Ubuntu Security :: LUKS On LVM And Resizing Partition
May 10, 2010
I have a LVM logical volume, that contains a LUKS encrypted volume, on which is an ext4 filesystem. I shrank the partition to the minimum size. Next step is to luksClose the device, and then to resize the LVM logical volume. I suspect that LUKS has overhead. So if the ext4 filesystem was resized from, say 1TB to 500G, I have the idea that resizing the LVM LV to 500G does not take LUKS overhead into account and this might corrupt data on the end of the FS. So, what's the smart move to take? How do I calculate the safe minimum LV size? Or should I just give the 500G disk a few gigabytes extra to be sure?
May 9, 2011
If I encrypt my root partition with luksFormat on my laptop and the battery suddenly goes out without a proper shutdown, do I stand a big chance of corrupting the LUKS header or key slot?
Feb 22, 2010
I'm trying to have a LUKS encrypted partition mounted at startup and to have GDM ask for my key so it will decrypt. Now I followed [URL] to the letter. Except for now, I have it just mounted into /mnt/cryptohome so I'm not messing with my system. My problem is the one everyone mentions in the comments: Ubuntu isn't asking for the LUKS key in the X display, it's asking in the first terminal (Ctrl-Alt-F1). This will not do. I need it to ask to mount my drive before I'm even asked to log in, so eventually I can encrypt my /home.
Jul 19, 2010
I'm planning a fresh F13 install, with separate partitions for /boot, /home, /tmp, /, and swap. All but /boot will be logical volumes, and I'd like to encrypt all but boot. If I encrypt the underlying partitions, is there any reason to also encrypt the logical volumes themselves?
My system will be:
HP dv6-3040us Pavilion laptop
AMD Phenom II
4GB DDR3
May 20, 2010
Has anyone had any experience with unlocking a LUKS encrypted root partition via ssh? It is OK to leave /boot unencrypted.
There are a few pages from Google for the Debian variants, achieved by putting dropbear into the initrd.
I'd like to do that with my Fedora/CentOS remote servers, but struggle to find any resources specific to it. Does anyone have any suggestions and thoughts as to what might be a suitable way forward?
Mar 9, 2011
Has anyone tried encrypting the boot partition to prevent the kernel from being modified? I've tried following this but I'm running into issues when building. [URL] I'm using the source from bzr checkout [URL] Last time I tried I screwed grub and it wouldn't boot.
Jan 21, 2009
I need a FREE solution that can image an entire LUKS system encrypted volume and the rest of the used HDD, the MBR and /boot partition. Note: MBR and /boot are not encrypted. Note 2: I want to be able to restore the entire drive from the image with only a couple of steps. Note 3: Destination HDD space is a factor. The image file must be compressed and must be around 40 to 50 GB or less. The smaller the image the better.
I have used the Clonezilla live CD before but not for encrypted volumes. I know you can install it in Linux. But I don't know how to configure it after installation. I would be very happy if someone could tell me how to configure Clonezilla in Fedora. How-to guides are also welcome. I have one more question. If I image the encrypted volumes and all the stuff I mentioned above while logged in to Fedora, and I restore the drive from the image, will the recovered drive still be encrypted?
May 11, 2010
I need to change my LUKS partition to NTFS as I do not need the boot partition any longer, but I need to keep sdb3 (truecrypted ext3) intact. This is how the disk looks now:
Code:
Disk /dev/sdb: 1000.2 GB, 1000204886016 bytes
255 heads, 63 sectors/track, 121601 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
[code]....
Jan 8, 2010
When 10.04 is released I'll encrypt my /home partition using luks. I've read that xts is good for hard drive encryption and aes is good for cipher encryption. I'm looking for something that is fairly secure without sacrificing a lot of speed.
Jul 29, 2010
I am trying to decide whether or not to use LUKS with an LVM install for a NAS box: mysql, postfix, ddns, bind, NFS, sshd, AppleTalk, maybe samba. I have decided to give LVMs a try but am not sure how LUKS will affect access to services. The LAN includes a standalone headless web server (not on LVM, no LUKS). Aren't permissions, iptables and firewalls sufficient? I'm not sure how services are supposed to interact if everything is encrypted, especially root.
So far what I have read recommends vgOS /, swap, /var, /tmp encryption and vgdata /home encryption, but no one tells how they did it. The 2 servers I'm working on only have a small /home for admin stuff and I'm considering making the NAS headless, except I read somewhere that some GUI would make it easier to manage mysql, which brings me to the question: if I don't install X on the NAS, can I ssh in with my desktop using its GUI? I am experimenting with minimal server tagfiles. LUKS and LVMs are new to me. I decided to use LVMs to separate OS from data and different data types, and for resizing flexibility. I have read some material on LUKS and just wonder if it's more complicated than my needs require. Certainly I don't want to leave myself open to someone just destroying my setup for kicks.
Jan 3, 2010
I'm just wondering - what is the best way to set up your encrypted volumes with dm_crypt and LUKS?
My understanding was that aes-lrw was better than aes-cbc - and then I stumbled upon [url] which says that LRW has some problems, and XTS is better? I don't know enough about encryption theory to be able to say anything, so I'm hoping some folks more enlightened will be able to say something here.
I was previously using aes-lrw-benbi to set up a volume. If xts is truly better - should I be using '-c aes-xts-benbi' then?
Oct 4, 2010
I'm simply interested in a more basic discussion of why one would choose one of these methods over the other. What do they offer that the other does not? I'll start with what I know:
- dm-crypt/LUKS
--- included in a lot of install images already; in other words, perhaps easier to implement on a fresh install
- TrueCrypt
--- multiple encryption algorithms possible
[code]....
For me... I have no need for Windows compatibility, though I do use OS X on a dual booting MacBook. I believe TrueCrypt works with OS X, so that could be a bonus, though I can simply encrypt my home folder on OS X with its own FileVault and be fine. My setup (after wiping and starting over) will probably be like so:
- /boot on its own primary partition
- / on its own primary partition with logical partitions within
--- /usr, /var, /etc, /opt, and the like on a logical partition
--- /home on a logical partition
/home will surely be encrypted and I'm leaning toward encrypting the rest as well, though perhaps it's not necessary. I'm open to input there as well -- is there anything that leaks from normal application use into /var or /tmp that would make one lean toward just encrypting the whole thing?
I opened up TrueCrypt just to look at it and since I can't encrypt a whole partition without losing data... I pretty much have to encrypt from what? A live CD? This could be a drawback -- I think since TrueCrypt isn't coming on install disks, I'd have to go with an unencrypted (or dm-crypt/LUKS) root partition and then use TrueCrypt to make a container (or partition) for /home only. I can't think of another way to do this since I can't encrypt the whole disk as one entity with my dual booting situation...
Apr 4, 2011
I have a perfectly OK 2.5 inch disk drive from a dead laptop (graphics card failed).
The hard drive is fine. I know the passphrase.
I had installed Ubuntu 10.04 with full disk encryption using dm-crypt/LUKS using the alternate install CD.
I'm not exactly sure of the configuration I selected. Just that it's full disk encryption with a pre-boot passphrase prompt.
Now my issue is, I have put the drive into a USB drive docking station, and I simply want to mount the partition on my new laptop, so I can copy the files over.
I've tried googling for various things like "mount dm-crypt drive linux" and "how to mount a luks encrypted partition linux", but I get no results.
Jul 22, 2010
Now, however, it's not letting me resize the Windows partition, mounted or unmounted. It currently occupies the whole disk. I would rather not reinstall the whole thing over again, but I will if I have to. Isn't there an easy way to shrink a Windows partition? I swear I've done this before and it wasn't this hard. Could it be a problem with the Mint installer that now asks me if I want to unmount my disks before it goes into install mode? On this PC I would like to have
Windows XP
Mint
Ubuntu-Studio
Edubuntu
One of the E17 OSs
Puppy Linux (to create a remix)
I am probably going to put most of the Linux partitions on the second laptop drive but I want to install files on a non-Windows NTFS partition.
Aug 20, 2011
I need to resize (increase) a LUKS partition. I have found a lot of manuals, but they are just for LVM volumes (I don't use LVM and I don't plan to use it). I have the HDD split into 4 parts:
sda1(/)
sda2(LUKS)
unallocated
swap
I want to increase the LUKS partition by using part of the unallocated space.
BUT I don't want to do the following:
Backup data from LUKS partition
Delete LUKS partition
Create new bigger LUKS partition
Restore data to the LUKS partition
Jun 17, 2010
1.) I am wondering how to re-lock an encrypted partition which has been unlocked, using LUKS? On boot, I am asked automatically for the passphrase to unlock my partitions. After doing a backup, I want to lock the encrypted partition again, but I don't know the command?! I unmounted the partition but after mounting it again, I was not asked for the passphrase but had access to my data.
2.) How secure is the default Fedora version of LUKS? Is TrueCrypt better?
Mar 20, 2011
Is LUKS the best data/system encryption? Or is there one that is even better and stronger?
Feb 15, 2010
I want to give Mandriva 2010 a shot, and I want to resize my 500gb /home partition (logical) to make some room. It's an ext4 partition. Do you reckon I'll be safe resizing it from the Mandriva installer? or should I use an Ubuntu LiveCD first?
Apr 1, 2011
I didn't like the fact that Ubuntu allocated like 5 gigs of swap with its automatic partitioning / install. So I decided to shrink it with GParted. Now it doesn't show up when I boot; I have to select swap on in GParted to use it.
Jun 30, 2010
I have a really tricky and maybe interesting problem with an encrypted disk partition (cryptsetup luks...) which was fine until it accidentally got re-formatted by an instance of Windows 7. Most of the data on that 1TB disk will probably still exist, only the LUKS header at the very beginning of the partition is - of course - gone.
So when I try to open the container, it gives no verbose output, just the return value 234.
I scanned the whole partition for other LUKS headers with hexedit, none there. But, luckily, I have another partition which is encrypted in the exact same way with the exact same passphrase (which I remember very well!), so I had an idea: I copied the LUKS header (592 bytes) from the other LUKS encrypted partition over to the damaged partition.
When I now issue
Code:
Code:
No key available with this passphrase
Here is the command how I created the container:
Code:
How do I get the existing passphrase accepted by LUKS?
May 27, 2010
I'm having a problem auto-mounting a new luks partition. I have crypttab and fstab entries. I already have my primary encrypted partition (root) mounting at boot (from the install), but after creating this one manually, it does not open on boot. It auto-mounts when I run the following command manually after boot: sudo luksOpen /dev/disk/by-uuid/<uuid> mycrypt
/etc/crypttab entry:
personalcrypt /dev/disk/by-uuid/a1af5b7b-db58-4690-b586-b74407795e2c none luks
/etc/fstab entry:
[code]...
Oct 26, 2010
I'm trying to migrate my LVs over to a Luks volume (prompt on password at boot). Unfortunately, as soon as I add my luks-encrypted physical volume to my volume group, I'm no longer able to update my grub configuration. I've detailed my steps below:
I've created and unlocked my encrypted partition with the following:
Code:
sudo cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sdb1
sudo cryptsetup luksOpen /dev/sdb1 crypto_agilityssd
My /etc/crypttab looks like this:
[Code].....
Aug 18, 2010
I run Fedora 13 on my laptop (dual boot with Windows 7) and I just created a new partition to hold sensible data, encrypted with LUKS. I followed this tutorial for creating it. Now, everything went well and the new partition works well. But I needed something a little different from what the tutorial suggested, because I don't want the partition to be mounted on the system each time it boots, but I would (unlock and) mount it manually when I need it.
To do so I just didn't follow the tutorial steps from 7 to 13, thinking that without the changes to crypttab and fstab the partition wouldn't even be touched by the startup process. And that's partially true: the partition isn't mapped nor mounted in the system when I boot, but the problem is that it nevertheless keeps asking for the passphrase to unlock it even if it doesn't get mounted or mapped. It just asks for it before the system loads all its parts (udev, filesystems, etc.) and I can't understand why, or what it uses it for if it doesn't unlock it. So my question is: why does it ask for the passphrase to unlock LUKS if I haven't set crypttab and fstab to mount the partition on startup?
Jun 20, 2010
I'd like to know if there's a simple way to create a LUKS encryption drive with different passwords? A real one that leads to one set of data, and another that leads to a whole different set of data. Is this even possible with LUKS?
Apr 25, 2010
Recently, I started protecting all user-accessible filesystems on my Sidux desktop machine with LUKS. Before that, I would regularly erase traces of deleted data, and I wonder if this is still necessary.
It would be most valuable to me to be pointed towards a good introductory article on the underlying mechanics of LUKS and cryptsetup, as there are a few more minor questions to be answered. Unfortunately, I lack the necessary mathematical and cryptographic background to understand scientific papers.
Mar 11, 2010
Today I was messing around with my partitions, and I decided to shrink my main partition that had Windows on it, so that I could have one big storage partition and then a Windows 7 one and an Ubuntu one. Well, it didn't really work so I decided just to wait for Lucid to come out and start with a fresh install. So I went into EASEUS Partition Manager and resized my main Windows 7 partition back to its normal size. It had to reboot and did its stuff, and then when I restarted my computer, grub was showing the grub rescue> thing. So I went into the Windows 7 recovery disk, and tried all the BootRec.exe options. None of those worked. So I decided to go to the extreme and just delete Ubuntu completely.
I deleted the entire partition with GParted and then resized the main partition all the way. Then I booted into an Ubuntu live USB and re-installed Ubuntu. I thought it would just reinstall Grub and I would be able to get to both Ubuntu and Windows 7. It did install Grub, but now I can only boot into Ubuntu. It's really weird, because I can boot into Windows, it just says starting Windows and does the loading thing. And then EASEUS Partition Manager comes and says that all resize operations were completed successfully (because I hadn't booted into Windows since I resized stuff with it) and then the screen just stays black for a long time. I don't know what to do. If I wait long enough, my computer just reboots...
Aug 4, 2010
Are there any bad effects of resizing a partition? (like loss of data).
Dec 16, 2010
I know there are probably a lot of threads about LVM, however they aren't addressing my problem. I want to extend the PEs available in a VG. This VG already has LVs and those are active and mounted. From what I read in the manpage of pvresize this should be perfectly possible.
Code:
pvresize resizes PhysicalVolume which may already be in a volume group and have active logical volumes allocated on it.
I did the following steps and wonder if anyone has the same issue. The machine I am talking about is an ESX VM.
1. Resized the vmdk in ESX (+1G)
2. Let the kernel reread the device geometry: echo 1 > /sys/block/sdc/device/rescan
3. fdisk shows me the new size... so far so good
4. I resize the partition using fdisk (remove, recreate) and gave it the 8e type (lvm)
5. wrote config to disk
6. executed partprobe
7. pvresize /dev/sdc
Here it goes wrong! Pvresize says in the verbose output it sees the same size however at the end it says the pv has been resized. I have seen when I put volumes "offline" using vgchange -a n vg on a test machine, and then try pvresize it seems to work ok. This is against what is in the manual as it says pvresize should work on online mounted volumes.
Feb 1, 2016
I have two basically identical harddrives that are encrypted with LUKS containing a complete debian installation:
Code:
root@x200s:/home/b# lsblk --fs
NAME             FSTYPE      LABEL UUID                                   MOUNTPOINT
sda
├─sda1           ext2              0b851969-281e-4db2-8a5b-3798e801711b   /boot
├─sda2
└─sda5           crypto_LUKS       cfcf63ef-448a-4f72-9f58-8f7731cf3dfc
  └─sda5_crypt   LVM2_member       21CS3f-SQeQ-XcMr-kyDs-OPtR-egmT-HkvJAu
[Code] ....
sda is what I currently run to write this text, sdb is my former harddrive, connected via USB.
I want to access the root partition on sdb.
The problem is:
Code:
cryptsetup luksOpen /dev/sdb5 oldhd
Enter passphrase for /dev/sdb5:
root@x200s:/home/b# ls /dev/mapper/
control oldhd sda5_crypt x200s--vg-root x200s--vg-swap_1
root@x200s:/home/b# mount /dev/mapper/oldhd /mnt/
mount: unknown filesystem type 'LVM2_member'
[Code] ..
Before all this, both sda and sdb were in the same volume group. I renamed the volume group of sdb to "oldDisk"
using
Code:
vgrename <UUID> oldDisk
How can I access the data on the root filesystem of my sdb?
Nov 8, 2009
I need to access /etc/modprobe.d on an encrypted LVM LUKS partition. I'm not sure how to go about it though. Mount usually handles my mounting needs; do I need to decrypt the physical volume first? A list of the commands needed would make my day.