LVM and encrypted Logical Volumes

I have been playing with the Logical Volume Manager (LVM) on my recent Debian installs. Instead of creating a traditional partition layout on a hard drive, LVM adds a layer of abstraction over physical storage that allows the creation of "virtual" partitions.

For my netbook home server setup I used the Debian installer's manual partitioning tools to assign a partition to LVM, create a Volume Group (VG) and Logical Volumes (LVs), with plenty of storage space to spare. [1] After a successful first boot I configure an encrypted container for data storage that is manually mounted by a non-root user. I don't want an unattended server halting in the boot process waiting for a passphrase or any necessary boot mountpoints to reside on an encrypted partition.

Let's go!

Scan my netbook for devices visible to LVM ...

# lvmdiskscan
/dev/vg/root              [      14.90 GiB]
/dev/sda1                 [     487.00 MiB]
/dev/vg/swap              [     952.00 MiB]
/dev/sda2                 [     465.28 GiB] LVM physical volume
/dev/mapper/vg-swap_crypt [     952.00 MiB]
3 disks
1 partition
0 LVM physical volume whole disks
1 LVM physical volume

Check for free space in the volume group ...

# vgdisplay
[...]
Free  PE / Size       115060 / 449.45 GiB
[...]

0. Create

I create a 400GB data logical volume in the volume group ...

# lvcreate --size 400G vg --name data

Information about the LVs can be displayed with the lvdisplay command.

1. Encrypt

Configure LUKS encryption on the newly-created LV ...

# cryptsetup luksFormat /dev/vg/data

Open LV data under vg-data_crypt, format with a filesystem, and mount ... [2]

# cryptsetup open /dev/vg/data vg-data_crypt
# mkfs.ext4 -m 1 /dev/mapper/vg-data_crypt
# mount /dev/mapper/vg-data_crypt /mnt

When finished, unmount the filesystem and close the encrypted LV ...

# umount /mnt
# cryptsetup close /dev/mapper/vg-data_crypt

2. Mountpoint

I create a dedicated mountpoint for the LV in /media ...

# mkdir /media/crypt_data

Modify /etc/fstab and allow mounting by a non-root user ...

/dev/mapper/vg-data_crypt /media/crypt_data        ext4    relatime,noauto,user       0       0

Open the LV and mount ...

# cryptsetup open /dev/vg/data vg-data_crypt
$ mount /media/crypt_data

Happy hacking!

Notes

[1]For setting up LVM from the beginning and learning about its tools the LVM entries on wiki.debian.org and wiki.archlinux.org are very helpful!
[2]Reserved blocks can be used by privileged system processes to write to disk - useful if a full filesystem blocks users from writing - and reduce disk fragmentation. On large non-root partitions extra space can be gained by reducing the default 5% reserve to 1% with option -m <percent>.

More • lvmcryptolinux