16

I recently installed Fedora 20. I don't recall what exact options I chose for encrypting the disk/LVM during installation. It installed fine and I can log in etc. Here is the situation I have:

I booted up with LiveCD and tried the following: (I have installed Fedora 20 to the /dev/sda3 partition).

  1. If I run cryptsetup open /dev/sda3 fedo I get an error saying it is not a LUKS device.
  2. If I run cryptsetup luksDump /dev/sda3 I get an error saying it is not a LUKS device.
  3. If I run cryptsetup open --type plain /dev/sda3 fedo, it prompts for password and it opens the device fine.

So, obviously, that is a plain-text encrypted (without LUKS header) partition.

Now, when I try to run mount /dev/mapper/fedo /mnt/fedora, it says unknown crypto_LUKS filesystem.

I do have LVM on top of it, so, I can run pvdisplay, vgdisplay, lvdisplay and it shows information. I have a VG called fedora and two LVs, viz 00 for swap partition and 01 for / partition.

Now, if I do a cryptsetup luksDump /dev/fedora/01 I can see LUKS headers etc. And, I can mount by running mount /dev/fedora/00 /mnt/fedora, no password prompt.

So, do I have a LUKS-over-LVM-over-(plain-text)-encrypted partition?

Here is my output of lsblk:

    # lsblk
    NAME               MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
    sda                  8:0    0 37.3G  0 disk
    |-sda3               8:3    0 17.4G  0 part
      |-fedora-00      253:0    0  2.5G  0 lvm
      | |-luks-XXXXX   253:3    0  2.5G  0 crypt [SWAP]
      |-fedora-01      253:1    0   15G  0 lvm
        |-luks-XXXXX   253:2    0   15G  0 crypt /

So, the question is, how to figure out whether I have LVM-over-LUKS or LUKS-over-LVM, or some other combination thereof (LUKS over LVM over LUKS etc)? To make my question clear, I know I have LVM and LUKS, I want to figure out the order of them.

4 Answers

17

cryptsetup luksDump /dev/fedora/01 shows the LVM logical volume to be a LUKS encrypted volume. The output of pvs or pvdisplay would show the partition /dev/sda3 to be a physical volume. Thus you have LUKS over LVM. At a lower level, you have LVM over PC partition.

The output of lsblk confirms this: sda is a disk, sda3 is a partition (which contains an LVM physical volume), fedora-00 and fedora-01 are logical volumes, and each logical volume contains a LUKS encrypted volume.

1
  • Perfect answer and confirms my tests. I can't vote for your answer though as I am a newbie here and don't have high enough reputation :-( Commented Oct 9, 2014 at 0:35
10

It's very odd to have a LUKS inside a plain crypt. Why encrypt twice?

Once your filesystems are mounted, lsblk will show you what's what.

    NAME               MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
    sda                  8:0    0 59.6G  0 disk
    └─sda1               8:1    0 59.6G  0 part
      └─md0              9:0    0 59.6G  0 raid1
        └─luksSSD1     253:9    0 59.6G  0 crypt
          ├─SSD-home   253:0    0   36G  0 lvm   /home
          └─SSD-root   253:10   0   16G  0 lvm   /

This is LVM (/home and / with type lvm) on LUKS (type crypt, luksSSD1) on RAID1 (md0, type raid1) on a regular partition (sda1) on the disk sda.

5
  • Yes, it is weird. I added output of 'lsblk' to my question. Commented Oct 8, 2014 at 19:16
  • @NotSuperMan: well, that looks fine. disk, partition, lvm, and each LV is encrypted. It's a common setup. Your description sounded different somehow. I think your mistake was using cryptsetup --plain on sda3; sda3 is an LVM device, not crypt. Commented Oct 8, 2014 at 22:27
  • Thanks for your help. But, without cryptsetup --type plain, I could not even mount the partition. So, it was not clear to me. Maybe instead of mounting the partition first, I should mount the LV using the LUKS-UUID directly? (I will give that a shot) When I ran fdisk -l /dev/sda it says /dev/sda3 Id is 8e and Type is Linux LVM. Commented Oct 8, 2014 at 23:14
  • OK. Instead of trying to 'cryptsetup open' the partition first, I just used the cryptsetup open /dev/disk/by-uuid/UUID-of-LV SomeName command to open the LV directly and it asked for password etc., and subsequently, I was able to mount the mapped device fine. This explains a lot to me. I think the key is the order of 'crypt' and 'lvm' TYPEs in the output of lsblk command. So, I think my setup is a LUKS-over-LVM. And, from the output you showed, I conclude yours is a LVM-over-LUKS setup. So, I conclude that I should not 'cryptsetup open' a 'Linux LVM' partition. Commented Oct 8, 2014 at 23:48
  • Your comments helped me clear my understandings. Unfortunately, I am unable to vote for your answer as I am a newbie here and don't have high enough "reputation" :-( and so the stackexchange doesn't let me vote for your answer. Commented Oct 9, 2014 at 0:37
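The rule of thumb reached in this answer and its comments (read the order of the lvm and crypt TYPEs from the disk downwards) can be applied mechanically. The following is an added example, not code from any of the posters; it assumes the JSON shape printed by `lsblk -J -o NAME,TYPE` (util-linux 2.27 or later), and both sample trees are constructed here from the lsblk listings on this page.

```python
import json

# Constructed samples in the shape `lsblk -J -o NAME,TYPE` prints.
# ASKER mirrors the question's tree, RAID the tree in the answer above.
ASKER = json.loads("""{"blockdevices": [
 {"name": "sda", "type": "disk", "children": [
  {"name": "sda3", "type": "part", "children": [
   {"name": "fedora-00", "type": "lvm", "children": [
    {"name": "luks-XXXXX", "type": "crypt"}]},
   {"name": "fedora-01", "type": "lvm", "children": [
    {"name": "luks-XXXXX", "type": "crypt"}]}]}]}]}""")
RAID = json.loads("""{"blockdevices": [
 {"name": "sda", "type": "disk", "children": [
  {"name": "sda1", "type": "part", "children": [
   {"name": "md0", "type": "raid1", "children": [
    {"name": "luksSSD1", "type": "crypt", "children": [
     {"name": "SSD-home", "type": "lvm"},
     {"name": "SSD-root", "type": "lvm"}]}]}]}]}]}""")


def chains(node, path=()):
    """Yield (leaf name, TYPE chain from the disk down to that leaf)."""
    path = path + (node["type"],)
    kids = node.get("children") or []
    if not kids:
        yield node["name"], path
    for kid in kids:
        yield from chains(kid, path)


def order(chain):
    """Describe the lvm/crypt stacking, topmost layer first."""
    layers = [t for t in chain if t in ("lvm", "crypt")]
    return " over ".join(reversed(layers)) or "no lvm or crypt layer"


def report(tree):
    # TYPE "crypt" is any dm-crypt mapping, LUKS or plain; lsblk cannot tell
    # them apart, so confirm LUKS with `cryptsetup isLuks` on the parent device.
    return [(name, order(chain))
            for dev in tree["blockdevices"] for name, chain in chains(dev)]


if __name__ == "__main__":
    for label, tree in (("question", ASKER), ("answer", RAID)):
        for name, stacking in report(tree):
            print(f"{label}: {name}: {stacking}")
```

A crypt node only appears in lsblk once its mapping has been opened, so on a LiveCD run this after `cryptsetup open` rather than before.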
4

You can see what you have like so:

    $ sudo blkid | grep crypto_LUKS
    /dev/mapper/fedora-home: UUID="XXXXXXXXXXXXXXXXX" TYPE="crypto_LUKS"

That's a LVM logical volume with crypto LUKS on it. When I mount that volume it's mounted like this under Fedora 20:

    $ mount | grep home
    /dev/mapper/luks-XXXXX on /home type ext4 (rw,relatime,seclabel,data=ordered)

If you did a standard installation you'll have the same thing.

Manually decrypting

I believe you can do the following if you want to do things manually. First to see if something is LUKS or not:

    $ sudo cryptsetup isLuks /dev/mapper/fedora-home
    $ echo $?
    0
    $ sudo cryptsetup isLuks /dev/mapper/fedora-root
    $ echo $?
    1

NOTE: A zero denotes that it is LUKS, a 1 means it's not.

So then to decrypt it:

    $ sudo cryptsetup luksOpen /dev/mapper/fedora-home crypthome

NOTE: You have to enter the passphrase to decrypt the partition. Feel free to change the mapping name crypthome to whatever you want. The mapped partition is now available in /dev/mapper/crypthome but it isn't mounted. The last step is to create a mount point and to mount the mapped partition:

Manually mounting

    $ sudo -Es
    $ mkdir /mnt/crypthome && mount /dev/mapper/crypthome /mnt/crypthome

What crypted partitions do I have?

You can check in the file /etc/crypttab to see what LUKS you have set up too.

    $ more /etc/crypttab
    luks-XXXXXXXX UUID=XXXXXXXX none

Dumping the device

You can also use luksDump like so:

    $ sudo cryptsetup luksDump /dev/mapper/fedora-home
    LUKS header information for /dev/mapper/fedora-home

    Version:        1
    Cipher name:    aes
    Cipher mode:    xts-plain64
    Hash spec:      sha1
    Payload offset: 4096
    MK bits:        512
    MK digest:      XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
    MK salt:        XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
                    XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
    MK iterations:  50625
    UUID:           XXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX

    Key Slot 0: ENABLED
        Iterations:             202852
        Salt:                   XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
                                XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
        Key material offset:    8
        AF stripes:             4000
    Key Slot 1: DISABLED
    Key Slot 2: DISABLED
    Key Slot 3: DISABLED
    Key Slot 4: DISABLED
    Key Slot 5: DISABLED
    Key Slot 6: DISABLED
    Key Slot 7: DISABLED

If it's not a LUKS device then it'll get reported like so:

    $ sudo cryptsetup luksDump /dev/mapper/fedora-root
    Device /dev/mapper/fedora-root is not a valid LUKS device.


0
1

I think the key to find out whether it is a LVM-over-LUKS, or the other way around, is the order of crypt and lvm TYPEs in the output of lsblk command. Based on that reasoning, I conclude my setup is a LUKS-over-LVM. For the lsblk output for a LVM-over-LUKS type of setup, look at the output shown by @frostschultz below.

In my case, since /dev/sda3 is a "Linux LVM" system partition (partition Id 8e), I think instead of trying to cryptsetup open --type plain /dev/sda3 SomeName first, I should have mapped the LVM directly by running the command cryptsetup open /dev/disk/by-uuid/UUID-of-LV SomeName command to open the LV directly. I tried this and it works as I expected.

Thanks to all the folks who contributed to help me understand this.
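What a device holds can be checked from its on-disk signature before anything is opened, which is what `cryptsetup isLuks` and `blkid` rely on. The following is an added example, not code from any of the posters: it looks for the LUKS magic and the LVM2 physical-volume label in the first 2 KiB of a device or image. The sample buffers are constructed, and `identify_device` is a hypothetical helper name.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"   # first 6 bytes of a LUKS header
SECTOR = 512


def identify(head: bytes) -> str:
    """Classify the first 2 KiB of a block device by on-disk signature."""
    if head[:6] == LUKS_MAGIC:
        # The 16-bit big-endian format version follows the magic.
        (version,) = struct.unpack(">H", head[6:8])
        return f"LUKS{version}"
    # LVM2 writes its PV label into one of the first four sectors,
    # normally sector 1: "LABELONE" at offset 0, "LVM2 001" at offset 24.
    for n in range(4):
        label = head[n * SECTOR:(n + 1) * SECTOR]
        if label[:8] == b"LABELONE" and label[24:32] == b"LVM2 001":
            return "LVM2 physical volume"
    # Plain dm-crypt has no header, so there is nothing to find here and
    # nothing for `cryptsetup open --type plain` to check a passphrase against.
    return "no LUKS or LVM2 signature"


def identify_device(path: str) -> str:
    """Read the start of a device or image file (needs read permission)."""
    with open(path, "rb") as dev:
        return identify(dev.read(4 * SECTOR))


# Constructed sample: a partition carrying an LVM2 PV label in sector 1.
PV_HEAD = bytes(SECTOR) + b"LABELONE" + bytes(16) + b"LVM2 001" + bytes(480)
# Constructed sample: a logical volume that starts with a LUKS version 1 header.
LUKS_HEAD = LUKS_MAGIC + struct.pack(">H", 1) + bytes(2040)

if __name__ == "__main__":
    print("partition:", identify(PV_HEAD))
    print("logical volume:", identify(LUKS_HEAD))
```

Because plain mode has no header to validate, a successful `cryptsetup open --type plain` says nothing about whether the device was ever encrypted that way.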
