[dm-crypt] help mounting partitions in an encrypted disk after first reboot

Carl-Daniel Hailfinger c-d.hailfinger.devel.2006 at gmx.net
Sun Jun 18 17:25:41 CEST 2017

On 18.06.2017 09:25, Michael Kjörling wrote:
> On 18 Jun 2017 08:49 +0200, from julio.gago at metempsy.com (Julio Gago):
>> cryptsetup luksFormat --cipher aes-xts /dev/sdc
>> cryptsetup luksOpen /dev/sdc sdc
>> fdisk /dev/mapper/sdc
>> (created partitions manually)
>> mkfs.ext4 /dev/mapper/sdc1
>> mkfs.ext4 /dev/mapper/sdc2
>> mount /dev/mapper/sdc1 /part1_dmcrypt
>> mount /dev/mapper/sdc2 /part2_dmcrypt
> What you have done here is to sub-partition a LUKS container using MBR
> partitions.
> [...]
> A typical setup would more likely be to partition the disk, then set
> up a separate LUKS container (possibly with derived keys, which would
> allow you to open all LUKS containers by opening just one) on each
> partition. An alternative typical setup would be to create a LUKS
> container over the whole disk and use that container as a single file
> system, with no partitioning (in the sense of MBR or GPT) involved.
> If you have your heart set on sub-partitioning the LUKS container (in
> order to conceal the fact that the LUKS container is divided into
> distinct portions), I suppose you could create a LVM container within
> the LUKS container, then create logical volumes within the LVM
> container, then file systems on those, for an end result of something
> like:
> Physical storage
>     LUKS
>         LVM
>             LV
>                 FS
>             LV
>                 FS
>             LV
>                 FS
>             ...
> That would probably have better chances of working reliably than what
> you have now. You'd open the LUKS container, then import the LVM
> container, which will import the LVs within it and make the file
> systems within those available for mounting. The LVM metadata would be
> encrypted on disk by virtue of the LVM container existing fully within
> the LUKS container, so the data security properties should be very
> similar to those you'd get with your proposed partitions-within-LUKS
> scheme.

That (LVM inside a LUKS container) is the standard scheme proposed by
Ubuntu for an encrypted installation. It works out of the box (needs
just a single click in the Ubuntu installer), is well-tested and
supports resizing the encrypted logical volumes at a later date.

If you don't need an unencrypted boot partition on that disk and if you
want to do all of this manually instead of trusting the installer, you
can try these commands which pretty much exactly replicate what Ubuntu
does by default.

cfdisk /dev/sdc
(create a single partition spanning the whole disk)
cryptsetup luksFormat --cipher aes-xts /dev/sdc1
cryptsetup luksOpen /dev/sdc1 sdc1_crypt
pvcreate /dev/mapper/sdc1_crypt
vgcreate encryptedvolumegroup /dev/mapper/sdc1_crypt
lvcreate --size 500G --name backups encryptedvolumegroup
lvcreate --size 100G --name documents encryptedvolumegroup
lvcreate --size 50G --name email encryptedvolumegroup
mkfs.xfs /dev/mapper/encryptedvolumegroup-backups
mkfs.ext3 /dev/mapper/encryptedvolumegroup-documents
mkfs.reiserfs /dev/mapper/encryptedvolumegroup-email
mount /dev/mapper/encryptedvolumegroup-backups /backups
mount /dev/mapper/encryptedvolumegroup-documents /documents
mount /dev/mapper/encryptedvolumegroup-email /email


More information about the dm-crypt mailing list