Re: [linux-lvm] Can I combine LUKS and LVM to achieve encryption and snapshots?
Dne 25. 09. 23 v 0:09 Jean-Marc Saffroy napsal(a): Hello LVM experts, I am trying to create a volume with the following properties: - the volume can be resized - the volume is encrypted - the volume can be snapshotted (for online backups) So I thought I'd create the volume with LVM, encrypt it with LUKS, and snapshot it with LVM. However, LVM doesn't want to snapshot the unencrypted LUKS volume, as it is not an actual logical volume known to LVM (and I am not keen on snapshotting the encrypted volume, as that means the backup process would need the passphrase to mount the encrypted snapshot). Is there a good way to achieve this with LUKS and LVM, or should I look elsewhere? I have two ideas but I don't know if they are safe or practical: - I could try running LVM (snapshots) ontop of LUKS (encryption)itself ontop of LVM (resize) Hi Yep typical usage is to encrypt underlying PV - and then create LVs and its snapshots on encrypted device. - or I could try working with dmsetup to fill the gap between LUKS and LVM I did simple tests with dmsetup, and that *seems* to work, however I am not sure at all if that would be robust. An outline of my test: - create an LVM volume (lvcreate) from a larger volume group - make it a LUKS volume (cryptsetup lukfsFormat) - "open" the LUKS volume (cryptsetup open) - create a snapshot-origin volume from the open LUKS volume (dmsetup create) - mount that as my active volume - every time I want to do a backup: create a temporary snapshot volume from the origin, mount it, run the backup, unmount it, delete it Usually those 'into encryption' want to have encrypted everything - thus even layout of the whole storage. Encrypting 'individual' LVs - while certainly 'doable' would i.e. create a considerable larger amount of volumes that would need individual 'unlocking' with each activation. Speaking about snapshots - you should consider switching to 'thin-pools' for far better performance... Regards Zdenek ___ linux-lvm mailing list linux-lvm@redhat.com https://listman.redhat.com/mailman/listinfo/linux-lvm read the LVM HOW-TO at http://tldp.org/HOWTO/LVM-HOWTO/
Re: [linux-lvm] Can I combine LUKS and LVM to achieve encryption and snapshots?
Hi, On Tue, Sep 26, 2023 at 10:00 PM Zdenek Kabelac wrote: > Yep typical usage is to encrypt underlying PV - and then create LVs and its > snapshots on encrypted device. Sure, I'd do that in other circumstances. But in my case it would just be a waste: I am replacing several disks on a desktop computer with a single 2TB NVME SSD for everything. Only /home needs to be encrypted, and it's tiny, like 100-200GB. Going through encryption for most application I/Os would use CPU time and increase latency with no benefit. So I prefer to manage available raw (un-encrypted) space with LVM. Now, I also need to do backups of /home, and that's why I want snapshots. But that first layer of LVM would only show a snapshot of an encrypted volume, and the backup job shouldn't have the passphrase to decrypt the volume. Which is why I'm trying to find a way of doing snaphots of an "opened" LUKS volume: this way, the backup job can do its job without requiring a passphrase. In simple tests, I could make it work, with dmsetup on LUKS on LVM, and also (after I sent my original email) with LVM on LUKS on LVM. But my tests don't tell me if there are other people doing similar things on production systems, or if they are happy with the results. Unusual setups tend to exhibit unusual bugs, and I am not super fond of bugs in my storage systems. :-) So that's really the core of my question: do other people run either "raw" dmsetup or LVM on top of LUKS/LVM, and with success? > Encrypting 'individual' LVs - while certainly 'doable' would i.e. create a > considerable larger amount of volumes that would need individual 'unlocking' > with each activation. Just the one /home in my case, so no worse than prompting for the passphrase for an entire disk. > Speaking about snapshots - you should consider switching to 'thin-pools' for > far better performance... I only need snapshots for backups: once a day, create a snapshot, mount it, do a file-level incremental backup, unmount it, delete it. Would the thin-pools make a difference in this case? Cheers, JM ___ linux-lvm mailing list linux-lvm@redhat.com https://listman.redhat.com/mailman/listinfo/linux-lvm read the LVM HOW-TO at http://tldp.org/HOWTO/LVM-HOWTO/
Re: [linux-lvm] Can I combine LUKS and LVM to achieve encryption and snapshots?
On Wed, 27 Sep 2023, Jean-Marc Saffroy wrote: So I prefer to manage available raw (un-encrypted) space with LVM. Now, I also need to do backups of /home, and that's why I want snapshots. But that first layer of LVM would only show a snapshot of an encrypted volume, and the backup job shouldn't have the passphrase to decrypt the volume. Which is why I'm trying to find a way of doing snaphots of an "opened" LUKS volume: this way, the backup job can do its job without requiring a passphrase. Besides LVM on LUKS on LVM which you already tried, consider using a filesystem that supports snapshots. I use btrfs, and snapshots work beautifully, and if you use "btrfs send" you can even do differential backups. Btrfs is COW, so snaps share all blocks not touched. Pipe the output of btrfs send directly to your backup process/server running "btrfs receive". Note, this requires the backup server to have btrfs. If it doesn't, then just use rsync from the snapshot directory to the backup server like a typical unix backup solution. (E.g. my vm host uses XFS on the backup drives, so it uses rsync.) In simple tests, I could make it work, with dmsetup on LUKS on LVM, and also (after I sent my original email) with LVM on LUKS on LVM. ___ linux-lvm mailing list linux-lvm@redhat.com https://listman.redhat.com/mailman/listinfo/linux-lvm read the LVM HOW-TO at http://tldp.org/HOWTO/LVM-HOWTO/
Re: [linux-lvm] Can I combine LUKS and LVM to achieve encryption and snapshots?
On Wed, Sep 27, 2023 at 01:10:10AM +0200, Jean-Marc Saffroy wrote: > Hi, > > On Tue, Sep 26, 2023 at 10:00 PM Zdenek Kabelac > wrote: > > Yep typical usage is to encrypt underlying PV - and then create LVs and its > > snapshots on encrypted device. > > Sure, I'd do that in other circumstances. > > But in my case it would just be a waste: I am replacing several disks > on a desktop computer with a single 2TB NVME SSD for everything. Only > /home needs to be encrypted, and it's tiny, like 100-200GB. Going > through encryption for most application I/Os would use CPU time and > increase latency with no benefit. "No benefit" depends on one's threat model. A surprising amount of sensitive data gets put outside of /home. For instance, SSH host keys are in /etc, and system daemons store their data in /var. That's why the standard is to encrypt the entire drive, except for /boot and /boot/efi. It's the only way to ensure that sensitive data doesn't wind up on the NVMe drive, from which it cannot be removed except by destroying or (cryptographically) securely erasing the drive. -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab signature.asc Description: PGP signature ___ linux-lvm mailing list linux-lvm@redhat.com https://listman.redhat.com/mailman/listinfo/linux-lvm read the LVM HOW-TO at http://tldp.org/HOWTO/LVM-HOWTO/
Re: [linux-lvm] Can I combine LUKS and LVM to achieve encryption and snapshots?
What about encrypting the physical volumes, and creating the volume groups and logical volumes on top of it? Regards Harri ___ linux-lvm mailing list linux-lvm@redhat.com https://listman.redhat.com/mailman/listinfo/linux-lvm read the LVM HOW-TO at http://tldp.org/HOWTO/LVM-HOWTO/