gpt over luks - entire data disk encryption
Two Spirit
2012-07-18 21:46:44 UTC
Hello,

After some corruptions to my luks environment, I got an opportunity to make some upgrades to my setup. I need some help. I'm testing a raid5+1 environment, and would like to do whole data disk encryption with GPT. Once I partition the disk using GPT, I can't run "cryptsetup luksClose". I've done whole disk encryption without a partition table with no problems, and I have also done luks encryption on a GPT partition without problems.

The only way I have found to be able to run luksClose is to blow away the partition table (which is not an acceptable solution). I suspect that udevadm (running ubuntu-12.04) is involved, as a /dev/mapper/raid51p1 exists. When I get rid of /dev/mapper/raid51p1, and only /dev/mapper/raid51 exists, I can then run "luksClose".

Is there any way to have udevadm drop control, or some other workaround, so I can cleanly close my LUKS drive for a clean shutdown procedure?

FYI: with the new 4TB drives in my raid, I have the luxury of some extra disk space and want the option of later creating additional partitions and possibly removing them later. I don't want to have to encrypt each partition separately.
Milan Broz
2012-07-19 08:24:43 UTC
> After some corruptions to my luks environment, I got an opportunity to make some upgrades to my setup.
> I need some help. I'm testing a raid5+1 environment, and would like to do whole data disk encryption
> with GPT. Once I partition the disk using GPT, I can't run "cryptsetup luksClose". I've done
> whole disk encryption without a partition table with no problems, and I have also done luks encryption
> on a GPT partition without problems.

What's the exact device stack here? (paste lsblk output?)

(You have GPT over LUKS device, not directly on /dev/mraid51, correct?)

> The only way I have found to be able to run luksClose is to blow away the partition table (which is not
> an acceptable solution). I suspect that udevadm (running ubuntu-12.04) is involved, as a /dev/mapper/raid51p1
> exists. When I get rid of /dev/mapper/raid51p1, and only /dev/mapper/raid51 exists, I can then run "luksClose".

Someone is running kpartx automatically...

/dev/mapper/raid51p1 is created by kpartx (or some internal code somewhere) and it should _not_ be there;
MD can handle partitions in kernel since the 2.6.38 kernel.

I see that problem on Fedora 17 as well. I will come back to this later; not a LUKS problem, but IMHO it is a bug.

I guess you can "dmsetup remove raid51p1" to get rid of this before shutdown, but it is wrong.
For me, it even doesn't set DM-UUID (someone wrongly copied code from kpartx, it seems :-)

Milan
Milan Broz
2012-07-19 08:43:02 UTC
Post by Milan Broz
> /dev/mapper/raid51p1 is created by kpartx (or some internal code somewhere) and it should _not_ be there;
> MD can handle partitions in kernel since the 2.6.38 kernel.
> I see that problem on Fedora 17 as well. I will come back to this later; not a LUKS problem, but IMHO it is a bug.
> I guess you can "dmsetup remove raid51p1" to get rid of this before shutdown, but it is wrong.
> For me, it even doesn't set DM-UUID (someone wrongly copied code from kpartx, it seems :-)

and it is parted & partprobe...

If you move parted out of the way (I uninstalled parted just for test), the correct activation chain is:
- mdadm -A /dev/md0 [devs...] (or autoactivation)
- cryptsetup luksOpen /dev/md0 md0_crypt (open LUKS over whole device)
- kpartx -a /dev/mapper/md0_crypt (to create partitions mapping)
(- mount fs etc)

Now you should see something like:

# lsblk /dev/md0
NAME                 MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
md0                    9:0    0 446.7G  0 raid5
└─md0_crypt (dm-0)   253:0    0 446.7G  0 crypt
  └─md0_crypt1 (dm-1) 253:1   0  33.4G  0 part

Deactivation is the reverse:
(- umount fs)
- kpartx -d /dev/mapper/md0_crypt (delete part mapping)
- cryptsetup luksClose md0_crypt
- mdadm --stop /dev/md0

Parted seems to create kpartx devices wrongly, so kpartx -d doesn't work for them...

IMHO it is better for you to use LVM here; it will give you more flexibility.
(Create a PV over the LUKS mapping and just create LVs according to your needs, no partition table at all.)

Milan
Milan Broz
2012-07-19 11:07:18 UTC
> After some corruptions to my luks environment, I got an opportunity to make some upgrades to my setup.
> I need some help. I'm testing a raid5+1 environment, and would like to do whole data disk encryption
> with GPT. Once I partition the disk using GPT, I can't run "cryptsetup luksClose". I've done
> whole disk encryption without a partition table with no problems, and I have also done luks encryption
> on a GPT partition without problems.
> The only way I have found to be able to run luksClose is to blow away the partition table (which is not
> an acceptable solution). I suspect that udevadm (running ubuntu-12.04) is involved, as a /dev/mapper/raid51p1
> exists. When I get rid of /dev/mapper/raid51p1, and only /dev/mapper/raid51 exists, I can then run "luksClose".

For now, use

kpartx -d -pp /dev/mapper/raid51

before you try to luksClose (kpartx is part of multipath-tools if not packaged separately).

Milan
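The deactivation order from Milan's second message and the kpartx -d workaround from his third, as an added shell example that is not part of the thread: it reads lsblk output to detect whether a partition mapping (the raid51p1 / md0_crypt1 case) still holds the crypt device open, which is exactly what makes luksClose report the device as busy, and emits the teardown steps in the right order. The device names md0 / md0_crypt follow the thread; the lsblk column set (-rno NAME,TYPE,PKNAME, util-linux) and the constructed sample output are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Plans the teardown of
# MD -> LUKS -> partition-mapping stack in the order Milan gives, after
# checking lsblk for stale partition mappings that would block luksClose.

# Read "NAME TYPE PKNAME" lines (lsblk -r format) from stdin and print the
# names of partition mappings whose parent is $1. Kept separate from the
# live lsblk call so it can be exercised on captured output, no devices needed.
crypt_children() {
    awk -v parent="$1" '$2 == "part" && $3 == parent { print $1 }'
}

# Same check against the running system (assumes util-linux lsblk).
live_crypt_children() {
    lsblk -rno NAME,TYPE,PKNAME "/dev/mapper/$1" | crypt_children "$1"
}

# Emit the teardown commands for crypt mapping $1 on MD device $2, one per
# line, given lsblk text on stdin. Printing instead of executing lets the
# operator review the plan; pipe it into sh once it looks right.
teardown_plan() {
    crypt="$1"; md="$2"
    children=$(crypt_children "$crypt")
    if [ -n "$children" ]; then
        # Partition mappings hold the crypt device open, so luksClose would
        # fail with "device still in use". Remove them first via kpartx -d.
        printf 'kpartx -d /dev/mapper/%s\n' "$crypt"
        # Mappings created by parted may survive kpartx -d (as seen in the
        # thread), so explicitly remove whatever is still present.
        for c in $children; do
            printf 'dmsetup info %s >/dev/null 2>&1 && dmsetup remove %s\n' "$c" "$c"
        done
    fi
    printf 'cryptsetup luksClose %s\n' "$crypt"
    printf 'mdadm --stop /dev/%s\n' "$md"
}

# Constructed lsblk -rno NAME,TYPE,PKNAME output (not captured from a real
# system), matching the tree in Milan's message: md0 -> md0_crypt -> md0_crypt1.
SAMPLE_LSBLK='md0 raid5
md0_crypt crypt md0
md0_crypt1 part md0_crypt'

printf '%s\n' "$SAMPLE_LSBLK" | teardown_plan md0_crypt md0
```

On a live box, replace the sample with `lsblk -rno NAME,TYPE,PKNAME /dev/mapper/md0_crypt | teardown_plan md0_crypt md0`; a plan with no kpartx line means nothing is sitting on the crypt device and luksClose can proceed directly.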