Adding a new encrypted volume to existing volume group
FedoraForum.org - Fedora Support Forums and Community
    Problem: laptop with an encrypted disk using LVM: how to add new physical (encrypted) volumes to an existing volume group?

    Warning: the steps are relatively simple and straightforward, but making a single mistake can have very nasty consequences. Backup your data before proceeding! Practice with a virtual machine if necessary. These instructions are tested on Fedora 10.

    Quick guide for experts:
    Code:
    # encrypt
    cryptsetup -c aes-cbc-essiv:sha256 luksFormat /dev/vda3
    # locate UUID (in f12 you can use: cryptsetup luksUUID /dev/vda3)
    cryptsetup luksDump /dev/vda3 | grep UUID
    # open it
    cryptsetup luksOpen /dev/vda3 luks-c5c2c638-9aeb-49cb-8a1e-65406a9e2be9
    # check that the opened device maps to correct device/partition
    ls /sys/block/dm-3/slaves/
    # add it into crypttab
    echo luks-c5c2c638-9aeb-49cb-8a1e-65406a9e2be9 UUID=c5c2c638-9aeb-49cb-8a1e-65406a9e2be9 none >> /etc/crypttab
    # figure out what to do with the encrypted volume: e.g.:
    pvcreate /dev/dm-3
    # update the initrd
    # if you are using f12 you should be able to use /usr/libexec/plymouth/plymouth-update-initrd. Let us know if this works.
    rpm -e --nodeps kernel-2.6.27.9-159.fc10.x86_64
    yum install kernel

    In this example we'll create a new partition /dev/vda5 which is encrypted and add it into an existing LVM volume group.

    First you'll need to create a new disk partition. Search the forums or Google for how disk partitioning is done if you are not familiar with it.
    Before:
    Code:
    /dev/vda1   *           1          25      200781   83  Linux
    /dev/vda2              26        1045     8193150   8e  Linux LVM
    /dev/vda3            1046        1177     1060290   8e  Linux LVM
    After:
    Code:
    /dev/vda1   *           1          25      200781   83  Linux
    /dev/vda2              26        1045     8193150   8e  Linux LVM
    /dev/vda3            1046        1177     1060290   8e  Linux LVM
    /dev/vda4            1178        2039     6924015    5  Extended
    /dev/vda5            1178        1309     1060258+  8e  Linux LVM
    The first step is to encrypt the partition. Or to be more specific, to add encryption metadata. Filling the partition with random data before encrypting it might be a good idea, especially if the partition contained confidential information previously.
    To encrypt the partition:
    Code:
    # cryptsetup -c aes-cbc-essiv:sha256 luksFormat /dev/vda5
    
    WARNING!
    ========
    This will overwrite data on /dev/vda5 irrevocably.
    
    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase: 
    Verify passphrase: 
    Command successful.
    It is advisable to use the same password as the existing encrypted (root) partition. The Fedora boot process might not be able to handle a situation where the root partition consists of multiple encrypted volumes with different passphrases.

    Each encrypted partition has a unique identifier which can be used to identify the partitions that should be opened at boot time.
    To locate the identifier:
    Code:
    # cryptsetup luksDump /dev/vda5 | grep UUID
    UUID:           3b21881d-bb4f-4c2c-8533-0bca9b588bf9
    Note: in F12 you can use: cryptsetup luksUUID /dev/vda5.
    When opening the encrypted devices Fedora uses the naming scheme "luks-$UUID". So let's open the device using that naming:
    Code:
    # cryptsetup luksOpen /dev/vda5 luks-3b21881d-bb4f-4c2c-8533-0bca9b588bf9
    Enter LUKS passphrase for /dev/vda5: 
    key slot 0 unlocked.
    Command successful.
    Now we can safely add it into /etc/crypttab so that the boot process knows that it should open the device.
    Code:
    # echo luks-3b21881d-bb4f-4c2c-8533-0bca9b588bf9 UUID=3b21881d-bb4f-4c2c-8533-0bca9b588bf9 none >> /etc/crypttab
    The LUKS part is now done. Now we need to tell LVM about it.
    Let's look at our current physical volumes:
    Code:
    # pvs
      PV         VG         Fmt  Attr PSize PFree 
      /dev/dm-0  VolGroup00 lvm2 a-   7.81G 32.00M
      /dev/dm-1  VolGroup00 lvm2 a-   1.00G  1.00G
    What we want is for our newly created LUKS partition to be part of VolGroup00. Let's see:
    Code:
    # dmsetup ls
    luks-77d34d8e-a6c6-447f-b0b3-9f575e8728ae       (253, 1)
    luks-3b21881d-bb4f-4c2c-8533-0bca9b588bf9       (253, 4)
    luks-2e4249cd-2267-4b53-9ca3-e3e209c7860c       (253, 0)
    VolGroup00-LogVol01     (253, 2)
    VolGroup00-LogVol00     (253, 3)
    Or alternatively
    Code:
    # ls -l /dev/mapper/
    total 0
    crw-rw---- 1 root root  10, 63 2009-03-08 10:03 control
    brw-rw---- 1 root disk 253,  0 2009-03-08 10:03 luks-2e4249cd-2267-4b53-9ca3-e3e209c7860c
    brw-rw---- 1 root disk 253,  4 2009-03-08 10:24 luks-3b21881d-bb4f-4c2c-8533-0bca9b588bf9
    brw-rw---- 1 root disk 253,  1 2009-03-08 10:03 luks-77d34d8e-a6c6-447f-b0b3-9f575e8728ae
    brw-rw---- 1 root disk 253,  3 2009-03-08 10:03 VolGroup00-LogVol00
    brw-rw---- 1 root disk 253,  2 2009-03-08 10:03 VolGroup00-LogVol01
    From the device number we can figure out that /dev/dm-4 is our new physical volume. We can confirm this:
    Code:
    # ls /sys/block/dm-4/slaves/
    vda5
    Yep, just as it should be. Now let's create the volume:
    Code:
    # pvcreate /dev/dm-4
    Now you can launch the graphical tool system-config-lvm and do what you want. Here, we'll just add it into the existing volume group:
    Code:
    # vgextend VolGroup00 /dev/dm-4
    The last step is to tell the initrd about our new encrypted volumes. The easiest way to do this is to simply uninstall the current kernel and then re-install it.
    Note: In Fedora 12 you should be able to use /usr/libexec/plymouth/plymouth-update-initrd (I haven't tested this).
    This is needed because the crypttab and possibly other stuff must be available at boot time. The kernel installation process gathers all necessary information and includes it in the initrd. (If you know how to re-generate the initrd without a full kernel re-install, please post it below or send me a message. Thanks.)
    Code:
    # rpm -q kernel
    kernel-2.6.27.9-159.fc10.x86_64
    # rpm -e --nodeps kernel-2.6.27.9-159.fc10.x86_64
    # yum install kernel
    Now you can reboot your computer to see whether it works.
    Last edited by eifij; 13th December 2009 at 08:59 PM.
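The two checks the post leans on (the crypttab entry following the luks-$UUID naming, and /dev/dm-N really being backed by the new partition before pvcreate touches it) as a small helper script. This is an added example, not the poster's code; the function names are hypothetical, and the dmsetup output and sysfs tree it runs against are constructed sample data mirroring the post's layout (pass /sys/block as the last argument on a live system).

```shell
#!/bin/sh
# Hypothetical helper (not from the forum post): sanity-check a LUKS
# mapping before it goes into /etc/crypttab and into pvcreate.

# Return 0 if $1 is a LUKS UUID in 8-4-4-4-12 lowercase hex form.
is_uuid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Print the crypttab line Fedora expects for the luks-$UUID naming scheme;
# refuse anything that is not a well-formed UUID.
crypttab_line() {
  is_uuid "$1" || return 1
  printf 'luks-%s UUID=%s none\n' "$1" "$1"
}

# Read `dmsetup ls` output on stdin and print the dm minor number of the
# named mapping, e.g. "(253, 4)" -> 4. Fails if the name is not listed.
dm_minor() {
  awk -v name="$1" '
    $1 == name { gsub(/[()]/, "", $3); print $3; found = 1 }
    END { exit !found }'
}

# Confirm that mapping $1 (per dmsetup output saved in file $2) really sits
# on partition $3 by looking at $4/dm-N/slaves ($4 is /sys/block on a live
# system). On success prints the /dev/dm-N path to hand to pvcreate.
backing_ok() {
  minor=$(dm_minor "$1" < "$2") || return 1
  [ -e "$4/dm-$minor/slaves/$3" ] || return 1
  printf '/dev/dm-%s\n' "$minor"
}

# Constructed sample data mirroring the post's layout (not a live system).
SAMPLE_UUID=3b21881d-bb4f-4c2c-8533-0bca9b588bf9
SAMPLE_DIR=$(mktemp -d)
printf 'luks-77d34d8e-a6c6-447f-b0b3-9f575e8728ae\t(253, 1)\nluks-%s\t(253, 4)\nVolGroup00-LogVol00\t(253, 3)\n' \
  "$SAMPLE_UUID" > "$SAMPLE_DIR/dmsetup.txt"
mkdir -p "$SAMPLE_DIR/sys/dm-4/slaves/vda5"

# Demo: the crypttab line to append, and the verified device path.
crypttab_line "$SAMPLE_UUID"
backing_ok "luks-$SAMPLE_UUID" "$SAMPLE_DIR/dmsetup.txt" vda5 "$SAMPLE_DIR/sys"
```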