> Please note that the current version will probably not work with a default
> qubes LUKS-on-LVM installation. But if some experienced user is willing to
> help testing i'll try to come up with a version that supports this too.
>
> Besides the yubikey/luks stuff the module handles the rd.qubes.hide_all_usb
> stuff via its own rd.ykluks.hide_all_usb command line parameter because the
> yubikey is connected via USB and needs to be accessable until we got the
> challenge from it. i am still unsure if this is the best method to implement
> this. So if anyone with a deeper knowledge of qubes/dracut does have a
> better/more secure solution i happy about any help.
>
> Regards
> the2nd
So I've screwed up... when I filled up my LVM, I added a disk to the Volume
Group and expanded the pool.
But I didn't encrypt the new drive, thinking I had LVM on LUKS. But I have
this now.
[root@dom0]# lsblk | grep -v "\-\-"
NAME MAJ:MIN RM SIZE
RO TYPE MOUNTPOINT
sdb 8:16 0 3.7T
0 disk
└─sdb1 8:17 0 3.7T
0 part
├─qubes_dom0-pool00_tmeta 253:1 0 2.1G
0 lvm
│ └─qubes_dom0-pool00-tpool 253:3 0 1T
0 lvm
│ ├─qubes_dom0-pool00 253:6 0 1T
0 lvm
│ ├─qubes_dom0-root 253:4 0 192.6G
0 lvm /
├─qubes_dom0-pool00_meta0 253:63 0 2.1G
0 lvm
└─qubes_dom0-pool00_tdata 253:2 0 1T
0 lvm
└─qubes_dom0-pool00-tpool 253:3 0 1T
0 lvm
├─qubes_dom0-pool00 253:6 0 1T
0 lvm
├─qubes_dom0-root 253:4 0 192.6G
0 lvm /
sr0 11:0 1 1024M
0 rom
loop0 7:0 0 500M
0 loop
sda 8:0 0 232.9G
0 disk
└─sda1 8:1 0 232.9G
0 part
nvme0n1 259:0 0 232.9G
0 disk
├─nvme0n1p1 259:1 0 1G
0 part /boot
└─nvme0n1p2 259:2 0 231.9G
0 part
└─luks-bfcca13a-213d-46ec-b156-53df348dba30 253:0 0 231.9G
0 crypt
├─qubes_dom0-pool00_tdata 253:2 0 1T
0 lvm
│ └─qubes_dom0-pool00-tpool 253:3 0 1T
0 lvm
│ ├─qubes_dom0-pool00 253:6 0 1T
0 lvm
│ ├─qubes_dom0-root 253:4 0 192.6G
0 lvm /
└─qubes_dom0-swap 253:5 0 23.3G
0 lvm [SWAP]
With this LVM on LUKS setup, extending the thin pool onto a new disk that was
added to the volume group... winds up leaving plain text data on the new disk.
Here's what I think my setup will have to be:
nvme0n1 (2 drives in hw RAID 0)
├─nvme0n1p1 part /boot
└─nvme0n1p2 part
└─luks (same key) crypt
├─qubes_dom0-pool00_tmeta lvm
├─qubes_dom0-pool00_tdata lvm
│ └─qubes_dom0-pool00-tpool lvm
│ ├─qubes_dom0-pool00 lvm
│ ├─qubes_dom0-root lvm /
│ └─ ... vm lvm
└─qubes_dom0-swap lvm [SWAP]
sda (2 drives in hw RAID 0)
└─sda1 part
└─luks (same key) crypt
└─qubes_dom0-pool00_tdata lvm
└─qubes_dom0-pool00-tpool lvm
├─qubes_dom0-pool00 lvm
├─qubes_dom0-root lvm /
└─ ... vm lvm
With your ykluks dracut module:
> The default Qubes OS installation is a LVM-on-LUKS setup which will not work
> yet. Patches for LVM-on-LUKS are welcome as well as experienced testers
> because a dont have a LVM-on-LUKS installation to test with.
I will be a tester for this.
Thanks
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/08e39e6c-97f6-456b-b0c6-c09a86a8a856%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
