- Encrypt Linux LVM with Linux Unified Key Setup (LUKS) using Cockpit - Tue, Nov 14 2023
Warning: You should experiment first with something you don't care about losing data on, such as a USB drive or virtual machine, before implementing it in a production environment. Modifying partitions or encryption settings on a system can result in permanent data loss, so make sure you have (working) backups.
Understanding logical volume management (LVM)
LVM is a robust storage management system that provides various useful features, such as volume resizing, snapshots, and data security features, such as RAID and encryption. It simplifies the storage management of Linux systems by abstracting physical storage devices into logical volumes.
The following are crucial concepts with regard to encrypting LVMs:
- Logical volumes: Virtual partitions created from the pool of storage made available in the LVM. They function like traditional disk partitions but have the added benefit of flexibility. Unlike traditional partitions, logical volumes can span multiple physical disks and can be resized (either increased or decreased) on the fly without the need to unmount the filesystem or cause downtime.
- Volume groups: Logical volumes are created within a volume group (VG). One or more physical volumes (any block device, such as a disk, LUN, or partition) can be put into a VG. This VG can be configured to provide redundancy (allowing for various types of software RAID).
- Linux Unified Key Setup (LUKS): LUKS is a disk encryption specification. It is not unique to LVM, but rather can manage encryption on any type of disk. In this article, we will be configuring "LUKS on LVM," which is shorthand to describe encrypting at the logical volume (LV) level. As a result, the encrypted LV will be visible to the system but can only be opened after entering a key. This is useful if you want a per-user volume, for example, to provide encrypted home directories. The other option is LVM on LUKS, which indicates that the entire block device is first encrypted with LUKS, and LVM resides on top of it after being unlocked.
Install Cockpit and its storage plugins
For most distributions, both LUKS and LVM support is built into the kernel and the necessary tools are installed as part of the base packages, so no additional software needs to be installed. I will be installing tools to help me configure these systems using a web-based graphical user interface (GUI) named Cockpit. Cockpit, LVM2, and Trusted Platform Module (TPM) 2.0 tools come standard on Red Hat Enterprise Linux but may need to be installed on Ubuntu or other distributions.
To install Cockpit, the storage plugin for Cockpit, and the LVM2 plugin for udisks2 on a Debian-style system, do this as an administrative user:
sudo apt install cockpit cockpit-storaged udisks2-lvm2
Udisks2 provides an application interface for storage-related operations, such as formatting, detaching, or notifying apps about disk changes.
Once Cockpit is installed, it should be reachable at your Linux machine's IP address on port 9090 (if you're on the same machine, it's https://localhost:9090/). You may have to open port 9090 in your firewall, depending on your setup. Note that your browser will give a warning, as the SSL certificate is self-signed. Log in using any account with admin privileges.
Creating an LVM configuration on a blank disk
If you want to use a volume group that is already installed, you may skip the first few steps. I will create a simple LVM setup on an empty (attached) disk using Cockpit. After logging in to Cockpit, click Turn on administrative access and type in your account password.
Go to the Storage tab, and then on the right-hand side, you should see Devices and Drives. Drives represents the physical hardware, and Devices represents the virtual block systems, which can be a software RAID volume, or in my case, the boot drive's LVM2 Volume Group.
For the purposes of this article, I have added a second drive that is just 25 GB, since I don't want to modify my boot system. Make sure to use the correct drive for your use case and that the drive is empty. Click the disk to see and delete any existing data partitions.
Alternatively, run wipefs -a /dev/vdb from the command line, which wipes the vdb device entirely (find the correct name for your device in the Cockpit interface). Once you have a blank disk, click the blue button with the three lines (hamburger) in Devices. Note that the disk doesn't need to be formatted, but you can do so and create regular partitions if necessary in the Drives interface.
Next, select Create LVM2 volume group.
Once selected, a form will pop up. You can give the volume group a name (default vgroup0 is fine) and select the disk/partition you want to use. If you have not created partitions, it will use the entire disk space for the volume group (VG). Once created, the VG will now be shown in the Devices list. Click it to open it.
If you wanted to perform LVM on (top of) LUKS, you would first format the partition or drive you want the LVM volume group to reside on using LUKS, unlock it, and then create the LVM volume group on top of that; however, in this case, we are going with LUKS (on top of) LVM, as this will be the basis for our full-disk encryption configuration in a future article.
Subsequently, we will add a logical volume (LV) in much the same way: click the button and give it a name. As indicated above, a volume group (VG) can span multiple devices and provision block devices (like regular fixed partitions) or become a pool for thin-provisioned volumes. A VG can have multiple LVs, so you can mix them according to your needs (e.g., reserve a volume of space for the operating system in one LV and later add a thin provisioning pool for VMs).
For the purposes of this article, I will provision a thin volume. An LV may have options such as Grow. If you grow the underlying volume group (by adding more disks or provisioning more storage to a VM/cloud server), or if you didn't use all the space when creating your LV, you can grow it at any time (if there is space available).
Once you have created a few volumes, you will notice that various other features, such as snapshots, growing, and shrinking, become available. You may notice that each of the LVs also becomes available as a block device, so if you simply wanted a raw storage device, you could point your application to /dev/vgroup0/lvol1, /dev/vgroup0/lvol2, etc.
For our purposes, I simply want to make one of the unformatted volumes available as a formatted and encrypted LUKS partition with the data at mount point /mnt/my_encrypted_vol (LUKS on LVM).
So, I click the Format button, give it a name, and enter the mount point and filesystem type. I must also enter a passphrase for my encrypted space. You may want to select Never mount at boot because the system doesn't know your passphrase and can't continue to mount the disk until you enter a passphrase manually. However, if your applications (such as a database) depend on that data, you will need to mount it at boot time, and an administrator will need to be nearby every time the system reboots.
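As an added example (not from the article), the same LUKS-on-LVM layout built from the command line, so you can see exactly which layer each Cockpit click corresponds to. The device /dev/vdb, the names vgroup0, thinpool, lvol1 and my_encrypted_vol, the 20G/10G sizes and the ext4 filesystem are assumptions chosen to match the walk-through above; the script only prints its commands unless you set DRY_RUN=0.

```shell
#!/bin/sh
# Added example: CLI equivalent of the Cockpit "LUKS on LVM" steps.
# Names, sizes and the device path are assumptions matching the article's
# walk-through. Destructive: wipefs, pvcreate and luksFormat erase the disk,
# so commands are only printed unless DRY_RUN=0 is set explicitly.
set -eu

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# luks_on_lvm_setup DISK VG LV MAPPER MOUNTPOINT
luks_on_lvm_setup() {
    disk=$1 vg=$2 lv=$3 mapper=$4 mnt=$5

    # 1. Blank disk, then physical volume and volume group
    #    (Cockpit: "Create LVM2 volume group")
    run wipefs -a "$disk"
    run pvcreate "$disk"
    run vgcreate "$vg" "$disk"

    # 2. Thin pool plus a thin logical volume carved from it
    #    (Cockpit: thin volume inside the VG)
    run lvcreate -L 20G -T "$vg/thinpool"
    run lvcreate -V 10G -T "$vg/thinpool" -n "$lv"

    # 3. LUKS container on the LV: encryption sits on top of LVM, so the LV
    #    itself stays visible and only its contents are protected.
    #    luksFormat prompts for the passphrase.
    run cryptsetup luksFormat --type luks2 "/dev/$vg/$lv"
    run cryptsetup open "/dev/$vg/$lv" "$mapper"

    # 4. Filesystem inside the unlocked container, then mount it
    run mkfs.ext4 "/dev/mapper/$mapper"
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$mapper" "$mnt"

    # 5. Checks: the LV must carry a LUKS header, and lsblk should show
    #    the chain disk -> lvm -> crypt -> mountpoint
    run cryptsetup isLuks "/dev/$vg/$lv"
    run lsblk -o NAME,TYPE,FSTYPE,MOUNTPOINT "$disk"
}

luks_on_lvm_setup /dev/vdb vgroup0 lvol1 my_encrypted_vol /mnt/my_encrypted_vol
```

Run it once as-is to review the printed plan, then with DRY_RUN=0 as root to apply it.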
We will discuss key management, multiple keys, and TPM2 in a future article. For now, when I unmount the file system, or if I reboot, I will need to manually mount the file system by using my passphrase and clicking the Mount button.
In this article, you've learned what LVM is all about and a simple way of creating volume groups, logical volumes, and some of the features of LVM. In the following article, we discuss how to automatically decrypt the volume using a TPM2 device to store the key.