Linux

Use encrypted filesystems with Linux Logical Volume Manager

Vincent Danen favors the Logical Volume Manager (LVM) for easy partitioning in Linux and tells you how to take advantage of its volume encryption feature.

On all recent Red Hat and Fedora installs, the default partitioning scheme involves using LVM (Logical Volume Manager) for Linux. LVM allows you to resize partitions with ease; you can create a number of volumes at arbitrary sizes within the LVM partition, leaving some space as unassigned. If you find a volume starting to get full, simply resize it using the unallocated space and your volume grows in a non-destructive way. No need to create extra mount points, shuffle data around, or create and remove partitions. LVM makes managing filesystems in Linux extremely simple.

Another nice feature of LVM is the ability to encrypt volumes. You can opt to encrypt the entire LVM partition, resulting in everything being encrypted, or you can encrypt certain volumes alone. For anyone using a laptop, encrypting the /home volume makes sense as it keeps your confidential data secure in the case of loss or theft.

During the install of Fedora, Red Hat Enterprise Linux, CentOS (and possibly other distributions), when creating the initial hard drive partitioning, you can select whether or not to encrypt the volumes.

With the Anaconda installer, you can select Remove All Partitions On Selected Drives And Create Default Layout, and then tick the Encrypt System option to do so. To make sure it is doing what you want, be sure to check the Review And Modify Partitioning Layout on the same screen. As well, if you do not want to encrypt the LVM partition itself, but just certain volumes within it, be sure that you do not check the Encrypt System option.

On the partitioning screen, you will be able to easily identify which partitions or volumes are encrypted as they show the lock symbol in the Format field. On this screen, you can also add or remove volumes within the LVM group, and when selecting the volume and clicking the Edit button, you can then select whether or not a particular volume will be encrypted (if you opted to not encrypt the entire LVM partition).

You will be asked for a passphrase to unlock the volumes and/or partitions at boot. Ensure it is a good passphrase, and one you will remember.

On the next reboot, the boot process will be interrupted with a password prompt. Put the passphrase you used to encrypt the LVM volume here, and the boot will continue.

From a functional standpoint, the system will act no differently (other than the initial password prompt) than if it were using regular partitions or volumes. The mount point, however, rather than being a partition like /dev/sda2 or an LVM volume like /dev/mapper/VolGroup00-LogVol01, will show up as /dev/mapper/luks-b4707e41-e97c-4fb8-aacf-277101197885 (or something equally strange). Looking at that, you can tell which volumes are encrypted and which are not.

Finally, an encrypted volume is just as resizable as a normal one. And because the encryption system used is LUKS (Linux Unified Key Setup), you can mount these volumes in other systems using different Linux distributions (provided they have LUKS support), and even on Windows with the FreeOTFE program.

Get the PDF version of this tip here.

Delivered each Tuesday, TechRepublic's free Linux and Open Source newsletter provides tips, articles, and other resources to help you hone your Linux skills. Automatically sign up today!

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

12 comments
Photogenic Memory
Photogenic Memory

http://www.engadget.com/2008/02/21/cold-boot-disk-encryption-attack-is-shockingly-effective/ To be honest; this is going further than I've ever attempted to do before. I wonder if it'll work on LUKS LVM encryption. I hate to think this is the only way I could ever get to my lost information. I guess I could figuratively "rinse, lather, and repeat" to get it right as long as the memory module hangs in there, LOL! I'm at a loss. I guess in the end I'd have to save my information in multiple secure places to prevent accidents. What a caveat!

Photogenic Memory
Photogenic Memory

I am attempting to find a method of decrypting the LVM to regain access to the information. In my research; I found this link: http://lists.opensuse.org/opensuse/2008-04/msg02199.html The author talks about modifying the /etc/crypttab file to make single password access to the system instead of putting in a pass-phrase. I thought it was interesting enough to share. I might try this myself in the near future.

Photogenic Memory
Photogenic Memory

I'm like everyone else. I forget sometimes to write or memorize things. It happens. However; in this case, how can I recover the password or gain access to the newly encrypted volume if I've forgotten the password? If I have local asscess to the box; can I root it and regain access to the volume? Or do I have to take extra steps to decrypt LUKS some way some how? People are going to be asking these questions? I'd like to know how to rescue a system and it's info in case problems arise. Thanks in advance.

Tony K
Tony K

While LVM does provide a wealth of benefits, few are used outside of a server environment. A person using a laptop, for example, is going to have no need of the ability to expand a volume. For those folks, using Truecrypt's ability to encrypt an entire volume might be a better solution.

utusen
utusen

LVM brings lot of advantages, however what if RAID is intended to use with software based configuration rather than hardware configuration? As far as I remember, using LVM encrypted method causes some problem when RAID (software based) is used. In addition, I read an article sometime ago, it was saying that using LVM encrypted method may cause slowness on the system.

techrepublic@
techrepublic@

"How can I recover the password?" You can't. There is no easy way to recover a password, for obvious reasons. Hopefully, not even a difficult way. "Can I root it and regain access to the volume?" No. "Or do I have to take extra steps to decrypt LUKS some way some how?" No, there is no alternate way to unlock LUKS volumes. With LUKS you can setup several passwords. One way you can use this feature is to setup two password. The first is the password you memorize and normally use. The second is your backup password. This could be a section of a book and you would only have to remember what book and what section. Alternatively, you could write down the password and keep it in a very safe and very secret place, just in case your memory fails.

vdanen
vdanen

Well, you could use TrueCrypt... that is another option. And no, if you used a laptop with one or two partitions you probably wouldn't need to resize it (I, for one, don't do that so LVM is nice for me). Also, you can create a full LVM volume... you don't *have* to make use of the resizing features. I have to plead ignorance to how TrueCrypt handles encrypting volumes, but I like LVM's flexibility in allowing me to encrypt only certain partitions or the entire volume so that everything from /boot to /tmp is encrypted (in fact, the latter is a requirement for the laptop I'm using it on).

kmdennis
kmdennis

I am not a Linux power user at all. In fact I can install and configure it a little. However I remember trying to set up a Web server using MySQL and always had to provide the passphrase when making a connection to the db and that appeared to be a result of the volume encryption. Anyways, what is point of encrypting the volume on the server? If the encryption is for security of data in the even of the volume being stolen, what are the chances that the server will be stolen? If that is the case, then you have the Physical security issue to deal with in the first place.

techrepublic@
techrepublic@

I have a system with the following setup: Two equal ATA disks associated in a RAID-1 array block device named md0. md0 is encrypted resulting in a block device named cy0. cy0 contains a LVM physical volume and is split in to several logical volumes with corresponding devices. I use this setup to backup all my personal systems. On a CPU idle system, the throughput difference (dd if=/dev/??? of=/dev/null and dd if=/dev/zero of=/dev/???) between the ATA disks and the final logical volumes is less than 5%. If the CPU is under heavy loaded then the encryption will have to compete for the CPU, resulting in decrease throughput.

Photogenic Memory
Photogenic Memory

Wow. That's some security. I guess if your going to decide on implementing encryption; your pretty much stuck with it. There's no going back. Decisions decisions. I guess some serious preparation is really in order here. Thanks for responding.

Tony K
Tony K

Trucrypt encrypts entire partitions. You can also encrypt the partition with the OS on it. When I boot my laptop, I'm greeted by the TrueCrypt bootloader. The bootloader gives no indication what's on the box (no list of OSes, for example), just a prompt for a password. An interesting item I haven't tried is their concept of a "hidden" OS. You install an OS into one partition and put no sensitive files in there. You then put another instance of this OS on another partition. Encrypt both with different passwords. Then, if you're being pressured to give the password, you enter the one for the non-sensitive partition. TC will then try to decrypt each partition and boots the OS that decrypts. If someone examines the drive, all they'll find is what appears to be random data on the remaining drive space.

vdanen
vdanen

I'm not sure what the benefits of encrypting a volume that has mysql on it would be. I'm not sure why you would be asked for the passphrase everytime there was a database connection opened. If it was a filesystem-level encryption, you should only have to enter the password once: when you mount the filesystem. It would then be transparent to users after that.

Editor's Picks