Fedora – How to identify LVM-over-LUKS or LUKS-over-LVM

encryptionfedoralukslvm

I recently installed Fedora 20. I don't recall what exact options I chose for encrypting the disk/LVM during installation. It installed fine and I can log in etc. Here is the situation I have:

I booted up with LiveCD and tried the following: (I have installed Fedora20 to /dev/sda3' partition).

If I run cryptsetup open /dev/sda3 fedo I get an error saying it is not a LUKS device.
I I run cryptsetup luksDump /dev/sda3 I get an error saying it is not a LUKS device
If I run cryptsetup open --type plain /dev/sda3 fedo, it prompts for password and it opens the device fine.

So, obviously, that is a plain-text encrypted (without LUKS header) partition.

Now, when I try to run mount /dev/mapper/fedo /mnt/fedora, it says unknown crypto_LUKS filesystem.

I do have LVM on top of it, so, I can run pvdisplay, vgdisplay, lvdisplay and it shows information. I have a VG called fedora and two LVs, viz 00 for swap partition and 01 for / partition.

Now, if I do a cryptsetup luksDump /dev/fedora/01 I can see LUKS headers etc. And, I can mount by running mount /dev/fedora/00 /mnt/fedora, no password prompt.

So, do I have a LUKS-over-LVM-over-(plain-text)-encrypted partition?

Here is my output of lsblk:

# lsblk
NAME                                            MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sda                                               8:0    0 37.3G  0 disk
|-sda3                                            8:3    0 17.4G  0 part
  |-fedora-00                                   253:0    0  2.5G  0 lvm
  | |-luks-XXXXX                                253:3    0  2.5G  0 crypt [SWAP]
  |-fedora-01                                   253:1    0   15G  0 lvm
    |-luks-XXXXX                                253:2    0   15G  0 crypt /

So, the question is, how to figure out whether I have LVM-over-LUKS or LUKS-over-LVM, or some other combination thereof (LUKS over LVM over LUKS etc)? To make my question clear, I know I have LVM and LUKS, I want to figure out the order of them.

Best Answer

cryptsetup luksDump /dev/fedora/01 shows the LVM logical volume to be a LUKS encrypted volume. The output of pvs or pvdisplay would show the partition /dev/sda3 to be a physical volume. Thus you have LUKS over LVM. At a lower level, you have LVM over PC partition.

The output of lsblk confirms this: sda is a disk, sda3 is a partition (which contains an LVM physical volume), fedora-00 and fedora-01 are logical volumes, and each logical volume contains a LUKS encrypted volume.

Related Solutions

Why is the LUKS partition mounted without asking for a passphrase

Depends on what the init script that asks the password of you is doing with it.

If it's systemd, it might just be a feature. systemd-ask-password comes with a cache functionality that might be responsible.

https://www.freedesktop.org/software/systemd/man/systemd-ask-password.html

--accept-cached

    If passed, accept cached passwords, i.e. passwords previously entered.

--multiple

    When used in conjunction with --accept-cached accept multiple passwords.
    This will output one password per line.

In this fashion it would first try the passwords you already entered, and only ask for another passwords if that didn't work.

The downside of such an idea is that checking a password takes 1 second of CPU time with LUKS, so if you had a lot of LUKS containers, these attempts might slow you down. But most people have only one or two and it's actually not uncommon for them to use the same passphrase.

I actually couldn't locate the source code specifically responsible for this, so the above is only conjecture and I have no idea if this is a feature you could choose to disable somehow.

Found what seems to be the responsible code, see it here on Github.

There's a for loop that starts with tries = 0 and increments tries by one each iteration.

This loop calls get_password() with bool accept_cached set to true if tries == 0 && !arg_verify. So if there are already passwords cached in the first iteration of the loop, it will just return the cached passwords. If those don't work, next iteration with tries == 1 sets accept_cached to false and only then it will ask you to provide another passphrase to try with.

The list of passwords is passed on to attach_luks_or_plain(). This will be the previously cached password(s) in the first iteration, and the single new password in all following ones, so it won't re-try previously tried passwords (unless perhaps if you keep typing in the same one).

As for keeping passwords plaintext in memory, the list of passwords is declared as a _cleanup_strv_free_erase_ char **passwords = NULL; so that at least makes it sounds like cleanup will be taken care of properly at some point.

Keys are always in memory somewhere, that much can't be helped, crypt needs masterkey to work, as long as the container is open, you can always see it with dmsetup table --showkeys.

It seems like you normally have arg_tries = 3 three attempts to enter a working passphrase, but if you have multiple containers and the cached passwords didn't work, it will only give you two tries to enter the passphrase, since the cached password attempt already counts as the first try. I have no encrypted systemd machine to test if this is true or I'm just misreading the code somewhere.

Linux LUKS – How to Resize a LUKS Device, Revisited

You still have to resize the filesystem using the resized block device. The precise method and possible limitations depend on each filesystem.

Here are two examples to resize the filesystems to the whole available size for EXT4 and XFS. An other filesystem will require an other specific command.

An EXT4 filesystem can be enlarged online or offline (and can also be shrunk, but only offline).
```
resize2fs /dev/mapper/cryptdevice
```
An XFS filesystem can only be enlarged, and online (can't be shrunk back once done).

The filesystem must be mounted to be grown. The command requires the mountpoint rather than the block device.
```
mount -t xfs /dev/mapper/cryptdevice /mnt

xfs_growfs /mnt
```

You actually missed this step twice from the links:

Resize LUKS Volume(s)

in the question:
```
# Step 5: Resize encrypted volume (Trying to give it some space)
> resize2fs -p /dev/CryptVolumeGroup/root 101G
```
but in the answer:

Enlarge the rootfs logical volume. No need to un-mount since ext4 and be enlarged while mounted: lvresize -r -L +100G archvg/home

lvresize -r resizes automatically the underlying filesystem, hence no specific command in the answer. Resizing the filesystem for your specific case not using LVM wasn't present in this answer.

Increase the size of a LUKS encrypted partition

As a final step, the file-system needs to be expanded to the new size. With the resize2fs(8) command the file-system is extended to the new size of the LUKS volume.
$ sudo resize2fs /dev/mapper/sdb1_crypt
resize2fs 1.42.13 (17-May-2015)
Filesystem at /dev/mapper/sdb1_crypt is mounted on /media/gerhard/Daten; on-line resizing required
old_desc_blocks = 2, new_desc_blocks = 4
The filesystem on /dev/mapper/sdb1_crypt is now 14647925 (4k) blocks long.

Resizing LVM-on-LUKS
Resizing the encrypted volume

Now we are going to resize the encrypted volume itself. By taking in account the total size of the logical volume minus some safety space:
```
# resize2fs -p /dev/CryptVolumeGroup/Home 208G
```

Best Answer

Related Solutions

Why is the LUKS partition mounted without asking for a passphrase

Linux LUKS – How to Resize a LUKS Device, Revisited

Related Question