Encryption with a Funky Partition Layout
Published: 2016-01-18
I recently ran into some trouble with the system while mucking around and decided to take the opportunity to restructure my partitioning layout and do a full OS reinstall, this time with full disk encryption (except /boot). Suffice it to say, the Fedora installer is fairly flexible, but not nearly enough to support a mix of mdadm, LUKS, and LVM.
Before I tell you–roughly–how I did it, here are the results:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 447.1G 0 disk
├─sda1 8:1 0 512M 0 part /boot
└─sda2 8:2 0 446.6G 0 part
  ├─vg_SIIIKE-root 253:0 0 59.6G 0 lvm
  │ └─luks-SIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIKE 253:3 0 59.6G 0 crypt /
  ├─vg_SIIIKE-lv_swap 253:1 0 14.9G 0 lvm
  │ └─luks-SIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIKE 253:2 0 14.9G 0 crypt [SWAP]
  └─vg_SIIIKE-home 253:4 0 372.1G 0 lvm
    └─luks-SIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIKE 253:9 0 372.1G 0 crypt /home
sdb 8:16 0 119.2G 0 disk
└─sdb1 8:17 0 119.2G 0 part
  ├─vg_SIIIKE-lv_var_cache_cdata 253:5 0 115G 0 lvm
  │ └─vg_SIIIKE-lv_var 253:8 0 1.8T 0 lvm
  │   └─luks-SIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIKE 253:10 0 1.8T 0 crypt /var
  └─vg_SIIIKE-lv_var_cache_cmeta 253:6 0 1G 0 lvm
    └─vg_SIIIKE-lv_var 253:8 0 1.8T 0 lvm
      └─luks-SIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIKE 253:10 0 1.8T 0 crypt /var
sdc 8:32 0 1.8T 0 disk
└─md0 9:0 0 1.8T 0 raid1
  └─vg_SIIIKE-lv_var_corig 253:7 0 1.8T 0 lvm
    └─vg_SIIIKE-lv_var 253:8 0 1.8T 0 lvm
      └─luks-SIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIKE 253:10 0 1.8T 0 crypt /var
sdd 8:48 0 1.8T 0 disk
└─md0 9:0 0 1.8T 0 raid1
  └─vg_SIIIKE-lv_var_corig 253:7 0 1.8T 0 lvm
    └─vg_SIIIKE-lv_var 253:8 0 1.8T 0 lvm
      └─luks-SIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIKE 253:10 0 1.8T 0 crypt /var
To clarify, I have an SSD with /, /home, and swap on it and a software RAID-1 set with an SSD as a caching layer in front of it. The partitions (sda2, sdb1, and md0) are all physical volumes in the same volume group. I simply created logical volumes in that volume group and directed that they reside on certain physical volumes (such a handy feature). Then it was simply a matter of encrypting them with LUKS, configuring crypttab, and configuring fstab.
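A way to check a layout like this for the property the post is after (every mount except /boot sitting on a LUKS mapping), as an added example that is not the author's code: it walks the JSON tree printed by lsblk -J -o NAME,TYPE,MOUNTPOINT and reports mounts with no crypt device in their stack. The embedded JSON is constructed and trimmed from the listing above, with placeholder device names, and the function name is hypothetical.

```python
import json

# Constructed sample in the shape of `lsblk -J -o NAME,TYPE,MOUNTPOINT`,
# trimmed from the listing above (parent disks of sdb1/md0 omitted, names
# are placeholders). The cached lv_var repeats under each cache sub-volume.
VAR_LUKS = ('{"name":"vg-lv_var","type":"lvm","mountpoint":null,"children":['
            '{"name":"luks-var","type":"crypt","mountpoint":"/var"}]}')
VAR_PLAIN = '{"name":"vg-lv_var","type":"lvm","mountpoint":"/var"}'  # no LUKS layer
LAYOUT = """{"blockdevices":[
 {"name":"sda","type":"disk","mountpoint":null,"children":[
  {"name":"sda1","type":"part","mountpoint":"/boot"},
  {"name":"sda2","type":"part","mountpoint":null,"children":[
   {"name":"vg-root","type":"lvm","mountpoint":null,"children":[
    {"name":"luks-root","type":"crypt","mountpoint":"/"}]},
   {"name":"vg-lv_swap","type":"lvm","mountpoint":null,"children":[
    {"name":"luks-swap","type":"crypt","mountpoint":"[SWAP]"}]}]}]},
 {"name":"sdb1","type":"part","mountpoint":null,"children":[
  {"name":"vg-lv_var_cache_cdata","type":"lvm","mountpoint":null,"children":[@VAR@]},
  {"name":"vg-lv_var_cache_cmeta","type":"lvm","mountpoint":null,"children":[@VAR@]}]},
 {"name":"md0","type":"raid1","mountpoint":null,"children":[
  {"name":"vg-lv_var_corig","type":"lvm","mountpoint":null,"children":[@VAR@]}]}]}"""


def unencrypted_mounts(lsblk_json, allowed=("/boot",)):
    """Return mounts (including swap) with no crypt device anywhere in their stack."""
    exposed = set()  # a set, because stacked devices repeat in lsblk's tree

    def walk(dev, encrypted):
        # A child is stacked on its parent, so the crypt property is inherited.
        encrypted = encrypted or dev["type"] == "crypt"
        mount = dev.get("mountpoint")
        if mount and not encrypted and mount not in allowed:
            exposed.add(mount)
        for child in dev.get("children", []):
            walk(child, encrypted)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return sorted(exposed)


if __name__ == "__main__":
    print(unencrypted_mounts(LAYOUT.replace("@VAR@", VAR_LUKS)))   # layout as described
    print(unencrypted_mounts(LAYOUT.replace("@VAR@", VAR_PLAIN)))  # /var on the bare LV
```

On a live system, pass it the output of lsblk -J -o NAME,TYPE,MOUNTPOINT instead of the sample.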
Unfortunately, you can accomplish very few of these tasks in the Fedora Desktop installer. I initially tried to configure everything outside of the installer hoping that it would get the hint and leave everything alone. The problem there is that the Workstation version doesn't know how to handle software RAID sets properly. I tried using the Server version but it did its own munging of things by making certain assumptions about how I wanted to do LVM.
In the end, since really only /var was going to be a special snowflake, I decided to install everything on the primary SSD, then after the installation configure the /var volumes and migrate the newly installed /var over to its new home. This worked better than expected, and other than having to boot single to fix a fat-fingered fstab, everything booted right up.
While I don't think the Fedora installers need the ability to generate arbitrary partitioning schemes, it would be nice to have some sort of "I know what I'm doing please leave my partitions alone" mode.