Adding a drive to LVM/LUKS encrypted Slackware.

by Jchase2

My Slackware server is configured with full disk LVM / Luks encryption, as outlined in my full disk encryption tutorial. I’ve had an empty drive sitting in my server for over a year, and I’ve finally gotten around to encrypting it, and getting it to decrypt on boot. A problem arises due to the fact that Slackware’s crypttab is processed in it’s rc.S script very early on.

That means I couldn’t just follow the same steps I did in my encryption guide and create an encrypted physical device, I had to do things a bit differently. Turns out, you can’t decrypt two physical volumes on boot, but you can decrypt the primary physical drive, and then a logical volume via crypttab later. Here’s how I did it:

1.) Create a physical volume.

pvcreate /dev/sdbX

Replace sdbx with the location of the new drive. You can find out where this is by running lsblk.

2.) Extend the original group to include that physical volume.

vgextend cryptvg /dev/sdbX

cryptvg is the LVM group I created in the guide linked above for my primary hard drive.

3.) Next, we have to generate a new logical volume underneath of the physical volume.

lvcreate -l 100%FREE -n data cryptvg 

This will generate a new lvm called “data” taking up the entire new drive.

4.) Now, we want to encrypt the lvm we just created:

cryptsetup -s 256 -y luksFormat /dev/cryptvg/data

5.) Next, we decrypt and open it.

cryptsetup luksOpen /dev/cryptvg/data data

6.) Right now, we have a physical volume, a logical volume on that, and an encrypted volume on that. On this encrypted volume, we need a file system.

 mkfs.ext4 /dev/mapper/data

I like ext4, but you can choose whatever you prefer.

7.) Next, we should make sure everything is detected:

vgscan --mknodes && vgchange -ay

8.) At this point, everything is basically set up. We have a new encrypted filesystem in our LVM hierarchy. In order for it to boot, we have to edit the crypttab file and include the encrypted lvm. Edit /etc/crypttab and include something like this:

data      /dev/cryptvg/data  /root/keyfile

We’ll create the keyfile next.

9.) The keyfile is the decryption password the system will use to decrypt the drive on boot. We’ll store it in /root so only someone who gains root access to the base system will be able to access the password. (If it’s compromised, you’re basically already done for, so compromising the extra drive is kind of expected and would happen in most other setups too.)

Generate a key however you like, preferably a long one, and store it in /root/keyfile or some other file you specified in crypttab. Next, run:

cryptsetup luksAddKey /dev/cryptvg/data /root/keyfile

This will add the key to the accepted decryption passwords for the drive.

10.) Next, we’ll need to edit /etc/fstab to include something like:

/dev/mapper/data /data           ext4        defaults         1   2

This will mount the lvm after it’s decrypted into a data directory. Note that you have to create the /data directory beforehand:

mkdir /data

11.) Next, we’ll want to update our mkinird. Just run:

mkinitrd

12.) Update lilo, run:

lilo

And reboot. You should now have your extra hard drive automatically mounting on /data or wherever you specified.

My lsblk output:

Some useful test commands:

lsblk # display hierarchy of devices / volumes

vgdisplay # display volume group

pvdisplay # display physical volumes

lvdisplay # display logical volumes

mount -a # remount everything to see if it’ll mount.

Comments

                                              
                          ,,    ,,            
  mm                      db  `7MM            
  MM                            MM            
mmMMmm ,pW"Wq.  ,pP"Ybd `7MM    MM `7M'   `MF'
  MM  6W'   `Wb 8I   `"   MM    MM   VA   ,V  
  MM  8M     M8 `YMMMa.   MM    MM    VA ,V   
  MM  YA.   ,A9 L.   I8   MM    MM     VVV    
  `Mbmo`Ybmd9'  M9mmmP' .JMML..JMML.   ,V     
                                      ,V      
                                   OOb"