encrypting partitions within encrypted LVM?
Hi,

Once again I have a problem in understanding. I am setting up a new laptop, completely encrypted.

I chose an LVM volume group in which I will have partitions "/", "/home/" and "swap". I have encrypted the volume group, it shows in the partitioner as encrypted under "harddisks" (PV of group).

Now when I add the said partitions to this volume group, YaST again asks me if I want to encrypt them. This confuses me.

Question:
do I have to encrypt those partitions, too, or are they already encrypted because of being in the encrypted volume group?

Thanks for clarification!

Daniel

--
Daniel Bauer photographer Basel Málaga Twitter: @Marsfotografo (often explicit nudes) https://www.patreon.com/danielbauer https://www.daniel-bauer.com (nudes)

On 14.06.2024 16:57, Daniel Bauer wrote:
> Hi,
> Once again I have a problem in understanding. I am setting up a new laptop, completely encrypted.
> I chose an LVM volume group in which I will have partitions "/", "/home/" and "swap".

They are not partitions, they are logical volumes.

> I have encrypted the volume group,

You cannot encrypt the volume group. You can create a PV from an encrypted device, which can be a partition of a physical disk, and add this PV to a volume group.

> it shows in the partitioner as encrypted under "harddisks" (PV of group).
> Now when I add the said partitions to this volume group, YaST again asks me if I want to encrypt them. This confuses me.
> Question:
> do I have to encrypt those partitions, too, or are they already encrypted because of being in the encrypted volume group?

We do not see what you see. At the very least, show the screenshot of the YaST you are talking about.

On 2024-06-14 15:57, Daniel Bauer wrote:
> Hi,
> Once again I have a problem in understanding. I am setting up a new laptop, completely encrypted.
> I chose an LVM volume group in which I will have partitions "/", "/home/" and "swap". I have encrypted the volume group, it shows in the partitioner as encrypted under "harddisks" (PV of group).
> Now when I add the said partitions to this volume group, YaST again asks me if I want to encrypt them. This confuses me.
> Question:
> do I have to encrypt those partitions, too, or are they already encrypted because of being in the encrypted volume group?

run:

lsblk --output NAME,KNAME,RA,RM,RO,PARTFLAGS,SIZE,TYPE,FSTYPE,LABEL,PARTLABEL,PTTYPE,MOUNTPOINT,UUID,PARTUUID,WWN,MODEL,ALIGNMENT > somefile.txt

and attach the "somefile.txt" to the reply email here. Do NOT PASTE it here because Thunderbird will want to wrap the lines to size, making it very difficult to read.

That information should help to interpret the situation.

--
Cheers / Saludos, Carlos E. R. (from 15.5 x86_64 at Telcontar)

On 14.06.24 at 19:35, Carlos E. R. wrote:
> On 2024-06-14 15:57, Daniel Bauer wrote:
>> Hi,
>> Once again I have a problem in understanding. I am setting up a new laptop, completely encrypted.
>> I chose an LVM volume group in which I will have partitions "/", "/home/" and "swap". I have encrypted the volume group, it shows in the partitioner as encrypted under "harddisks" (PV of group).
>> Now when I add the said partitions to this volume group, YaST again asks me if I want to encrypt them. This confuses me.
>> Question:
>> do I have to encrypt those partitions, too, or are they already encrypted because of being in the encrypted volume group?
> run:
> lsblk --output NAME,KNAME,RA,RM,RO,PARTFLAGS,SIZE,TYPE,FSTYPE,LABEL,PARTLABEL,PTTYPE,MOUNTPOINT,UUID,PARTUUID,WWN,MODEL,ALIGNMENT > somefile.txt
> and attach the "somefile.txt" to the reply email here. Do NOT PASTE it here because Thunderbird will want to wrap the lines to size, making it very difficult to read.
> That information should help to interpret the situation.

Here's the file...

--
Daniel Bauer photographer Basel Málaga Twitter: @Marsfotografo (often explicit nudes) https://www.patreon.com/danielbauer https://www.daniel-bauer.com (nudes)

On 2024-06-14 20:25, Daniel Bauer wrote:
> On 14.06.24 at 19:35, Carlos E. R. wrote:
>> On 2024-06-14 15:57, Daniel Bauer wrote:
>> run:
>> lsblk --output NAME,KNAME,RA,RM,RO,PARTFLAGS,SIZE,TYPE,FSTYPE,LABEL,PARTLABEL,PTTYPE,MOUNTPOINT,UUID,PARTUUID,WWN,MODEL,ALIGNMENT > somefile.txt
>> and attach the "somefile.txt" to the reply email here. Do NOT PASTE it here because Thunderbird will want to wrap the lines to size, making it very difficult to read.
>> That information should help to interpret the situation.
> Here's the file...

Tks.

There is /boot partition #1, non encrypted. There is ESP, #3, non encrypted. There is partition #3, encrypted. Inside there is an LVM "whatever", that contains three "spaces", "/", "/home" (both ext4) and "swap".

I don't name the lvm parts because I'm not an lvm connoisseur, so personally I avoid using it.

--
Cheers / Saludos, Carlos E. R. (from 15.5 x86_64 at Telcontar)

On 14.06.24 at 21:57, Carlos E. R. wrote:
> On 2024-06-14 20:25, Daniel Bauer wrote:
>> On 14.06.24 at 19:35, Carlos E. R. wrote:
>>> On 2024-06-14 15:57, Daniel Bauer wrote:
>>> run:
>>> lsblk --output NAME,KNAME,RA,RM,RO,PARTFLAGS,SIZE,TYPE,FSTYPE,LABEL,PARTLABEL,PTTYPE,MOUNTPOINT,UUID,PARTUUID,WWN,MODEL,ALIGNMENT > somefile.txt
>>> and attach the "somefile.txt" to the reply email here. Do NOT PASTE it here because Thunderbird will want to wrap the lines to size, making it very difficult to read.
>>> That information should help to interpret the situation.
>> Here's the file...
> Tks.
> There is /boot partition #1, non encrypted. There is ESP, #3, non encrypted. There is partition #3, encrypted. Inside there is an LVM "whatever", that contains three "spaces", "/", "/home" (both ext4) and "swap".

Yes, the question is if those three "spaces" are fully encrypted because the "container" is, or not. Googling I didn't find a clear answer, but tending to yes :-) Still, if somebody knows, I'd like to know, too...

> I don't name the lvm parts because I'm not an lvm connoisseur, so personally I avoid using it.

I only use LVM because the installer proposes it for encrypted systems with only one passphrase entry. In (much) earlier versions of OS I used to encrypt each partition manually with LUKS and it always worked, but somewhen something changed. So now I use LVM, and I don't actually care :-)

--
Daniel Bauer photographer Basel Málaga Twitter: @Marsfotografo (often explicit nudes) https://www.patreon.com/danielbauer https://www.daniel-bauer.com (nudes)

On 2024-06-14 22:40, Daniel Bauer wrote:
> On 14.06.24 at 21:57, Carlos E. R. wrote:
>> On 2024-06-14 20:25, Daniel Bauer wrote:
>>> On 14.06.24 at 19:35, Carlos E. R. wrote:
>>>> On 2024-06-14 15:57, Daniel Bauer wrote:
>>> Here's the file...
>> Tks.
>> There is /boot partition #1, non encrypted. There is ESP, #3, non encrypted. There is partition #3, encrypted. Inside there is an LVM "whatever", that contains three "spaces", "/", "/home" (both ext4) and "swap".
> Yes, the question is if those three "spaces" are fully encrypted because the "container" is, or not.

Yes.

> Googling I didn't find a clear answer, but tending to yes :-)
> Still, if somebody knows, I'd like to know, too...

I would say "yes, absolutely", but computers tend to surprise one, so... let's say 95% sure ;-)

>> I don't name the lvm parts because I'm not an lvm connoisseur, so personally I avoid using it.
> I only use LVM because the installer proposes it for encrypted systems with only one passphrase entry. In (much) earlier versions of OS I used to encrypt each partition manually with LUKS and it always worked, but somewhen something changed. So now I use LVM, and I don't actually care :-)

There are currently two full machine encryption methods; I think both are supported by YaST. The traditional one, using an LVM, and a new one (since 15.4 or 15.3, I think) with separate encrypted partitions. With some manual steps to be done by the admin, like having care they use the same password, and adding a key file. I think there is a wiki page explaining the method (sorry, I must locate my notes somewhere).

As installed by YaST, the second method makes you type twice the password (with the help of Plymouth). It can be adapted to single entry, but takes a bit of work. It is my preferred method.

Apparently, not using the same password on each partition is something that people do, but surprised me.

--
Cheers / Saludos, Carlos E. R. (from 15.5 x86_64 at Telcontar)

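To check on a running system the question this thread settles, the sketch below (an added example, not part of the thread or written by any participant) walks the device tree from `lsblk --json --output NAME,TYPE,FSTYPE,MOUNTPOINT` and marks each mount point as encrypted when a `crypt` device lies beneath it. The sample JSON, its device names and the ESP mount point are constructed to mirror the layout described above.

```python
import json

# Constructed sample of `lsblk --json --output NAME,TYPE,FSTYPE,MOUNTPOINT`,
# modelled on the layout described in the thread; all device names are made up.
SAMPLE = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
    {"name": "nvme0n1p2", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "cr_example", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null, "children": [
        {"name": "system-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
        {"name": "system-home", "type": "lvm", "fstype": "ext4", "mountpoint": "/home"},
        {"name": "system-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"}
      ]}
    ]}
  ]}
]}
"""

def encryption_report(lsblk_json):
    """Map each mount point to True if a dm-crypt device sits beneath it."""
    report = {}

    def walk(node, under_crypt):
        # A node of type "crypt" is an opened dm-crypt mapping; everything
        # stacked on top of it (LVM PV, logical volumes, filesystems, swap)
        # reaches the disk only through that mapping.
        under_crypt = under_crypt or node.get("type") == "crypt"
        if node.get("mountpoint"):
            report[node["mountpoint"]] = under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return report

def unencrypted(lsblk_json):
    """Return the sorted mount points that have no crypt layer beneath them."""
    return sorted(mp for mp, enc in encryption_report(lsblk_json).items() if not enc)

if __name__ == "__main__":
    for mountpoint, enc in sorted(encryption_report(SAMPLE).items()):
        print(f"{mountpoint:10} {'encrypted' if enc else 'NOT encrypted'}")
```

On a real machine, feed the function the output of the `lsblk` command named in the lead-in instead of `SAMPLE`; logical volumes need no second encryption layer when the physical volume beneath them is already a `crypt` device.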
participants (3)
- Andrei Borzenkov
- Carlos E. R.
- Daniel Bauer