[dm-crypt] help mounting partitions in an encrypted disk after first reboot

Michael Kjörling michael at kjorling.se
Sun Jun 18 09:25:28 CEST 2017


On 18 Jun 2017 08:49 +0200, from julio.gago at metempsy.com (Julio Gago):
> cryptsetup luksFormat --cipher aes-xts /dev/sdc
> cryptsetup luksOpen /dev/sdc sdc
> fdisk /dev/mapper/sdc
> (created partitions manually)
> mkfs.ext4 /dev/mapper/sdc1
> mkfs.ext4 /dev/mapper/sdc2
> mount /dev/mapper/sdc1 /part1_dmcrypt
> mount /dev/mapper/sdc2 /part2_dmcrypt

What you have done here is to sub-partition a LUKS container using MBR
partitions.

You can do that, _technically_ (as you have found out), but I dare say
that it's not a typical setup. You are therefore likely to run into
edge cases that have seen relatively little testing, and some things
that might just be plain difficult to get to work reliably. I suspect
that what you are seeing here is more the latter than the former.

A typical setup would more likely be to partition the disk, then set
up a separate LUKS container (possibly with derived keys, which would
allow you to open all LUKS containers by opening just one) on each
partition. An alternative typical setup would be to create a LUKS
container over the whole disk and use that container as a single file
system, with no partitioning (in the sense of MBR or GPT) involved.

If you have your heart set on sub-partitioning the LUKS container (in
order to conceal the fact that the LUKS container is divided into
distinct portions), I suppose you could create a LVM container within
the LUKS container, then create logical volumes within the LVM
container, then file systems on those, for an end result of something
like:

Physical storage
    LUKS
        LVM
            LV
                FS
            LV
                FS
            LV
                FS
            ...

That would probably have better chances of working reliably than what
you have now. You'd open the LUKS container, then import the LVM
container, which will import the LVs within it and make the file
systems within those available for mounting. The LVM metadata would be
encrypted on disk by virtue of the LVM container existing fully within
the LUKS container, so the data security properties should be very
similar to those you'd get with your proposed partitions-within-LUKS
scheme.

-- 
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)
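The Physical storage > LUKS > LVM > LV > FS stack described in the reply above, written out as commands, together with what has to be re-done after a reboot. This is an added example and not part of the original message or of the cryptsetup project; it assumes the disk is /dev/sdc and the mount points are /part1_dmcrypt and /part2_dmcrypt as in the quoted commands, and it invents the mapping name "cryptdisk", the volume group name "vg_crypt", the LV names and the 20G size. With DRY_RUN=1 (the default) every command is only printed, so the script can be read and run without root or a spare disk; DRY_RUN=0 executes them and is destructive.

```shell
#!/bin/sh
# Build a LUKS -> LVM -> LV -> FS stack and bring it back after reboot.
# Added example, not from the thread. Assumed names (not in the original):
# DISK=/dev/sdc (as in the quoted commands), MAPNAME=cryptdisk, VG=vg_crypt,
# LVs lv_part1/lv_part2. DRY_RUN=1 prints commands; DRY_RUN=0 runs them.
set -eu

DISK="${DISK:-/dev/sdc}"
MAPNAME="${MAPNAME:-cryptdisk}"
VG="${VG:-vg_crypt}"
DRY_RUN="${DRY_RUN:-1}"

# Print a command, or execute it when DRY_RUN=0.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One-time creation. The LUKS container spans the raw disk, so the only
# thing visible on /dev/sdc is a LUKS header; the PV/VG/LV metadata lives
# inside the encrypted mapping. aes-xts-plain64 is the full cipher spec
# (cipher-mode-iv) cryptsetup expects; 512 bits is two 256-bit XTS keys.
create_stack() {
    run cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 "$DISK"
    run cryptsetup open "$DISK" "$MAPNAME"
    run pvcreate "/dev/mapper/$MAPNAME"
    run vgcreate "$VG" "/dev/mapper/$MAPNAME"
    run lvcreate -L 20G -n lv_part1 "$VG"   # 20G is an assumed example size
    run lvcreate -l 100%FREE -n lv_part2 "$VG"
    run mkfs.ext4 "/dev/$VG/lv_part1"
    run mkfs.ext4 "/dev/$VG/lv_part2"
}

# After every reboot: open LUKS first (LVM cannot see the PV until the
# mapping exists), activate the VG, then mount the LVs.
reopen_stack() {
    run cryptsetup open "$DISK" "$MAPNAME"
    run vgchange -ay "$VG"
    run mount "/dev/$VG/lv_part1" /part1_dmcrypt
    run mount "/dev/$VG/lv_part2" /part2_dmcrypt
}

# Tear-down is the reverse order; "cryptsetup close" reports the device
# as busy while the VG is still active on top of it.
close_stack() {
    run umount /part2_dmcrypt
    run umount /part1_dmcrypt
    run vgchange -an "$VG"
    run cryptsetup close "$MAPNAME"
}

# /etc/crypttab entry so the initramfs/boot scripts open the container.
# The UUID is the LUKS header UUID (cryptsetup luksUUID "$DISK"),
# not a filesystem UUID; "none" prompts for the passphrase.
crypttab_line() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# /etc/fstab entry for an LV; /dev/VG/LV paths are stable across reboots,
# unlike the /dev/mapper/sdc1 names a sub-partitioned container produces.
fstab_line() {
    printf '%s %s ext4 defaults 0 2\n' "$1" "$2"
}

# Quick consistency check of an open stack: the LUKS status and the PV
# listing should name the same backing device.
check_stack() {
    run cryptsetup status "$MAPNAME"
    run pvs -o pv_name,vg_name --noheadings "/dev/mapper/$MAPNAME"
}

case "${1:-}" in
    create) create_stack ;;
    reopen) reopen_stack ;;
    close)  close_stack ;;
    check)  check_stack ;;
esac
```

Usage: `sh luks-lvm.sh create` prints the creation sequence, `DRY_RUN=0 sh luks-lvm.sh reopen` actually opens and mounts the stack after a reboot. With a crypttab line for the container and fstab lines for the LVs in place, the distribution's boot scripts perform the reopen step themselves, which is the part the partitions-within-LUKS layout makes awkward: nothing standard knows to run fdisk-style partition scanning on a freshly opened /dev/mapper device.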

