Installation of Mageia with LVM + encryption.

Posted:
Jan 13th, '14, 02:00
by Dupo
Hi,
This message concerns a technical matter.
I wish to install two instances of Mageia on an SSD. But I would use LVM + encryption. If I understood correctly, I have to create a boot partition, an LVM container (for the root partition and the home partition) and use LUKS to encrypt the container. All of this can be accomplished through the Mageia installer. But I want both instances of the system to be encrypted (must I create two LVM containers, with encryption on both containers?), and I also want to encrypt a second disk (HDD) that will contain personal files.
Do you have any tips for me?
Thanks for your help.
Greetings.
Re: Installation of Mageia with LVM + encryption.

Posted:
Jan 13th, '14, 03:12
by jiml8
Speaking just for myself, I don't like to encrypt the system. It is more complicated to do and, should there be a problem where a recovery is needed, your problem is a lot more complicated if the system is encrypted. For the same reason, I don't put the system on a logical volume.
Also, I have had some truly unpleasant experiences doing version upgrades with encrypted systems; I have seen the initrd improperly built more often than not.
I do avoid data leaks by encrypting everything else (including swap) and I symlink specific locations in the / filesystem to locations on other volumes in order to keep the data private. On my workstation (which has a bunch of different volumes and is fully encrypted except for /) I have /tmp, /var/cache, /var/lib/mysql, /var/tmp, /var/spool/cron, and /var/www all symlinked to other encrypted volumes.
I also am very careful to keep backups of the MBR and the encrypted filesystem header for each physical disk and each encrypted partition. I keep these on the encrypted volumes, but there are multiple copies so that if any given encrypted volume is inaccessible due to damage or corruption, I can recover it by getting the copy of the keys from a backup on another volume. I do the backup and restores as follows:
Code:
sudo cryptsetup luksHeaderBackup --header-backup-file=sdf1 /dev/sdf1
To restore the crypto data to the drive, use the inverse command:
cryptsetup luksHeaderRestore --header-backup-file=sdf1 /dev/sdf1
All that said, if you must encrypt your systems, you could use one LVM if you wanted to, and just partition the logical volume. Probably safer to set up two logical volumes though.
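The backup routine described in the post above, as an added example that is not part of the original thread: it writes one header backup, copies it to several directories, and checks that every copy starts with the LUKS magic bytes and matches the others. The function names, the `.hdr` suffix and the directory arguments are assumptions.

```shell
#!/bin/sh
# Added example: redundant LUKS header backups with an integrity check.
# Function names, the ".hdr" suffix and directories are illustrative assumptions.

# Succeeds if FILE starts with the LUKS magic bytes "LUKS" 0xBA 0xBE.
is_luks_header() {
    magic=$(od -An -tx1 -N6 "$1" | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# Prints the on-disk format version (1 or 2), stored big-endian in bytes 6-7.
luks_version() {
    set -- $(od -An -tu1 -j6 -N2 "$1")
    echo $(( $1 * 256 + $2 ))
}

# check_copies NAME DIR...  Succeeds only if at least two copies of NAME
# exist, each one is a LUKS header, and all of them are byte-identical.
check_copies() {
    name=$1; shift
    ref=""; count=0; last=""
    for dir in "$@"; do
        f="$dir/$name"
        [ -f "$f" ] || { echo "missing: $f" >&2; continue; }
        is_luks_header "$f" || { echo "not a LUKS header: $f" >&2; return 1; }
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        : "${ref:=$sum}"            # first copy found becomes the reference
        [ "$sum" = "$ref" ] || { echo "copy differs: $f" >&2; return 1; }
        count=$((count + 1)); last=$f
    done
    [ "$count" -ge 2 ] || { echo "fewer than two copies of $name" >&2; return 1; }
    echo "$count matching copies of $name (LUKS$(luks_version "$last"))"
}

# backup_header DEVICE FIRST_DIR [DIR...]  Needs root. cryptsetup refuses to
# overwrite an existing backup file, so an old copy is never clobbered.
backup_header() {
    dev=$1; first=$2; shift 2
    name=$(basename "$dev").hdr
    cryptsetup luksHeaderBackup --header-backup-file="$first/$name" "$dev" || return 1
    for dir in "$@"; do
        cp "$first/$name" "$dir/$name" || return 1
    done
    check_copies "$name" "$first" "$@"
}
```

Run as root, for instance `backup_header /dev/sdf1 /mnt/vol1/keys /mnt/vol2/keys` (hypothetical mount points); `check_copies` can be rerun on its own later to detect a damaged copy.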
Re: Installation of Mageia with LVM + encryption.

Posted:
Jan 13th, '14, 23:08
by doktor5000
Dupo wrote: Must I create two containers LVM + encryption on the two containers ?), And I also want to encrypt a second disc that will contain personal files (HDD).
Do you have any tips for me?
Read up on LVM.
No really - how good are you with LVM, how often did you work with it already? Do you understand the basic concepts,
what a physical volume, volume group, logical volume are meant for?
Also, the most important question - do you want the two Mageia versions to use the same encryption key,
or should they be separately encrypted?
Re: Installation of Mageia with LVM + encryption.

Posted:
Jan 14th, '14, 01:32
by Dupo
Hi,
I know what LVM is, but I have never used it on an SSD with encryption. I searched the internet for a lot of information. As I see it, I can do this:
sda is the SSD disk.
Sda1 can be the first boot partition for the first Mageia instance
Sda2 can be the second boot partition for the second Mageia instance.
sda3 can be the LUKS container with an LVM volume for root1 (for the first Mageia instance), root2 (for the second Mageia instance), home1 (for the first Mageia instance), home2 (for the second Mageia instance). With a lot of memory, I don't think that swap is necessary.
But where can I put grub for each instance? In the MBR or in each boot partition?
What do you think about it? Or have you got another idea?
Thanks.
Re: Installation of Mageia with LVM + encryption.

Posted:
Jan 15th, '14, 21:17
by jiml8
Your proposed architecture will work. There is only one MBR, and it is for the device. You install grub part 1 there. One of your partitions (let's say sda1) will be the boot partition; this is where grub part 1 will look for grub part 2. Then grub will read grub/menu.lst from that partition, which will tell it what to do. That menu.lst file will contain the necessary information for booting either Linux distro.
Re: Installation of Mageia with LVM + encryption.

Posted:
Jan 17th, '14, 02:55
by Dupo
Hi,
Well, I will take an example; please tell me what you think about it.
Here is an example ("simple" case):
Consider the case of a machine that has 2 hard drives (an SSD and a mechanical HDD). The SSD is used for the system, and the HDD for all personal data. I want to use LVM + encryption (via the installation of Mageia). First, I will make these 2 disks 2 physical volumes. Secondly, I have two choices: either I put the physical volumes in one volume group with an encryption container, or I make two volume groups (one for the first disk (SSD), and one for the second disk (HDD)) with an encryption container for each volume group.
Then, for the single volume group or for the two volume groups, I create logical volumes for the various partitions with a choice of file system.
So, in summary, I see this:
Sda : SSD.
sda1 : boot partition outside the LVM.
sda2 : physical volume (LVM) -> encryption container 1 ?
Sdb: HDD.
sdb1 : physical volume (LVM) -> encryption container 2 ?
Vg0 : Volume group for sda2 and sdb1.
or
Vg0 : Volume group for sda2
Vg1 : Volume group for sdb1
Note: Is the second case a good choice (if one of the hard disks crashes)?
Vg0 : only contains all logical volumes for the system partitions, or contains all logical volumes for the system partitions + the logical volume for personal data.
Vg1 : contains the logical volume for all data (personal data).
Grub legacy or Grub2 in MBR.
I hope my explanation is clear. From this example, what is your advice?
Thanks for your help.
Greetings.
Re: Installation of Mageia with LVM + encryption.

Posted:
Jan 20th, '14, 13:23
by wintpe
Re: Installation of Mageia with LVM + encryption.

Posted:
Jan 20th, '14, 21:31
by doktor5000
Thanks for sharing both links. Although for the luks maybe one comment: You can also encrypt on a PV/VG level, that's what Redhat does when you turn on encryption during installation. There are some drawbacks if you encrypt LVs separately, but depending on the use case it may also offer advantages.
You may want to look at
https://wiki.archlinux.org/index.php/Dm ... VM_on_LUKS and
https://wiki.archlinux.org/index.php/Dm ... UKS_on_LVM
Also the cryptsetup/LUKS FAQ is highly recommended, especially related to backup/recovery:
https://code.google.com/p/cryptsetup/wi ... dQuestions
Re: Installation of Mageia with LVM + encryption.

Posted:
Jan 21st, '14, 11:50
by wintpe
This was what was taught on the RH199; I have not experimented further than what was required for the RHCSA/RHCE.
You may well be right that there are advanced ways to do this.
Personally I don't use luks, but truecrypt instead.
For full disk encryption I use a 256 bit hw sata encryption, i.e. enova based products.
regards peter
Re: Installation of Mageia with LVM + encryption.

Posted:
Jan 22nd, '14, 01:51
by Dupo
Hi guys,
thanks for your links. They are very interesting.
What do you think about Diskdrake for creating LVM and encryption? Is it a good solution? It is easier to use than the command line.
Greetings.
Re: Installation of Mageia with LVM + encryption.

Posted:
Jan 22nd, '14, 15:34
by wintpe
I got caught out with diskdrake not doing what I expected when I got my first 4TB drive.
It said it had partitioned it,
the disk accepted a mkfs, and mounted OK.
I moved loads of data onto it, only to find after a reboot it had somehow not used GPT and created me
a partition that no longer existed after a reboot.
I knew 4TB drives needed to be handled differently, was in a hurry, and trusted the tool to do the right thing.
So while this is not necessarily reflective of diskdrake as a whole, I always prefer the command line.
You really know where you are once you understand it.
With most GUI tools, you're more often left successful, but without a clue how you got there, and then when something does not work
you're totally fumbling around in the dark.
regards peter
Re: Installation of Mageia with LVM + encryption.

Posted:
Jan 26th, '14, 02:03
by Dupo
Hi,
I will check it later. For now, I try to use Mageia 4 Rc with my laptop.

Re: Installation of Mageia with LVM + encryption.

Posted:
Feb 2nd, '14, 02:02
by Dupo
Hi,
As the final version of Mageia 4 is out, I will install it on my SSD hard disk. I checked some information on the internet which tells how to install 2 operating systems on LVM. This information said to create 2 boot partitions and two volume groups (one for each operating system). But it said to create a physical volume for the two volume groups. My question is: do you think it is more interesting to create two physical volumes, one for each operating system, as below?
SSD
-------
/boot1 -> boot partition for the first O.S.
/boot2 -> boot partition for the second O.S.
LVM :
Physical volume 1 -> Volume group 1 -> logical volumes for the first operating system. (encrypted)
Physical volume 2 -> Volume group 2 -> logical volumes for the second operating system. (encrypted).
HDD
-------
Physical volume 3 -> Volume group 3 -> logical volume for datas ?
I'm also interested in creating a UEFI boot partition (with a GPT partition table for all disks) to use the UEFI available on the PC. Do you think I can create a UEFI boot partition if I want to use LVM with 2 operating systems?
Thanks.
Greetings.
Re: Installation of Mageia with LVM + encryption.

Posted:
Feb 2nd, '14, 04:18
by doktor5000
I'm not that much into linux LVM, but I don't think it's possible or even sensible to create two PVs on one physical storage device.
Apart from that, didn't you ask that question already, will you start the thread again?
Re: Installation of Mageia with LVM + encryption.

Posted:
Feb 2nd, '14, 16:44
by Dupo
Hi,
I preferred to encrypt the entire hard drive during installation as in Ubuntu (it is easier), but it doesn't seem possible in Mageia. We must use LVM + encryption in Mageia.
Else, I continue this discussion.