I recently worked with Raju Chauhan to setup encrypted storage for a database and related files. He brought up an interesting requirement to see if the encrypted storage could grow with the data as needed. I hadn't dealt with that specific requirement in the past so I figured I'd see what my options were. Thanks for that requirement Raju; I don't think I would've thought of doing this were it not for that :-)
After preliminary performance testing in which LUKS barely edged out TrueCrypt, I chose LUKS for the setup since it's integrated into the Linux kernel and seemed to be a better choice for larger filesystems. For those who don't know, LUKS is a disk-encryption specification that is implemented using cryptsetup and the dm_crypt module in modern Linux kernels.
My solution: LVM on a bunch of LUKS devices to get the encryption and dynamic growth working together. Here is how to play with that on your own machines if you have about 5G of space to work with and want to see how it looks.
Pre-requisite Packages
I did this on an Ubuntu system so the following pre-requisite package installation instructions are for that. You'll need to ensure the appropriate packages for your distribution are installed before proceeding.
aptitude install cryptsetup-luks lvm2
Creating LVM over LUKS Setup
Create 4 1G files corresponding to physical volumes:- for i in 0 1 2 3; do dd if=/dev/zero of=/pv0$i.luks bs=1M count=0 seek=1000; done
- ls -l /pv*.luks
- for i in 0 1 2 3; do losetup /dev/loop$i /pv0$i.luks; done
- losetup -a
- for i in 0 1 2 3; do cryptsetup luksFormat /dev/loop$i; done
- for i in 0 1 2 3; do cryptsetup luksOpen /dev/loop$i pv0$i.luks.device; done
- for i in 0 1 2 3; do pvcreate /dev/mapper/pv0$i.luks.device; done
- pvdisplay
- vgcreate vg0 `for i in 0 1 2 3; do echo /dev/mapper/pv0$i.luks.device; done`
- vgdisplay
- lvcreate --size 3000M --name demolv vg0
- lvdisplay
At this time you have a LVM volume group named demolv that is sitting on top of two encrypted physical volumes that is each part of a single LUKS volume. You can give each LUKS volume different passwords to increase security or you can give them all the same password to increase convenience.
Format and Mount Logical Volume
Format and mount the demolv Logical Volume with whatever filesystem you choose:- mkfs.ext4 /dev/vg0/demolv
- mkdir /demo
- mount /dev/vg0/demolv /demo
Unmount and Detach
Once you're done playing with it (or when you're ready to shut down your system) you can run the following commands to unmount and detach everything. These steps assume you followed the steps in this tutorial to the letter without changing any names. If you changed names, you should change the corresponding names in the commands below:
- for lv in /dev/vg0/*; do lvchange -an $lv; done
- vgchange -an /dev/vg0
- for i in 0 1 2 3; do cryptsetup luksClose pv0$i.luks.device; done
- for i in 0 1 2 3; do losetup -d /dev/loop$i; done
No comments:
Post a Comment