LVM: How to access a foreign volume group

Xen list at xenhideout.nl
Sat Dec 9 21:08:54 UTC 2017


Volker Wysk wrote on 04-12-2017 2:03:
> Hi!
> 
> I'm about to set up an LVM cache (for my encrypted root file system).

Also, I assume you will encrypt your cache volumes as well?

This is not easy.

I don't think the initrd by default opens non-root encrypted thingies.

So you would need these steps:

1) create second container on cache disk (SSD)
2) open it
3) pvcreate
4) vgextend
5) create your cache pool

6) add a key to the container
7) add the container to /etc/crypttab including its key
8) create another hook in /etc/initramfs-tools/hooks for copying the key 
into the initrd
9) create a script in /etc/initramfs-tools/scripts/local-top that will 
explicitly open the container because I don't think it happens 
otherwise.

10) cause this script to also activate the cache volumes (maybe)

11) create a copy of /usr/share/initramfs-tools/scripts/local-top/lvm2 
in /etc/initramfs-tools/scripts/local-top

12) edit this to have your new "cache_unlock" script as prereq

13) rerun update-initramfs -u

You really need all that to have an encrypted cache.

Here are some of the steps.


1) cryptsetup luksFormat /dev/sdb1   (assuming sdb is your SSD)
2) cryptsetup open /dev/sdb1 cache_crypt
3) pvcreate /dev/mapper/cache_crypt
4) vgextend kubuntu-vg /dev/mapper/cache_crypt
5) lvcreate kubuntu-vg --cache-pool bla bla bla   
/dev/mapper/cache_crypt

6) (umask 077; dd if=/dev/random of=/root/cache.key bs=1M count=1)
6) cryptsetup luksAddKey /dev/sdb1 /root/cache.key

7) echo "cache_crypt /dev/disk/by-uuid/$(blkid /dev/sdb1 -s UUID -o value) /cache.key luks,keyscript=/bin/cat" >> /etc/crypttab

8) cat > /etc/initramfs-tools/hooks/cachekey << 'EOF'
#!/bin/sh
# The quoted 'EOF' stops the shell writing this file from expanding
# $1 and $DESTDIR now; the hook needs them when update-initramfs runs it.

if [ "$1" = "prereqs" ]; then
     exit 0
fi

cp /root/cache.key "$DESTDIR"
EOF

8) chmod +x /etc/initramfs-tools/hooks/cachekey
8) update-initramfs -u

The rest would have to wait.

This is the only way to (automatically) open a 2nd container containing 
the encrypted cache volumes for your cached root.

Buuh.

It doesn't become easier, does it?
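The thirteen steps sketched in the reply above, collected into one script as an added example by the editor; it is not code from the original post or from the Ubuntu/initramfs-tools projects. Assumptions not stated in the post: the SSD partition is /dev/sdb1, the volume group is kubuntu-vg with a root LV named "root", the cache pool is 8G and is attached to that root LV with lvconvert, the key lives at /root/cache.key, and the cache_unlock script is ordered after the cryptroot script because the VG then spans both containers. Privileged commands run only when invoked with `--apply`; the three helper functions only produce the crypttab line and the two initramfs scripts, so they can be inspected before anything touches the disk.

```shell
#!/bin/sh
# Added example, not code from the original post: the thirteen steps of the
# reply as one script. Privileged commands run only with "--apply"; the
# helper functions below just produce text and can be exercised safely.
# Assumptions (not stated in the post): SSD partition /dev/sdb1, volume group
# kubuntu-vg, root LV named "root", an 8G cache pool, key file /root/cache.key.
set -eu

SSD_PART="${SSD_PART:-/dev/sdb1}"   # assumed SSD partition
VG="${VG:-kubuntu-vg}"              # VG name from the post
ROOT_LV="${ROOT_LV:-root}"          # assumed name of the cached root LV
POOL_LV="cache_pool"                # assumed cache pool name
POOL_SIZE="${POOL_SIZE:-8G}"        # assumed pool size
MAPPER="cache_crypt"                # mapper name from the post
KEYFILE="/root/cache.key"           # key file path from the post

# crypttab entry: with keyscript=/bin/cat the third field is handed to cat,
# so it must be the key's path *inside the initrd*, not on the root fs.
crypttab_line() {   # $1 = mapper name, $2 = LUKS UUID, $3 = key path in initrd
    printf '%s /dev/disk/by-uuid/%s %s luks,keyscript=/bin/cat\n' "$1" "$2" "$3"
}

# initramfs-tools hook that copies the key into the initrd. The heredoc is
# quoted so $1 and $DESTDIR reach the hook unexpanded and are evaluated when
# update-initramfs runs it, not when this script writes it. install -m 0600
# keeps the copy inside the initrd owner-only.
hook_script() {     # $1 = key file on the host
    cat <<'EOF'
#!/bin/sh
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in prereqs) prereqs; exit 0;; esac
EOF
    printf 'install -m 0600 %s "$DESTDIR"/cache.key\n' "$1"
}

# local-top script that opens the cache container with the copied key and
# activates the VG (the lvm2 script that runs next does so as well).
# PREREQ="cryptroot" orders it after the root container is open, because the
# VG now spans both containers (this ordering is an assumption).
unlock_script() {   # $1 = LUKS UUID of the SSD partition
    cat <<'EOF'
#!/bin/sh
PREREQ="cryptroot"
prereqs() { echo "$PREREQ"; }
case "$1" in prereqs) prereqs; exit 0;; esac
EOF
    printf 'cryptsetup open /dev/disk/by-uuid/%s %s --key-file /cache.key\n' "$1" "$MAPPER"
    printf 'lvm vgchange -ay %s\n' "$VG"
}

# Steps 1-13 of the post, run as root.
apply() {
    cryptsetup luksFormat "$SSD_PART"                       # 1
    cryptsetup open "$SSD_PART" "$MAPPER"                   # 2
    pvcreate "/dev/mapper/$MAPPER"                          # 3
    vgextend "$VG" "/dev/mapper/$MAPPER"                    # 4
    lvcreate --type cache-pool -L "$POOL_SIZE" -n "$POOL_LV" "$VG" "/dev/mapper/$MAPPER"  # 5
    lvconvert -y --type cache --cachepool "$VG/$POOL_LV" "$VG/$ROOT_LV"  # 5: attach pool
    ( umask 077; dd if=/dev/urandom of="$KEYFILE" bs=4096 count=1 )      # 6: owner-only key
    cryptsetup luksAddKey "$SSD_PART" "$KEYFILE"            # 6
    uuid=$(blkid -s UUID -o value "$SSD_PART")
    crypttab_line "$MAPPER" "$uuid" /cache.key >> /etc/crypttab          # 7
    hook_script "$KEYFILE" > /etc/initramfs-tools/hooks/cachekey         # 8
    chmod +x /etc/initramfs-tools/hooks/cachekey
    unlock_script "$uuid" > /etc/initramfs-tools/scripts/local-top/cache_unlock  # 9-10
    chmod +x /etc/initramfs-tools/scripts/local-top/cache_unlock
    # 11-12: local copy of the lvm2 script with cache_unlock appended to PREREQ,
    # so the copy in /etc overrides the one in /usr/share.
    sed 's/^PREREQ="\(.*\)"/PREREQ="\1 cache_unlock"/' \
        /usr/share/initramfs-tools/scripts/local-top/lvm2 \
        > /etc/initramfs-tools/scripts/local-top/lvm2
    chmod +x /etc/initramfs-tools/scripts/local-top/lvm2
    update-initramfs -u                                     # 13
}

case "${1:-}" in --apply) apply ;; esac
```

Run it as `sh cache_setup.sh --apply` as root, after adjusting the assumed names at the top. Because the key is baked into the initrd, the initrd is now as sensitive as the key; keep /boot's initrd readable by root only, and remember that anyone who can read it can open the cache container, which holds blocks of the encrypted root.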




More information about the ubuntu-users mailing list