====== Creating an encrypted LVM mirror setup ======

==== LVM ====

=== Creating the physical volumes (PVs) ===

  * ''pvcreate ///dev/sdb//''
  * ''pvcreate ///dev/sda//''

=== Creating the volume group (VG) and logical volume (LV) ===

  * ''vgcreate //webster /dev/sda /dev/sdb//''
  * ''lvcreate -l 99%FREE -m1 -n //websterlv webster//''
    * Note: The 99% value is helpful if you have to replace one member of the mirror with another disk. The new disk may have the same specified capacity, but might actually be ever so slightly smaller (or larger), which would make the replacement impossible without reducing the logical volume and file system size first.
  * Another example, a 3-disk RAID 5 volume: ''%%lvcreate --type raid5 -i 2 -l 99%FREE yoko -n yoko%%''

==== Encryption ====

=== Creating and opening the encrypted container ===

  * ''cryptsetup luksFormat ///dev/mapper/webster-websterlv//''
  * ''cryptsetup luksOpen ///dev/mapper/webster-websterlv webstercrypt//''

==== Filesystem ====

== Creating the filesystem ==

For example:

  * ''mkfs.xfs ///dev/mapper/webstercrypt//''
  * ''mkfs.ext4 ///dev/mapper/webstercrypt//''
  * or whatever you like

== Mounting the filesystem ==

  * ''mount ///dev/mapper/webstercrypt /mnt/webster//''

or an fstab entry:

  * ''/dev/mapper/webstercrypt /mnt/webster xfs defaults,rw,noauto 0 0''
    * Note: ''noauto'' is important, because the LUKS container has to be unlocked before the file system can be mounted.

Note: At this point, there are several abstraction levels:

^ Description ^ Path ^
| the physical devices | ''/dev/sda'' \\ ''/dev/sdb'' |
| the volume group | //(no path in file system)// |
| the logical volume | ''/dev/mapper/webster-websterlv'' |
| the unlocked cryptsetup container | ''/dev/mapper/webstercrypt'' |
| the file system, once mounted | ''/mnt/webster'' |

==== Integration ====

To mount the volume on the next boot, you'll have to follow these steps:

  - ''cryptsetup luksOpen /dev/mapper/webster-websterlv webstercrypt''
  - ''mount /dev/mapper/webstercrypt /mnt/webster''

One way to semi-automatically mount the encrypted volume after each boot is described in [[luks-volumes_per_systemd_einbinden|this article]]. In this scenario, you issue a single command after booting and enter the password; systemd then takes care of unlocking, mounting and starting the services that depend on that data.

==== Removing a missing mirror ====

  - ''vgreduce --removemissing --mirrorsonly --force megacherry''

==== "Device /dev/mapper/x does not exist or access denied when opening" ====

  - There is no device node in /dev/mapper. Re-activate the volume group: \\ ''vgchange -ay x''
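
The two steps under Integration, combined with the volume group re-activation from the last entry, as an added shell example that is not part of the original page. The device and mount names are the page's; ''DEV_ROOT'', ''DRY_RUN'', ''run'' and ''unlock_and_mount'' are names made up for this example.

```shell
#!/bin/sh
# Added example: unlock and mount the mirror from this page in one step.
# webster, websterlv, webstercrypt and /mnt/webster are the page's names;
# DEV_ROOT, DRY_RUN, run and unlock_and_mount are hypothetical helpers.
VG=webster
LV=websterlv
CRYPT=webstercrypt
MNT=/mnt/webster
DEV_ROOT=${DEV_ROOT:-/dev/mapper}

# With DRY_RUN set, print the command instead of executing it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

unlock_and_mount() {
    lv_dev="$DEV_ROOT/$VG-$LV"
    crypt_dev="$DEV_ROOT/$CRYPT"

    # No device node for the LV: the volume group is not active yet.
    if [ ! -e "$lv_dev" ]; then
        run vgchange -ay "$VG" || return 1
        if [ -z "${DRY_RUN:-}" ] && [ ! -e "$lv_dev" ]; then
            echo "$lv_dev still missing after vgchange" >&2
            return 1
        fi
    fi

    # Open the LUKS container only if its mapping does not exist yet.
    if [ ! -e "$crypt_dev" ]; then
        run cryptsetup isLuks "$lv_dev" || {
            echo "$lv_dev has no LUKS header" >&2
            return 1
        }
        run cryptsetup luksOpen "$lv_dev" "$CRYPT" || return 1
    fi

    # Mount only if nothing is mounted on the mount point already.
    if ! mountpoint -q "$MNT" 2>/dev/null; then
        run mount "$crypt_dev" "$MNT" || return 1
    fi
    return 0
}

# Run for real only when asked to: sh unlock.sh --run (as root).
if [ "${1:-}" = "--run" ]; then
    unlock_and_mount
fi
```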