How-To: encrypted partitions over LVM with LUKS
Even though new distros installers tend to support filesystem encryption out of the box, most of the time, it might be interesting to actually understand how it works, mainly when it happens that your system fails to boot :).
Most literature found on the Internet tend to cover how to set up LVM over a partition encrypted with LUKS, this tutorial takes another approach and will explain how to create LUKS encrypted partitions over LVM. The reason for this…. I wanted to have unencrypted partitions :D.
This tutorial was done using an Ubuntu 8.04 livecd, but the process should be approximately the same with other distros.
As we are gong to play with partitions, and thus possible data loss… I guess the following is worth reminding:
Back up your data before reading any further!!!!
1. Getting started:
Boot up your PC from a live CD and make sure you choose “Try ubuntu without installing”. Once the desktop is loaded, start a terminal and get root credentials:
$ sudo su -
Then, install the packages required to set up lvm and make encryption setup easier:
# apt-get install cryptsetup lvm2
Finally load the kernel modules that handle lvm and luks encryption:
# modprobe dm-crypt
2. Setting up the partitions
Here, we are going to partition the disk as follow:
- a boot partition of 200M which will be on a standard ext3 filesystem
- a LVM volume that will take the rest of the disk.
the lvmvolume will then be divided in 3 other partitions:
- / of 5G and encrypted
- /home 2G and encrypted
- swap of 512M and unencrypted
2.1. The physical partitions: fdisk
So, in the first place, let create the physical partition with fdisk. Those are going to be the place holder of our boot partition and lvm volume:
# fdisk /dev/sda
##/boot
n
p
1
accept default
+200M
## lvm volume
n
p
2
accept default
accept default
#set the type to lvm
t
2
8e
w
q
###
2.2. The logical volumes: lvm tools
Now that we have our LVM placeholder, we need to set it up. To do this, we need to: create the physical volume, create the volume group and then create the logical volumes on this volume group.
If you already have your LVM set up, run: # lvchange -ay lvmvolume to see your partitions.
Let’s create this physical volume first:
# pvcreate /dev/sda2
then, the volume group:
# vgcreate lvmvolume /dev/sda2
finally, we create the logical partitions:
# lvcreate -L 5G -n encryptedroot lvmvolume
# lvcreate -L 512M -n swap lvmvolume
# lvcreate -L 2G -n encryptedhome lvmvolume
Ok, now we got our partition layout almost set up, we just need to encrypt the partitions, and format them…