[CentOS] LVM encryption and new volume group

Fri Mar 6 06:10:31 UTC 2015
Chris Murphy <lists at colorremedies.com>

On Thu, Mar 5, 2015 at 10:25 PM, Tim <lists at kiuni.de> wrote:
> Hi Chris,
>
> thanks for your answer.
>
> It is the first time I decided to encrypt my lvm. I chose to encrypt the
> volume group, not every logical volume itself, because in case of doing lvm
> snapshots in that group they will be encrypted too?

Yes, anything that's COW'd is also encrypted in this case.

> And how do I create a new encrypted volume group?

Strictly speaking the VG isn't the target of the encryption, the
underlying PV is. Also, it's not absolutely necessary to partition the
drive at all if you have no need for unencrypted space on this new
drive. Since I use drives on multiple platforms, I always partition so
that other OSes recognize the drive space is spoken for instead of
appearing unpartitioned and hence blank. Linux via libblkid always
looks at disk contents whether partitioned or not, so if this is a
Linux-only drive you don't have to partition it.

1. Use cryptsetup to create a LUKS volume on the whole disk or a
partition thereof. For the exact command, you can cheat by doing 'grep
cryptsetup /var/log/anaconda/program.log' which will show you the
command Anaconda used when setting up your first drive. PLEASE make
sure you don't use that command directly or it'll wipe the LUKS header
on your current drive. You have to change the /dev/sdX designation to
point to the new drive or partition.

2. cryptsetup luksOpen /dev/sdX newdrive
3. pvcreate /dev/mapper/newdrive
4. vgcreate newvg /dev/mapper/newdrive
5. lvcreate -L 300G -n morestuff newvg
6. mkfs.xfs /dev/mapper/newvg-morestuff

Adapt as needed. Don't forget crypttab is used to point to the LUKS
volume; once it's unlocked the PV is revealed and lvm will activate
the VG and the LVs on it, and then in your fstab you'll have the UUID
for the XFS volume and mount this wherever you want it mounted.

-- 
Chris Murphy
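The six steps above, as an added shell helper that is not part of Chris's message or of CentOS: it pulls the luksFormat command out of an Anaconda program.log line, swaps in the new device, and prints the plan, but refuses when the "new" device is the one Anaconda already formatted or is currently mounted (the wipe-the-header mistake step 1 warns about). Function names and the sample log and mounts text are constructed assumptions; the real program.log line format may differ.

```shell
#!/bin/sh
# Added illustration for the thread above; not Chris Murphy's or CentOS code.
# Rebuilds the luksFormat command Anaconda logged so it targets the NEW
# drive, and refuses to emit the plan when the new device is the one
# Anaconda already formatted or is currently mounted. Function names and
# the sample log/mounts text used with them are constructed.

# Pull "cryptsetup luksFormat ..." out of one /var/log/anaconda/program.log
# line (the real prefix of that line may differ from any sample used here).
luks_cmd_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*\(cryptsetup luksFormat.*\)$/\1/p'
}

# First /dev/... token of a command line: the device Anaconda formatted.
target_dev_of() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ "^/dev/") { print $i; exit } }'
}

# True (exit 0) when device $1 is the first field of a line in $2,
# which in real use is the contents of /proc/mounts.
dev_in_use() {
    printf '%s\n' "$2" | awk -v d="$1" '$1 == d { found = 1 } END { exit !found }'
}

# Print steps 1-6 from the thread for new device $2: $1 is the logged
# luksFormat command, $3 the mounts text. Prints nothing and returns 1
# when the swap would hit the existing LUKS header or a mounted device.
plan_encrypted_vg() {
    logged=$1 newdev=$2 mounts=$3
    olddev=$(target_dev_of "$logged")
    [ -n "$olddev" ] || { echo "no luksFormat command found" >&2; return 1; }
    [ "$olddev" != "$newdev" ] ||
        { echo "refusing: $newdev is the device Anaconda already formatted" >&2; return 1; }
    ! dev_in_use "$newdev" "$mounts" ||
        { echo "refusing: $newdev is mounted" >&2; return 1; }
    printf '%s\n' "$logged" | sed "s#$olddev#$newdev#g"   # step 1, retargeted
    echo "cryptsetup luksOpen $newdev newdrive"            # step 2
    echo "pvcreate /dev/mapper/newdrive"                   # step 3
    echo "vgcreate newvg /dev/mapper/newdrive"             # step 4
    echo "lvcreate -L 300G -n morestuff newvg"             # step 5
    echo "mkfs.xfs /dev/mapper/newvg-morestuff"            # step 6
}

# Real-world use (nothing is executed, the plan is only printed for review):
# plan_encrypted_vg "$(luks_cmd_from_log "$(grep luksFormat /var/log/anaconda/program.log)")" \
#     /dev/sdb1 "$(cat /proc/mounts)"
```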