove and then remove the drive itself.  After that I can
encrypt the just removed drive and start moving files over, using rsync
is my plan.  I think those are the basic steps.

My question now comes to this.  When I encrypt one of the drives, can I
then expand that drive with it being encrypted or is that not an option?
I plan to encrypt two of the drives as one volume group and leave one
other volume group as normal.  I just want to be sure whether or not I
can expand an encrypted LVM drive the same as a normal LVM since both
use LVM.  I use cryptsetup commands to accomplish the encryption if
that matters.  So as an example, I start with one 7TB drive encrypted,
move some data to it, then want to add either the 5TB or 7TB drive.  Can
I just expand it like a normal LVM or does it being encrypted change
things?

Thoughts?  My remove steps look sensible?  Expanding encrypted LVM
possible?

Dale

:-)  :-)