[LUKS over LVM] or [LVM over LUKS]?

[x220tux]

Scenario:

• I have two free partitions say sda2 and sda5 between which there are other NTFS partitions in use wiht important data.

Goal:

• Combine these two partitioins together like a single partition;

• Install Gentoo on this new combined single partition;

• Gentoo system is encrypted.

My current idea:

• First, cryptsetup (LUKS) to encrypt sda2 and sda5 with different keyfile;

• Then create a single volume group (VG) on top those two paritions;

• After that, create LVM partitions like root, swap and home;

Problem:

• I cannot generate a correct genkernel initramfs to decrypt those two partitions at boot.

Ask for help:

• Should I first create volume group; then cryptsetup with LUKS?

• Or any ideas how to orgranize the two partitions to install fully encrypt Gentoo

[frostschutz]

Personally, I'm using LVM on LUKS. That is because I wish to be able to use 'lvcreate' and have the new LV automatically encrypted because the entire disk already is encrypted.

Basically I'm using full disk encryption with a flexible LVM on top so I don't have to worry that there may be unencrypted parts anywhere.

With LUKS on top of LVM, you have to remember to create a new LUKS container for each LV you create, and you have to find a way to open all of them when you need them. Of course it also gives you the choice of leaving some LV unencrypted.

In the end there is no solution better than the other, it all depends on taste and how you like to set things up.

Although from your description I would suggest you merge those two free partitions into one instead in order to achieve a less complicated setup. If you want some suggestions in that direction you should show us your current partition table (using `parted /dev/disk unit s print free` or similar).

[x220tux]

Personally, I'm using LVM on LUKS. That is because I wish to be able to use 'lvcreate' and have the new LV automatically encrypted because the entire disk already is encrypted.

Basically I'm using full disk encryption with a flexible LVM on top so I don't have to worry that there may be unencrypted parts anywhere.

With LUKS on top of LVM, you have to remember to create a new LUKS container for each LV you create, and you have to find a way to open all of them when you need them. Of course it also gives you the choice of leaving some LV unencrypted.

In the end there is no solution better than the other, it all depends on taste and how you like to set things up.

Although from your description I would suggest you merge those two free partitions into one instead in order to achieve a less complicated setup. If you want some suggestions in that direction you should show us your current partition table (using `parted /dev/disk unit s print free` or similar).

frostschutz, many thanks.

Basically my two free partitions to be used are separated by other partitions in use. This is `parted -a optimal /dev/sda unit s print free`:

Code: Select all

livecd ~ # parted -a optimal /dev/sda unit s print free
Model: ATA HITACHI HTS72323 (scsi)
Disk /dev/sda: 625142448s
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start       End         Size        File system  Name                          Flags
        34s         2047s       2014s       Free Space
 1      2048s       616447s     614400s     ntfs         Basic data partition          hidden, diag
 2      616448s     821247s     204800s     fat32        EFI system partition          boot
 3      821248s     1083391s    262144s                  Microsoft reserved partition  msftres
 4      1083392s    174082047s  172998656s  ntfs         Basic data partition
        174082048s  236675071s  62593024s   Free Space
 5      236675072s  420995071s  184320000s  ntfs         Basic data partition
 6      420995072s  605315071s  184320000s  ntfs         Basic data partition
        605315072s  625142414s  19827343s   Free Space

You can see that the free space after partition '4, (Windows8.1)' and after '5, 6 (NTFS data)', on which I want to install Gentoo with 'full disk LUKS'. The other partitions '1, 2 (EFI partition), and 3' are for Windows as well. I have done a full backup of NTFS data. Up to now, I have collected some ideas:

1. Remove partition 5 and 6 to get large continuous free space, so I can to create partitions for NTFS and Gentoo. But that will consume me lots of time for copying data back to newly created NTFS partitions. It is not a smart scheme.
2. As you suggested, I might be able to merge those free space, and achieve 'LVM over LUKS'. I don't know how to do that.
3. First use LVM to merge free space and get 'a logical single partition'; use LUKS to encrypt the logical partition. I can achieve 'LUKS over LVM'. As you mentioned, LVM partitions cannot be changed latter on.

I would like to follow your direction, namely the 2nd idea. So could you help how to get to that?

[x220tux]

Personally, I'm using LVM on LUKS. That is because I wish to be able to use 'lvcreate' and have the new LV automatically encrypted because the entire disk already is encrypted.

Basically I'm using full disk encryption with a flexible LVM on top so I don't have to worry that there may be unencrypted parts anywhere.

With LUKS on top of LVM, you have to remember to create a new LUKS container for each LV you create, and you have to find a way to open all of them when you need them. Of course it also gives you the choice of leaving some LV unencrypted.

In the end there is no solution better than the other, it all depends on taste and how you like to set things up.

Although from your description I would suggest you merge those two free partitions into one instead in order to achieve a less complicated setup. If you want some suggestions in that direction you should show us your current partition table (using `parted /dev/disk unit s print free` or similar).

frostschutz, by 'LUKS over LVM', I have to create separate LUKS container for each newly created logical volume like root, swap, home etc? Can not I just create a single LUKS container for the whole logical partition (as logical volume group)?