luks and lvm

ixeous
Posts: 113
Joined: 2005/07/07 13:01:59

luks and lvm

Post by ixeous » 2015/04/30 20:34:38

I recently moved to CentOS 7 from CentOS 6. I noticed that the default drive encryption moved from lvm over luks to luks over lvm. The difference can be seen via the lsblk command where C6 would have

sda 8:0 0 931.5G 0 disk
├─sda1 8:1 0 1G 0 part /boot
└─sda2 8:2 0 930.5G 0 part
  └─luks-{long-string} (dm-0) 253:0 0 930.5G 0 crypt
    ├─VGsys-LVroot (dm-1) 253:1 0 4G 0 lvm /
    ├─VGsys-LVswap (dm-2) 253:2 0 8G 0 lvm [SWAP]
    ├─VGsys-LVtmp (dm-3) 253:3 0 4G 0 lvm /tmp
    ├─VGsys-LVhome (dm-4) 253:4 0 400G 0 lvm /home
    ├─VGsys-LVusr (dm-5) 253:5 0 40G 0 lvm /usr
    └─VGsys-LVvar (dm-6) 253:6 0 200G 0 lvm /var

and C7 has

sda 8:0 0 465.8G 0 disk
├─sda1 8:1 0 2G 0 part /boot
└─sda2 8:2 0 310G 0 part
  ├─VGsys-LVswap 253:0 0 8G 0 lvm
  │ └─luks-{long-string} 253:5 0 8G 0 crypt [SWAP]
  ├─VGsys-LVroot 253:1 0 2G 0 lvm
  │ └─luks-{long-string} 253:3 0 2G 0 crypt /
  ├─VGsys-LVusr 253:2 0 40G 0 lvm
  │ └─luks-{long-string} 253:4 0 40G 0 crypt /usr
  ├─VGsys-LVvar 253:6 0 8G 0 lvm
  │ └─luks-{long-string} 253:9 0 8G 0 crypt /var
  ├─VGsys-LVhome 253:7 0 244.1G 0 lvm
  │ └─luks-{long-string} 253:10 0 244.1G 0 crypt /home
  └─VGsys-LVtmp 253:8 0 2G 0 lvm
    └─luks-{long-string} 253:11 0 2G 0 crypt /tmp

What are the advantages of luks over lvm vs lvm over luks?
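As an added illustration (not part of the thread), a small Python checker that reads parsed `lsblk -J -o NAME,TYPE,MOUNTPOINT` output and reports, per mount point, which of the two layerings is in use, plus which LVM devices sit outside any LUKS container, since in the LUKS over LVM layout the VG/LV names, sizes and layout are readable from the raw disk without a passphrase. The two trees are constructed to mirror the C6 and C7 outputs above with placeholder device names.

```python
# Constructed samples shaped like parsed `lsblk -J -o NAME,TYPE,MOUNTPOINT` output,
# mirroring the C6 (LVM over LUKS) and C7 (LUKS over LVM) trees above; names are placeholders.
LVM_OVER_LUKS = {"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": None, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": None, "children": [
      {"name": "luks-1111", "type": "crypt", "mountpoint": None, "children": [
        {"name": "VGsys-LVroot", "type": "lvm", "mountpoint": "/"},
        {"name": "VGsys-LVhome", "type": "lvm", "mountpoint": "/home"}]}]}]}]}
LUKS_OVER_LVM = {"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": None, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": None, "children": [
      {"name": "VGsys-LVroot", "type": "lvm", "mountpoint": None, "children": [
        {"name": "luks-2222", "type": "crypt", "mountpoint": "/"}]},
      {"name": "VGsys-LVhome", "type": "lvm", "mountpoint": None, "children": [
        {"name": "luks-3333", "type": "crypt", "mountpoint": "/home"}]}]}]}]}

def _devices(tree):
    """Yield (node, chain of ancestors ending in node) for every device."""
    stack = [(d, (d,)) for d in tree["blockdevices"]]
    while stack:
        node, chain = stack.pop()
        yield node, chain
        stack.extend((c, chain + (c,)) for c in node.get("children", []))

def classify(tree):
    """Map each mount point to the layering of the stack beneath it."""
    result = {}
    for node, chain in _devices(tree):
        mnt = node.get("mountpoint")
        if not mnt:
            continue
        types = [n["type"] for n in chain]          # disk -> ... -> this node
        if "crypt" not in types:
            result[mnt] = "unencrypted"
        elif "lvm" not in types:
            result[mnt] = "plain-luks"
        elif types.index("crypt") < types.index("lvm"):
            result[mnt] = "lvm-over-luks"   # one LUKS container wraps the whole VG
        else:
            result[mnt] = "luks-over-lvm"   # each LV carries its own LUKS header
    return result

def cleartext_lvm(tree):
    """LVM devices with no crypt ancestor: VG/LV names, sizes and layout readable without a passphrase."""
    return sorted(n["name"] for n, chain in _devices(tree)
                  if n["type"] == "lvm"
                  and not any(a["type"] == "crypt" for a in chain[:-1]))
```

On a live system, pass `json.load` of the `lsblk -J -o NAME,TYPE,MOUNTPOINT` output to the same two functions.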

ixeous
Posts: 113
Joined: 2005/07/07 13:01:59

Re: luks and lvm

Post by ixeous » 2016/08/08 19:33:06

First, I apologize for resurrecting such an old thread. The LUKS over LVM vs
LVM over LUKS issue has just cropped back up for me. I just wanted to share
and document how I performed an LVM over LUKS install rather than the default
LUKS over LVM in CentOS 7.

**** DISCLAIMER: I prefer LVM over LUKS. If you do not understand the
differences and impact of this configuration stick with the default
configuration.


https://www.linux.com/blog/how-full-enc ... m-lvm-luks has most
of the steps required for creating an LVM over LUKS scheme. These instructions
take that information and tweak it to fit the installation of CentOS 7.

Summary:
1. Switch from the installer GUI to the CLI
2. Create partitions on the hard drive for /boot and everything else
3. Use cryptsetup to configure encryption
4. Create LVM volumes in the encrypted partitions
5. Close the LUKS device
6. Return to the GUI and refresh the drives
7. Select the volumes created in the CLI and reformat them.


Detail:
1. Boot to the installation image. I clicked through the language selection.
Press CTRL-ALT-F2 to get to the Bash shell prompt
2. Use fdisk to create sda1 and sda2. sda1 will be the /boot partition and
remain unencrypted. sda2 will be encrypted and hold the LVM volumes
3. Create the encrypted device
a. Use cryptsetup benchmark to see the various options and performance.
The output will look something like

# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1 296207 iterations per second
PBKDF2-sha256 165494 iterations per second
PBKDF2-sha512 106045 iterations per second
PBKDF2-ripemd160 232809 iterations per second
PBKDF2-whirlpool 109959 iterations per second
# Algorithm | Key | Encryption | Decryption
aes-cbc 128b 103.7 MiB/s 122.6 MiB/s
serpent-cbc 128b 38.9 MiB/s 148.4 MiB/s
twofish-cbc 128b 99.2 MiB/s 137.9 MiB/s
aes-cbc 256b 83.1 MiB/s 92.9 MiB/s
serpent-cbc 256b 42.5 MiB/s 150.8 MiB/s
twofish-cbc 256b 104.2 MiB/s 136.8 MiB/s
aes-xts 256b 120.9 MiB/s 122.7 MiB/s
serpent-xts 256b 133.1 MiB/s 142.1 MiB/s
twofish-xts 256b 124.8 MiB/s 128.7 MiB/s
aes-xts 512b 92.6 MiB/s 93.3 MiB/s
serpent-xts 512b 134.9 MiB/s 141.5 MiB/s
twofish-xts 512b 127.8 MiB/s 128.8 MiB/s


b. Create the LUKS partition. You will be prompted to enter the password
to access the device twice
# cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sda2

c. Open the new LUKS device and randomize the data
# cryptsetup luksOpen /dev/sda2 sda2_crypt
# dd if=/dev/zero of=/dev/mapper/sda2_crypt

4. Create the LVM within the device
# pvcreate /dev/mapper/sda2_crypt
# vgcreate VGname /dev/mapper/sda2_crypt
# lvcreate -n LVroot -L 4G VGname
# lvcreate -n LVusr -L 40G VGname
# lvcreate -n LVvar -L 4G VGname
# lvcreate -n LVswap -L 8G VGname
(etc until all required volumes are created)

5. Close the LUKS device so the GUI installer can access it
# vgchange -an (removes the LVM devices so the encrypted device can be
closed)
# cryptsetup luksClose sda2_crypt

6. Press CTRL-ALT-F6 to return to the GUI. You may need to rescan the drives
in order for them to show up. You should then be able to select the drive.
When you access the encrypted partition, the GUI will ask for the passphrase to
unlock the drive. It will then see the LVM volumes created earlier.

7. Select the previously configured /boot partition and LVM volumes for the
various mount points. Check Reformat and choose the filesystem to use. The
default for CentOS 7 is now XFS.

FranekW
Posts: 36
Joined: 2017/05/11 21:19:21

Re: luks and lvm

Post by FranekW » 2018/05/12 12:47:42

OK.

I'll resurrect this post again to say thank you :) It helped me to encrypt a disk with LVM and avoid using LUKS on LVM, which I'd rather want to avoid.

There were only two slight problems.
I had to reboot the computer and restart the installer after re-configuring and repartitioning the SSD with fdisk. For some reason, the drive was locked by the kernel and I could not create and format any encrypted partitions: `cryptsetup luksFormat` was not successful. After the restart it was ok.
The second: the command `lvcreate -n LVroot -L 4G VGname` did not work in this form. I exchanged parameter positions after reading the manual:

Code:

lvcreate -L 32G -n lv-root VGname

Also there is another option `-l` which helps to create the last lv partition that is going to cover the entire free space left:

Code:

lvcreate -l 100%FREE -n lv-home VGname
