Encrypted disk filesystem compatibilities

bootencryptionext4filesystemszfs

On my Debian Linux system during the install I decided to use disk encryption (the one offered during a regulard Debian install). When the system boots up I need to enter a password and then the "real" boot begins.

Could someone explain how this encryption is performed? Does it happen before or after the filesystem's laid out? Can I use any filesystem available for Linux with the disk encryption?

The /etc/mtab/ is more complicated than what I was used with Linux and I take it it's related to disk encryption but I'm really not sure. Here's (what I think is) the relevant bits from my /etc/mtab:

/dev/sda1 /boot ext2 rw,relatime,errors=continue 0 
/dev/mapper/archon-root / ext4 rw,noatime,errors=remount-ro,user_xattr,commit=300,barrier=1,data=ordered 0 0
rootfs / rootfs rw 0 0

I don't really understand why /boot is ext2 and why / is ext-4 and using a /dev/mapper.

Could /boot be itself using ext4?

Could / be using, say, ZFS and yet still offer encryption?

Best Answer

/boot is not encrypted (the BIOS would have no way to decrypt it...). It could be ext4, but there really isn't any need for it to be. It usually doesn't get written to. The BIOS reads GRUB from the MBR, then GRUB reads the rest of itself, the kernel, and the initramfs from /boot. The initramfs prompts you for the passphrase. (Assumably, its using cryptsetup and LUKS headers.).

The encryption is performed at a layer below the filesystem. You're using something called dm-crypt (that's the low-level in-kernel backend that cryptsetup uses), where "dm" means "Device Mapper". You appear to also be using LVM, which is also implemented by the kernel Device Mapper layer. Basically, you have a storage stack that looks something like this:

1. /dev/sda2              (guessing it's 2, could be any partition other than 1)
2. /dev/mapper/sda2_crypt (dm-crypt layer; used as a PV for VG archon)
3. LVM (volume group archon)
4. /dev/mapper/archon-root (logical volume in group archon)
5. ext4

You can find all this out with the dmsetup command. E.g., dmsetup ls will tell you the Device Mapper devices in list. dmsetup info will give some details, and dmsetup table will give technical details of the translation the mapping layer is doing.

The way it works is that the dm-crypt layer (#2, above) "maps" the data by performing crypto. So anything written to /dev/mapper/sda2_crypt is encrypted before being passed to /dev/sda2 (the actual hard disk). Anything coming from /dev/sda2 is decrypted before being passed out of /dev/mapper/sda2_crypt.

So any upper layers use that encryption, transparently. The upper layer you have using it first is LVM. You're using LVM to carve up the disk into multiple logical volumes. You've got (at least) one, called root, used for the root filesystem. It's a plain block device, so you can use it just like any other—you can put any filesystem you'd like there, or even raw data. The data gets passed down, so it will be encrypted.

Things to learn about (check manpages, etc.):

/etc/crypttab
LVM (some important commands: lvs, pvs, lvcreate, lvextend)
cryptsetup

lsof

The only way I can think to gain access to a mount such as this would be to mount it as you did before using Nautilus or whatever file browser, and then using a tool such as lsof to see what files/devices are opened by Nautilus.

$ lsof -p $(pgrep nautilus)

But if you're having to connect to your phone via gphoto2 then you're likely not mounting the device a a mass storage device but rather a PTP - Picture Transfer Protocol. There's a Linux FUSE implementation for PTP too.

gvfs?

I would also look in your $HOME directory for a sub-directory called .gvfs. Usually when GNOME or Nautilus are doing the mounting this directory is created as a convenience.

In newer versions of GNOME (3+) this directory has moved and is now here, /run/user/$UID/gvfs.

Example

$ ls -l /run/user/$UID/gvfs/smb-share\:server\=tank\,share\=t 
total 2
drwx------. 1 saml saml    0 Oct 31 09:16 Development
drwx------. 1 saml saml    0 Nov 18 14:52 home
drwx------. 1 saml saml    0 May 14  2013 incoming
...

NOTE: That's a environment variable $UID that is often set in Bash on most modern systems. If it isn't set you can find your user's ID like so:

$ id
uid=1000(saml) gid=1000(saml) groups=1000(saml),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Ubuntu – ext4 filesystems frequently corrupting

All three data journaling modes should leave the filesystem itself fully intact after a power failure. So it should always mount without errors. The difference is only in the data in your files; data=writeback mode may leave stale data (i.e., what was stored in the disk sectors before the writes your app did). data=ordered and data=journaled should not do this.

Most likely what you're seeing is that I/O barriers aren't working on your setup. First, make sure you're not mounting with barrier=0/nobarrier. That boosts performance, but will cause corruption on power failure.

If I/O barriers are on, it's also possible you're passing through a storage layer that doesn't support them. On older releases, LVM didn't and various mdraid levels didn't. (This was fixed in Linux 2.6.33; so only if you're running Lucid still.)

Finally, it's possible your disks are telling lies. Disks have write caches. Especially with NCQ, they're supposed to only tell the OS they've written data when they've actually done so, but they've been known to tell the OS its written when its only in the disk's write cache. Increases performance. At least as long as the power stays on. You can try disabling the write cache on the disks, though you'll take a performance hit for this.

Note also that flash-memory disks have a lot of work to do under the hood, and many of them don't handle power failure well. (For example, wear leveling sometimes requires that a full flash block of data be moved. If the power fails in the middle, bad things happen on some flash disks.)

Finally... have you considered an UPS?

Best Answer

Related Solutions

How to mount a filesystem from a given USB bus:device

lsof

gvfs?

Example

Ubuntu – ext4 filesystems frequently corrupting

Related Question