On Thu, Mar 5, 2015 at 10:25 PM, Tim <lists at kiuni.de> wrote:
> Hi Chris,
>
> thanks for your answer.
>
> It is the first time I decided to encrypt my lvm. I chose to encrypt the
> volume group, not every logical volume itself, because in case of doing lvm
> snapshots in that group they will be encrypted too?

Yes, anything that's COW'd is also encrypted in this case.

> And how do I create a new encrypted volume group?

Strictly speaking the VG isn't the target of the encryption, the
underlying PV is. Also, it's not absolutely necessary to partition the
drive at all if you have no need for unencrypted space on this new
drive. Since I use drives on multiple platforms, I always partition so
that other OS's recognize the drive space is spoken for instead of
appearing unpartitioned and hence blank. Linux via libblkid always
looks at disk contents whether partitioned or not, so if this is a
Linux-only drive you don't have to partition it.

1. Use cryptsetup to create a LUKS volume on the whole disk or a
   partition thereof. For the exact command, you can cheat by doing
   'grep cryptsetup /var/log/anaconda/program.log' which will show you
   the command Anaconda used when setting up your first drive. PLEASE
   make sure you don't use that command directly or it'll wipe the LUKS
   header on your current drive. You have to change the /dev/sdX
   designation to point to the new drive or partition.
2. cryptsetup luksOpen /dev/sdX newdrive
3. pvcreate /dev/mapper/newdrive
4. vgcreate newvg /dev/mapper/newdrive
5. lvcreate -L 300G -n morestuff newvg
6. mkfs.xfs /dev/mapper/newvg-morestuff

Adapt as needed. Don't forget crypttab is used to point to the LUKS
volume; once it's unlocked the PV is revealed and lvm will activate the
VG and the LVs on it, and then in your fstab you'll have the UUID for
the XFS volume and mount this wherever you want it mounted.

-- 
Chris Murphy
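
Added example, not part of the original message: a pre-flight guard for step 1 that refuses a target already carrying a LUKS header, an LVM2 PV label or an XFS superblock, which is what a mistyped /dev/sdX would hit. The function names are made up for this example, and it recognises only the three layers used in this procedure (tools such as blkid and wipefs know many more signature types).

```shell
#!/bin/sh
# Added example: check a device (or image file) for the on-disk signatures
# of the three layers built in steps 1-6 before formatting it.
# read_hex, probe_sig and guard_target are names invented for this example.

# Print COUNT bytes at byte OFFSET of PATH as lowercase hex, no separators.
read_hex() {  # read_hex PATH OFFSET COUNT
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null |
        od -An -v -tx1 | tr -d ' \n'
}

# Print luks | xfs | lvm2_pv | none for the first signature found on PATH.
probe_sig() {
    # LUKS1 and LUKS2 headers start with "LUKS" 0xBA 0xBE at offset 0.
    [ "$(read_hex "$1" 0 6)" = 4c554b53babe ] && { echo luks; return 0; }
    # An XFS superblock starts with "XFSB" at offset 0.
    [ "$(read_hex "$1" 0 4)" = 58465342 ] && { echo xfs; return 0; }
    # An LVM2 PV label "LABELONE" sits at the start of one of the first
    # four 512-byte sectors (sector 1 by default).
    for off in 0 512 1024 1536; do
        [ "$(read_hex "$1" "$off" 8)" = 4c4142454c4f4e45 ] &&
            { echo lvm2_pv; return 0; }
    done
    echo none
}

# Return 0 only if PATH is readable and carries none of the signatures.
guard_target() {
    # Fail closed: an unreadable target must not be reported as blank.
    [ -r "$1" ] || { echo "refusing: cannot read $1" >&2; return 2; }
    sig=$(probe_sig "$1")
    if [ "$sig" != none ]; then
        echo "refusing: $1 already carries a $sig signature" >&2
        return 1
    fi
}

# Usage: sh guard.sh /dev/sdX  (run it before the luksFormat in step 1)
[ $# -eq 0 ] || guard_target "$1"
```

A zero exit status means none of the three signatures was found; it does not prove the drive is empty.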