LVM - questions

This topic is closed.


    I'm new to LVM, and have been searching for material online, to become better informed. I'm also out of time and need to keep moving forward. So, here are my questions:

    I am concluding a clean install of 15.04 to a 160GB hard drive box. At the drive setup screen in the install sequence, I opted for "Guided - use entire disk and setup encrypted LVM". When offered the option of an encrypted /home partition, I said NO (based on a thread I'd read on an Ubuntu forum, where things didn't work UNLESS the drive was set up this way).

    My goal is that there be NO raw data on the drive which a thief could read, as I have client data to protect. That means that both system and /home areas need to be encrypted.

    The problem is that the setup confuses me. If I have an "encrypted LVM", is or is not the entire hard drive encrypted? And if it is, then why am I offered the option of an encrypted /home?

    I'd be very grateful for any clarifications on my situation anyone can offer.

    ===== UPDATE - for those who come after me! =====

    FIRST: Here's a really fine general article about disk encryption - https://wiki.archlinux.org/index.php/Disk_encryption

    An excellent reference and good place to start one's study, before getting too committed to any one approach. One revision to it however - I have it from very reliable sources that TrueCrypt is no longer being maintained. I've used it, but do no longer, for this reason. I do think my current solution (see below) is far better.

    1. GUI management of LVM volumes: Most documentation on LVM is about command line management. For example, see:

    * "A simple introduction to working with LVM" - https://www.debian-administration.or...rking_with_LVM
    * "Setup and use the Logical Volume Manager (LVM) on Debian" - http://howto.biapy.com/en/debian-gnu...-lvm-on-debian
    * "LVM manager - graphical" - a forum thread about LVM management which looks useful; it's actually about command line management - http://www.linuxquestions.org/questi...phical-934846/

    All of that is fine, but it's also too fine-grained for most needs, I expect - especially mine.

    Here's a decent tutorial about using a GUI - "Linux Sysadmin: How To Manage LVMs With a GUI" - http://www.howtogeek.com/howto/36568...-it-in-ubuntu/

    There are two graphic management tools in the KB packages:

    a. "kvpm" - the KDE graphic manager for LVM. It has a handbook which appears on my initial scan to be well developed.

    b. "system-config-lvm" - from Red Hat, it's been adapted to run in Ubuntu

    I can't strongly recommend one over the other, as I've only just launched them both, but my initial impressions lead me to favor kvpm. Its GUI is well laid out, and has plenty of useful options and an excellent R-click menu. For now, I'm going with kvpm.

    2. Answer to my main question: Having selected the "Guided - use entire disk and setup encrypted LVM" option at disk setup, what did I actually get? Inasmuch as my single logical volume /dev/sda5, on the "storage devices" tab, has a usage designation of "crypto-LUKS", I'd bet that everything except /boot is encrypted, which is exactly what I wanted.

    NOT selecting the encryption option for /home makes plenty of sense, now. It's already encrypted. I don't know if selecting that option would have resulted in a double encryption, but I see no reason to gamble on it.

    So, all's well. Am closing this thread.
    Last edited by tomcloyd; Jun 08, 2015, 05:52 PM. Reason: updated post again

    #2
    I'm getting no response on this. Is no one else using LVM? Is it a silly question?



      #3
      It's a good question.

      I'm not using LVM ...
      I'd rather be locked out than locked in.



        #4
        Me neither, but if I wanted to set it up, I would follow these:

        https://www.debian-administration.or...rking_with_LVM

        http://howto.biapy.com/en/debian-gnu...-lvm-on-debian

        I think I recall reading that there is little reason to encrypt the root filesystem if you are using a separate /home partition, since there is normally no sensitive personal data on / (of course the user passwords are there, but not easily discovered ....).



          #5
          Thanks to all for responses. Much appreciated! Opting to encrypt everything seemed inherently more secure, in theory, and my time to study the matter is small. The issue isn't my own personal data, but notes and such on clients. I just cannot be sure where stuff might be left hanging around, in backups and buffers and such. I'd expect it to be in /home, but the problem is that I'm not informed enough to really know. AND I need to grab a quick solution and keep running.

          So far, my clean install of 15.04 on my HP netbook is doing quite well. I'm pleased.

          dibl - thanks for the links. I'll go study.
          Last edited by tomcloyd; Jun 08, 2015, 02:15 PM. Reason: correct error in KB vers. no.



            #6
            In the interests of providing useful documentation for those who follow, I'm updating my initial post. I'll be marking this as solved.



              #7
              The Arch wiki page about disk encryption has an excellent explanation and comparison of various encryption strategies. Note that if you plan to truly encrypt the entire disk, then you'll need to prepare the system to boot from some other unencrypted media -- typically a USB drive. This is because a computer's firmware has no access to the necessary keys.



                #8
                OK - but do I have this right? The KDE GUI LVM manager kvpm tells me that /dev/sda1 is ext2 and /boot, while all the rest is /dev/sda2 and crypto_LUKS.

                You're concerned about encrypting literally ALL the disk, but that's not what the Kubuntu disk setup utility does when I select "Guided - use entire disk and setup encrypted LVM".

                Do you agree? And if so, that resolves the problem you were addressing, yes?

                Thanks! (as always)

                And thanks for that link - I'll go study it. Much appreciated.



                  #9
                  Your scenario matches example 4 in the Arch wiki. Because /boot is unencrypted, the system can boot itself.

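An added example, not part of any post in this thread: one way to check from the command line what the thread works out in kvpm, namely which mounted filesystems sit on top of a dm-crypt (LUKS) mapping and which do not. The sample `lsblk` output is constructed to resemble the layout described above; the `dm-*` names and the assumption that every device has a single parent are illustrative.

```python
import re
import subprocess

# Constructed sample of `lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT` output
# for a /boot + LUKS + LVM layout like the thread's (dm-* names are assumptions).
SAMPLE = '''\
KNAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="ext2" MOUNTPOINT="/boot"
KNAME="sda5" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda5" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]"
'''

PAIR = re.compile(r'(\w+)="([^"]*)"')

def parse(text):
    """Return {KNAME: row-dict} from lsblk --pairs output."""
    rows = [dict(PAIR.findall(line)) for line in text.splitlines() if line.strip()]
    return {r["KNAME"]: r for r in rows}

def is_encrypted(dev, devices):
    """True if dev or any ancestor is a dm-crypt mapping (TYPE == crypt)."""
    seen = set()
    while dev in devices and dev not in seen:
        seen.add(dev)
        if devices[dev]["TYPE"] == "crypt":
            return True
        dev = devices[dev]["PKNAME"]  # walk up: LV -> crypt mapping -> partition
    return False

def audit(text):
    """Map each mounted filesystem or swap area to True (encrypted) or False."""
    devices = parse(text)
    return {r["MOUNTPOINT"]: is_encrypted(k, devices)
            for k, r in devices.items() if r["MOUNTPOINT"]}

def live_lsblk():
    """Collect the same columns from the running system."""
    return subprocess.run(
        ["lsblk", "-P", "-o", "KNAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    for mount, enc in sorted(audit(SAMPLE).items()):
        print(f"{mount:8} {'encrypted' if enc else 'PLAINTEXT'}")
```

Pass `live_lsblk()` to `audit()` to run the check against a real machine. It sees only block-layer encryption; file-level encryption layered on an already mounted filesystem does not appear in `lsblk`.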


                    #10
                    Nice writeup (Post #1), tomcloyd. A good idea for complicated issues. I know how much time you spent doing it (not insignificant, done that nicely).
                    An intellectual says a simple thing in a hard way. An artist says a hard thing in a simple way. Charles Bukowski



                      #11
                      Thanks, Qqmike! I appreciate that. I do a lot of writing, in my own field, and much of it is summaries of complex material. My writeup above was done fast, of necessity, and doesn't really give much information, but does point to where it is, in good part because of the great help I got here - as always. After years of participation, this forum is one of my very favorite places on the web. I just wanted to leave info. for the next visitor, since I myself looked for it, to begin with, and found nothing at all.

                      And I have to say that I'm VERY pleased now that I have an LVM encrypted hard drive. For the first time ever, I think my data is truly secure. In my field (psychotherapy), there is a legal issue to be addressed about that - being "HIPAA compliant" in our data management. This meets one of the major requirements - secure storage. And I do NOT see any perceptible slowing of my system use - and this is on an already slow HP netbook.



                        #12
                        Thanks, Steve. And that Arch wiki article is simply fantastic. Very very helpful for folks like me. Am so grateful for your help. I've added it to my "update" above.



                          #13
                          The Arch wiki is a great source of information even for those who don't use Arch.



                            #14
                            Again, thanks for the tip. I'll definitely add this to my reference library. Coming from you, the recommendation means a lot.

