Linux – LVM Encrypted Physical Volume versus Encrypted Logical Volume. Am I safe

disk-encryption linux lvm

I'm somewhat new to disk encryption techniques in Linux, but I have the basic
notions about encryption. Here are my conditions:

  • I need to have "full disk encryption", including "/", not just "/home".
  • I don't need /home on a separate partition, I prefer just a single "/" and swap
  • I need suspend/hibernate to work (yes, I know suspend is not
    safe, but I need it to work in rare cases where people won't steal my laptop)
  • I want to do this using modern Linux distribution installers, so my
    option is basically LVM
  • I know I'll need an unencrypted /boot partition

But the thing is: using distribution installers, I have the option to encrypt the
Physical Volume (PV) but also to encrypt the Logical Volumes (LVs) inside the PV.

  • Which one is better?
  • If I just have encrypted Physical Volume, am I safe? Or does it just encrypt
    some kind of metadata (like a table containing pointers to the inner
    partitions) and not the file systems inside it?
  • Is there any case where I'll want to have PV encryption + LV encryption? Explain.

LVM has many different abstractions (PV, VG, LV, PE), I'm afraid that by encrypting something I
might be only encrypting some kind of metadata table and not the actual contents
of my files. I tried googling this, but the howtos usually explain how to format
your partitions but not the details I'm asking about. I have the feeling that people just want to type some sort of password, even if they don't know what is actually being encrypted. The Linux distribution installers don't help either (the only one that cares about writing random stuff to the disk before encrypting is Debian!).

What I did:

  • Using OpenSuse installer, I created a physical partition on my disk and marked
    it as "encrypted". Then, I used it to create an LVM Group, and, inside it, I
    created unencrypted / and swap. Is this safe?

I'm still waiting for the installation to finish. I'll need to discover how to try to break it afterwards.

Thanks in advance.

Best Answer

Which one is better?

They are both using the same technology. If you encrypt the physical volume, then everything inside the LVM will be encrypted. If you need/want some things to not be encrypted within your LVM volume, then you would need to set up encryption on the logical volumes instead.

I'm afraid that by encrypting something I might be only encrypting some kind of metadata table and not the actual contents of my files.

Almost all installers basically set up a DM-Crypt volume using LUKS. This encrypts the contents of the entire partition. Then it is pretty common to set up LVM within the encrypted volume to provide the user the flexibility to adjust partitions as needed.

Is there any case where I'll want to have PV encryption + LV encryption?

I suppose if you were extremely paranoid, you might want to have your standard low-security volume that has the OS and your standard files. Then you might hide your extremely-super-double-plus-good-top-secret files inside a separate encrypted volume that you only mount as-needed. If you were mounting both volumes at boot, then it wouldn't make any sense at all; you would just have the overhead of encrypting things twice, and not much real gain. If you did set up something like this, it should be pretty obvious that you would need to establish completely separate keys/passwords for the internal volume.
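To check an installed system against the layering described in the answer, the following added example (not part of the original question or answer) walks the device tree printed by `lsblk -J -o NAME,TYPE,MOUNTPOINT` and reports every mounted filesystem or swap area that has no dm-crypt (`crypt`) layer beneath it. The device names in the two samples are constructed, and the function names `audit` and `unencrypted` are hypothetical.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` for the layout in the
# question: LUKS on the partition, LVM inside it, plain /boot beside it.
PV_ENCRYPTED = """{"blockdevices": [
 {"name": "sda", "type": "disk", "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "mountpoint": "/boot"},
  {"name": "sda2", "type": "part", "mountpoint": null, "children": [
   {"name": "cr_sda2", "type": "crypt", "mountpoint": null, "children": [
    {"name": "system-root", "type": "lvm", "mountpoint": "/"},
    {"name": "system-swap", "type": "lvm", "mountpoint": "[SWAP]"}]}]}]}]}"""

# Constructed counter-example: LVM directly on the partition, with only the
# swap logical volume wrapped in dm-crypt.
LV_ONLY_SWAP = """{"blockdevices": [
 {"name": "sda", "type": "disk", "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "mountpoint": "/boot"},
  {"name": "sda2", "type": "part", "mountpoint": null, "children": [
   {"name": "system-root", "type": "lvm", "mountpoint": "/"},
   {"name": "system-swap", "type": "lvm", "mountpoint": null, "children": [
    {"name": "cr_swap", "type": "crypt", "mountpoint": "[SWAP]"}]}]}]}]}"""

def audit(lsblk_json):
    """Map each mountpoint to True if a crypt device lies between it and the disk."""
    result = {}

    def walk(node, under_crypt):
        # Once a crypt layer is seen, everything stacked on top of it is encrypted.
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint:
            result[mountpoint] = under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return result

def unencrypted(lsblk_json, allowed=("/boot",)):
    """List mountpoints with no crypt layer, ignoring ones expected to be plain."""
    return sorted(mp for mp, enc in audit(lsblk_json).items()
                  if not enc and mp not in allowed)

if __name__ == "__main__":
    for label, sample in (("PV encrypted", PV_ENCRYPTED), ("swap LV only", LV_ONLY_SWAP)):
        print(label, "->", unencrypted(sample) or "everything except /boot is encrypted")
```

On a real machine, pass the output of `lsblk -J -o NAME,TYPE,MOUNTPOINT` to `unencrypted()` in place of the samples.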
