From ArchWiki
Revision as of 18:15, 5 August 2012 by Javex (talk | contribs) (Created page with "==Using multiple hard drives, LVM & encryption== ===Introduction=== This section explains how to use multiple physical hard drives that should be encrypted an highly dynamic ...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Using multiple hard drives, LVM & encryption


This section explains how to use multiple physical hard drives that should be encrypted an highly dynamic with LVM usage. Imagine the following scenarion: You have two or more phsyical drives that should be merged into a single volume group with LVM (and one or multiple logical volumes afterwards). Also you don't want these drives to be mounted on boot (so not a system drive).

Generally, you have two options on the order: either use LVM first and then encrypt the created drives, or use encryption first and then create the LVM inside. If you have a single phyiscal drive, it is easy to decide on encryption first, simply, because it is the most convenient way and you only need to enter / provide a passphrase or keyfile once. But if you have multiple physical drives, you could want to create the LVM first and then the encryption on that LVM drive. The problem: LVM is supposed to be dynamic and you destroy all of this dynamic by applying encryption: Since LVM does not understand the filesystem type, it cannot neither reduce nor extend space (and hence adding a new physical drive would be a very hard task).

So again it seems that encryption first is a good option but imagine having 10 harddrives that all need to be decrypted. Using a passphrase for each drive is not very convenient, because you have to enter it everytime (if you can't cache it or don't want to). Using a keyfile has the disadvantage of having an unencrypted file ready to decrypt every drive (rendering encryption useless). So the best approach is to have one (or multiple) keyfiles which are encrypted. While there are guides for this during boot-up nothing has been suggested for runtime usage.


Note: This guide uses a lot of commands from LVM and dm-crypt, so if anything problematic occurs, look at the articles for guidance.