The things you can do with LVM and device-mapper are jaw dropping, but issuing so many commands that deal directly with disks and partitions and volumes and filesystems makes my ass so tight you couldn't pull a needle out of it. Anyway, I've never tried LUKS, but I did just set up an SSD cache for my 3TB HDD using lvmcache.
LUKS is fairly easy to set up on its own. Everything is done through the cryptsetup tool.
format a device with cryptsetup luksFormat /dev/sdX
open with cryptsetup luksOpen /dev/sdX myContainer
new device is available under /dev/mapper/myContainer
Linux will treat the opened container as a new disk, so you can give it a file system or create an LVM device out of it. You can even have an LVM volume contain a LUKS container which contains another LVM volume group, etc.
The hard part about LUKS is getting your system to open it on boot. For that refer to the archwiki.
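The sequence above (luksFormat, luksOpen, then treat /dev/mapper/<name> as a disk and put LVM inside it), written out as an added example. It is not the commenter's code: the mapper name, volume group name, image size and passphrase are demo values, the container lives in a file-backed loop device so it can be tried without a spare disk, and the explicit --type/--cipher/--pbkdf options are my choice where the thread's bare command takes the distro defaults. It needs root, cryptsetup, lvm2 and util-linux, and does nothing unless LUKS_DEMO_IMG is set.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the nesting the thread describes
# (LUKS2 container -> LVM volume group -> filesystem) on a file-backed loop
# device so it can be tried without a spare disk. Needs root plus cryptsetup,
# lvm2 and util-linux. Nothing is touched unless LUKS_DEMO_IMG is set to the
# path of a backing file to create, so the file is safe to source.
set -eu

# Path Linux exposes for an opened container (the name given to luksOpen/open).
mapper_path() {
    printf '/dev/mapper/%s\n' "$1"
}

# Accept only [A-Za-z0-9_-] so the name cannot escape /dev/mapper or clash
# with the device-mapper control node.
valid_mapper_name() {
    case "$1" in
        ''|control|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Options for luksFormat. The bare "cryptsetup luksFormat /dev/sdX" in the
# thread takes the distro defaults; pinning them keeps the header explicit.
# --batch-mode skips the "Are you sure? (Type 'yes')" prompt.
luks_format_args() {
    printf '%s\n' --type luks2 --cipher aes-xts-plain64 --key-size 512 \
        --pbkdf argon2id --batch-mode
}

# Whole procedure: image -> loop device -> LUKS2 -> PV/VG/LV -> ext4 -> mount,
# then tear it down in reverse. Names and the passphrase are demo values.
demo() {
    img=$1 name=$2 mnt=$3 vg=demo_vg
    valid_mapper_name "$name" || { echo "bad mapper name: $name" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    pass='demo passphrase, replace me'   # constructed; use a prompt or key file for real use

    truncate -s 512M "$img"
    loop=$(losetup --find --show "$img")

    # luksFormat, then open (the thread's luksOpen; "open" is the same action).
    # The passphrase arrives on stdin via --key-file - for both calls, so it is
    # byte-for-byte identical with no trailing newline.
    # shellcheck disable=SC2046   # luks_format_args is meant to word-split
    printf '%s' "$pass" | cryptsetup luksFormat $(luks_format_args) --key-file - "$loop"
    printf '%s' "$pass" | cryptsetup open --key-file - "$loop" "$name"
    cryptsetup luksDump "$loop" | grep -iE 'version|pbkdf|cipher' || true

    # The opened container is just a block device: put LVM inside it.
    dev=$(mapper_path "$name")
    pvcreate "$dev"
    vgcreate "$vg" "$dev"
    lvcreate -y -n data -L 400M "$vg"
    mkfs.ext4 -q "/dev/$vg/data"
    mkdir -p "$mnt"
    mount "/dev/$vg/data" "$mnt"
    df -h "$mnt"

    # Reverse order: filesystem, LVM, LUKS, loop device. The image file is kept.
    umount "$mnt"
    vgchange -an "$vg"
    cryptsetup close "$name"
    losetup -d "$loop"
}

if [ -n "${LUKS_DEMO_IMG:-}" ]; then
    demo "$LUKS_DEMO_IMG" demo_luks /mnt/demo_luks
fi
```

Run it as `sudo LUKS_DEMO_IMG=/var/tmp/luks-demo.img sh luks-demo.sh`. If a step fails part way, `losetup -a` and `dmsetup ls` show what is still attached so it can be closed by hand; the luksDump lines confirm the header really is LUKS2 with argon2id rather than whatever the installed cryptsetup defaults to.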
Right, that makes sense. I've managed to avoid building an initramfs by only using LVM for /home and leaving / as a regular btrfs partition, but you certainly do enter the "keys are locked inside the car" situation when you're trying to load the modules for encrypted filesystems from an encrypted filesystem.
Edit: I just realised that I mixed up the words. Yeah, I used LUKS2; I just mixed up the names.
I'll edit the original comment.
Changes to the initramfs are easy and well documented. Just edit /etc/mkinitcpio.conf and run sudo mkinitcpio -p linux. The hard part is telling your bootloader to use the luks module you added to the initramfs. It changes depending on your bootloader.
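An added example for the two steps this comment names: checking that the HOOKS line in mkinitcpio.conf actually has the encrypt hook in a position where it can run (after block, before lvm2 and filesystems, which is the Arch wiki ordering for LVM on LUKS), and producing the kernel parameters the bootloader has to pass so the initramfs knows which device to unlock. This is not the commenter's code; the two mkinitcpio.conf samples are constructed, the UUID and mapper names are hypothetical, and the parameter formats are those of the mkinitcpio encrypt hook (cryptdevice=) and the systemd sd-encrypt hook (rd.luks.name=).

```shell
#!/bin/sh
# Added example, not from the thread. Checks the HOOKS line of an mkinitcpio
# config for the ordering the encrypt hook needs, and builds the matching
# kernel parameters for the bootloader. Runs against constructed sample
# configs, never against /etc/mkinitcpio.conf unless you pass that path.
set -eu

# Print the hooks from the last HOOKS=(...) (or legacy HOOKS="...") line as
# whitespace-separated words. Commented-out lines do not match.
hooks_of() {
    sed -n 's/^HOOKS=[("]*\([^)"]*\).*/\1/p' "$1" | tail -n 1
}

# 1-based position of hook $2 in config $1, or 0 if it is absent.
hook_index() {
    i=0
    for h in $(hooks_of "$1"); do
        i=$((i + 1))
        [ "$h" = "$2" ] && { echo "$i"; return 0; }
    done
    echo 0
}

# 0 when 'encrypt' is present, comes after 'block', and precedes both
# 'filesystems' and (if used) 'lvm2'; otherwise 1 with the reason on stderr.
hooks_ok() {
    enc=$(hook_index "$1" encrypt)
    blk=$(hook_index "$1" block)
    fs=$(hook_index "$1" filesystems)
    lvm=$(hook_index "$1" lvm2)
    [ "$enc" -gt 0 ] || { echo "encrypt hook missing" >&2; return 1; }
    [ "$blk" -gt 0 ] && [ "$blk" -lt "$enc" ] || { echo "block must precede encrypt" >&2; return 1; }
    [ "$fs" -gt "$enc" ] || { echo "encrypt must precede filesystems" >&2; return 1; }
    [ "$lvm" -eq 0 ] || [ "$lvm" -gt "$enc" ] || { echo "encrypt must precede lvm2" >&2; return 1; }
}

# Kernel parameters for the 'encrypt' hook: unlock the LUKS device by UUID
# under mapper name $2, then boot from root device $3 (an LV inside it).
kernel_params() {
    printf 'cryptdevice=UUID=%s:%s root=%s\n' "$1" "$2" "$3"
}

# The equivalent for the systemd-based 'sd-encrypt' hook.
kernel_params_sd() {
    printf 'rd.luks.name=%s=%s root=%s\n' "$1" "$2" "$3"
}

# Two constructed sample configs (not taken from any real system).
GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat >"$GOOD_CONF" <<'EOF'
# constructed: LVM on LUKS, encrypt after block and before lvm2/filesystems
MODULES=()
BINARIES=()
HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 filesystems fsck)
EOF
cat >"$BAD_CONF" <<'EOF'
# constructed: encrypt hook never added, so the initramfs cannot unlock anything
HOOKS=(base udev autodetect modconf block lvm2 filesystems fsck)
EOF

# Self-check on the samples, then the parameters for a hypothetical UUID.
for f in "$GOOD_CONF" "$BAD_CONF"; do
    if hooks_ok "$f"; then echo "OK:  $f"; else echo "BAD: $f"; fi
done
kernel_params 00000000-1111-2222-3333-444444444444 cryptlvm /dev/mapper/vg0-root
kernel_params_sd 00000000-1111-2222-3333-444444444444 cryptlvm /dev/mapper/vg0-root
```

For a real system the call is `hooks_ok /etc/mkinitcpio.conf` before running mkinitcpio, and `kernel_params "$(blkid -s UUID -o value /dev/sdX)" cryptlvm /dev/mapper/vg0-root` to get the string that goes into the bootloader's kernel command line (GRUB_CMDLINE_LINUX in /etc/default/grub, or the options line of a systemd-boot entry). The hook check is what catches the "keys locked inside the car" case from earlier in the thread: if encrypt is missing or ordered after filesystems, the image is built fine but cannot open the root container at boot.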