Howdy,
I thought I had done this before but it appears I have not. I want to replace an 8TB drive with a 10TB drive and then remove the 8TB drive when
done but these drives are encrypted with cryptsetup on top of LVM. I
looked through my how tos and can't find one for encrypted drives. I
did find them for regular LVM and have done that in the past. While I
have fresh backups, I don't want to test them if not needed. Does this
work just like with LVM or does the encryption change how this is done
or even if it can be done?
I googled and can't really find a good how to. Does anyone have a link
to a 'how to' to do this with encrypted stuff, have notes with the
sequence of commands that I can go by or is this not doable when it is encrypted?
Thanks.
Dale
:-) :-)
Now to replace my /home drive which is also close to full. It's not encrypted tho. The biggest difference in this and plain LVM, resizing
with cryptsetup or close and reopen. Keep in mind, while I did all
this, LUKS, cryptsetup, whatever was open. I'm not sure about this
being done while closed. I did find one mention that it had to be open
at certain points.
On Wed, Sep 14, 2022 at 1:40 AM Dale <rdalek1967@gmail.com> wrote:

> Now to replace my /home drive which is also close to full. It's not
> encrypted tho. The biggest difference in this and plain LVM, resizing
> with cryptsetup or close and reopen. Keep in mind, while I did all
> this, LUKS, cryptsetup, whatever was open. I'm not sure about this
> being done while closed. I did find one mention that it had to be open
> at certain points.

If you want to do operations on a DM volume, then it needs to exist,
which in the cryptsetup world means "open."
Most of the details of how to do an operation like moving around
encrypted volumes depend on the layers you're using (LUKS, LVM,
mdadm, whatever), and how they're stacked. If you're running LVM on
top of LUKS then you create new LUKS volumes and add them to LVM and
move stuff around. If you're running LUKS on top of LVM then you add unencrypted volumes to LVM, extend the LV underlying LUKS, and then
resize the LUKS volume. Last comes resizing whatever filesystems are
on top if desired.
When you want to get advice around these kinds of operations it is
usually necessary to detail exactly how things are set up, because to
Linux they're just layers and you can stack them however you want. A
script that adds a hard drive to your setup will look different if
you're running mdadm on the bottom vs LUKS vs LVM and so on.
Plus if you do things in the wrong order there is actually a chance
that it will work and leave you with half your filesystem on an
encrypted drive and half of it on an unencrypted one, or whatever. DM doesn't care - it just shuffles around blocks and transforms them as
told, and as long as you stack things up the same way every time it
should still work. It just won't necessarily be doing what you want
it to...
I see the point but wasn't aware there was more than one way to do it
with cryptsetup. It seems there are several options for this. I was
pretty sure LVM was on bottom and mentioned it in my original post.
After reading your post, I got to wondering, did I do this the right
way?
So, I started looking to see how to tell for sure. I used several
LVM type commands but didn't see anything that I recognized anyway.
Keep in mind, I'm not real sure what I'm looking for either. Then I ran
lsblk -f and found a clue that I've never noticed before.
sdd
└─sdd1 LVM2_member LVM2 001 pVnP2i-sj48-3co9-nJpa-9tQr-08pa-9JqASR
  └─crypt-crypt crypto_LUKS 2 6e884aae-9377-49ef-a602-e13cba89a377
    └─crypt ext4 1.0 crypt 76653316-329f-4747-8fed-fc9b1723bd14 3.5T 79% /home/dale/Desktop/Crypt
I know that is going to be line wrapped and mess up things
but the part I noticed was the drive partition "sdd1" and "LVM2 member".
On top of that is crypto. So, LVM is on bottom. If that is the case, my pvmove command should be moving what I think you call "raw data", doesn't matter if it is encrypted or not, right?
Just in case it matters, could I have done everything but the file system resize while it was closed? It seems it is basically encrypted on the
layer just below the file system to me.
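As an added example (not part of any message in this thread): a shell script that classifies the stacking order from `lsblk -P -o KNAME,FSTYPE,PKNAME` output, the check done by eye above, and prints the matching drive-replacement sequence for each order described earlier. The sample input is constructed, and NEW1, OLD1, VG, LV, MAPPING, NEWMAP and OLDMAP are placeholders.

```shell
# Constructed sample of `lsblk -P -o KNAME,FSTYPE,PKNAME`, modelled on the thread's layout.
SAMPLE='KNAME="sdd" FSTYPE="" PKNAME=""
KNAME="sdd1" FSTYPE="LVM2_member" PKNAME="sdd"
KNAME="dm-0" FSTYPE="crypto_LUKS" PKNAME="sdd1"
KNAME="dm-1" FSTYPE="ext4" PKNAME="dm-0"'

# Reads lsblk -P lines on stdin; prints luks-on-lvm, lvm-on-luks, mixed or unknown.
stack_order() {
  awk -F'"' '
    { fs[$2] = $4; up[$2] = $6 }   # filesystem type and parent, per kernel name
    END {
      for (d in fs) {
        want = (fs[d] == "crypto_LUKS") ? "LVM2_member" : (fs[d] == "LVM2_member") ? "crypto_LUKS" : ""
        if (want == "") continue
        # Walk towards the disk, looking for the other layer underneath.
        for (p = up[d]; p != "" && (p in fs); p = up[p])
          if (fs[p] == want) { if (want == "LVM2_member") a = 1; else b = 1 }
      }
      print ((a && b) ? "mixed" : a ? "luks-on-lvm" : b ? "lvm-on-luks" : "unknown")
    }'
}

# Prints (does not run) the sequence for OLD1 -> NEW1; every upper-case name is a placeholder.
replacement_plan() {
  case "$1" in
    luks-on-lvm) cat <<'EOF'
pvcreate /dev/NEW1
vgextend VG /dev/NEW1
pvmove /dev/OLD1 /dev/NEW1
vgreduce VG /dev/OLD1
lvextend -l +100%FREE /dev/VG/LV
cryptsetup resize MAPPING
resize2fs /dev/mapper/MAPPING
EOF
      ;;
    lvm-on-luks) cat <<'EOF'
cryptsetup luksFormat /dev/NEW1
cryptsetup open /dev/NEW1 NEWMAP
pvcreate /dev/mapper/NEWMAP
vgextend VG /dev/mapper/NEWMAP
pvmove /dev/mapper/OLDMAP /dev/mapper/NEWMAP
vgreduce VG /dev/mapper/OLDMAP
lvextend -r -l +100%FREE /dev/VG/LV
EOF
      ;;
    *) echo "layout is '$1': inspect it by hand" >&2; return 1 ;;
  esac
}
replacement_plan "$(printf '%s\n' "$SAMPLE" | stack_order)"
```

In the LUKS-on-LVM sequence the mapping has to be open when `cryptsetup resize` runs, and a layout reported as `mixed` or `unknown` gets no plan at all.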
On Wed, Sep 14, 2022 at 08:55:26AM -0500, Dale wrote:

> I see the point but wasn't aware there was more than one way to do it
> with cryptsetup. It seems there are several options for this. I was
> pretty sure LVM was on bottom and mentioned it in my original post.

Indeed you did and it confused me at first. Then I gave it some thought and concluded: why not?

You do it like so:

Block device --,
Block device --+-- LVM --- LUKS --- File system
Block device --'

> After reading your post, I got to wondering, did I do this the right
> way?

Your advantage: only one LUKS header to take care of. That means no extra crypt management when adding or removing disks, except for resizing the crypt volume. And there is only a single place of storage for your keys (in case you ever need to change them).

I’m not sure whether it’s the right™ way. It is *one* way. Perhaps there are
drawbacks that I can’t think of right now.

I would typically have done:

Block device --- LUKS --,
Block device --- LUKS --+-- LVM --- File system
Block device --- LUKS --'

That’s how my NAS works at the moment (with ZFS instead of LVM + filesystem).
But that’s because ZFS didn’t have built-in encryption when I set it up some
years ago. These days I would do:

Block device --,
Block device --+-- ZFS
Block device --'

That’s it. :D Encryption, disk arrays and file system all in one shop.

> So, I started looking to see how to tell for sure. I used several
> LVM type commands but didn't see anything that I recognized anyway.
> Keep in mind, I'm not real sure what I'm looking for either. Then I ran
> lsblk -f and found a clue that I've never noticed before.
>
> sdd
> └─sdd1 LVM2_member LVM2 001 pVnP2i-sj48-3co9-nJpa-9tQr-08pa-9JqASR
>   └─crypt-crypt crypto_LUKS 2 6e884aae-9377-49ef-a602-e13cba89a377
>     └─crypt ext4 1.0 crypt 76653316-329f-4747-8fed-fc9b1723bd14 3.5T 79% /home/dale/Desktop/Crypt
>
> I know that is going to be line wrapped and mess up things

You could have redacted the long UUIDs which aren’t relevant anyways. I write my mail in mutt and vim, thus I can rewrap paragraphs individually and at will. That way I can paint ASCII art, paste over-long console output or write one-line paragraphs like this one. ;-)

> but the part I noticed was the drive partition "sdd1" and "LVM2 member".
> On top of that is crypto. So, LVM is on bottom. If that is the case, my
> pvmove command should be moving what I think you call "raw data", doesn't
> matter if it is encrypted or not, right?

Yup. This kind of layering is one of the big beauties of Linux for me. It’s all interchangeable and layer X doesn’t care what layer X+1 is doing and vice versa.

> Just in case it matters, could I have done everything but the file system
> resize while it was closed? It seems it is basically encrypted on the
> layer just below the file system to me.

I think so, yes.

PS.: All your LVM threads made me embrace LVM on my PC when I recently switched it from SATA to NVMe. And because after many years of ignorance, I finally had an actual use case: my laptop’s root partition became too small and I had to give it some space from the data partition. In my early Gentoo years I didn’t use an initrd and didn’t want to, so LVM was never an option.
But when I set up the (then brand-new) laptop, I used Sakaki’s howto for full-disk encryption, which used an initrd + LVM anyways. This saved the
SSD from a full reformat and rewrite.
> By the way, if someone wants to take this and make a how to out of it
> somewhere, I think it would be great. This is doable. I even rebooted
> and even tho the drives changed SATA ports, it worked fine. So, I guess
> I did it right, even if no one thought it could be done. lol
>
> I really hope this helps someone else. My brain hurts a little. :/
>
> Dale
>
> :-) :-)

If you want, you can slap it into your personal page on the wiki and then it will show up in searches when people go looking for how to do things with LVM and/or cryptsetup.

LMP