Re: encrypting /home partition post-install
Dear friends, I wanted to provide an update with my experience on this (last week). Recall that I had a few machines with separate /home partitions which needed to be encrypted without erasing them and writing them from backup. I was not that concerned about reinstalling because it takes me a few minutes to get going on Fedora using my own generated LiveCD (which runs OpenBox). From this forum, I learnt about luksipc. I proceeded to make, with Michael Schwendt's help, a RPM. Then I stuck that to my LiveCD kickstart and got a new LiveCD generated. I have four laptops: three were/are ext4 /home partitions but, as ill-luck would have it, one was xfs,. For some reason, luksipc does not work on xfs (because xfs filesystems can not be shrunk down, so I will address the xfs partition a bit later). So, I put on my LiveCD, opened a terminal and went through the steps in: https://johndoe31415.github.io/luksipc/ which is a detailed and thorough step-by-step documentation. After I did this encryption on /home for all three machines (successfully), I then (re-)installed Fedora 23 for each of them. Wow! The fourth, however presented a major issue. Luksipc needs to shrink the partition, and the shrinking tools that I know of (or could find) can not handle an xfs file system. Actually, from what I read, it does not appear to be possible. So, one option was to convert the filesystem to ext4 and then proceed as above. Reading around, I found a tool to do that. This tool is fstransform and is available at https://github.com/cosmos72/fstransform Though strictly not needed, I rolled a RPM (my first without any help or errors!) and created a new LiveCD with this new rpm on. Amazingly, it worked in converting the filesystem from xfs to ext4. (I followed the instructions at that github site.) I then encrypted this new ext4 filesystem using luksipc and went ahead and installed. So, in summary, the exercise worked. I guess I could have not installed, but I was a bit unclear about how to change grub using /etc/defaults/grub to bring in this new encrypted partition. (I did not quite tell which fields to look at.) I am considering submitting my luksipc and fstransform RPMs to Fedora. Perhaps, they could, in the future, be merged with Anaconda to make in situ encryption and filesystem transformation possible. Perhaps, with a few more scripts to automate the process. I thought that this update might be helpful for future folk. Thanks again for all the discussion and for pointing luksipc to me in the first place! Best wishes, Ranjan FREE 3D EARTH SCREENSAVER - Watch the Earth right on your desktop! Check it out at http://www.inbox.com/earth -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On Wed, 2015-12-02 at 14:42 -0800, Gordon Messmer wrote: > I'm not calling you names. I said that you made a dishonest > argument, but attacking an argument is not the same as attacking the > person making that argument. Sophistry. An honest person can make a mistaken argument but not a dishonest one. I think we're done here. poc -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 12/02/2015 01:50 PM, Patrick O'Callaghan wrote: I made a suggestion based on my own perception. Do you do something different? No, I don't. That's why I'm not supporting my argument with claims about what the "average" user knows or wants. If you have data on the Fedora user community to support a contrary view then feel free to produce it, but I'd appreciate not being called names because you disagree with me. I'm not calling you names. I said that you made a dishonest argument, but attacking an argument is not the same as attacking the person making that argument. It's clear that you don't understand LVM and you don't want to learn it, and that's fine. I'm not suggesting that you spend a lot of time on it. Just don't pretend that you represent the rest of the user base. Your preferences are your own. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 12/02/2015 08:31 AM, Patrick O'Callaghan wrote: On Tue, 2015-12-01 at 19:07 -0600, Chris Adams wrote: Once upon a time, Patrick O'Callaghan said: On Tue, 2015-12-01 at 15:31 -0600, Chris Adams wrote: With LVM, I still get /dev/vg_foo/lv_bar, and don't care what raw device the underlying partition is, how it is connected, etc. (very useful for example when taking an internal drive from one computer and connecting it via an external adapter of some type on another). Which is fine if a) the second machine also runs LVM (what if it's on an Ubuntu machine without LVM, rather than Fedora?) and b) the two use the same LVM logical layout. For (a), the only Ubuntu system I have access to also has LVM; do they not even install the lvm tools? I've no idea. I don't even have a Ubuntu installation. It was a hypothetical question. For Ubuntu susbstitute Mint, Opensuse or whatever. Not all Linux distros install LVM by default. For (b), I have no idea what you mean by "same LVM logical layout". The PV size, VG and LV names, etc. are all part of a particular device. They don't have to match in any way a separate device (on the same or on a different computer). A good demonstration of the problems with LVM terminology. What do you mean by device? I often feel that many of the issues people have with LVM are caused by this sort of thing. I last used LVM several years ago and clearly remember reading over the docs multiple times before making what should have been a simple change, before finally resorting to asking the list. I don't doubt that people who use it every day are comfortable with it, but most of us just don't, so if I had to repeat the experience I would no doubt go through the same learning curve only to forget it again when I finished. For the vast majority of people, the entire LVM thing is on one physical drive. That means that that one (or more) partitions on that drive are used as LVM PVs (physical devices). Those PVs are grouped into one or more LVM VGs (volume groups), and bits of those VGs are used to create LVs (logical volumes). Filesystems are, in turn, laid down on those LVs to create the usable disk space. That's the basic concept behind LVM, and with a single drive, most people will not really need to worry about it. If you're doing something "advanced" such as adding a drive, turning it into one or more additional PVs and adding those to a VG which would permit creating more LVs or expanding existing LVs onto those new PVs, then yeah, you should learn LVM management. The most common gotcha people have are collisions between the VG names and LV names between machines. The installer uses a generic name for the VG (I think it uses "fedora") when it creates these things, so ADDING a drive from machine A to machine B will quite possibly end up with two VGs with the same name or two LVs with the same name. LVM won't let you activate that (the various combinations of VGname-LVname must be unique on a given machine). When I build a system, I name the volume group after the machine it's being built on (e.g. this machine is called "prophead", so the volume group is called "vgprophead"). The LVs are typically named after their function ("root", "swap", "usr", "home", whatever). Thus the /dev/mapper layouts end up with stuff like: /dev/mapper/vgprophead-root /dev/mapper/vgprophead-usr and so on. Other device nodes end up as: /dev/vgprophead/root /dev/vgprophead/usr and so on. Note that all of those /dev/mapper and /dev/vgprophead entries are just symlinks to /dev/dm-X (the actual LV devices created by LVM). Thus, if I were to take the drive from this machine and stick it in my test machine (hamster), I could possibly see: /dev/mapper/vghamster-root /dev/mapper/vgprophead-root That's fine (there's no name collision), and I could mount /dev/mapper/vgprophead-root anywhere I wanted to on hamster. I may have digressed a bit here, but LVM really isn't that scary or hard to grasp (well, at least to me :-)). There may be the odd distro that doesn't install LVM by default, but my guess is they're pretty rare. AFAIK all the major distros (Fedora, CentOS, RedHat, Ubuntu, Debian, SuSE, SciLinux) do. -- - Rick Stevens, Systems Engineer, AllDigitalri...@alldigital.com - - AIM/Skype: therps2ICQ: 226437340 Yahoo: origrps2 - -- - "If you can't fix it...duct tape it!" -- Tim Allen- -- -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedorapr
Re: encrypting /home partition post-install
On Wed, 2015-12-02 at 12:00 -0800, Gordon Messmer wrote: > On 12/02/2015 11:42 AM, Joe Zeff wrote: > > Read what Patrick wrote as referring to the average *professional* > > Linux admin and remember that there are many of us out here who > > only > > use Fedora on our home machines. > > I did. He made a claim about what "average" admins know, without any > evidence to back it up. I think that attributing your own goals and > desires to the community at large is a dishonest way to engage in > discussion. I made a suggestion based on my own perception. Do you do something different? If you have data on the Fedora user community to support a contrary view then feel free to produce it, but I'd appreciate not being called names because you disagree with me. poc -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On Wed, 2015-12-02 at 12:14 -0800, Joe Zeff wrote: > On 12/02/2015 12:00 PM, Gordon Messmer wrote: > > On 12/02/2015 11:42 AM, Joe Zeff wrote: > > > Read what Patrick wrote as referring to the average > > > *professional* > > > Linux admin and remember that there are many of us out here who > > > only > > > use Fedora on our home machines. > > > > I did. He made a claim about what "average" admins know, without > > any > > evidence to back it up. I think that attributing your own goals > > and > > desires to the community at large is a dishonest way to engage in > > discussion. > > OK, fair enough. I, however, thought that he was lumping home users > and > professionals together, which made his comment more reasonable. And, > I > must agree that some sort of evidence would have been nice. > > Patrick, please let us know what you meant by "average Linux admin" > because I know that I can't read your mind and I doubt that Gordon > can either. I was indeed lumping home users and professionals together (they aren't disjoint sets). If the benefits of LVM are mainly in the context of professional support (i.e. server installations with certain reliability and uptime requirements) that's fine, but Fedora is explicitly not meant to be used in these environments. I am assuming that the "average" Fedora user is his own sysadmin and doesn't want to be bothered about this stuff. poc -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
I have to chime in here, as I've watched this thread... errrmm 'evolve'. I've had excellent experiences with LVM, both personally and in enterprise-wide deployments, by default. I've also helped a number of friends with their at-home linux explorations. A number of times, both personally and professionally, LVM by virtue of being installed by default, has saved the day. I've had situations where the user/owner needed to expand or migrate space, and with LVM it was a trivial exercise to accomplish that. The overhead discussion I believe is overblown... LVM obviously has a smidge of overhead when used... but in enterprise deployments that washes out as noise compared to the value it brings when problems arise. Edge cases where fedora is leveraged on older hardware with limited resources, are just that... edge cases. Bottom line, it seems the quibbling is over perceptions, past issues/successes and choices regarding implementation. Maybe it would be best to agree there are differences, there is value in that, and lets focus on more tangible issues each of us can meaningfully contribute to. Thank you. R,-Joe From: Patrick O'Callaghan To: users@lists.fedoraproject.org Sent: Wednesday, December 2, 2015 11:31 AM Subject: Re: encrypting /home partition post-install On Tue, 2015-12-01 at 19:07 -0600, Chris Adams wrote: > Once upon a time, Patrick O'Callaghan said: > > On Tue, 2015-12-01 at 15:31 -0600, Chris Adams wrote: > > > With LVM, I still get /dev/vg_foo/lv_bar, and > > > don't care what raw device the underlying partition is, how it is > > > connected, etc. (very useful for example when taking an internal > > > drive from one computer and connecting it via an external adapter > > > of > > > some type on another). > > > > Which is fine if a) the second machine also runs LVM (what if it's > > on > > an Ubuntu machine without LVM, rather than Fedora?) and b) the two > > use > > the same LVM logical layout. > > For (a), the only Ubuntu system I have access to also has LVM; do > they not even install the lvm tools? I've no idea. I don't even have a Ubuntu installation. It was a hypothetical question. For Ubuntu susbstitute Mint, Opensuse or whatever. Not all Linux distros install LVM by default. > For (b), I have no idea what you mean by "same LVM logical > layout". The PV size, VG and LV names, etc. are all part of a > particular device. They don't have to match in any way a separate > device (on the same or on a different computer). A good demonstration of the problems with LVM terminology. What do you mean by device? I often feel that many of the issues people have with LVM are caused by this sort of thing. I last used LVM several years ago and clearly remember reading over the docs multiple times before making what should have been a simple change, before finally resorting to asking the list. I don't doubt that people who use it every day are comfortable with it, but most of us just don't, so if I had to repeat the experience I would no doubt go through the same learning curve only to forget it again when I finished. poc -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 12/02/2015 12:00 PM, Gordon Messmer wrote: On 12/02/2015 11:42 AM, Joe Zeff wrote: Read what Patrick wrote as referring to the average *professional* Linux admin and remember that there are many of us out here who only use Fedora on our home machines. I did. He made a claim about what "average" admins know, without any evidence to back it up. I think that attributing your own goals and desires to the community at large is a dishonest way to engage in discussion. OK, fair enough. I, however, thought that he was lumping home users and professionals together, which made his comment more reasonable. And, I must agree that some sort of evidence would have been nice. Patrick, please let us know what you meant by "average Linux admin" because I know that I can't read your mind and I doubt that Gordon can either. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 12/02/2015 11:42 AM, Joe Zeff wrote: Read what Patrick wrote as referring to the average *professional* Linux admin and remember that there are many of us out here who only use Fedora on our home machines. I did. He made a claim about what "average" admins know, without any evidence to back it up. I think that attributing your own goals and desires to the community at large is a dishonest way to engage in discussion. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 12/02/2015 11:41 AM, Gordon Messmer wrote: I would think that's an unusual operation. The simplest answer would be: access your volumes from live media rather than moving your storage to another similar system. Also, as Chris mentioned, Anaconda will attempt to generate unique (or at least, not generic) volume names to avoid that issue on new installs, though it did not always behave that way. I've never used LVM, so I don't know what happens when you select it in Anaconda, but it may help to know if the installer always sets the volume names or if you're allowed to specify your own. I'd think that given the choice, I'd rather select my own based on what I'm planning to use them for (and in a production environment, what server they're on) than hope that I remember to document what partition goes where and can find it when (not if) I need it. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 12/02/2015 11:32 AM, Gordon Messmer wrote: On 12/01/2015 04:26 PM, Patrick O'Callaghan wrote: I guess my point is that the average Linux admin is going to have a working knowledge of disk partitioning, whereas LVM is an*additional* layer of expertise that may pay dividends in certain use cases, but for most people is just irrelevant. Your argument would come across more as more authentic if you took ownership of it, instead of placing your own lack of experience and dislike for LVM on the heads of "average Linux admins." Read what Patrick wrote as referring to the average *professional* Linux admin and remember that there are many of us out here who only use Fedora on our home machines. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 12/02/2015 04:35 AM, Tim wrote: Actually, that'd be related to one of my issues with LVM, it gives every install the same default volume names, so plugging a broken PCs drive into a working PC, to work on it, requires quite a bit of mucking around to mount the second drive with the same volume names. That's a fair criticism. Bad things do happen if you move a disk with generic volume group names or logical volume names to another system. I would think that's an unusual operation. The simplest answer would be: access your volumes from live media rather than moving your storage to another similar system. Also, as Chris mentioned, Anaconda will attempt to generate unique (or at least, not generic) volume names to avoid that issue on new installs, though it did not always behave that way. But as this discussion began with a defense of the "typical use case" and "95% of users," I would also note that this is an issue that won't affect most users so it doesn't seem like a compelling reason to avoid LVM in the default layout. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 12/01/2015 04:26 PM, Patrick O'Callaghan wrote: I guess my point is that the average Linux admin is going to have a working knowledge of disk partitioning, whereas LVM is an*additional* layer of expertise that may pay dividends in certain use cases, but for most people is just irrelevant. Your argument would come across more as more authentic if you took ownership of it, instead of placing your own lack of experience and dislike for LVM on the heads of "average Linux admins." -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On Tue, 2015-12-01 at 19:07 -0600, Chris Adams wrote: > Once upon a time, Patrick O'Callaghan said: > > On Tue, 2015-12-01 at 15:31 -0600, Chris Adams wrote: > > > With LVM, I still get /dev/vg_foo/lv_bar, and > > > don't care what raw device the underlying partition is, how it is > > > connected, etc. (very useful for example when taking an internal > > > drive from one computer and connecting it via an external adapter > > > of > > > some type on another). > > > > Which is fine if a) the second machine also runs LVM (what if it's > > on > > an Ubuntu machine without LVM, rather than Fedora?) and b) the two > > use > > the same LVM logical layout. > > For (a), the only Ubuntu system I have access to also has LVM; do > they not even install the lvm tools? I've no idea. I don't even have a Ubuntu installation. It was a hypothetical question. For Ubuntu susbstitute Mint, Opensuse or whatever. Not all Linux distros install LVM by default. > For (b), I have no idea what you mean by "same LVM logical > layout". The PV size, VG and LV names, etc. are all part of a > particular device. They don't have to match in any way a separate > device (on the same or on a different computer). A good demonstration of the problems with LVM terminology. What do you mean by device? I often feel that many of the issues people have with LVM are caused by this sort of thing. I last used LVM several years ago and clearly remember reading over the docs multiple times before making what should have been a simple change, before finally resorting to asking the list. I don't doubt that people who use it every day are comfortable with it, but most of us just don't, so if I had to repeat the experience I would no doubt go through the same learning curve only to forget it again when I finished. poc -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
Once upon a time, Tim said: > Actually, that'd be related to one of my issues with LVM, it gives every > install the same default volume names, so plugging a broken PCs drive > into a working PC, to work on it, requires quite a bit of mucking around > to mount the second drive with the same volume names. That's not LVM, that's the installer, and IIRC that behavior changed in Fedora several releases ago (I always manually partition anyway so I don't remember what the default does these days). -- Chris Adams -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
Allegedly, on or about 01 December 2015, Joe Zeff sent: > This is why you mount them either by UUID or Label. Actually, that'd be related to one of my issues with LVM, it gives every install the same default volume names, so plugging a broken PCs drive into a working PC, to work on it, requires quite a bit of mucking around to mount the second drive with the same volume names. Then, related to both issues, is the difficulty in temporarily mounting some other LVM drive. Nautilus gave the impression that you could automatically mount a so-many-gigs drive by double-clicking on it, like you could mount a flash drive, CD-ROM, etc., but that didn't work. Manually mounting it requires quite a bit of digging about arcane LVM commands, all the more worse if it has the same names as your main drive. -- [tim@localhost ~]$ uname -rsvp Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64 All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I will only read messages posted to the public lists. Windows (TM) [Typhoid Mary]. They refuse to believe that there's anything wrong with it, but everyone else knows Windows is a disease that spreads. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 12/01/2015 05:02 PM, Chris Adams wrote: In the context of moving drives from computer to computer, I doubt you're going to type a UUID in by hand. Label works if you remember to set one. You get the UUID before moving the drive, and put it in a text file on a flash drive. Then, when you edit fstab, you copy/paste the UUID into the file and Bob's your uncle. It's not exactly rocket surgery, it just takes a moment to think ahead. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
Once upon a time, Patrick O'Callaghan said: > On Tue, 2015-12-01 at 15:31 -0600, Chris Adams wrote: > > With LVM, I still get /dev/vg_foo/lv_bar, and > > don't care what raw device the underlying partition is, how it is > > connected, etc. (very useful for example when taking an internal > > drive from one computer and connecting it via an external adapter of > > some type on another). > > Which is fine if a) the second machine also runs LVM (what if it's on > an Ubuntu machine without LVM, rather than Fedora?) and b) the two use > the same LVM logical layout. For (a), the only Ubuntu system I have access to also has LVM; do they not even install the lvm tools? For (b), I have no idea what you mean by "same LVM logical layout". The PV size, VG and LV names, etc. are all part of a particular device. They don't have to match in any way a separate device (on the same or on a different computer). -- Chris Adams -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
Once upon a time, Joe Zeff said: > On 12/01/2015 01:31 PM, Chris Adams wrote: > >I find quite the opposite: without LVM, I have to know that the drive I > >just moved from computer to computer changed from sdb to sdc, and edit > >fstab and such manually. > > This is why you mount them either by UUID or Label. In the context of moving drives from computer to computer, I doubt you're going to type a UUID in by hand. Label works if you remember to set one. -- Chris Adams -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On Tue, 2015-12-01 at 15:31 -0600, Chris Adams wrote: > Once upon a time, Patrick O'Callaghan said: > > Because I know what physical disks I have in my machine and I want > > to > > relate that to what I see in the output of df. I might even want to > > move a device to another machine and be able to mount the right > > partitions in the right places. With "normal" (i.e. non-LVM) > > partitioning it's fairly easy to do this. With LVM it's definitely > > not. > > I find quite the opposite: without LVM, I have to know that the drive > I just moved from computer to computer changed from sdb to sdc, and > edit fstab and such manually. Maybe so, but it's still easy to do. > With LVM, I still get /dev/vg_foo/lv_bar, and > don't care what raw device the underlying partition is, how it is > connected, etc. (very useful for example when taking an internal > drive from one computer and connecting it via an external adapter of > some type on another). Which is fine if a) the second machine also runs LVM (what if it's on an Ubuntu machine without LVM, rather than Fedora?) and b) the two use the same LVM logical layout. I guess my point is that the average Linux admin is going to have a working knowledge of disk partitioning, whereas LVM is an *additional* layer of expertise that may pay dividends in certain use cases, but for most people is just irrelevant. Anyway, we're getting way off the original topic of this thread. I didn't really want to start a whole discussion (all of which has been said before more than once). poc -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 12/01/2015 01:31 PM, Chris Adams wrote: I find quite the opposite: without LVM, I have to know that the drive I just moved from computer to computer changed from sdb to sdc, and edit fstab and such manually. This is why you mount them either by UUID or Label. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
Once upon a time, Patrick O'Callaghan said: > Because I know what physical disks I have in my machine and I want to > relate that to what I see in the output of df. I might even want to > move a device to another machine and be able to mount the right > partitions in the right places. With "normal" (i.e. non-LVM) > partitioning it's fairly easy to do this. With LVM it's definitely not. I find quite the opposite: without LVM, I have to know that the drive I just moved from computer to computer changed from sdb to sdc, and edit fstab and such manually. With LVM, I still get /dev/vg_foo/lv_bar, and don't care what raw device the underlying partition is, how it is connected, etc. (very useful for example when taking an internal drive from one computer and connecting it via an external adapter of some type on another). -- Chris Adams -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On Tue, 2015-12-01 at 09:29 -0800, Gordon Messmer wrote: > > Not so. If you have LVM you have to*know* you have LVM, otherwise > your > > disk partition names won't make any sense. Just doing a "df" > requires you to know this and understand what it means. > > Why is understanding the device names, as opposed to understanding > what filesystems are, critical to understanding the output of "df"? Because I know what physical disks I have in my machine and I want to relate that to what I see in the output of df. I might even want to move a device to another machine and be able to mount the right partitions in the right places. With "normal" (i.e. non-LVM) partitioning it's fairly easy to do this. With LVM it's definitely not. poc -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 12/01/2015 06:35 PM, Gordon Messmer wrote: > On 12/01/2015 06:43 AM, Roberto Ragusa wrote: >>> ... should note that you'll have to shrink at least one of your volumes, >>> though. The encrypted PV that you create will be slightly smaller than it >>> was, before encryption. As a result, there won't be enough extents to move >>> all of the volumes off and then back. >> The PV is used in multiple of the segment size, so, depending on rounding >> errors you may >> have some free blocks. > > Sounds right. "pvdisplay" will print information about unusable space in the > "PV Size" line. As long as that's larger than the LUKS header (2MiB, I > believe) you should be able to do a live migration to an encrypted PV using a > second disk. > > Interesting. And one can do it on purpose: - big segments (64MiB) - partitions with a little overhead (100.01GiB, so there are 10MiB of extra room) - PV, mdadm or luks headers will never be a problem -- Roberto Ragusamail at robertoragusa.it -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 12/01/2015 06:29 PM, Gordon Messmer wrote: > On 12/01/2015 03:37 AM, Patrick O'Callaghan wrote: >> Not so. If you have LVM you have to*know* you have LVM, otherwise your >> disk partition names won't make any sense. Just doing a "df" requires >> you to know this and understand what it means. > > Why is understanding the device names, as opposed to understanding what > filesystems are, critical to understanding the output of "df"? Addressing the > issue of filesystem use typically involves searching and summing file sizes > (du). The first step to addressing filesystem use issues is probably > archiving or deleting unnecessary data, which isn't affected by LVM. Beyond > that, users might choose to address such an issue by re-sizing the > filesystem, which is possible with LVM but generally difficult or impossible > without it. Or they might choose to reinstall with different filesystem > allocations and restore data from backup, which also isn't affected by LVM. > > I don't see your case, frankly. I can't find any process here that LVM > complicates. lsblk is magic, when you have RAID, encryption, LVM, ... -- Roberto Ragusamail at robertoragusa.it -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 11/30/2015 11:11 PM, Joe Zeff wrote: It's one more layer of abstraction to confuse newer users when things go wrong. In the context of a conversation where LVM provides a means of addressing the OP's requirement (encrypting a system after-the-fact), and where I've outlined numerous concrete examples of LVM features that I think are useful on desktop systems (backups, SSD acceleration, and virtualization), do you see how "things might go wrong" isn't very convincing? It's kind of vague and, honestly, applies to every aspect of computing. Yes, things can go wrong. Software contains bugs. Simplicity is good. But LVM is less complex than the vast majority of system components, and using a similar configuration on desktops and servers is, from the vendor's perspective, less complexity than different layouts. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 12/01/2015 02:57 AM, Tim wrote: Do we have file system recovery tools for it, yet? (Assuming that a problem might occur with LVM, itself, rather than an EXT3 filesystem within it.) pvck and vgck. I believe the answer is "yes". vgck is present in tag v1_00_03, so it's at least 12 years old. pvck looks like it was added in 2007. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 12/01/2015 06:43 AM, Roberto Ragusa wrote: ... should note that you'll have to shrink at least one of your volumes, though. The encrypted PV that you create will be slightly smaller than it was, before encryption. As a result, there won't be enough extents to move all of the volumes off and then back. The PV is used in multiple of the segment size, so, depending on rounding errors you may have some free blocks. Sounds right. "pvdisplay" will print information about unusable space in the "PV Size" line. As long as that's larger than the LUKS header (2MiB, I believe) you should be able to do a live migration to an encrypted PV using a second disk. Interesting. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 12/01/2015 03:37 AM, Patrick O'Callaghan wrote: Not so. If you have LVM you have to*know* you have LVM, otherwise your disk partition names won't make any sense. Just doing a "df" requires you to know this and understand what it means. Why is understanding the device names, as opposed to understanding what filesystems are, critical to understanding the output of "df"? Addressing the issue of filesystem use typically involves searching and summing file sizes (du). The first step to addressing filesystem use issues is probably archiving or deleting unnecessary data, which isn't affected by LVM. Beyond that, users might choose to address such an issue by re-sizing the filesystem, which is possible with LVM but generally difficult or impossible without it. Or they might choose to reinstall with different filesystem allocations and restore data from backup, which also isn't affected by LVM. I don't see your case, frankly. I can't find any process here that LVM complicates. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 12/01/2015 04:27 PM, Ranjan Maitra wrote: > On Tue, 1 Dec 2015 16:12:07 +0100 Roberto Ragusa > wrote: > No problem. Thank you. this is very helpful. Btw, isn't the recommended way > to edit grub by changing /etc/defaults/grub and then running grub-mkconfig or > is that for something else? > Yes, in fact I said "/boot/grub/grub.conf should contain", not "edit the file and add". ;-) If you can make it to contain the stuff by using /etc/defaults/grub it's perfect, but I never really understood how that flow is supposed to work, as it seems that installing a new kernel, options are just copied from the existing kernel to the new one. This could be different/fixed in recent Fedora versions... -- Roberto Ragusamail at robertoragusa.it -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On Tue, 1 Dec 2015 16:12:07 +0100 Roberto Ragusa wrote: > On 11/30/2015 11:24 PM, Ranjan Maitra wrote: > > On Mon, 30 Nov 2015 21:59:35 +0100 Roberto Ragusa > > wrote: > > > >> All of this can be done while the system is running > >> normally. > >> Before rebooting, fix your /etc/crypttab and initramfs > >> so you will be asked the passphrase at next boot. > > > > Can you please give me a reference on how to fix /etc/cryptab or this > > initramfs up? > > I do not have a reference, I just discovered things with experience: > > /etc/crypttab should contain something like: > > luks----- > UUID=---- none > > > /boot/grub/grub.conf should contain on your kernel line the part > > rd.md=1 rd.dm=1 rd.luks=1 > > or at least the luks one > > > then I rebuild the initramfs; the way to do this is continuously changed so my > method is to run rpm -q --scripts kernel and look at the posttrans part: > > posttrans scriptlet (using /bin/sh): > /sbin/new-kernel-pkg --package kernel --mkinitrd --dracut --depmod --update > 3.14.17-100.fc19.x86_64 || exit $? > /sbin/new-kernel-pkg --package kernel --rpmposttrans 3.14.17-100.fc19.x86_64 > || exit $? > > so I run those two commands. > > > Sorry for not giving an accurate procedure, but those are the points to > consider. No problem. Thank you. this is very helpful. Btw, isn't the recommended way to edit grub by changing /etc/defaults/grub and then running grub-mkconfig or is that for something else? Best wishes, Ranjan FREE ONLINE PHOTOSHARING - Share your photos online with your friends and family! Visit http://www.inbox.com/photosharing to find out more! -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 11/30/2015 11:24 PM, Ranjan Maitra wrote: > On Mon, 30 Nov 2015 21:59:35 +0100 Roberto Ragusa > wrote: > >> All of this can be done while the system is running >> normally. >> Before rebooting, fix your /etc/crypttab and initramfs >> so you will be asked the passphrase at next boot. > > Can you please give me a reference on how to fix /etc/cryptab or this > initramfs up? I do not have a reference, I just discovered things with experience: /etc/crypttab should contain something like: luks----- UUID=---- none /boot/grub/grub.conf should contain on your kernel line the part rd.md=1 rd.dm=1 rd.luks=1 or at least the luks one then I rebuild the initramfs; the way to do this is continuously changed so my method is to run rpm -q --scripts kernel and look at the posttrans part: posttrans scriptlet (using /bin/sh): /sbin/new-kernel-pkg --package kernel --mkinitrd --dracut --depmod --update 3.14.17-100.fc19.x86_64 || exit $? /sbin/new-kernel-pkg --package kernel --rpmposttrans 3.14.17-100.fc19.x86_64 || exit $? so I run those two commands. Sorry for not giving an accurate procedure, but those are the points to consider. Regards. -- Roberto Ragusamail at robertoragusa.it -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 11/30/2015 10:07 PM, Gordon Messmer wrote: > On 11/30/2015 01:06 PM, Gordon Messmer wrote: >> You can add a PV to encrypt the system without rebooting. > > ... should note that you'll have to shrink at least one of your volumes, > though. The encrypted PV that you create will be slightly smaller than it > was, before encryption. As a result, there won't be enough extents to move > all of the volumes off and then back. Not always. The PV is used in multiple of the segment size, so, depending on rounding errors you may have some free blocks. For example, if you use 64MiB as segment, a 650MiB PV will contain 10 of them. The same PV when encrypted will be 649.99MiB (just guessing...), but it will perfectly contain 10 segments again. This was very true when partition were very badly aligned (factors 63, 16, 255 around); nowadays because of 4k disks and SSD, things are better aligned so it may actually happen that you miss one segment and one filesystem must be resized. Again, if the PV goes up to the end of the disk, you have probably some misaligned ending block, so you are lucky again (even SSD have kept the strange habit of being sized in 10^3 instead that 2^10). Regards. -- Roberto Ragusamail at robertoragusa.it -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On Mon, 2015-11-30 at 19:01 -0800, Gordon Messmer wrote: > Systems with simple, relatively static storage will, by the same > token, not require users to interact with LVM. > So where is the case for not using it, exactly? Not so. If you have LVM you have to *know* you have LVM, otherwise your disk partition names won't make any sense. Just doing a "df" requires you to know this and understand what it means. poc -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
Allegedly, on or about 30 November 2015, Gordon Messmer sent: > Systems with simple, relatively static storage will, by the same > token, not require users to interact with LVM. So where is the case > for not using it, exactly? Do we have file system recovery tools for it, yet? (Assuming that a problem might occur with LVM, itself, rather than an EXT3 filesystem within it.) That was always the kicker, before. -- [tim@localhost ~]$ uname -rsvp Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64 All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I will only read messages posted to the public lists. ZNQR LBH YBBX! -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 11/30/2015 07:01 PM, Gordon Messmer wrote: So where is the case for not using it, exactly? It's one more layer of abstraction to confuse newer users when things go wrong. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 11/30/2015 05:05 PM, Sam Varshavchik wrote: Such as during the grub -> grub2 transition, when a larger spare chunk of space was needed, after the MBR, to accomodate the larger bootloader. Yes, but only for systems that had /boot on md RAID1. In the context of a discussion about "95% of users systems" that seems like an odd argument. But if I had to deal with useless LVM interloper, I would've been, pretty much, up the creek. Probably not. The default setup still puts /boot at the beginning of the drive, and not inside LVM. On a more-or-less default configuration with RAID1, you'd have taken the same steps that you did. LVM isn't as complicated as you make it out to be, and as Roberto pointed out earlier, it allows users to do things with their storage that they might not have realized they wanted initially, like encrypting the system while it's running. If we accept that 95% of users won't benefit from LVM (they won't use any LVM features), that's true because many systems have simple, relatively static storage. Systems with simple, relatively static storage will, by the same token, not require users to interact with LVM. So where is the case for not using it, exactly? -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
Heinz Diehl writes: Automatically introducing complexity into 95% of the users systems just because it could be useful some day is, quite frankly, embarassing. It makes sense the other way 'round: complexity adds to the diffculties when having to handle data operations (backup, encryption, transfer, recovery..) , which in turn makes data loss more likely. Precisely. Such as during the grub -> grub2 transition, when a larger spare chunk of space was needed, after the MBR, to accomodate the larger bootloader. Two of my servers did not have sufficient space for grub2. But both of them were formatted as raw, RAID-1 volumes. This made it possible to use a combination of resize2fs+fdisk to repartition "in-place", in order to give more spare room to the MBR. But if I had to deal with useless LVM interloper, I would've been, pretty much, up the creek. pgposNRbe6tn6.pgp Description: PGP signature -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
Ranjan Maitra writes: On Mon, 30 Nov 2015 08:38:50 -0500 Sam Varshavchik wrote: > In this case, this is not possible. /boot cannot be encrypted. If you have > one / partition, and /boot lives on it, it cannot be encrypted. Thanks! But I was talking about encrypting the /home partition which is separate. Does this make a difference? If it's a separate partition from /boot, it can be encrypted. pgpEucLn27JSV.pgp Description: PGP signature -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 11/30/2015 03:07 PM, Gordon Messmer wrote: On 11/30/2015 01:06 PM, Gordon Messmer wrote: You can add a PV to encrypt the system without rebooting. ... should note that you'll have to shrink at least one of your volumes, though. The encrypted PV that you create will be slightly smaller than it was, before encryption. As a result, there won't be enough extents to move all of the volumes off and then back. You can set up LUKS with a detached header that is stored somewhere other than the encrypted PV. -- Bob Nichols "NOSPAM" is really part of my email address. Do NOT delete it. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On Mon, 30 Nov 2015 21:59:35 +0100 Roberto Ragusa wrote: > On 11/30/2015 08:44 PM, Gordon Messmer wrote: > > On 11/30/2015 03:44 AM, Roberto Ragusa wrote: > >> This thread is about someone wanting to encrypt an existing > >> system: LVM makes it possible to do this, without a reboot, > >> without unmounting. > > > > As far as I'm aware, no it doesn't. > > It does. > > Suppose you have your LVs (/, /home, /var, > whatever partitioning scheme you have) on a single > VG on a single PV (e.g. /dev/sda2). > > You can encrypt the system without even rebooting. > > Connect an external temporary USB disk (dev/sdb). > Create a PV there (big enough for all your partitions). > Add the PV to your VG. > Move all the LV to the external PV. > Remove /dev/sda2 from the VG. > Make /dev/sda2 not a PV anymore (pvremove). > Turn /dev/sda2 into an encrypted block device (dmsetup). > Make the encrypted device a PV. > Add the PV to your VG. > Move your volumes to this PV. > Remove the external PV from the VG. > Disconnect the external disk. > > All of this can be done while the system is running > normally. > Before rebooting, fix your /etc/crypttab and initramfs > so you will be asked the passphrase at next boot. Can you please give me a reference on how to fix /etc/cryptab or this initramfs up? Thanks again! Ranjan FREE ONLINE PHOTOSHARING - Share your photos online with your friends and family! Visit http://www.inbox.com/photosharing to find out more! -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 11/30/2015 01:06 PM, Gordon Messmer wrote: You can add a PV to encrypt the system without rebooting. ... should note that you'll have to shrink at least one of your volumes, though. The encrypted PV that you create will be slightly smaller than it was, before encryption. As a result, there won't be enough extents to move all of the volumes off and then back. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 11/30/2015 12:59 PM, Roberto Ragusa wrote: On 11/30/2015 08:44 PM, Gordon Messmer wrote: As far as I'm aware, no it doesn't. You can encrypt the system without even rebooting. Connect an external temporary USB disk (dev/sdb). Create a PV there (big enough for all your partitions). ... Yes, you're correct. You can add a PV to encrypt the system without rebooting. You can't encrypt in place, and that's what I thought you meant. My apologies. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 11/30/2015 08:44 PM, Gordon Messmer wrote: > On 11/30/2015 03:44 AM, Roberto Ragusa wrote: >> This thread is about someone wanting to encrypt an existing >> system: LVM makes it possible to do this, without a reboot, >> without unmounting. > > As far as I'm aware, no it doesn't. It does. Suppose you have your LVs (/, /home, /var, whatever partitioning scheme you have) on a single VG on a single PV (e.g. /dev/sda2). You can encrypt the system without even rebooting. Connect an external temporary USB disk (dev/sdb). Create a PV there (big enough for all your partitions). Add the PV to your VG. Move all the LV to the external PV. Remove /dev/sda2 from the VG. Make /dev/sda2 not a PV anymore (pvremove). Turn /dev/sda2 into an encrypted block device (dmsetup). Make the encrypted device a PV. Add the PV to your VG. Move your volumes to this PV. Remove the external PV from the VG. Disconnect the external disk. All of this can be done while the system is running normally. Before rebooting, fix your /etc/crypttab and initramfs so you will be asked the passphrase at next boot. -- Roberto Ragusamail at robertoragusa.it -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 11/30/2015 06:08 AM, Ranjan Maitra wrote: But there is only one filesystem (/dev/sda) and one HDD on these two > >laptops. Therefore, I am not sure how to do this other than through going in > >through a LiveCD. Thanks! But I was talking about encrypting the /home partition which is separate. Does this make a difference? You're saying two different things. If /home is a separate partition, then you can log in as root, unmount /home, and (maybe) use luksipc to encrypt it. If you have "only one filesystem" that would be "/". As Sam said, encrypting such a system is not supported. It's possible, though: http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/ -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 11/30/2015 03:44 AM, Roberto Ragusa wrote: This thread is about someone wanting to encrypt an existing system: LVM makes it possible to do this, without a reboot, without unmounting. As far as I'm aware, no it doesn't. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 11/29/2015 01:19 PM, Sam Varshavchik wrote: I really don't understand why Fedora is still foisting all the overhead of LVM on everyone, by default. I would imagine that the simple answer is "consistency." The slightly longer answer, IMO: Would you like to make snapshots for consistent backups? That's enabled by LVM. Would you like to accelerate magnetic disks using SSD-backed cache? That's enabled by LVM. Would you like storage for virtual machines with low overhead? That's enabled by LVM. Personally, I think all of those are relevant to desktop systems. I make use of those features on my home desktop. And while not everyone does, there's really no reason to exclude the component that would allow them to do so when they decide that they would like to. Those are benefits to users. Developers (Anaconda and dracut, maybe others) benefit from having a consistent configuration that's supported from laptops up to servers. The more consistent those systems are, the better tested the storage stack is, and the more stable it will be for everyone. But I wonder how often does that happen, versus how often LVM's overhead ends up getting competely wasted. Unless you have a snapshot of a volume, LVM doesn't have a measurable overhead. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On Mon, 2015-11-30 at 13:00 +, Patrick O'Callaghan wrote: > It does if a) there is no overhead (which is being claimed for LVM) > and b) it doesn't burden the user, which LVM does even if you never do > anything with it. The burden being a cognitive one: that you have to > know it's there and understand how to interpret disk partitions. I don't know about now, but it was noticeably slower to use LVM than just EXT3 in a normal partition, on my old 500 MHz computer. There's always been a drawback in abstraction. Every hoop something has to jump through, is a bottleneck (yay, managed to mix two metaphors). You certainly noticed with older slower computers that having to go through a stack of routines to do something, rather than do it directly, has a detrimental effect. And while people say it's not noticeable with newer GHz processors, every slowdown builds up. -- tim@localhost ~]$ uname -rsvp Linux 3.19.8-100.fc20.i686 #1 SMP Tue May 12 17:42:35 UTC 2015 i686 All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I will only read messages posted to the public lists. George Orwell's '1984' was supposed to be a warning against tyranny, not a set of instructions for supposedly democratic governments. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On Mon, 2015-11-30 at 15:58 +0100, Heinz Diehl wrote: > On 30.11.2015, Roberto Ragusa wrote: > > > Seat belts are also useless for >99.9% of car passengers. :-) The > > little inconvenience is accepted because > > they may turn useful one day. > > LVM can not possibly be life-threatening, in opposite to a non-used > seatbelt, which is why your argument is bogus ;-) > > Automatically introducing complexity into 95% of the users systems > just because it could > be useful some day is, quite frankly, embarassing. It makes sense the > other way 'round: complexity adds to the diffculties when > having to handle data operations (backup, encryption, transfer, > recovery..) , which in turn makes data loss more likely. A possible compromise would be to install LVM for the server version of Fedora and not for the workstation version. Just a thought. poc -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 30.11.2015, Roberto Ragusa wrote: > Seat belts are also useless for >99.9% of car passengers. :-) The little > inconvenience is accepted because > they may turn useful one day. LVM can not possibly be life-threatening, in opposite to a non-used seatbelt, which is why your argument is bogus ;-) Automatically introducing complexity into 95% of the users systems just because it could be useful some day is, quite frankly, embarassing. It makes sense the other way 'round: complexity adds to the diffculties when having to handle data operations (backup, encryption, transfer, recovery..) , which in turn makes data loss more likely. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 11/30/2015 01:01 PM, Sam Varshavchik wrote: > Roberto Ragusa writes: > >> On 11/29/2015 10:19 PM, Sam Varshavchik wrote: >> >>> I really don't understand why Fedora is still foisting all the overhead of >>> LVM on everyone, by default. I would tend to think that for typical use >>> cases, LVM brings absolutely nothing value-added. I would expect that, with >>> most use cases, people install Fedora with the default filesystem layout, >>> and never have the need to move or grow their existing partitions. >> >> What overhead? You gain flexibility with nearly zero overhead. > > What "flexibility"? Can you explain to me exactly what "flexibility" LVM > brings to the table for 95% of users who, after installing Fedora, never have > any new disks added to the machine, and never need to touch anything related > to the disk layout? To that 95%? Nothing. Seat belts are also useless for >99.9% of car passengers. :-) The little inconvenience is accepted because they may turn useful one day. -- Roberto Ragusamail at robertoragusa.it -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On Mon, 30 Nov 2015 08:38:50 -0500 Sam Varshavchik wrote: > Ranjan Maitra writes: > > > On Sun, 29 Nov 2015 20:29:09 -0800 Gordon Messmer > > > > wrote: > > > > > On 11/29/2015 05:59 PM, Ranjan Maitra wrote: > > > > Thanks! I was wondering about this some more. Can I not put this tool > > > > luksipc on a LiveCD and then compile and run it from there? Then the > > > > actual disks would be "offline", isn't that correct? > > > > > > Yes, but you don't really need to do that. You just need to unmount the > > > filesystem you want to encrypt. > > > > But there is only one filesystem (/dev/sda) and one HDD on these two > > laptops. Therefore, I am not sure how to do this other than through going > > in > > through a LiveCD. > > In this case, this is not possible. /boot cannot be encrypted. If you have > one / partition, and /boot lives on it, it cannot be encrypted. Thanks! But I was talking about encrypting the /home partition which is separate. Does this make a difference? Best wishes, Ranjan -- Important Notice: This mailbox is ignored: e-mails are set to be deleted on receipt. Please respond to the mailing list if appropriate. For those needing to send personal or professional e-mail, please use appropriate addresses. Can't remember your password? Do you need a strong and secure password? Use Password manager! It stores your passwords & protects your account. Check it out at http://mysecurelogon.com/password-manager -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
Ranjan Maitra writes: On Sun, 29 Nov 2015 20:29:09 -0800 Gordon Messmer wrote: > On 11/29/2015 05:59 PM, Ranjan Maitra wrote: > > Thanks! I was wondering about this some more. Can I not put this tool > > luksipc on a LiveCD and then compile and run it from there? Then the > > actual disks would be "offline", isn't that correct? > > Yes, but you don't really need to do that. You just need to unmount the > filesystem you want to encrypt. But there is only one filesystem (/dev/sda) and one HDD on these two laptops. Therefore, I am not sure how to do this other than through going in through a LiveCD. In this case, this is not possible. /boot cannot be encrypted. If you have one / partition, and /boot lives on it, it cannot be encrypted. pgppQCNPvdtxQ.pgp Description: PGP signature -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On Sun, 29 Nov 2015 20:29:09 -0800 Gordon Messmer wrote: > On 11/29/2015 05:59 PM, Ranjan Maitra wrote: > > Thanks! I was wondering about this some more. Can I not put this tool > > luksipc on a LiveCD and then compile and run it from there? Then the > > actual disks would be "offline", isn't that correct? > > Yes, but you don't really need to do that. You just need to unmount the > filesystem you want to encrypt. But there is only one filesystem (/dev/sda) and one HDD on these two laptops. Therefore, I am not sure how to do this other than through going in through a LiveCD. > > Btw, I also tried building an RPM of the tool. But I am stuck in the > > step of installing in the spec file. > ... > > %install > > (what do I put in here?) > > Maybe: > > install -d $RPM_BUILD_ROOT/%{_bindir} > install -m 755 luskipc $RPM_BUILD_ROOT/%{_bindir}/luksipc Thanks! I tried this but get the following error (also posted in response to Michael's suggestion). + install -m 755 luskipc /home/maitra/rpmbuild/BUILDROOT/luksipc-0.04-1.fc23.x86_64//usr/bin/luksipc install: cannot stat 'luskipc': No such file or directory error: Bad exit status from /var/tmp/rpm-tmp.lyU1cP (%install) RPM build errors: Bad exit status from /var/tmp/rpm-tmp.lyU1cP (%install) Any other suggestions? The SPEC file is here: $ fpaste luksipc.spec Uploading (2.0KiB)... WARNING: Could not shorten URL http://paste.fedoraproject.org/295774/7881 Thanks again! Ranjan FREE 3D EARTH SCREENSAVER - Watch the Earth right on your desktop! Check it out at http://www.inbox.com/earth -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On Mon, 2015-11-30 at 06:59 -0500, Sam Varshavchik wrote: > > It's an issue that raises its head sporadically and has done for > > several years. I'm also in the No camp and take care to disable LVM > on > > any new install, but I can't see the situation changing unless or > until > > something functionally equivalent comes along (BRTFS?). In the > > meantime, we sigh and move on. > > No, the whole point is that "functionally equivalent" still doesn't > bring > anything value-added to the table. It does if a) there is no overhead (which is being claimed for LVM) and b) it doesn't burden the user, which LVM does even if you never do anything with it. The burden being a cognitive one: that you have to know it's there and understand how to interpret disk partitions. poc -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
Roberto Ragusa writes: On 11/29/2015 10:19 PM, Sam Varshavchik wrote: > I really don't understand why Fedora is still foisting all the overhead of LVM on everyone, by default. I would tend to think that for typical use cases, LVM brings absolutely nothing value-added. I would expect that, with most use cases, people install Fedora with the default filesystem layout, and never have the need to move or grow their existing partitions. What overhead? You gain flexibility with nearly zero overhead. What "flexibility"? Can you explain to me exactly what "flexibility" LVM brings to the table for 95% of users who, after installing Fedora, never have any new disks added to the machine, and never need to touch anything related to the disk layout? pgpsle8j8O2dE.pgp Description: PGP signature -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
Patrick O'Callaghan writes: On Mon, 2015-11-30 at 08:36 +0100, Heinz Diehl wrote: > On 29.11.2015, Sam Varshavchik wrote: > > > I really don't understand why Fedora is still foisting all the > > overhead of > > LVM on everyone, by default. I would tend to think that for typical > > use > > cases, LVM brings absolutely nothing value-added. > > I'd like to second that! > > Mentioned the same issue here on this list several months ago when > F22 came up.. It's an issue that raises its head sporadically and has done for several years. I'm also in the No camp and take care to disable LVM on any new install, but I can't see the situation changing unless or until something functionally equivalent comes along (BRTFS?). In the meantime, we sigh and move on. No, the whole point is that "functionally equivalent" still doesn't bring anything value-added to the table. pgpgScw8JQ1eX.pgp Description: PGP signature -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 11/29/2015 10:19 PM, Sam Varshavchik wrote: > I really don't understand why Fedora is still foisting all the overhead of > LVM on everyone, by default. I would tend to think that for typical use > cases, LVM brings absolutely nothing value-added. I would expect that, with > most use cases, people install Fedora with the default filesystem layout, and > never have the need to move or grow their existing partitions. What overhead? You gain flexibility with nearly zero overhead. This thread is about someone wanting to encrypt an existing system: LVM makes it possible to do this, without a reboot, without unmounting. Regards. -- Roberto Ragusamail at robertoragusa.it -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On Mon, 2015-11-30 at 08:36 +0100, Heinz Diehl wrote: > On 29.11.2015, Sam Varshavchik wrote: > > > I really don't understand why Fedora is still foisting all the > > overhead of > > LVM on everyone, by default. I would tend to think that for typical > > use > > cases, LVM brings absolutely nothing value-added. > > I'd like to second that! > > Mentioned the same issue here on this list several months ago when > F22 came up.. It's an issue that raises its head sporadically and has done for several years. I'm also in the No camp and take care to disable LVM on any new install, but I can't see the situation changing unless or until something functionally equivalent comes along (BRTFS?). In the meantime, we sigh and move on. poc -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 29.11.2015, Sam Varshavchik wrote: > I really don't understand why Fedora is still foisting all the overhead of > LVM on everyone, by default. I would tend to think that for typical use > cases, LVM brings absolutely nothing value-added. I'd like to second that! Mentioned the same issue here on this list several months ago when F22 came up.. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 11/29/2015 05:59 PM, Ranjan Maitra wrote: Thanks! I was wondering about this some more. Can I not put this tool luksipc on a LiveCD and then compile and run it from there? Then the actual disks would be "offline", isn't that correct? Yes, but you don't really need to do that. You just need to unmount the filesystem you want to encrypt. Btw, I also tried building an RPM of the tool. But I am stuck in the step of installing in the spec file. ... %install (what do I put in here?) Maybe: install -d $RPM_BUILD_ROOT/%{_bindir} install -m 755 luskipc $RPM_BUILD_ROOT/%{_bindir}/luksipc -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On Sun, 29 Nov 2015 17:08:25 -0800 Gordon Messmer wrote: > On 11/29/2015 04:22 PM, Ranjan Maitra wrote: > > I do have backups in place, but I don't really want to have to go > > back to them (one of the partitions has 367 GB of data, the other has > > 100 GB). At the least, it will be disruptive. > > Disruption is unavoidable. The tool I described earlier might be able > to encrypt in place, but it has to be done offline. Thanks! I was wondering about this some more. Can I not put this tool luksipc on a LiveCD and then compile and run it from there? Then the actual disks would be "offline", isn't that correct? Btw, I also tried building an RPM of the tool. But I am stuck in the step of installing in the spec file. The Makefile (for luksipc) does not have an install option. I can go up to the %build section easily, but my .spec file has problems in the install stage. Here are the operative portions of my specfile: %prep %setup -q %build make %install (what do I put in here?) Many thanks for your time, and best wishes, Ranjan Can't remember your password? Do you need a strong and secure password? Use Password manager! It stores your passwords & protects your account. Check it out at http://mysecurelogon.com/password-manager -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On Sun, 29 Nov 2015 20:29:47 -0500 Sam Varshavchik wrote: > Ranjan Maitra writes: > > > Thanks! Btw, either way, is it possible to encrypt a non-LVM partition? As I > > Yes, and I mentioned the fact that I did just that, earlier in this thread. > Yes, you did. but I was not clear because the default was the only option. Thank you again for making this clarification: it really helps to go in with correct information and with knowledge of possibilities! Best wishes, Ranjan -- Important Notice: This mailbox is ignored: e-mails are set to be deleted on receipt. Please respond to the mailing list if appropriate. For those needing to send personal or professional e-mail, please use appropriate addresses. Can't remember your password? Do you need a strong and secure password? Use Password manager! It stores your passwords & protects your account. Check it out at http://mysecurelogon.com/password-manager -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
Ranjan Maitra writes: Thanks! Btw, either way, is it possible to encrypt a non-LVM partition? As I Yes, and I mentioned the fact that I did just that, earlier in this thread. pgpfdZl_6H1qb.pgp Description: PGP signature -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On Sun, 29 Nov 2015 17:08:25 -0800 Gordon Messmer wrote: > On 11/29/2015 04:22 PM, Ranjan Maitra wrote: > > I do have backups in place, but I don't really want to have to go > > back to them (one of the partitions has 367 GB of data, the other has > > 100 GB). At the least, it will be disruptive. > > Disruption is unavoidable. The tool I described earlier might be able > to encrypt in place, but it has to be done offline. I don't know how > near your backups are, but it would probably take me longer to > encrypt-in-place than to install and restore. Thanks! Btw, either way, is it possible to encrypt a non-LVM partition? As I said before, I have xfs and ext4 filesystems and do not want to get into LVM. Tried this a year ago, and it was a royal mess. Best wishes, Ranjan > -- > users mailing list > users@lists.fedoraproject.org > To unsubscribe or change subscription options: > https://admin.fedoraproject.org/mailman/listinfo/users > Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct > Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines > Have a question? Ask away: http://ask.fedoraproject.org -- Important Notice: This mailbox is ignored: e-mails are set to be deleted on receipt. Please respond to the mailing list if appropriate. For those needing to send personal or professional e-mail, please use appropriate addresses. Receive Notifications of Incoming Messages Easily monitor multiple email accounts & access them with a click. Visit http://www.inbox.com/notifier and check it out! -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 11/29/2015 04:22 PM, Ranjan Maitra wrote: I do have backups in place, but I don't really want to have to go back to them (one of the partitions has 367 GB of data, the other has 100 GB). At the least, it will be disruptive. Disruption is unavoidable. The tool I described earlier might be able to encrypt in place, but it has to be done offline. I don't know how near your backups are, but it would probably take me longer to encrypt-in-place than to install and restore. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On Sun, 29 Nov 2015 14:19:51 -0800 Joe Zeff wrote: > On 11/29/2015 01:19 PM, Sam Varshavchik wrote: > > > > I really don't understand why Fedora is still foisting all the overhead > > of LVM on everyone, by default. I would tend to think that for typical > > use cases, LVM brings absolutely nothing value-added. I would expect > > that, with most use cases, people install Fedora with the default > > filesystem layout, and never have the need to move or grow their > > existing partitions. > > Exactly my feelings. LVM may be useful on a production server, or > professional workstation but I've never seen a use for it on a home > computer or personal laptop. Thanks to Ted, Gordon, Robert, Sam, Joe for responding! Sorry, I wanted to mention that I have both these /home partitions (on the same drive) on two laptops. One is ext4 and the other is an xfs. In other words, none of them are LVM (which I have no use for). Does this make a difference? I do have backups in place, but I don't really want to have to go back to them (one of the partitions has 367 GB of data, the other has 100 GB). At the least, it will be disruptive. Best wishes, Ranjan FREE ONLINE PHOTOSHARING - Share your photos online with your friends and family! Visit http://www.inbox.com/photosharing to find out more! -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 11/29/2015 01:19 PM, Sam Varshavchik wrote: I really don't understand why Fedora is still foisting all the overhead of LVM on everyone, by default. I would tend to think that for typical use cases, LVM brings absolutely nothing value-added. I would expect that, with most use cases, people install Fedora with the default filesystem layout, and never have the need to move or grow their existing partitions. Exactly my feelings. LVM may be useful on a production server, or professional workstation but I've never seen a use for it on a home computer or personal laptop. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
Please remember to make backups and more backups. Perhaps also a second user account with a copy of your stuff in case this goes really, really bad. There's a caution at the top of the page that this page has been marked 'old' so proceed with caution. https://fedoraproject.org/wiki/Disk_Encryption_User_Guide#Creating_Encrypted_Block_Devices_on_the_Installed_System_After_Installation On Sun, Nov 29, 2015 at 3:25 PM, Ranjan Maitra wrote: > Hi, > > Is it possible to encrypt a /home partition on F23 without losing the data? > If so, what is the recommended method? > > Many thanks and best wishes, > Ranjan > > > -- > Important Notice: This mailbox is ignored: e-mails are set to be deleted on > receipt. Please respond to the mailing list if appropriate. For those needing > to send personal or professional e-mail, please use appropriate addresses. > > > Can't remember your password? Do you need a strong and secure password? > Use Password manager! It stores your passwords & protects your account. > Check it out at http://mysecurelogon.com/manager > > > -- > users mailing list > users@lists.fedoraproject.org > To unsubscribe or change subscription options: > https://admin.fedoraproject.org/mailman/listinfo/users > Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct > Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines > Have a question? Ask away: http://ask.fedoraproject.org -- Ted Roche Ted Roche & Associates, LLC http://www.tedroche.com -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
Gordon Messmer writes: On 11/29/2015 12:25 PM, Ranjan Maitra wrote: Is it possible to encrypt a /home partition on F23 without losing the data? If so, what is the recommended method? Possible, yes. Supported? No. http://www.johannes-bauer.com/linux/luksipc/ If you trust the author, you might be able to convert a single filesystem in-place to LUKS. The result will not resemble the manner in which Anaconda (the Fedora installer) creates encrypted filesystems. Anaconda will, by default, encrypt a volume group. That might be Anaconda's default behavior, but at least as of F23 Anaconda still lets you create raw+encrypted partitions. I just did that on a new laptop. I really don't understand why Fedora is still foisting all the overhead of LVM on everyone, by default. I would tend to think that for typical use cases, LVM brings absolutely nothing value-added. I would expect that, with most use cases, people install Fedora with the default filesystem layout, and never have the need to move or grow their existing partitions. In the few cases where someone might add another hard drive, an initial LVM- based format will certainly offer an option of growing the existing partitions to the new hard drive. But I wonder how often does that happen, versus how often LVM's overhead ends up getting competely wasted. And, after all, you can still create new partitions on the new hard drive and use them, without LVM. pgpeQRFKZhfXR.pgp Description: PGP signature -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Re: encrypting /home partition post-install
On 11/29/2015 12:25 PM, Ranjan Maitra wrote: Is it possible to encrypt a /home partition on F23 without losing the data? If so, what is the recommended method? Possible, yes. Supported? No. http://www.johannes-bauer.com/linux/luksipc/ If you trust the author, you might be able to convert a single filesystem in-place to LUKS. The result will not resemble the manner in which Anaconda (the Fedora installer) creates encrypted filesystems. Anaconda will, by default, encrypt a volume group. The recommended process is to do a fresh install with encryption, and then restore data from backup. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
encrypting /home partition post-install
Hi, Is it possible to encrypt a /home partition on F23 without losing the data? If so, what is the recommended method? Many thanks and best wishes, Ranjan -- Important Notice: This mailbox is ignored: e-mails are set to be deleted on receipt. Please respond to the mailing list if appropriate. For those needing to send personal or professional e-mail, please use appropriate addresses. Can't remember your password? Do you need a strong and secure password? Use Password manager! It stores your passwords & protects your account. Check it out at http://mysecurelogon.com/manager -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org