Ubuntu – Clarifications on encrypted LVM in Ubuntu, RAID1, and headless server


I’ve pondered about encrypting my hard disk on my laptop and server for quite some time, but never got around to it since I don’t think I understand how encryption affects my day to day usage and the complication in setup and management. I hope to get some clarifications to my questions before I proceed with the tutorial outlined here.

  1. Is encrypting the LVM equivalent to having a full disk encryption? I'm confused because Ubuntu has the option to do LVM encryption and encrypting the home directory.

  2. Once I boot into the OS, are the files I have access to equivalent to files from an unencrypted LVM? That is, can I copy files to usb disks, transfer them through ssh, rsync folders, etc, and have the data that are transferred make sense on their new location (unencrypted)? Or do I have to do anything special to use those files at the new location?

  3. On my server, I currently have two 1.5tb disks set up using hardware RAID1. This is actually the first time I’m playing with RAID as well. Does using RAID1 with an encrypted LVM complicate things? That is, do these instructions appy?

  4. My server is remote (at school) and I don’t always have physical access to it. However, if I reboot remotely I would have to enter in the passphrase before the OS can boot. Have you dealt with this? This post suggests early-ssh.

  5. I plan to add two 2tb disks to the server via hardware RAID1 in the near future. Of course, I would also want the content of the new disks be encrypted. How complicated would it be to add in the new disks and how would one go about doing so? Would it be possible to keep these two mirror disks as “separate” from the original disks? That is, would it be possible to unplug these disks and mount them on another computer? How would I access the encrypted content?

I look forward to hearing from you! Thanks!

Note that I did ask these same questions on the tutorial's comments, but I figure I'd get more responses and explanations here.

Best Answer

  • 1 - When using encrypted LVM on Debian/Ubuntu a partition is created. DM-CRYPT is setup on that partition, and then a LVM volume is created within the encrypted DM-CRYPT volume. If you use it for all your partitions, then it basically is full disk encryption.

  • 2 - Using the encrypted LVM, once the system is booted and the volumes are mounted everything after that is transparent. This does mean that if someone is able to remotely compromise your system while it is turned on and the drives are mounted, then they simply don't know or care about the encryption.

  • 3 - Using software RAID with DM-CRYPT and LVM is easy. I have it setup on half a dozen boxes. Setup the RAID, then Setup an Encrypted volume on the RAID, then Setup LVM on the Encrypted Volume.

  • 4 - I haven't found a good solution to this. I guess one thing you could do is come up with a IP-based KVM. That early SSH tool does look like it should work.

  • 5

    • Yes you can add them, it is pretty easy.
    • Setup the RAID, run cryptsetup, create the LVM volume group. Update crypttab/fstab if you want things automatically mounted
    • Moving a volume to another system is Linux system should be as easy as moving the physical drives and mounting them.

Just take some time to read the following docs. It is all pretty easy.

Related Topic