Linux: Encrypted LVM
Putting some old hard drives back to work streaming music. Using LVM in Linux to create one volume spanning multiple devices, then using `cryptsetup` on top of that to encrypt everything. LVM does not offer any redundancy like a RAID would provide, but LVM does allow for devices of different sizes and RAID does not.
- Mediasonic ProBox
- Four old hard drives
`parted` was used to partition each drive with a GPT setup. The process is basically the same as using `fdisk` for MBR partitions, except more portable as MBR partitions max at 2TB. GPT goes to infinite and beyond -- or close enough for now.
In my case the drives were a mix of 2TB and 1TB capacities.
```
$ sudo parted /dev/sdg
(parted) unit TB
(parted) mklabel gpt
(parted) mkpart primary 0 1TB
(parted) set 1 lvm on
(parted) print
Model: ST310003 33AS (scsi)
Disk /dev/sdg: 1.00TB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start   End     Size    File system  Name     Flags
 1      0.00TB  1.00TB  1.00TB               primary  lvm

(parted) quit
```
The `quit` command causes `parted` to save the changes. Use `rm 1` inside of `parted` to remove the new partition. Repeat the partitioning steps for each drive, specifying the appropriate capacity.
The LVM setup has three components:
- PV - The actual devices belonging to the group (Physical Volume).
- VG - The collection of abstracted partitions (Volume Group).
- LV - The set of volume groups presented as one device interface (Logical Volume).
Partitions were at `/dev/sdg1`, `/dev/sdl1`, `/dev/sdm1`, and `/dev/sdn1`. I don't know why they skipped [h-j]. First step was to create the PV.
```
$ sudo pvcreate /dev/sdg1 /dev/sdl1 /dev/sdm1 /dev/sdn1
```
Confirm the setup using `pvdisplay`:
```
$ sudo pvdisplay
  --- Physical volume ---
  PV Name               /dev/sdg1
  VG Name               vg1
  PV Size               931.51 GiB / not usable 4.00 MiB
  Allocatable           yes (but full)
  PE Size               4.00 MiB
  Total PE              238466
  Free PE               0
  Allocated PE          238466
  PV UUID               uFyvem-e4Fa-VePc-8gLp-dsa1-XLnC-3oa7Lo

  --- Physical volume ---
  PV Name               /dev/sdl1
  VG Name               vg1
  PV Size               1.82 TiB / not usable 4.00 MiB
  Allocatable           yes (but full)
  PE Size               4.00 MiB
  Total PE              476931
  Free PE               0
  Allocated PE          476931
  PV UUID               bCeDuG-ZhNX-Fa5i-3b76-29EC-VQ3s-qRc1RY

  --- Physical volume ---
  PV Name               /dev/sdm1
  VG Name               vg1
  PV Size               1.82 TiB / not usable 4.00 MiB
  Allocatable           yes (but full)
  PE Size               4.00 MiB
  Total PE              476931
  Free PE               0
  Allocated PE          476931
  PV UUID               qWJHU3-k2Rs-AYwy-cVF8-gQ6F-iKTD-2h04tV

  --- Physical volume ---
  PV Name               /dev/sdn1
  VG Name               vg1
  PV Size               1.82 TiB / not usable 4.00 MiB
  Allocatable           yes (but full)
  PE Size               4.00 MiB
  Total PE              476931
  Free PE               0
  Allocated PE          476931
  PV UUID               wkKvPR-Fm6E-gPRp-GL8L-F3pp-yTzp-d6nGI7
```
A volume group was then created by adding the PV devices.
```
$ sudo vgcreate vg0 /dev/sdg1 /dev/sdl1 /dev/sdm1 /dev/sdn1
```
Again the setup can be confirmed with `vgdisplay`:
```
$ sudo vgdisplay
  --- Volume group ---
  VG Name               vg0
  System ID
  Format                lvm2
  Metadata Areas        4
  Metadata Sequence No  2
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                1
  Open LV               1
  Max PV                0
  Cur PV                4
  Act PV                4
  VG Size               6.37 TiB
  PE Size               4.00 MiB
  Total PE              1669259
  Alloc PE / Size       1669259 / 6.37 TiB
  Free PE / Size        0 / 0
  VG UUID               8csErD-prs8-ONYg-O8MC-65N8-Sc31-C8uuan
```
Lastly the logical volume was created using `lvcreate`.
```
$ sudo lvcreate -l 100%FREE -n lv0 vg0
```
Again the setup can be confirmed with `lvdisplay`:
```
$ sudo lvdisplay
  --- Logical volume ---
  LV Path                /dev/vg0/lv0
  LV Name                lv0
  VG Name                vg0
  LV UUID                dqxwni-DmyM-pE2z-GGls-UvMV-eQFX-K4Zjq3
  LV Write Access        read/write
  LV Creation host, time server, 2015-10-05 13:10:57 -0700
  LV Status              available
  # open                 1
  LV Size                6.37 TiB
  Current LE             1669259
  Segments               4
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:3
```
The LVM interface was now available via `/dev/vg0/lv0`. Encryption is straightforward with `cryptsetup`, first using the `luksFormat` command then the `open` command.
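```
# plain64, not plain: the 32-bit sector IV of xts-plain repeats beyond 2 TiB, and this volume is 6.37 TiB
$ sudo cryptsetup luksFormat -h sha512 -c aes-xts-plain64 -s 512 /dev/vg0/lv0
# cipher, key size and hash are read from the LUKS header, so open needs no -h/-c/-s
$ sudo cryptsetup open /dev/vg0/lv0 music-crypt
```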
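Whether a cipher string's IV generator holds up depends on the volume size: `plain` uses a 32-bit sector number, `plain64` a 64-bit one. The script below is an added example, not part of the original page; it checks a constructed `luksDump` excerpt against the volume size from `vgdisplay`, assuming 512-byte encryption sectors, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example: does a LUKS header's IV generator stay unique across the volume?

# Constructed luksDump excerpt (LUKS1 layout); not captured from a real system.
SAMPLE_DUMP='Version:        1
Cipher name:    aes
Cipher mode:    xts-plain
Hash spec:      sha512
MK bits:        512'

# Read luksDump text on stdin; print the cipher mode (LUKS1) or cipher spec (LUKS2).
luks_cipher_mode() {
    awk '$1 == "Cipher" && $2 == "mode:" { print $3; exit }
         $1 == "cipher:"                 { print $2; exit }'
}

# $1 = cipher mode, $2 = volume size in bytes (512-byte sectors assumed).
# Returns 0 = IVs unique, 1 = IVs repeat, 2 = generator not handled here.
iv_covers_volume() {
    case "$1" in
        *-plain64) return 0 ;;                              # 64-bit sector number
        *-plain)   [ "$2" -le $(( (1 << 32) * 512 )) ] ;;   # 32-bit: wraps at 2 TiB
        *)         return 2 ;;
    esac
}

# $1 = luksDump text, $2 = volume size in bytes. Prints a verdict, returns the status.
audit_luks_iv() {
    mode=$(printf '%s\n' "$1" | luks_cipher_mode)
    rc=0
    iv_covers_volume "$mode" "$2" || rc=$?
    case $rc in
        0) echo "ok: $mode" ;;
        1) echo "weak: $mode repeats IVs past 2 TiB; use the plain64 variant" ;;
        *) echo "unknown: '$mode' not checked" ;;
    esac
    return $rc
}

# Size of /dev/vg0/lv0 from vgdisplay: Total PE x PE Size (4 MiB).
LV_BYTES=$(( 1669259 * 4 * 1024 * 1024 ))
audit_luks_iv "$SAMPLE_DUMP" "$LV_BYTES" || true

# On a live system (as root):
#   audit_luks_iv "$(cryptsetup luksDump /dev/vg0/lv0)" \
#                 "$(blockdev --getsize64 /dev/vg0/lv0)"
```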
The decrypted LVM was now exposed via `/dev/mapper/music-crypt`, which can be considered to be about the same as a regular storage device like `/dev/sda1`. The last steps are to format, mount, and sync the content.
Everything is in place, the device just needs a filesystem and some content.
```
$ sudo mkfs.ext4 /dev/mapper/music-crypt
$ sudo mkdir /mnt/music
$ sudo mount /dev/mapper/music-crypt /mnt/music
$ sudo rsync -avzhP --append /files/media/music/ /mnt/music/
```
Once syncing is completed, streaming can be accomplished with your personal streaming app of choice. Or the device could be mounted remotely via a network share like SSHFS or SMB. Alternatively, the Mediasonic box could just be plugged into another Linux system and mounted locally. Don't forget to `umount /mnt/music` when needed.
Pretty straightforward process creating an encrypted JBOD setup with LVM. The age of the drives doesn't inspire confidence but fortunately new devices can be added into the LVM fairly easily, and the use of rsync should hopefully save some time syncing content after future failures.