[dm-crypt] help mounting partitions in an encrypted disk after first reboot

Julio Gago julio.gago at metempsy.com
Sun Jun 18 10:30:09 CEST 2017


 ---- On Sun, 18 Jun 2017 09:25:28 +0200 Michael Kjörling <michael at kjorling.se> wrote ---- 

 > What you have done here is to sub-partition a LUKS container using MBR
 > partitions.
 > 
 > You can do that, _technically_ (as you have found out), but I dare say
 > that it's not a typical setup. You are therefore likely to run into
 > edge cases that have seen relatively little testing, and some things
 > that might just be plain difficult to get to work reliably. I suspect
 > that what you are seeing here is more the latter than the former.
 > 
 > A typical setup would more likely be to partition the disk, then set
 > up a separate LUKS container (possibly with derived keys, which would
 > allow you to open all LUKS containers by opening just one) on each
 > partition. An alternative typical setup would be to create a LUKS
 > container over the whole disk and use that container as a single file
 > system, with no partitioning (in the sense of MBR or GPT) involved.
 > 
 > If you have your heart set on sub-partitioning the LUKS container [...]

Well, I didn't have a strong opinion between encrypting first or partitioning first. Because I was going to encrypt all partitions inside the disk, it just seemed natural to encrypt once and then partition, as opposed to partitioning and encrypting several times. Fewer containers and fewer operations looked better :). In retrospect, and re-reading the FAQ, I can now see clearly that I cornered myself into one alternative that was not listed in there. I really have no intention of entering the LVM world, I really just wanted some security with encryption :).

From what you say, I assume there is no easy path to go to a more typical setup without reformatting the volumes, hence I will need to schedule some downtime for that. I will stay with the trick to keep the partitions alive via the loop trick until then.

Is that reasonable or do you think I am going to hit reliability issues too?

Thanks a lot for your help,
Julio.


