Re: Make fully encrypted disk without LVM during install



Hi Jon,

> The system on which you might want to read the disk will need to know
> how to decrypt it. Do you anticipate hot-plugging it to a running
> machine, or trying to boot from it?

In this situation I will have a disk which is used to boot one machine, but
does contain data that will be needed on another machine. That machine will
definitely not use this disk to boot from, but just as a data disk.

I know I could move the data around as an encrypted archive, but my customer
wants a solution where the data is only stored on one disk. And yes, they are
aware of the potential risks that brings with it. Still, that's how they want
it.

> The convenience-partitioning-scheme offered by d-i which uses LVM and
> encryption also creates a non-encrypted, non-LVM /boot partition, within
> which the kernel and initramfs are stored. These are set up to
> understand how to interpret both the encryption and LVM. I'm having
> trouble seeing why LVM would be much more pain than encryption already
> brings you, from a portable POV. (I suppose it's one fewer command to
> type!)

Ever tried to put a fully encrypted disk with LVM in another machine, without
booting from it? If you boot from it there's almost no hassle at all. I know
it is possible to mount such a disk. I've used the scenario described at
http://canonical.org/~kragen/crypted-disk.html often enough. However, for this
situation I need something a bit more user-friendly. Preferably a scenario where
my customer only needs to enter his password when mounting. That's why I
thought of leaving LVM out of the picture altogether. In this situation it has
no purpose at all, so why use it then?

Thanks for trying to help.

Grx HdV
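
The difference discussed in this message, as an added example that is not part of the original post: after unlocking a LUKS device on a second machine, the remaining steps depend on whether it holds a filesystem directly or an LVM physical volume. The function names, device path, mapping name and mount point are assumptions; `<vg>/<lv>` is a placeholder for whatever `lvs` reports.

```sh
#!/bin/sh
# Added example, not from the original post. All names are hypothetical.

# Print the commands still needed after `cryptsetup open`, given the content
# type that blkid reports for the unlocked mapping.
#   $1 = inner type, $2 = mapper path, $3 = mount point
steps_after_unlock() {
    case "$1" in
        LVM2_member)
            # LUKS wraps an LVM physical volume: the volume group must be
            # discovered and activated, and a logical volume picked, first.
            echo "vgscan"
            echo "vgchange -ay"
            echo "lvs -o vg_name,lv_name,lv_path"
            echo "mount /dev/<vg>/<lv> $3"
            ;;
        "")
            echo "error: no recognisable content on $2" >&2
            return 1
            ;;
        *)
            # LUKS wraps a filesystem directly: a single mount is enough.
            echo "mount $2 $3"
            ;;
    esac
}

# Unlock the device (cryptsetup prompts for the passphrase), then report
# what is left to do.  $1 = block device, $2 = mapping name, $3 = mount point
open_data_disk() {
    cryptsetup isLuks "$1" || { echo "$1 is not a LUKS device" >&2; return 1; }
    cryptsetup open "$1" "$2" || return 1
    inner_type=$(blkid -o value -s TYPE "/dev/mapper/$2") || inner_type=""
    steps_after_unlock "$inner_type" "/dev/mapper/$2" "$3"
}

# Run only when called as: script <device> <mapping-name> <mount-point>
if [ "$#" -eq 3 ]; then
    open_data_disk "$@"
fi
```

Run as root with three arguments; with none, the file only defines the functions.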

