On 01/12/10 05:58, Matthias Scheler wrote:
> On Tue, Jan 12, 2010 at 11:12:30AM +0100, Adam Hamsik wrote:
>> If it causes problems to configure CGD on top of LVM it should be fixed, because that is the right way it should be done IMHO. Because this way you have the flexibility of lvm with cgd encryption on top of it.
>
> I would argue that you should use LVM on top of CGD because you want to hide the fact which logical volumes with what sizes exist on your system.
>
> Kind regards

This is interesting. I've been going over this issue in my head for a while now. I understand both points but was wondering if you or someone could clear something up for me. If LVM is used on top of CGD it would seem the partitions would have to be fixed already, thus eliminating the ability to repartition except in the case of adding a new storage medium. For example, how could I resize /home to add more space from the current disk? On the other hand, if we use CGD on top of LVM, we can resize partitions to accommodate new space requirements for partitions on the same disk. Since CGD sits on top of the logical volume, everything would still remain encrypted. Does this make sense?
If it has not already been done I'd like to come up with a straightforward technique for using lvm + cgd to accomplish full disk encryption, or minimally /home encryption, such that the user does not have to 'guess' what size partitions he/she should create. I would especially find this useful on my laptop. There are a number of issues with this idea. The first is that the kernel and other startup data would have to be moved out of / and into a separate partition (/boot) so that it can remain unencrypted and essentially decrypt the rest of the encrypted drive. Popular Linux setups leave /boot unencrypted and then encrypt the rest of the disk, which is placed in an lvm. Another scenario, and the one that I find particularly useful, is Ubuntu's per-user home encryption. I'm not sure how the internals work, but basically instead of requiring a password to decrypt the partition, it uses the user's password as a key and transparently encrypts/decrypts the home directory when the login is successful. This of course protects most of the private data someone would have without encrypting things like common libraries that may slow down the system.
I'm not sure if any of this work has already been done or if anyone has any information regarding it. I've gone over the LVM and CGD chapters in the guide but haven't seen anything directly related. This is important functionality to me, so if it does not exist I'm going to try to accomplish it and provide results if I'm successful. Any input would be greatly appreciated.
Charlie
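As an added example, not part of Charlie's, Matthias's or Adam's messages, here are the two stackings the thread argues about written out as NetBSD command sequences for cgdconfig(8) and lvm(8), limited to an encrypted /home as Charlie's "minimally /home encryption" case. The backing partition wd0e, the volume group name vg0, the 20G logical volume size and the cipher parameters (aes-cbc 256, the cgdconfig default key generation) are assumptions, as is the use of the raw device names (/dev/rcgd0d, /dev/rwd0e, /dev/vg0/rhome) at each layer. By default the script only prints the commands (DRY_RUN=1) so it can be read and checked; it does nothing to a disk unless run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Constructed example: the two cgd/lvm stackings from the thread as NetBSD
# command sequences. Device names, sizes and cipher settings are assumptions.
# DRY_RUN=1 (default) prints each command instead of executing it.
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Stacking 1: LVM on top of CGD (Matthias's suggestion). One cgd device covers
# the whole partition, so the LVM metadata (volume names, sizes, how many
# volumes exist) is inside the ciphertext. Growing /home later means growing
# the logical volume inside vg0, which only works while vg0 has free extents.
lvm_over_cgd() {
    part=$1                                                # e.g. wd0e
    run cgdconfig -g -o /etc/cgd/"$part" aes-cbc 256       # write parameter file
    run cgdconfig cgd0 /dev/"$part"                        # prompts for passphrase
    run lvm pvcreate /dev/rcgd0d                           # physical volume is the cgd
    run lvm vgcreate vg0 /dev/rcgd0d
    run lvm lvcreate -L 20G -n home vg0                    # leave space free for resizing
    run newfs /dev/vg0/rhome
    run mount /dev/vg0/home /home
}

# Stacking 2: CGD on top of LVM (Adam's suggestion). The volume group is in the
# clear, so volume names and sizes are visible on the raw disk, but the cgd
# sits on a logical volume that lvm can resize with the usual tools.
cgd_over_lvm() {
    part=$1
    run lvm pvcreate /dev/r"$part"
    run lvm vgcreate vg0 /dev/r"$part"
    run lvm lvcreate -L 20G -n home vg0
    run cgdconfig -g -o /etc/cgd/home aes-cbc 256
    run cgdconfig cgd0 /dev/vg0/home /etc/cgd/home         # cgd backed by the LV
    run newfs /dev/rcgd0d
    run mount /dev/cgd0d /home
}

# Returns 0 if the first command of a stacking's output is the layer that ends
# up directly on the raw partition; used to check the ordering of each plan.
bottom_layer() {
    "$1" wd0e | sed -n '1s/ .*//p'
}
```

Either way the kernel and bootloader stay on an unencrypted partition, as Charlie's /boot point notes; with `cgd=YES` and `lvm=YES` in /etc/rc.conf and a matching /etc/cgd/cgd.conf line for the cgd in question, the rc.d scripts assemble the stack at boot and ask for the passphrase before /home is mounted.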