Fedora15 – Help me understand how cryptsetup and LVM interact

Tags: encryption, fedora-15, lvm, multi-boot, partitioning

Upgrading F11 to F15, I've decided to encrypt the disk. Anaconda appears to have limited support for custom disk partitions (mine is dual boot). The result of my second install attempt was a PV boot and an LVM VG with home, root, and swap. The problem is these LVs each have their own encryption! The Fedora documentation only gives instructions for encrypting during the Anaconda install process and after a system is installed.


From research and discussions I uncovered an alternative where the VG is the only encrypted "bit" of the partitioned drive. Then I can install Fedora using a spin disk or the 4G iso with Anaconda. This would make an encrypted Fedora system with a single decryption passphrase. What I am not clear on is the step to create the LVs.

Reading the cryptsetup docs and the above examples, I conclude that the luksOpen and luksClose commands "bookend" the LVM Linux commands pvcreate, vgcreate, and lvcreate. Then I won't need to use gparted, the graphical disk partitioning tool, yes?

Since I will be deleting my system, I need to do all of this from a liveCD like gparted, or a Fedora spin liveCD. And this disk needs to have the LVM commands pvcreate, vgcreate, lvcreate, and the cryptsetup-luks and dm-crypt packages?

Once the VG is encrypted and the LVs are added, can I then launch the Fedora spin CDROM or Anaconda DVD to complete the install?

Does this sound correct? Am I missing anything? Is there an easier way to do this? (^_^)

Best Answer

LVM is a container for volumes ("logical" volumes, as it were). After your volume groups are enabled, these volumes are exposed at /dev/mapper and function like block devices (/dev/sda, etc.). You can format them, then mount them, etc. If the underlying real devices are disconnected, the exposed "device(s)" at /dev/mapper fail to work.

In summary,

  • LVM can use any block device as a physical volume, including anything in /dev/mapper such as an encrypted LUKS volume cryptsetup exposes there.

  • cryptsetup can use any block device as an encrypted volume, including anything in /dev/mapper, such as a logical volume set up by LVM.

You have to tear things down in the reverse order you set them up. Therefore, if you have an LVM, and then an encrypted volume "in" it, you need to dismount the encrypted volume before disabling the logical volume.

(Yes, you can have an absolutely insane stack of LVs and encrypted volumes, and LVs in encrypted volumes in other LVs, etc. It gets better when you throw in network block devices, iSCSI targets, etc.)
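The "LUKS outside, LVM inside" layering the question asks about, and the reverse-order teardown the answer insists on, written out as a shell script. This is an added example and not code from the thread or from Fedora; the partition path /dev/sda5, the mapper name cryptvg and the VG name vg_fedora are assumptions you would change for your own disk. By default it only prints the commands (DRY_RUN=1) so the ordering can be inspected safely; with DRY_RUN=0 it runs them for real, which requires root plus the cryptsetup-luks and lvm2 packages on the live CD, and luksFormat will prompt for confirmation and the single passphrase.

```shell
#!/bin/sh
# Added example (not from the original thread): one LUKS container holding a
# whole LVM volume group, so a single passphrase unlocks root, swap and home.
# Hypothetical names below; adjust CRYPT_DEV, MAP_NAME and VG_NAME.
DRY_RUN="${DRY_RUN:-1}"              # 1 = print commands only, 0 = execute
CRYPT_DEV="${CRYPT_DEV:-/dev/sda5}"  # assumed partition reserved for Fedora
MAP_NAME="${MAP_NAME:-cryptvg}"      # name that appears under /dev/mapper
VG_NAME="${VG_NAME:-vg_fedora}"      # volume group created inside the LUKS device

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Verify the live CD has the tools the procedure needs (only for a real run).
require_tools() {
    for tool in cryptsetup pvcreate vgcreate lvcreate vgchange; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; return 1; }
    done
    return 0
}

# Setup order: LUKS first, then LVM on the opened mapping.
# luksOpen "bookends" the pvcreate/vgcreate/lvcreate steps on the front side.
setup_stack() {
    [ "$DRY_RUN" = "1" ] || require_tools || return 1
    run cryptsetup luksFormat "$CRYPT_DEV"              # asks for the passphrase
    run cryptsetup luksOpen "$CRYPT_DEV" "$MAP_NAME"    # creates /dev/mapper/$MAP_NAME
    run pvcreate "/dev/mapper/$MAP_NAME"                # PV on the decrypted device
    run vgcreate "$VG_NAME" "/dev/mapper/$MAP_NAME"
    run lvcreate -L 20G -n root "$VG_NAME"              # sizes are assumptions
    run lvcreate -L 2G -n swap "$VG_NAME"
    run lvcreate -l 100%FREE -n home "$VG_NAME"
}

# Teardown in the reverse order: deactivate every LV in the VG before closing
# the LUKS mapping, otherwise luksClose fails because the device is busy.
teardown_stack() {
    run vgchange -an "$VG_NAME"
    run cryptsetup luksClose "$MAP_NAME"
}

# Stand-alone usage: show the plan (DRY_RUN=1) or do it (DRY_RUN=0 as root).
if [ "${1:-}" = "setup" ]; then
    setup_stack
elif [ "${1:-}" = "teardown" ]; then
    teardown_stack
fi
```

Once the LVs exist, the installer only needs the LUKS device opened again (the luksOpen line on its own) to see /dev/mapper/vg_fedora-root and friends as ordinary block devices; /boot stays on an unencrypted partition outside the container, as in the question's layout.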
