Re: [gentoo-user] LVM and moving things around
Michael wrote:
> On Sunday, 27 March 2022 22:04:45 BST Dale wrote:
>>
>> That's sort of what I'm going to do. I'm going to divide things into
>> sections with some encrypted and some not.
> I wonder if all you want to do is to encrypt some directories on your /home,
> then a different level of encryption would be more appropriate? Instead of
> encrypting a whole block device, you could just encrypt a directory tree or
> two, using ext4 encryption. e4crypt has been kicking around for a few years
> now and it is meant to be an improvement on eCryptfs.
>
> https://lwn.net/Articles/639427/
>
> https://wiki.gentoo.org/wiki/Ext4_encryption
>
> WARNING: I'm not qualified to speak about this topic because my experience
> is limited, but I'm interested all the same in reading your approach and
> other contributors' advice.

That is the basic plan. I'll have /home as a normal open mount point. That
way I can log in without an encryption password being needed. After that, I
plan to have other mount point(s) that are encrypted. It may be
/home/dale/Data or something to that effect. I'm still doing some checking
but the normal non-encrypted stuff should easily fit on a 6TB drive without
encryption. I can then rebuild the two 8TB drives as encrypted mount points
with a different volume group thingy. When I boot up, I can log in as usual
then decrypt the other mount point and access it as needed or close it and
it be encrypted until needed.

I've considered just encrypting /home completely but I don't have the option
of closing it while I'm logged into KDE. KDE wouldn't be able to access
/home/dale/.kde or .config plus if I leave Seamonkey open, it will want to
store new emails to .mozilla as well. So, some things need to be available
and I'm not too worried about them being encrypted anyway. So encrypting all
of /home would be overkill plus would be a problem for some things too, such
as Seamonkey and KDE.

I'm looking at a hard drive purchase just to see if I can afford it money
wise.

Dale

:-) :-)
Re: [gentoo-user] LVM and moving things around
On Sun, Mar 27, 2022 at 04:04:45PM -0500, Dale wrote:
> Based on the reply from Rich, thanks for the info, cryptsetup is just an
> upper level of dm-crypt. Basically, cryptsetup just has some user
> friendly bits added on top of it. Security wise, should be secure
> either way.

To be clear, cryptsetup is just a userspace command line tool for
manipulating dm-crypt/LUKS stuff. dm-crypt is the kernel part.

Lots of tools are structured this way. LVM is a thing in the kernel, and the
lvcreate/pvcreate/etc. command line tools are just the userspace user
interface. I assume they probably use a bunch of complicated ioctl() calls on
the LVM block devices to do their magic.

dm-crypt wraps an existing block device. What it wraps is typically a
physical disk partition, but it does not have to be. It can wrap basically
any block device. The 'device mapper' idea is a key part of what makes all
these tools composable: they use block devices to implement other block
devices, which can then be the 'inputs' to other such tools, etc.

dm-crypt takes a block device and uses it to implement a new block device.
Its key property is that (if you follow some basic rules) it is impossible
without the key to obtain the data inside it just by looking at the
underlying block device.

LVM is similar, but it has a different purpose. It takes some set of
underlying block devices (physical volumes) and it presents a different set
of block devices (logical volumes) to you. Its key property is that it is a
much more flexible way of arranging volumes (basically "partitioning") than
the underlying MBR/GPT disk partitioning system.

You can compose these things in multiple ways. You can use dm-crypt on its
own. You can use LVM on its own. You can use dm-crypt on top of LVM (so you
have physical disk partitions as physical volumes, then some or all of your
logical volumes act as the underlying block devices for dm-crypt's
purposes). Or you can use LVM on top of dm-crypt (so your LVM "physical"
volumes are dm-crypt block devices). And of course at some point as the
final layer you put filesystems on top of all of this.

My personal setup, to give an example, is that on each physical disk I have
a single partition. I use dm-crypt (with LUKS, which is basically 'dm-crypt
but sane', more on that later) on those partitions. In other words, each
physical disk in my computer has a single dm-crypt "volume". Each dm-crypt
block device is then used as a physical volume for LVM. They are all in a
volume group, and on top I have a number of logical volumes. Each logical
volume then has ext4 on it.

Here is what that looks like:

    NAME              TYPE  FSTYPE      LABEL SIZE MOUNTPOINTS
    sda               disk                    3.6T
    `-sda1            part  crypto_LUKS       3.6T
      `-hdd           crypt LVM2_member       3.6T
        `-vg-videovol lvm   ext4        VIDEO 100G /mnt/videos
    nvme0n1           disk                    1.8T
    `-nvme0n1p1       part  crypto_LUKS       1.8T
      `-root          crypt LVM2_member       1.8T
        |-vg-rootvol  lvm   ext4        ROOT  100G /
        |-vg-swapvol  lvm   swap        SWAP   64G [SWAP]
        |-vg-homevol  lvm   ext4        HOME  100G /home
        `-vg-audiovol lvm   ext4        AUDIO 100G /mnt/audio

> The biggest thing, can I encrypt an LVM group and then expand it. It
> seems I can. I've found where google results say the same but some
> results are dated. Things change. Sometimes for the good, sometimes not.

You can, but there is more than one way to do it, and you should be sure
you're doing it in the best way for what you need.

If you only want some of your LVM logical volumes to be encrypted, it would
make most sense to use LUKS on top of LVM. That's the opposite of the way I
show I have it set up above. That means you'd have disk partitions as LVM
physical volumes and you'd put LUKS on top of the LVM logical volumes. The
encryption (dm-crypt layer) would only be on some of your volumes. And it
would be above the LVM layer.

However, I'm not sure why you would want this. There are a million and one
ways of laying stuff out. You could have a set of disks that are for
encrypted stuff and a set of disks that are not. Then you could put all the
encrypted disks together into an LVM volume group and put things you want
encrypted in the logical volumes in your 'encrypted' volume group, while you
put the things you don't want encrypted in the logical volumes in your
'unencrypted' volume group.

I think you can even set things up so that logical volumes are fixed to a
particular physical volume. Then you could have some of the physical volumes
in your (single) volume group be encrypted, and others not, and assign
logical volumes you want to be encrypted to the right physical volumes. But
that seems very error-prone: I can definitely imagine you accidentally
moving a meant-to-be-secret logical volume to the
Re: [gentoo-user] LVM and moving things around
On Sunday, 27 March 2022 22:04:45 BST Dale wrote:
> Wol wrote:
> > My three 3TB partitions are raided, and /dev/md/home is my PV. I've
> > only allocated the space to LVs that they need, so I could probably
> > shrink the PV and remove a drive without needing to mess about with my
> > LVs at all. I get the impression you may have allocated all your
> > space, not a good idea.
>
> I did allocate all the space because at the time, I wasn't considering
> encrypting any of that data or dividing it up. Things have changed and
> I want to move things around. This is one of the good things about ext4
> and LVM. They can shrink in size fairly easy. Of course, backups are
> always a good idea.
>
> > My attitude is my data is backed up, expanding an LV/FS is low risk,
> > I'll just grow stuff as I need to ... my /home partition contains
> > proper home drives, things like videos may be in /home/videos, but
> > they're actually a separate partition, etc etc.
>
> That's sort of what I'm going to do. I'm going to divide things into
> sections with some encrypted and some not.

I wonder if all you want to do is to encrypt some directories on your /home,
then a different level of encryption would be more appropriate? Instead of
encrypting a whole block device, you could just encrypt a directory tree or
two, using ext4 encryption. e4crypt has been kicking around for a few years
now and it is meant to be an improvement on eCryptfs.

https://lwn.net/Articles/639427/

https://wiki.gentoo.org/wiki/Ext4_encryption

WARNING: I'm not qualified to speak about this topic because my experience
is limited, but I'm interested all the same in reading your approach and
other contributors' advice.
Re: [gentoo-user] Firefox to LOCalc characterset translation
On 2022-03-27 23:13+0100 Michael wrote:
> On Sunday, 27 March 2022 23:04:21 BST tastytea wrote:
> > On 2022-03-27 22:35+0100 Michael wrote:
> > > I can't explain why the following cut 'n paste problem happens
> > > when I select some symbols within text in Firefox and then try to
> > > insert by middle-click in LibreOffice Calc.
> > >
> > > If I select the symbols for £ (GBP), or € (Euro) and middle click
> > > upon a cell in LOCalc, a window pops up asking "Select the
> > > Language to Use for Import". I leave it to "Automatic" which is
> > > the default setting and the symbol plus any text is pasted with
> > > the same format as the webpage. The symbols are then displayed
> > > correctly in LOCalc.
> > >
> > > However, if I enter a cell by double clicking on it, or by
> > > clicking in the edit bar, then middle click to enter the
> > > selection, both £ and € symbols are entered in some strange code
> > > - e.g. \u20ac
> >
> > I don't know why it is doing that or how to fix it, but the strange
> > code is a unicode code point. You can enter it in many terminal
> > emulators by pressing Control + Shift + u and then 20ac + Enter or
> > display it with echo "\u20ac".
> >
> > Kind regards, tastytea
>
> Hmm ... I wonder if my setup is wrong? This is what I get in UXterm
> and Konsole:
>
> $ echo "\u20ac"
> \u20ac

Ah sorry, in bash that's echo -e "\u20ac". I was testing with zsh, where -e
is enabled by default.

> My locale.gen contains "en_GB.UTF-8 UTF-8" so I naively assumed
> applications would be able to translate code into characters. Well,
> other applications do with LOCalc, but Firefox won't. :-/
Re: [gentoo-user] Firefox to LOCalc characterset translation
On Sunday, 27 March 2022 23:04:21 BST tastytea wrote:
> On 2022-03-27 22:35+0100 Michael wrote:
> > I can't explain why the following cut 'n paste problem happens when I
> > select some symbols within text in Firefox and then try to insert by
> > middle-click in LibreOffice Calc.
> >
> > If I select the symbols for £ (GBP), or € (Euro) and middle click
> > upon a cell in LOCalc, a window pops up asking "Select the Language
> > to Use for Import". I leave it to "Automatic" which is the default
> > setting and the symbol plus any text is pasted with the same format
> > as the webpage. The symbols are then displayed correctly in LOCalc.
> >
> > However, if I enter a cell by double clicking on it, or by clicking
> > in the edit bar, then middle click to enter the selection, both £ and
> > € symbols are entered in some strange code - e.g. \u20ac
>
> I don't know why it is doing that or how to fix it, but the strange code
> is a unicode code point. You can enter it in many terminal emulators by
> pressing Control + Shift + u and then 20ac + Enter or display it with
> echo "\u20ac".
>
> Kind regards, tastytea

Hmm ... I wonder if my setup is wrong? This is what I get in UXterm and
Konsole:

$ echo "\u20ac"
\u20ac

My locale.gen contains "en_GB.UTF-8 UTF-8" so I naively assumed applications
would be able to translate code into characters. Well, other applications do
with LOCalc, but Firefox won't. :-/
Re: [gentoo-user] Firefox to LOCalc characterset translation
On 2022-03-27 22:35+0100 Michael wrote:
> I can't explain why the following cut 'n paste problem happens when I
> select some symbols within text in Firefox and then try to insert by
> middle-click in LibreOffice Calc.
>
> If I select the symbols for £ (GBP), or € (Euro) and middle click
> upon a cell in LOCalc, a window pops up asking "Select the Language
> to Use for Import". I leave it to "Automatic" which is the default
> setting and the symbol plus any text is pasted with the same format
> as the webpage. The symbols are then displayed correctly in LOCalc.
>
> However, if I enter a cell by double clicking on it, or by clicking
> in the edit bar, then middle click to enter the selection, both £ and
> € symbols are entered in some strange code - e.g. \u20ac

I don't know why it is doing that or how to fix it, but the strange code is a
unicode code point. You can enter it in many terminal emulators by pressing
Control + Shift + u and then 20ac + Enter or display it with echo "\u20ac".

Kind regards, tastytea
[gentoo-user] Firefox to LOCalc characterset translation
I can't explain why the following cut 'n paste problem happens when I select
some symbols within text in Firefox and then try to insert by middle-click in
LibreOffice Calc.

If I select the symbols for £ (GBP), or € (Euro) and middle click upon a cell
in LOCalc, a window pops up asking "Select the Language to Use for Import". I
leave it to "Automatic" which is the default setting and the symbol plus any
text is pasted with the same format as the webpage. The symbols are then
displayed correctly in LOCalc.

However, if I enter a cell by double clicking on it, or by clicking in the
edit bar, then middle click to enter the selection, both £ and € symbols are
entered in some strange code - e.g. \u20ac

Other browsers do not exhibit this behaviour. Firefox has been installed with
these flags:

Installed versions: 91.7.0(esr)(20:02:31 10/03/22)(clang dbus gmp-autoupdate
openh264 system-av1 system-harfbuzz system-icu system-jpeg system-libevent
system-libvpx system-webp wayland -debug -eme-free -geckodriver -hardened
-hwaccel -jack -lto -pgo -pulseaudio -screencast -selinux -sndio -system-png
-wifi CPU_FLAGS_ARM="-neon" L10N="en-GB -ach -af -an -ar -ast -az -be -bg -bn
-br -bs -ca -ca-valencia -cak -cs -cy -da -de -dsb -el -en-CA -eo -es-AR
-es-CL -es-ES -es-MX -et -eu -fa -ff -fi -fr -fy -ga -gd -gl -gn -gu -he -hi
-hr -hsb -hu -hy -ia -id -is -it -ja -ka -kab -kk -km -kn -ko -lij -lt -lv
-mk -mr -ms -my -nb -ne -nl -nn -oc -pa -pl -pt-BR -pt-PT -rm -ro -ru -sco
-si -sk -sl -son -sq -sr -sv -szl -ta -te -th -tl -tr -trs -uk -ur -uz -vi
-xh -zh-CN -zh-TW")

and libreoffice with these:

Installed versions: 7.2.5.2^s(08:42:14 03/02/22)(-offlinehelp L10N="en en-GB
-af -am -ar -as -ast -be -bg -bn -bn-IN -bo -br -brx -bs -ca -ca-valencia
-ckb -cs -cy -da -de -dgo -dsb -dz -el -en-ZA -eo -es -et -eu -fa -fi -fr
-fur -fy -ga -gd -gl -gu -gug -he -hi -hr -hsb -hu -id -is -it -ja -ka -kab
-kk -km -kmr-Latn -kn -ko -kok -ks -lb -lo -lt -lv -mai -mk -ml -mn -mni -mr
-my -nb -ne -nl -nn -nr -nso -oc -om -or -pa -pl -pt -pt-BR -ro -ru -rw -sa
-sat -sd -si -sid -sk -sl -sq -sr -sr-Latn -ss -st -sv -sw-TZ -szl -ta -te
-tg -th -tn -tr -ts -tt -ug -uk -uz -ve -vec -vi -xh -zh-CN -zh-TW -zu")

Any idea why this is happening and how I could fix it?
Re: [gentoo-user] LVM and moving things around
Wol wrote:
> On 27/03/2022 21:36, Wol wrote:
>> I don't know either. I'm just far more familiar with the dm/md layer
>> because I run md-raid over dm-integrity. Hence dm-crypt.
>>
>> Is cryptsetup a layer in its own right, or part of lvm? I prefer the
>> Unix "use several tools each of which does one thing well", other
>> people prefer a swiss army knife like ZFS or btrfs. I don't know
>> where cryptsetup lies on that spectrum, and I don't know your
>> preferences on that spectrum.
>
> Just seen Rich's message, so now I know :-)
>
> But it's just hit me - you have three PV's joined into one LV? Is that
> effectively raid-0? If so, you know you have just TREBLED your risk of
> losing your home drive? (Although I do know the risk is low to start
> with.)
>
> Don't know what really to suggest though, other than getting a new 8TB
> drive and converting it to a 3x8TB 16TB raid-5 ... and you said you
> didn't want to splash out on a new drive ...
>
> Cheers,
> Wol
>
>

I don't have RAID at all. Just three drives being used as /home on LVM. I
should use RAID but I have a backup that gets done each week. I wouldn't
lose much even if it crashed and burned badly. The biggest loss might would
be emails. I think I have gmail set up to save them so I think it would
download whatever was missing from the last backup restoration. I need to
check that.

Dale

:-) :-)
Re: [gentoo-user] LVM and moving things around
On 27/03/2022 21:36, Wol wrote:
> I don't know either. I'm just far more familiar with the dm/md layer
> because I run md-raid over dm-integrity. Hence dm-crypt.
>
> Is cryptsetup a layer in its own right, or part of lvm? I prefer the
> Unix "use several tools each of which does one thing well", other
> people prefer a swiss army knife like ZFS or btrfs. I don't know
> where cryptsetup lies on that spectrum, and I don't know your
> preferences on that spectrum.

Just seen Rich's message, so now I know :-)

But it's just hit me - you have three PV's joined into one LV? Is that
effectively raid-0? If so, you know you have just TREBLED your risk of losing
your home drive? (Although I do know the risk is low to start with.)

Don't know what really to suggest though, other than getting a new 8TB drive
and converting it to a 3x8TB 16TB raid-5 ... and you said you didn't want to
splash out on a new drive ...

Cheers,
Wol
Re: [gentoo-user] LVM and moving things around
Wol wrote:
> On 27/03/2022 21:13, Dale wrote:
>> Wol wrote:
>>> On 27/03/2022 20:17, Dale wrote:
>>>> Howdy,
>>>>
>>>> I sort of started this on another thread but wanted to nail a few
>>>> things down first. I'm wanting to encrypt some parts of my data on
>>>> /home. This is what I got hard drive wise.
>>>>
>>>> root@fireball / # pvs
>>>>   PV         VG     Fmt  Attr PSize    PFree
>>>>   /dev/sda7  OS     lvm2 a--  <124.46g 21.39g
>>>>   /dev/sdb1  Home2  lvm2 a--    <5.46t     0
>>>>   /dev/sdc1  Home2  lvm2 a--    <7.28t     0
>>>>   /dev/sdd1  Home2  lvm2 a--    <7.28t     0
>>>>   /dev/sde1  backup lvm2 a--   698.63g     0
>>>> root@fireball / #
>>> One big piece of missing information. What does fdisk say about
>>> sd[b,c,d]1? And can you add sdf1?
>>
>> I have the entire drive as one large partition for each drive. I could
>> have done it as a whole device but I wanted partitions to give a hint
>> that the drive is in use, if booted from other medium for example.
>>
>> I have enough extra space that I can remove either a 6TB or an 8TB
>> drive. Once that is done, I can start to encrypt and move data around.
>> This is some additional info from df for /home:
>>
>>
>> /dev/mapper/Home2-Home2 20T 8.7T 12T 45% /home
>>
>>
>> If I remove an 8TB drive, I'd still have enough room for my data. I
>> could then rebuild /home starting with the 8TB drive just freed up.
>> Then as I move data, I could expand them one at a time encrypting as I
>> go. I'd rather not have to buy a hard drive right now. Tight budget
>> given other things I got going on. I do have backups, more than one in
>> a couple important data spots.
>>
> Do you need to shrink your fs first though?

From my understanding of my google results, I need to unmount /home, shrink
the file system, then I can remount /home, use pvmove to move data off
whichever drive I want to take LVM off of, then pvremove the drive to make
the drive available just like a new drive. I can then use it to start
building the LVM and it be encrypted. As I remove other drives with the same
method above, I can expand the encrypted drives.

I'm still trying to figure out whether to use the 6TB or 8TB drive in normal
mode. I think the 6TB would be large enough for the normal /home and let the
encrypted be on the other drives.

>
> My three 3TB partitions are raided, and /dev/md/home is my PV. I've
> only allocated the space to LVs that they need, so I could probably
> shrink the PV and remove a drive without needing to mess about with my
> LVs at all. I get the impression you may have allocated all your
> space, not a good idea.

I did allocate all the space because at the time, I wasn't considering
encrypting any of that data or dividing it up. Things have changed and I
want to move things around. This is one of the good things about ext4 and
LVM. They can shrink in size fairly easy. Of course, backups are always a
good idea.

>
> My attitude is my data is backed up, expanding an LV/FS is low risk,
> I'll just grow stuff as I need to ... my /home partition contains
> proper home drives, things like videos may be in /home/videos, but
> they're actually a separate partition, etc etc.

That's sort of what I'm going to do. I'm going to divide things into
sections with some encrypted and some not.

>>
>>>
>>> I'm guessing you've got three 8TB drives? Or is it two 8s and a 6? Can
>>> you get a third 8TB? And if you're encrypting *parts* of /home ...
>>> what parts?
>>>>
>>>> I've done some checking on sizes of things I want to encrypt and am
>>>> weighing options. I use LVM which should help make things easier.
>>>> I've downloaded and printed some howtos regarding shrinking the file
>>>> system and LVM thingys. It seems I need to shrink the file system
>>>> while my /home partition is unmounted. Then move the data off
>>>> whichever drive I want to remove and then remove the drive itself.
>>>> After that I can encrypt the just removed drive and start moving
>>>> files over, using rsync is my plan. I think that is the basic steps.
>>>
>>> Not necessarily.
>>>>
>>>> My question now comes to this. When I encrypt one of the drives, can
>>>> I then expand that drive with it being encrypted or is that not an
>>>> option? I plan to encrypt two of the drives as one volume group and
>>>> leave one other volume group as normal. I just want to be sure
>>>> whether or not I can expand an encrypted LVM drive the same as a
>>>> normal LVM since both use LVM. I use cryptsetup commands to
>>>> accomplish the encryption if that matters. So as an example, I start
>>>> with one 7TB drive encrypted, move some data to it, then want to add
>>>> either the 5TB or 7TB drive. Can I just expand it like a normal LVM
>>>> or does it being encrypted change things?
>>>>
>>>> Thoughts? My remove steps look sensible? Expanding encrypted LVM
>>>> possible?
>>>
>>> If you are using LVM to do the encryption, then I
Re: [gentoo-user] LVM and moving things around
On 27/03/2022 21:13, Dale wrote:
> Wol wrote:
>> On 27/03/2022 20:17, Dale wrote:
>>> Howdy,
>>>
>>> I sort of started this on another thread but wanted to nail a few
>>> things down first. I'm wanting to encrypt some parts of my data on
>>> /home. This is what I got hard drive wise.
>>>
>>> root@fireball / # pvs
>>>   PV         VG     Fmt  Attr PSize    PFree
>>>   /dev/sda7  OS     lvm2 a--  <124.46g 21.39g
>>>   /dev/sdb1  Home2  lvm2 a--    <5.46t     0
>>>   /dev/sdc1  Home2  lvm2 a--    <7.28t     0
>>>   /dev/sdd1  Home2  lvm2 a--    <7.28t     0
>>>   /dev/sde1  backup lvm2 a--   698.63g     0
>>> root@fireball / #
>> One big piece of missing information. What does fdisk say about
>> sd[b,c,d]1? And can you add sdf1?
>
> I have the entire drive as one large partition for each drive. I could
> have done it as a whole device but I wanted partitions to give a hint
> that the drive is in use, if booted from other medium for example.
>
> I have enough extra space that I can remove either a 6TB or an 8TB
> drive. Once that is done, I can start to encrypt and move data around.
> This is some additional info from df for /home:
>
> /dev/mapper/Home2-Home2 20T 8.7T 12T 45% /home
>
> If I remove an 8TB drive, I'd still have enough room for my data. I
> could then rebuild /home starting with the 8TB drive just freed up.
> Then as I move data, I could expand them one at a time encrypting as I
> go. I'd rather not have to buy a hard drive right now. Tight budget
> given other things I got going on. I do have backups, more than one in
> a couple important data spots.

Do you need to shrink your fs first though?

My three 3TB partitions are raided, and /dev/md/home is my PV. I've only
allocated the space to LVs that they need, so I could probably shrink the PV
and remove a drive without needing to mess about with my LVs at all. I get
the impression you may have allocated all your space, not a good idea.

My attitude is my data is backed up, expanding an LV/FS is low risk, I'll
just grow stuff as I need to ... my /home partition contains proper home
drives, things like videos may be in /home/videos, but they're actually a
separate partition, etc etc.

>> I'm guessing you've got three 8TB drives? Or is it two 8s and a 6? Can
>> you get a third 8TB? And if you're encrypting *parts* of /home ...
>> what parts?
>>>
>>> I've done some checking on sizes of things I want to encrypt and am
>>> weighing options. I use LVM which should help make things easier.
>>> I've downloaded and printed some howtos regarding shrinking the file
>>> system and LVM thingys. It seems I need to shrink the file system
>>> while my /home partition is unmounted. Then move the data off
>>> whichever drive I want to remove and then remove the drive itself.
>>> After that I can encrypt the just removed drive and start moving
>>> files over, using rsync is my plan. I think that is the basic steps.
>>
>> Not necessarily.
>>>
>>> My question now comes to this. When I encrypt one of the drives, can
>>> I then expand that drive with it being encrypted or is that not an
>>> option? I plan to encrypt two of the drives as one volume group and
>>> leave one other volume group as normal. I just want to be sure
>>> whether or not I can expand an encrypted LVM drive the same as a
>>> normal LVM since both use LVM. I use cryptsetup commands to
>>> accomplish the encryption if that matters. So as an example, I start
>>> with one 7TB drive encrypted, move some data to it, then want to add
>>> either the 5TB or 7TB drive. Can I just expand it like a normal LVM
>>> or does it being encrypted change things?
>>>
>>> Thoughts? My remove steps look sensible? Expanding encrypted LVM
>>> possible?
>>
>> If you are using LVM to do the encryption, then I can't see any
>> problems adding a new PV to an encrypted VG.
>>>
>>> Dale
>>
>> Personally, I'd use dm-crypt to encrypt the drive, and then the whole
>> lot is encrypted, and put plain LVM over that. I've got dedicated
>> layers for everything.
>>
>> It looks like your home2 is 6TB+8TB+8TB. I'd get a new 8TB, put
>> dm-crypt on it, and add it. Now I can remove the first 8TB, dm-crypt
>> it and re-add it. Same with the second 8TB. Now remove the 6TB and
>> there you are ...
>>
>> My layout's rather different from yours, so I don't think I ought to
>> say too much :-)
>>
>> Cheers,
>> Wol
>
> What is the advantage of dm-crypt over cryptsetup? I've learned how to
> use cryptsetup with my external drive so was hoping to stick with what I
> already know. Unless there is an advantage to dm-crypt.

I don't know either. I'm just far more familiar with the dm/md layer because
I run md-raid over dm-integrity. Hence dm-crypt.

Is cryptsetup a layer in its own right, or part of lvm? I prefer the Unix
"use several tools each of which does one thing well", other people prefer a
swiss army knife like ZFS or btrfs. I don't know where cryptsetup lies on
that spectrum, and I don't know your preferences on that spectrum.

Cheers,
Wol
Re: [gentoo-user] LVM and moving things around
On Sun, Mar 27, 2022 at 4:13 PM Dale wrote:
>
> What is the advantage of dm-crypt over cryptsetup? I've learned how to
> use cryptsetup with my external drive so was hoping to stick with what I
> already know. Unless there is an advantage to dm-crypt.

So, I suspect that terms are being used loosely here, but dm-crypt is a
kernel block device encryption layer, and cryptsetup is just a userspace
wrapper that sets up dm-crypt. I don't think cryptsetup works without
dm-crypt, but you could of course use dm-crypt without cryptsetup.

There is an on-disk standard called LUKS that cryptsetup typically uses.
This stores metadata about the layout, fields to store session keys
encrypted with a passphrase, space to store info like rekeying progress, and
so on. The kernel dm-crypt will just want a cipher/key to use and a range of
disk blocks to apply it to. With LUKS / cryptsetup you can do handy things
like have a passphrase that goes through many rounds to yield the session
key, or the ability to have multiple passphrases that work, or the ability
to change the session key, or temporarily store the session key in the clear
so that the drive can be used without a passphrase, and so on.

99% of the time linux distros are using cryptsetup/LUKS to manage
encryption. If you wanted to use dm-crypt directly you'd basically have to
either re-implement your own version of LUKS, or memorize a 128 bit AES key.
Even if you intend to use a key file I'd still consider using LUKS just for
the standardization and options.

I'm guessing that 99% of the time if somebody is talking about dm-crypt,
they really mean cryptsetup/LUKS+dm-crypt. (I think LUKS is the on-disk
standard, and cryptsetup is an implementation of it all.)

--
Rich
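
The key-slot idea described in the message above (a header that stores the session key encrypted under a passphrase stretched through many rounds, with several passphrases able to unlock it), as an added example that is not part of the original thread and is not cryptsetup's code. `ToyHeader` and its method names are hypothetical, the iteration count is a constructed value, and XOR with a PBKDF2 output stands in for the cipher that real LUKS uses to encrypt key-slot material.

```python
import hashlib
import hmac
import os

KEY_LEN = 32         # size of the volume ("session") key in bytes
ITERATIONS = 20_000  # constructed value; real tools benchmark this per machine


def _stretch(secret: bytes, salt: bytes) -> bytes:
    """Run a secret through many PBKDF2 rounds and return KEY_LEN bytes."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=KEY_LEN)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyHeader:
    """Hypothetical stand-in for the on-disk header: a key digest plus slots."""

    def __init__(self, passphrase: str, slot_count: int = 8):
        volume_key = os.urandom(KEY_LEN)  # the key dm-crypt would be handed
        # The digest lets unlock() recognise the right key without storing it.
        self.digest_salt = os.urandom(16)
        self.digest = _stretch(volume_key, self.digest_salt)
        self.slots = [None] * slot_count
        self._fill_free_slot(volume_key, passphrase)

    def _fill_free_slot(self, volume_key: bytes, passphrase: str) -> int:
        index = self.slots.index(None)  # ValueError when every slot is in use
        salt = os.urandom(16)           # fresh salt, so each slot wraps differently
        pad = _stretch(passphrase.encode(), salt)
        self.slots[index] = (salt, _xor(volume_key, pad))
        return index

    def _find(self, passphrase: str):
        """Return (slot index, volume key) for a passphrase, or None."""
        for index, slot in enumerate(self.slots):
            if slot is None:
                continue
            salt, wrapped = slot
            candidate = _xor(wrapped, _stretch(passphrase.encode(), salt))
            check = _stretch(candidate, self.digest_salt)
            if hmac.compare_digest(check, self.digest):
                return index, candidate
        return None

    def unlock(self, passphrase: str):
        """Return the volume key, or None when no slot accepts the passphrase."""
        found = self._find(passphrase)
        return None if found is None else found[1]

    def add_passphrase(self, existing: str, new: str) -> int:
        """Wrap the same volume key under a second passphrase."""
        found = self._find(existing)
        if found is None:
            raise PermissionError("existing passphrase does not open any slot")
        return self._fill_free_slot(found[1], new)

    def remove_passphrase(self, passphrase: str) -> None:
        """Wipe the slot this passphrase opens; the data key is untouched."""
        found = self._find(passphrase)
        if found is None:
            raise PermissionError("passphrase does not open any slot")
        if sum(slot is not None for slot in self.slots) == 1:
            raise ValueError("refusing to wipe the last slot: key would be lost")
        self.slots[found[0]] = None


if __name__ == "__main__":
    header = ToyHeader("first passphrase")
    key = header.unlock("first passphrase")
    header.add_passphrase("first passphrase", "second passphrase")
    header.remove_passphrase("first passphrase")
    # The passphrase changed, yet the key protecting the data did not,
    # so nothing on the encrypted device has to be rewritten.
    print(header.unlock("second passphrase") == key)
    print(header.unlock("first passphrase"))
```
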
Re: [gentoo-user] LVM and moving things around
Wol wrote:
> On 27/03/2022 20:17, Dale wrote:
>> Howdy,
>>
>> I sort of started this on another thread but wanted to nail a few things
>> down first. I'm wanting to encrypt some parts of my data on /home.
>> This is what I got hard drive wise.
>>
>>
>> root@fireball / # pvs
>>   PV         VG     Fmt  Attr PSize    PFree
>>   /dev/sda7  OS     lvm2 a--  <124.46g 21.39g
>>   /dev/sdb1  Home2  lvm2 a--    <5.46t     0
>>   /dev/sdc1  Home2  lvm2 a--    <7.28t     0
>>   /dev/sdd1  Home2  lvm2 a--    <7.28t     0
>>   /dev/sde1  backup lvm2 a--   698.63g     0
>> root@fireball / #
>>
> One big piece of missing information. What does fdisk say about
> sd[b,c,d]1? And can you add sdf1?

I have the entire drive as one large partition for each drive. I could have
done it as a whole device but I wanted partitions to give a hint that the
drive is in use, if booted from other medium for example.

I have enough extra space that I can remove either a 6TB or an 8TB drive.
Once that is done, I can start to encrypt and move data around. This is some
additional info from df for /home:

/dev/mapper/Home2-Home2 20T 8.7T 12T 45% /home

If I remove an 8TB drive, I'd still have enough room for my data. I could
then rebuild /home starting with the 8TB drive just freed up. Then as I move
data, I could expand them one at a time encrypting as I go. I'd rather not
have to buy a hard drive right now. Tight budget given other things I got
going on. I do have backups, more than one in a couple important data spots.

>
> I'm guessing you've got three 8TB drives? Or is it two 8s and a 6? Can
> you get a third 8TB? And if you're encrypting *parts* of /home ...
> what parts?
>>
>> I've done some checking on sizes of things I want to encrypt and am
>> weighing options. I use LVM which should help make things easier. I've
>> downloaded and printed some howtos regarding shrinking the file system
>> and LVM thingys. It seems I need to shrink the file system while my
>> /home partition is unmounted. Then move the data off whichever drive I
>> want to remove and then remove the drive itself. After that I can
>> encrypt the just removed drive and start moving files over, using rsync
>> is my plan. I think that is the basic steps.
>
> Not necessarily.
>>
>> My question now comes to this. When I encrypt one of the drives, can I
>> then expand that drive with it being encrypted or is that not an option?
>> I plan to encrypt two of the drives as one volume group and leave one
>> other volume group as normal. I just want to be sure whether or not I
>> can expand an encrypted LVM drive the same as a normal LVM since both
>> use LVM. I use cryptsetup commands to accomplish the encryption if
>> that matters. So as an example, I start with one 7TB drive encrypted,
>> move some data to it, then want to add either the 5TB or 7TB drive. Can
>> I just expand it like a normal LVM or does it being encrypted change
>> things?
>>
>> Thoughts? My remove steps look sensible? Expanding encrypted LVM
>> possible?
>
> If you are using LVM to do the encryption, then I can't see any
> problems adding a new PV to an encrypted VG.
>>
>> Dale
>>
> Personally, I'd use dm-crypt to encrypt the drive, and then the whole
> lot is encrypted, and put plain LVM over that. I've got dedicated
> layers for everything.
>
> It looks like your home2 is 6TB+8TB+8TB. I'd get a new 8TB, put
> dm-crypt on it, and add it. Now I can remove the first 8TB, dm-crypt
> it and re-add it. Same with the second 8TB. Now remove the 6TB and
> there you are ...
>
> My layout's rather different from yours, so I don't think I ought to
> say too much :-)
>
> Cheers,
> Wol
>
>

What is the advantage of dm-crypt over cryptsetup? I've learned how to use
cryptsetup with my external drive so was hoping to stick with what I already
know. Unless there is an advantage to dm-crypt.

Thanks.

Dale

:-) :-)
Re: [gentoo-user] LVM and moving things around
On 27/03/2022 20:17, Dale wrote:
> Howdy,
>
> I sort of started this on another thread but wanted to nail a few things
> down first. I'm wanting to encrypt some parts of my data on /home.
> This is what I got hard drive wise.
>
> root@fireball / # pvs
>   PV         VG     Fmt  Attr PSize    PFree
>   /dev/sda7  OS     lvm2 a--  <124.46g 21.39g
>   /dev/sdb1  Home2  lvm2 a--    <5.46t      0
>   /dev/sdc1  Home2  lvm2 a--    <7.28t      0
>   /dev/sdd1  Home2  lvm2 a--    <7.28t      0
>   /dev/sde1  backup lvm2 a--   698.63g      0
> root@fireball / #

One big piece of missing information. What does fdisk say about
sd[b,c,d]1? And can you add sdf1?

I'm guessing you've got three 8TB drives? Or is it two 8s and a 6? Can
you get a third 8TB? And if you're encrypting *parts* of /home ...
what parts?

> I've done some checking on sizes of things I want to encrypt and am
> weighing options. I use LVM which should help make things easier. I've
> downloaded and printed some howtos regarding shrinking the file system
> and LVM thingys. It seems I need to shrink the file system while my
> /home partition is unmounted. Then move the data off whichever drive I
> want to remove and then remove the drive itself. After that I can
> encrypt the just removed drive and start moving files over, using rsync
> is my plan. I think that is the basic steps.

Not necessarily.

> My question now comes to this. When I encrypt one of the drives, can I
> then expand that drive with it being encrypted or is that not an option?
> I plan to encrypt two of the drives as one volume group and leave one
> other volume group as normal. I just want to be sure whether or not I
> can expand an encrypted LVM drive the same as a normal LVM since both
> use LVM. I use cryptsetup commands to accomplish the encryption if
> that matters. So as an example, I start with one 7TB drive encrypted,
> move some data to it, then want to add either the 5TB or 7TB drive. Can
> I just expand it like a normal LVM or does it being encrypted change
> things?
>
> Thoughts? My remove steps look sensible? Expanding encrypted LVM
> possible?

If you are using LVM to do the encryption, then I can't see any
problems adding a new PV to an encrypted VG.

> Dale

Personally, I'd use dm-crypt to encrypt the drive, and then the whole
lot is encrypted, and put plain LVM over that. I've got dedicated
layers for everything.

It looks like your home2 is 6TB+8TB+8TB. I'd get a new 8TB, put
dm-crypt on it, and add it. Now I can remove the first 8TB, dm-crypt
it and re-add it. Same with the second 8TB. Now remove the 6TB and
there you are ...

My layout's rather different from yours, so I don't think I ought to
say too much :-)

Cheers,
Wol

[gentoo-user] LVM and moving things around
Howdy,

I sort of started this on another thread but wanted to nail a few things
down first. I'm wanting to encrypt some parts of my data on /home.
This is what I got hard drive wise.

root@fireball / # pvs
  PV         VG     Fmt  Attr PSize    PFree
  /dev/sda7  OS     lvm2 a--  <124.46g 21.39g
  /dev/sdb1  Home2  lvm2 a--    <5.46t      0
  /dev/sdc1  Home2  lvm2 a--    <7.28t      0
  /dev/sdd1  Home2  lvm2 a--    <7.28t      0
  /dev/sde1  backup lvm2 a--   698.63g      0
root@fireball / #

I've done some checking on sizes of things I want to encrypt and am
weighing options. I use LVM which should help make things easier. I've
downloaded and printed some howtos regarding shrinking the file system
and LVM thingys. It seems I need to shrink the file system while my
/home partition is unmounted. Then move the data off whichever drive I
want to remove and then remove the drive itself. After that I can
encrypt the just removed drive and start moving files over, using rsync
is my plan. I think that is the basic steps.

My question now comes to this. When I encrypt one of the drives, can I
then expand that drive with it being encrypted or is that not an option?
I plan to encrypt two of the drives as one volume group and leave one
other volume group as normal. I just want to be sure whether or not I
can expand an encrypted LVM drive the same as a normal LVM since both
use LVM. I use cryptsetup commands to accomplish the encryption if
that matters. So as an example, I start with one 7TB drive encrypted,
move some data to it, then want to add either the 5TB or 7TB drive. Can
I just expand it like a normal LVM or does it being encrypted change
things?

Thoughts? My remove steps look sensible? Expanding encrypted LVM
possible?

Dale

:-) :-)
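Added example, not part of any message in this thread: a dry-run plan for the procedure discussed above (shrink, pvmove, remove the PV, put LUKS on it, build LVM on the opened mapping, and later grow that VG with a second LUKS-backed PV). cryptsetup is the command-line tool that sets up dm-crypt mappings, so the layering uses the cryptsetup commands already mentioned in the thread. The VG name Crypt, LV name Data, the crypt_* mapper names and the ext4 filesystem are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Home2, /home and the sd* names come from
# the pvs/df output above; VG "Crypt", LV "Data", the crypt_* mapper names and
# ext4 are assumptions. Commands are printed, and only executed when APPLY=1.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# Largest LV size in GiB once PV $1 is removed: the other PVs' sizes summed,
# less a 1% margin (pvs prints "<7.28t", i.e. slightly under). stdin: "<pv> <TiB>".
shrink_target_gib() {
    awk -v drop="$1" '$1 != drop { t += $2 } END { printf "%d\n", t * 1024 * 0.99 }'
}

# PFree is 0 on every Home2 PV, so pvmove has no free extents to move into
# until the filesystem and LV are shrunk (lvreduce -r shrinks the fs first).
free_pv() {  # free_pv <vg> <lv> <pv> <target GiB> <mountpoint>
    run umount "$5"
    run lvreduce -r -L "${4}G" "$1/$2"
    run mount "/dev/$1/$2" "$5"
    run pvmove "$3"
    run vgreduce "$1" "$3"
    run pvremove "$3"
}

# LUKS goes on the partition itself; LVM only ever sees the opened mapping.
luks_pv() {  # luks_pv <partition>
    run cryptsetup luksFormat "$1"
    run cryptsetup open "$1" "crypt_${1##*/}"
    run pvcreate "/dev/mapper/crypt_${1##*/}"
}

new_encrypted_vg() {  # new_encrypted_vg <partition> <vg> <lv>
    luks_pv "$1"
    run vgcreate "$2" "/dev/mapper/crypt_${1##*/}"
    run lvcreate -l 100%FREE -n "$3" "$2"
    run mkfs.ext4 "/dev/$2/$3"
}

# Growing the encrypted VG: the new PV gets its own LUKS layer, then it is
# an ordinary vgextend/lvextend.
extend_encrypted_vg() {  # extend_encrypted_vg <partition> <vg> <lv>
    luks_pv "$1"
    run vgextend "$2" "/dev/mapper/crypt_${1##*/}"
    run lvextend -r -l +100%FREE "$2/$3"
}

# Plan for the layout in the thread (PV sizes in TiB from the pvs output).
target=$(printf '%s\n' '/dev/sdb1 5.46' '/dev/sdc1 7.28' '/dev/sdd1 7.28' | shrink_target_gib /dev/sdd1)
free_pv Home2 Home2 /dev/sdd1 "$target" /home
new_encrypted_vg /dev/sdd1 Crypt Data
# extend_encrypted_vg /dev/sdc1 Crypt Data   # later, once sdc1 is freed the same way
```

After a reboot, every LUKS partition backing the encrypted VG has to be opened with cryptsetup before that volume group can be activated and mounted.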