[dm-crypt] (More) Questions about LUKS / LVM

Milan Broz mbroz at redhat.com
Tue Sep 20 15:13:24 CEST 2011


On 09/20/2011 01:47 PM, Arno Wagner wrote:
> The encryption can be established as long as the header and
> at least on ekeyslot are intact. If you cut the power just in the
> microsecond while a keyslot is written you would damage that
> keyslot. If it was your only one and you do not have a header backup,
> then you would have total data loss. That is the only scenario
> I can think of. In normal operation, the header is not written.

Yes, for open and normal activation/deactivation nothing is written
to LUKS header.

And all keyslot operation are done through sync|direct io path
(avoids cache) so it should hit hw immediately.

> Keep in mind that LVM adds to the complexity when you have to do
> data recovery when something went wrong. Other that that it sounds
> like a good approach.

You can say that the same for MD.

Btw LVM has much better recovery abilities than other systems.
Just people are not so familiar with them.

I tried to show it some time ago in some talk,
you can check how easy is to recover complete disaster
(slides are not perfect, missing most of the comments)
http://mbroz.fedorapeople.org/talks/LinuxAlt2009_2/ 

But use of lvm2 is completely optional.
What is complex is incredible complicated lvm2 user interface (CLI),
here I fully agree. But even for notebook, pvmove or online resize
is useful sometimes.

>> (I keep daily backups of $HOME and of essential system settings, the
>> rest can be reinstalled if needed, but I'd prefer not to have to spend a
>> few days recovering everything if I had a hard reset or something like
>> that.)
> 
> You will not damage the encrypted data in normal operation.
> All the header-damages reported were done during installation,
> repartitioning, moving partitions, etc. 

These days is my favorite to LUKS damage bad MD resync
(usually mistake in partition change or MD metadata format change).
(No idea why such problems come in batches to lists :)

Milan


More information about the dm-crypt mailing list