  #1  
Old 8th March 2009, 12:14 PM
eifij Offline
Registered User
 
Join Date: Apr 2008
Posts: 6
Adding a new encrypted volume to existing volume group

Problem: on a laptop with an encrypted disk using LVM, how do you add new (encrypted) physical volumes to an existing volume group?

Warning: the steps are relatively simple and straightforward, but a single mistake can have very nasty consequences. Back up your data before proceeding! Practice with a virtual machine if necessary. These instructions were tested on Fedora 10.

Quick guide for experts:
Code:
# encrypt
cryptsetup -c aes-cbc-essiv:sha256 luksFormat /dev/vda3
# locate UUID (in f12 you can use: cryptsetup luksUUID /dev/vda3)
cryptsetup luksDump /dev/vda3 | grep UUID
# open it
cryptsetup luksOpen /dev/vda3 luks-c5c2c638-9aeb-49cb-8a1e-65406a9e2be9
# check that the opened device maps to correct device/partition
ls /sys/block/dm-3/slaves/
# add it into crypttab
echo luks-c5c2c638-9aeb-49cb-8a1e-65406a9e2be9 UUID=c5c2c638-9aeb-49cb-8a1e-65406a9e2be9 none >> /etc/crypttab
# figure out what to do with the encrypted volume: e.g.:
pvcreate /dev/dm-3
# update the initrd
# if you are using f12 you should be able to use /usr/libexec/plymouth/plymouth-update-initrd. Let us know if this works.
rpm -e --nodeps kernel-2.6.27.9-159.fc10.x86_64
yum install kernel
In this example we'll create a new encrypted partition, /dev/vda5, and add it to an existing LVM volume group.

First you'll need to create a new disk partition. Search the forums or Google for how disk partitioning is done if you are not familiar with it.
Before:
Code:
/dev/vda1   *           1          25      200781   83  Linux
/dev/vda2              26        1045     8193150   8e  Linux LVM
/dev/vda3            1046        1177     1060290   8e  Linux LVM
After:
Code:
/dev/vda1   *           1          25      200781   83  Linux
/dev/vda2              26        1045     8193150   8e  Linux LVM
/dev/vda3            1046        1177     1060290   8e  Linux LVM
/dev/vda4            1178        2039     6924015    5  Extended
/dev/vda5            1178        1309     1060258+  8e  Linux LVM
The first step is to encrypt the partition or, to be more specific, to add the encryption metadata. Filling the partition with random data before encrypting it might be a good idea, especially if the partition previously contained confidential information.
To encrypt the partition:
Code:
# cryptsetup -c aes-cbc-essiv:sha256 luksFormat /dev/vda5

WARNING!
========
This will overwrite data on /dev/vda5 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: 
Verify passphrase: 
Command successful.
It is advisable to use the same passphrase as the existing encrypted (root) partition. The Fedora boot process might not be able to handle a situation where the root partition consists of multiple encrypted volumes with different passphrases.

Each encrypted partition has a unique identifier which can be used to identify the partitions that should be opened at boot time.
To locate the identifier:
Code:
# cryptsetup luksDump /dev/vda5 | grep UUID
UUID:           3b21881d-bb4f-4c2c-8533-0bca9b588bf9
Note: in F12 you can use: cryptsetup luksUUID /dev/vda5.
When opening encrypted devices, Fedora uses the naming scheme "luks-$UUID". So let's open the device using that name:
Code:
# cryptsetup luksOpen /dev/vda5 luks-3b21881d-bb4f-4c2c-8533-0bca9b588bf9
Enter LUKS passphrase for /dev/vda5: 
key slot 0 unlocked.
Command successful.
Now we can safely add it to /etc/crypttab so that the boot process knows that it should open the device.
Code:
# echo luks-3b21881d-bb4f-4c2c-8533-0bca9b588bf9 UUID=3b21881d-bb4f-4c2c-8533-0bca9b588bf9 none >> /etc/crypttab
The LUKS part is now done. Now we need to tell LVM about it.
Let's look at our current physical volumes:
Code:
# pvs
  PV         VG         Fmt  Attr PSize PFree 
  /dev/dm-0  VolGroup00 lvm2 a-   7.81G 32.00M
  /dev/dm-1  VolGroup00 lvm2 a-   1.00G  1.00G
What we want is for our newly created LUKS partition to be part of VolGroup00. Let's see:
Code:
# dmsetup ls
luks-77d34d8e-a6c6-447f-b0b3-9f575e8728ae       (253, 1)
luks-3b21881d-bb4f-4c2c-8533-0bca9b588bf9       (253, 4)
luks-2e4249cd-2267-4b53-9ca3-e3e209c7860c       (253, 0)
VolGroup00-LogVol01     (253, 2)
VolGroup00-LogVol00     (253, 3)
Or alternatively
Code:
# ls -l /dev/mapper/
total 0
crw-rw---- 1 root root  10, 63 2009-03-08 10:03 control
brw-rw---- 1 root disk 253,  0 2009-03-08 10:03 luks-2e4249cd-2267-4b53-9ca3-e3e209c7860c
brw-rw---- 1 root disk 253,  4 2009-03-08 10:24 luks-3b21881d-bb4f-4c2c-8533-0bca9b588bf9
brw-rw---- 1 root disk 253,  1 2009-03-08 10:03 luks-77d34d8e-a6c6-447f-b0b3-9f575e8728ae
brw-rw---- 1 root disk 253,  3 2009-03-08 10:03 VolGroup00-LogVol00
brw-rw---- 1 root disk 253,  2 2009-03-08 10:03 VolGroup00-LogVol01
From the device number we can figure out that /dev/dm-4 is our new physical volume. We can confirm this:
Code:
# ls /sys/block/dm-4/slaves/
vda5
Yep, just as it should be. Now let's create the physical volume:
Code:
# pvcreate /dev/dm-4
Now you can launch the graphical tool system-config-lvm and do what you want. Here, we'll just add it to the existing volume group:
Code:
# vgextend VolGroup00 /dev/dm-4
The last step is to tell the initrd about our new encrypted volume. The easiest way to do this is to simply uninstall the current kernel and then re-install it.
Note: In Fedora 12 you should be able to use /usr/libexec/plymouth/plymouth-update-initrd (I haven't tested this).
This is needed because the crypttab and possibly other stuff must be available at boot time. The kernel installation process gathers all the necessary information and includes it in the initrd. (If you know how to regenerate the initrd without a full kernel re-install, please post it below or send me a message. Thanks.)
Code:
# rpm -q kernel
kernel-2.6.27.9-159.fc10.x86_64
# rpm -e --nodeps kernel-2.6.27.9-159.fc10.x86_64
# yum install kernel
Now you can reboot your computer to see whether it works.

Last edited by eifij; 13th December 2009 at 07:59 PM.
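
The /etc/crypttab step above appends with `echo ... >>`, so repeating it leaves a duplicate entry, and a mistyped UUID is only discovered at the next boot. The following is an added example, not part of the original post: it makes the append idempotent and checks that every `luks-` entry follows the "luks-$UUID UUID=$UUID" scheme the guide uses. The function names `crypttab_add` and `crypttab_check` are hypothetical, and the demo runs on a constructed temporary file rather than the real /etc/crypttab.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
UUID_RE='^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'

# crypttab_add FILE UUID
# Append "luks-UUID UUID=UUID none" only if that mapping name is not listed yet,
# so re-running the step cannot create a duplicate entry.
crypttab_add() {
    printf '%s\n' "$2" | grep -Eq "$UUID_RE" ||
        { echo "not a LUKS UUID: $2" >&2; return 2; }
    if awk -v n="luks-$2" '$1 == n { f = 1 } END { exit(f ? 0 : 1) }' "$1"; then
        return 0
    fi
    printf 'luks-%s UUID=%s none\n' "$2" "$2" >> "$1"
}

# crypttab_check FILE
# Print one line per problem; return non-zero if any were found.
crypttab_check() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        NF < 2 { print "line " NR ": missing device field"; bad++; next }
        seen[$1]++ { print "line " NR ": duplicate mapping " $1; bad++ }
        $1 ~ /^luks-/ && $2 ~ /^UUID=/ && substr($1, 6) != substr($2, 6) {
            print "line " NR ": name and UUID differ"; bad++
        }
        END { exit(bad ? 1 : 0) }
    ' "$1"
}

# Demo on a constructed temporary file (never touches /etc/crypttab).
demo=$(mktemp)
crypttab_add "$demo" 3b21881d-bb4f-4c2c-8533-0bca9b588bf9
crypttab_add "$demo" 3b21881d-bb4f-4c2c-8533-0bca9b588bf9   # second call is a no-op
crypttab_check "$demo" && echo "crypttab OK, entries: $(grep -c . "$demo")"
rm -f "$demo"
```

Run `crypttab_check /etc/crypttab` before rebuilding the initrd, since the initrd picks up whatever the file contains at that moment.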
Tags
encrypt, luks, lvm, partition