
Use encrypted filesystems with Linux Logical Volume Manager

Vincent Danen favors the Logical Volume Manager (LVM) for easy partitioning in Linux and tells you how to take advantage of its volume encryption feature.

On all recent Red Hat and Fedora installs, the default partitioning scheme involves using LVM (Logical Volume Manager) for Linux. LVM allows you to resize partitions with ease; you can create a number of volumes at arbitrary sizes within the LVM partition, leaving some space as unassigned. If you find a volume starting to get full, simply resize it using the unallocated space and your volume grows in a non-destructive way. No need to create extra mount points, shuffle data around, or create and remove partitions. LVM makes managing filesystems in Linux extremely simple.

Another nice feature available with LVM is the ability to encrypt volumes. You can encrypt the entire LVM partition, so that everything inside it is encrypted, or you can encrypt only certain volumes. For anyone using a laptop, encrypting the /home volume makes sense, as it keeps your confidential data secure in the case of loss or theft.

During the install of Fedora, Red Hat Enterprise Linux, CentOS (and possibly other distributions), when creating the initial hard drive partitioning, you can select whether or not to encrypt the volumes.

With the Anaconda installer, you can select Remove All Partitions On Selected Drives And Create Default Layout, and then tick the Encrypt System option to do so. To make sure it is doing what you want, be sure to check Review And Modify Partitioning Layout on the same screen. Likewise, if you do not want to encrypt the LVM partition itself, but only certain volumes within it, be sure that you do not check the Encrypt System option.

On the partitioning screen, you will be able to easily identify which partitions or volumes are encrypted as they show the lock symbol in the Format field. On this screen, you can also add or remove volumes within the LVM group, and when selecting the volume and clicking the Edit button, you can then select whether or not a particular volume will be encrypted (if you opted to not encrypt the entire LVM partition).

You will be asked for a passphrase to unlock the volumes and/or partitions at boot. Ensure it is a good passphrase, and one you will remember.

On the next reboot, the boot process will be interrupted with a password prompt. Enter the passphrase you used to encrypt the LVM volume here, and the boot will continue.

From a functional standpoint, the system will act no differently (other than the initial password prompt) than if it were using regular partitions or volumes. The device behind the mount point, however, rather than being a partition like /dev/sda2 or an LVM volume like /dev/mapper/VolGroup00-LogVol01, will show up as /dev/mapper/luks-b4707e41-e97c-4fb8-aacf-277101197885 (or something equally strange). Looking at that, you can tell which volumes are encrypted and which are not.
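The naming convention above is enough to audit a running system from its mount table. The following script is an added example, not code from the article: it reads records in /proc/mounts format, classifies each block-device-backed filesystem as encrypted or plain from the luks-<UUID> mapper name, and lists the data volumes that are still unencrypted. The sample mount table is constructed to match the article's device names.

```shell
#!/bin/sh
# Added example (not from the article): flag which mounted filesystems sit on a
# LUKS mapping. The installer names such mappings /dev/mapper/luks-<UUID>, so
# the mapper name alone separates encrypted volumes from plain ones.
# Input is in /proc/mounts format: "device mountpoint fstype options dump pass".

# Constructed sample in /proc/mounts format; on a live system feed the real
# table instead with:  classify_mounts < /proc/mounts
SAMPLE_MOUNTS='/dev/sda1 /boot ext3 rw,relatime 0 0
/dev/mapper/VolGroup00-LogVol00 / ext3 rw,relatime 0 0
/dev/mapper/luks-b4707e41-e97c-4fb8-aacf-277101197885 /home ext3 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# classify_mounts: reads mount records on stdin and prints
# "<mountpoint> encrypted|plain" for every filesystem backed by a /dev node;
# pseudo filesystems (tmpfs, proc, sysfs) have no /dev device and are skipped.
classify_mounts() {
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in
            /dev/mapper/luks-*) printf '%s encrypted\n' "$mnt" ;;
            /dev/*)             printf '%s plain\n' "$mnt" ;;
            *)                  ;;
        esac
    done
}

# unencrypted_data_mounts: prints the mount points on plain devices that may
# hold user data. /boot is excluded because the bootloader has to read it
# before any passphrase can be entered, so it is expected to stay plain.
unencrypted_data_mounts() {
    classify_mounts | awk '$2 == "plain" && $1 != "/boot" { print $1 }'
}

# Run against the constructed sample: /home is encrypted, / is not.
printf '%s\n' "$SAMPLE_MOUNTS" | classify_mounts
printf '%s\n' "$SAMPLE_MOUNTS" | unencrypted_data_mounts
```

The mapper-name check is a heuristic that depends on the installer's naming; a mapping opened by hand under another name would be reported as plain. The authoritative check is `cryptsetup status <mapping-name>` (or `cryptsetup isLuks <device>` on the underlying partition or logical volume), both of which need root.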

Finally, an encrypted volume is just as resizable as a normal one. And because the encryption system used is LUKS (Linux Unified Key Setup), you can mount these volumes on other systems running different Linux distributions (provided they have LUKS support), and even on Windows with the FreeOTFE program.
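The installer does the LUKS setup for you, but the same layering (LVM logical volume underneath, LUKS mapping on top, filesystem inside) can be built and grown by hand after installation. The script below is an added example, not code from the article or from Red Hat: it encrypts an existing empty logical volume, registers it in /etc/crypttab and /etc/fstab so the boot process prompts for the passphrase as the article describes, and grows an encrypted volume in place. The volume group and logical volume names follow the article's VolGroup00/LogVol01 convention and are assumptions for your system; the two helpers that build the crypttab and fstab lines run anywhere, while the device-level steps require root and a volume whose contents you are prepared to destroy.

```shell
#!/bin/sh
# Added example, not from the article: put LUKS on an existing LVM logical
# volume after installation, make it unlock at boot, and grow it later.
# Names like /dev/VolGroup00/LogVol01 are assumptions; adjust for your system.
# Destructive steps run only when invoked explicitly with a subcommand as root.

set -eu

# crypttab_line NAME UUID: the /etc/crypttab entry that makes the boot process
# prompt for the passphrase and expose the volume as /dev/mapper/NAME.
crypttab_line() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# fstab_line NAME MOUNTPOINT FSTYPE: the /etc/fstab entry for the mapped device.
fstab_line() {
    printf '/dev/mapper/%s %s %s defaults 1 2\n' "$1" "$2" "$3"
}

# encrypt_lv LV MOUNTPOINT: luksFormat the LV (destroying its contents), open it
# under the installer-style name luks-<UUID>, create a filesystem and append the
# boot-time entries. Requires root and an LV holding nothing you want to keep.
encrypt_lv() {
    lv=$1; mnt=$2
    [ "$(id -u)" -eq 0 ] || { echo "encrypt_lv: run as root" >&2; return 1; }
    [ -b "$lv" ] || { echo "encrypt_lv: $lv is not a block device" >&2; return 1; }
    cryptsetup luksFormat "$lv"              # asks for confirmation and a passphrase
    uuid=$(cryptsetup luksUUID "$lv")
    name="luks-$uuid"
    cryptsetup luksOpen "$lv" "$name"        # asks for the passphrase again
    mkfs.ext4 "/dev/mapper/$name"
    crypttab_line "$name" "$uuid" >> /etc/crypttab
    fstab_line "$name" "$mnt" ext4 >> /etc/fstab
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
}

# grow_encrypted_lv LV SIZE: enlarge the logical volume, tell dm-crypt about the
# new size, then grow the filesystem. Each layer must be resized in this order,
# and all three steps work while the filesystem stays mounted.
grow_encrypted_lv() {
    lv=$1; size=$2
    [ "$(id -u)" -eq 0 ] || { echo "grow_encrypted_lv: run as root" >&2; return 1; }
    name="luks-$(cryptsetup luksUUID "$lv")"
    lvextend -L "+$size" "$lv"
    cryptsetup resize "$name"
    resize2fs "/dev/mapper/$name"
}

case "${1:-}" in
    encrypt) encrypt_lv "$2" "$3" ;;
    grow)    grow_encrypted_lv "$2" "$3" ;;
    *)       echo "usage: $0 encrypt /dev/VolGroup00/LogVol01 /home" ;
             echo "       $0 grow /dev/VolGroup00/LogVol01 2G" ;;
esac
```

Shrinking is the mirror image and riskier: the filesystem must be shrunk first, then the LUKS mapping, then the logical volume, and the filesystem has to be unmounted for the shrink. Growing, as shown, needs no downtime, which is the resizability the article refers to.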



About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.
