[dm-crypt] gpt over luks - entire data disk encryption

Milan Broz gmazyland at gmail.com
Thu Jul 19 10:43:02 CEST 2012

On 07/19/2012 10:24 AM, Milan Broz wrote:
> On 07/18/2012 11:46 PM, Two Spirit wrote:
> /dev/mapper/raid51p1 is created by kpartx (or some internal code somewhere) and it should _not_ be there,
> MD can handle partitions in kernel since 2.6.38 kernel.
> I see that problem on Fedora 17 as well. I will back to this later, not a LUKS problem but IMHO it is bug.
> I guess you can "dmsetup remove raid51p1" to get rid of this before shutdown, but it is wrong.
> For me, it even doesn't set DM-UUID (someone wrongly copied code from kpartx seems :-)

and it is parted & partprobe...

If you move parted out of the way (I uninstalled parted just for test), the correct activation chain is:
- mdadm -A /dev/md0 [devs...] (or autoactivation)
- cryptsetup luksOpen /dev/md0 md0_crypt  (open LUKS over whole device)
- kpartx -a /dev/mapper/md0_crypt (to create partitions mapping)
(- mount fs etc)

now you should see something like

# lsblk /dev/md0
md0                     9:0    0 446.7G  0 raid5 
└─md0_crypt (dm-0)    253:0    0 446.7G  0 crypt 
  └─md0_crypt1 (dm-1) 253:1    0  33.4G  0 part  

Deactivation is reverse
(-umount fs)
- kpartx -d /dev/mapper/md0_crypt (delete part mapping)
- cryptsetup luksClose md0_crypt
- mdadm --stop /dev/md0

Parted create kpartx devices wrongly seems, so kpartx -d doesn't work for them...

IMHO it is better for you to use LVM here, it will get you more flexibility here.
(Create PV over LUKS mapping and just create LVs according to needs, no part table at all.)


More information about the dm-crypt mailing list