Keith C. Perry on 20 Apr 2015 07:26:51 -0700


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Help with encrypted SSD


Additionally, you shouldn't have any problems running VM's on top of software encryption.  Most of my hosted deployments do exactly that.

If you have to redo this, I would recommend not using DM-crypt and just use LUKS (i.e. use cryptsetup) to manage your encrypted disks (e.g. sdb), partitions (e.g. sdb2) or containers (e.g. a file that is loop mounted).  What can do is setup LUKS first on the disk and then create the LVM inside the VM.  That way increasing the space is nothing more than booting the VM with another disk file (and doing the LVM management inside the VM).  The guest knows nothing the encryption.

You still have to worry about the host's data pool but the concept is the same.  Create your logical volume (e.g. /dev/mapper/data/clients) and then setup LUKS against that device.  You can resize with LUKS as well but I haven't had to do that since I generally use encrypted containers.

I've used various LUKS implementations with LVM and DRBD- no observable performance issues but more importantly you get an agnostic solution that allows you to add encryption and maintain data storage flexibility.


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 
Keith C. Perry, MS E.E. 
Owner, DAO Technologies LLC 
(O) +1.215.525.4165 x2033 
(M) +1.215.432.5167 
www.daotechnologies.com

----- Original Message -----
From: "Rich Freeman" <r-plug@thefreemanclan.net>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Sent: Sunday, April 19, 2015 6:37:37 PM
Subject: Re: [PLUG] Help with encrypted SSD

On Sun, Apr 19, 2015 at 5:09 PM, Lee H. Marzke <lee@marzke.net> wrote:
> If I can get the drive unlocked,  I'll try  that.

You may need to do it on a different computer.  I have no idea what
your BIOS is doing, but the BIOS is just a program, and programs do
whatever they were designed to do.  They could make it refuse to work
on the second Tuesday of the month if they wanted to.  Maybe it is
supposed to be a feature linking the BIOS password and the drive
password.  I guess you're hosed if you install two drives with
different passwords in the same machine.

fdisk definitely won't work if the drive is locked, because it reads
the drive.  You would need to use hdparm to see what is going on.
hdparm -I /dev/sda will tell you at the bottom what the security
status of the drive is.  If it is frozen then you have to stick it in
a PC that has a BIOS that won't freeze the drive.  Maybe you could
unplug it and plug it back in again while the PC is powered in AHCI
mode.

But, you may need a vendor-specific command to unlock it if it doesn't
response to a secure erase without a password.

>
> The problem is LVM is inside DM-crypt,  so DM needs to be expanded
> first.     The installer has a script to do this but it only does
> 100% of the drive as DM-crypt/LVM,  and I want part reserved for
> VM's which don't do as well running inside an encrypted partition.

Does DM-crypt actually store metadata including the volume length?  I
thought it was just a passthrough.  If it is then all you have to do
is partition the new drive with two 500GB partitions, dd the old
partitions over them, and then mount them.  DM-crypt will just unlock
each partition as 250GB of whatever was on there before followed by
250GB of random data.  Then you can expand your lvm volumes and/or
filesystems over that space.

If DM-crypt does store the volume length in some kind of metadata,
then there should be some tool to expand the volume.  You just have to
start at the bottom layer and work your way up.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug