Comments on Encrypted Root LVM

Encrypted Root LVM

This tutorial deals only with how to add an extra encrypted physical volume to a volume group pool that already contains other encrypted physical volumes. This is a typical scenario if you first set up encryption at the physical partition level (/dev/sdaX, where X is the number of your partition) and then set up LVM on top of the encrypted partition. If at some later time you want to add another partition to your volume group, you will also want it encrypted, in order to maintain the same level of security.

4 Comment(s)


Comments

By: Anonymous

With the Debian / Ubuntu alternate installer (text), you can select the options of Use whole disk, Use whole disk / lvm, Use whole disk with crypto.

With the last option, it sets up all the encryption - no fuss, no problem, at install.

Much easier than that old Ubuntu Tutorial.

By: Carlos C

This was really helpful to me, and I succeeded in adding an encrypted physical volume while running under Ubuntu 10.04. However, there are a few things I would like to contribute that might help the next person reading this article.

The arguments "lvm=vg0-root,lvm=vg0" from the line added to cryptroot do not seem to be correct as far as I can tell. The correct syntax is "lvm=/dev/mapper/vgname-lvname" where vgname is the volume group name and lvname is the logical volume name. In the scenario described above you only need ONE per line, not TWO. E.g. give "lvm=XXX", not "lvm=XXX,lvm=YYY" on a single line of cryptroot. Since I couldn't find the syntax of cryptroot documented anywhere, I went to the source to figure out the syntax: /usr/share/initramfs-tools/scripts/local-top. [Developers can read methods activate_vg(), setup_mapping(), and parse_options() for details.]

The target variable contains the name of the device file created in /dev/mapper that is associated with the decrypted physical volume. So "target=pvcrypt0" results in the file /dev/mapper/pvcrypt0, which you can then use in a command such as "vgextend vg0 /dev/mapper/pvcrypt0". The source variable can also be used with UUIDs: "source=UUID=ENTER_YOUR_UUID_VALUE_HERE".

You might want to create a backup of your initrd files prior to running "update-initramfs" if you aren't 100% sure of what you're doing. Back up the files returned by "ls /boot/initrd.img-*". Note that the file /etc/initramfs-tools/conf.d/cryptroot may not already exist, so just create it.
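The cryptroot line format discussed in the comment above, as an added example that is not part of the original page or of the commenter's own work: a small POSIX sh linter that splits a cryptroot line into its comma-separated key=value options and checks the points the comment raises (target= and source= present, at most one lvm= per line), which is a cheap way to catch a typo before rebuilding the initrd with update-initramfs. The device names, the UUID placeholder and the sample file are constructed, and the linter only knows the option keys named in the comment.

```shell
#!/bin/sh
# Added example (not code from the tutorial or from the comment above):
# a POSIX sh linter for the comma-separated key=value lines kept in
# /etc/initramfs-tools/conf.d/cryptroot. It checks the points made above:
# each line needs target= and source=, and carries at most one lvm= option.
# Device names, the UUID placeholder and the sample file are constructed.

# lint_cryptroot_line LINE
# Exit status 0 if the line passes, 1 otherwise; findings go to stderr.
lint_cryptroot_line() {
    l_target='' l_source='' l_lvm=0 l_bad=0
    l_oldifs=$IFS
    IFS=,
    for opt in $1; do
        case "$opt" in
            *=*) ;;
            *) echo "  option '$opt' is not key=value" >&2; l_bad=1; continue ;;
        esac
        key=${opt%%=*}        # text before the first '='
        val=${opt#*=}         # text after the first '=' (keeps 'UUID=...' whole)
        case "$key" in
            target) l_target=$val ;;
            source) l_source=$val ;;
            lvm)    l_lvm=$((l_lvm + 1)) ;;
        esac
    done
    IFS=$l_oldifs
    [ -n "$l_target" ] || { echo "  missing target=" >&2; l_bad=1; }
    [ -n "$l_source" ] || { echo "  missing source=" >&2; l_bad=1; }
    [ "$l_lvm" -le 1 ] || { echo "  $l_lvm lvm= options on one line; expected at most one" >&2; l_bad=1; }
    [ -n "$l_target" ] && echo "  mapped device would be /dev/mapper/$l_target"
    return "$l_bad"
}

# lint_cryptroot_file FILE
# Lints every non-blank, non-comment line; exit status is the number of bad lines.
lint_cryptroot_file() {
    f_bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        echo "checking: $line"
        lint_cryptroot_line "$line" || f_bad=$((f_bad + 1))
    done < "$1"
    return "$f_bad"
}

# Constructed sample: the first line follows the comment's advice, the second
# repeats the doubled lvm= form it warns about, the third lacks source=.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed cryptroot sample, not a real configuration
target=pvcrypt0,source=UUID=CONSTRUCTED-UUID-GOES-HERE,key=none,lvm=vg0-root
target=pvcrypt1,source=/dev/sdb2,key=none,lvm=vg0-root,lvm=vg0
target=pvcrypt2,key=none,lvm=vg0-root
EOF
lint_cryptroot_file "$sample" || echo "bad lines: $?"
rm -f "$sample"
```

The linter only reports; it never rewrites the file, so it is safe to run against the real /etc/initramfs-tools/conf.d/cryptroot before update-initramfs. Keys it does not recognise are passed through untouched rather than rejected, since the full option set lives in the initramfs-tools scripts rather than in this example.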

By: Anonymous

Holy grail! Those f*cking diagrams you made above helped me finish my 2 days of trying to install Debian on a hard disk with Windows on it, encrypting the different partitions (root, home and swap) with only one key passphrase.

Thank you so much dude! I owe you a beer! ;-)

By: romulo

It really helped me; there is a lot of mess out there on the internet about root partition encryption, a mix of grub, crypttab, initramfs, etc. Thanks!