DEV Community

Mark Caudill
Mark Caudill

Posted on • Edited on • Originally published at mrkc.me

4 2

Encryption with a Funky Partition Layout

Note: to see how I setup LVM with caching, check out my previous post.


I recently ran into some trouble with the system while mucking around and decided to take the opportunity to restructure my partitioning layout and do a full OS reinstall; this time with full disk encryption (except /boot). Suffice it to say, the Fedora installer is fairly flexible, but not nearly enough to support a mix of mdadm, LUKS, and LVM.

Before I tell you–roughly–how I did it, here are the results:

NAME                                              MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                                                 8:0    0 447.1G  0 disk
├─sda1                                              8:1    0   512M  0 part  /boot
└─sda2                                              8:2    0 446.6G  0 part
  ├─vg_SIIIKE-root                                253:0    0  59.6G  0 lvm
  │ └─luks-SIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIKE   253:3    0  59.6G  0 crypt /
  ├─vg_SIIIKE-lv_swap                             253:1    0  14.9G  0 lvm
  │ └─luks-SIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIKE   253:2    0  14.9G  0 crypt [SWAP]
  └─vg_SIIIKE-home                                253:4    0 372.1G  0 lvm
    └─luks-SIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIKE   253:9    0 372.1G  0 crypt /home
sdb                                                 8:16   0 119.2G  0 disk
└─sdb1                                              8:17   0 119.2G  0 part
  ├─vg_SIIIKE-lv_var_cache_cdata                  253:5    0   115G  0 lvm
  │ └─vg_SIIIKE-lv_var                            253:8    0   1.8T  0 lvm
  │   └─luks-SIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIKE 253:10   0   1.8T  0 crypt /var
  └─vg_SIIIKE-lv_var_cache_cmeta                  253:6    0     1G  0 lvm
    └─vg_SIIIKE-lv_var                            253:8    0   1.8T  0 lvm
      └─luks-SIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIKE 253:10   0   1.8T  0 crypt /var
sdc                                                 8:32   0   1.8T  0 disk
└─md0                                               9:0    0   1.8T  0 raid1
  └─vg_SIIIKE-lv_var_corig                        253:7    0   1.8T  0 lvm
    └─vg_SIIIKE-lv_var                            253:8    0   1.8T  0 lvm
      └─luks-SIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIKE 253:10   0   1.8T  0 crypt /var
sdd                                                 8:48   0   1.8T  0 disk
└─md0                                               9:0    0   1.8T  0 raid1
  └─vg_SIIIKE-lv_var_corig                        253:7    0   1.8T  0 lvm
    └─vg_SIIIKE-lv_var                            253:8    0   1.8T  0 lvm
      └─luks-SIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIKE 253:10   0   1.8T  0 crypt /var
Enter fullscreen mode Exit fullscreen mode

To clarify, I have an SSD with /, /home, and swap on it and a software RAID-1 set with an SSD as a caching layer in front of it. The partitions (sda2, sdb1, and md0) are all physical volumes in the same volume group. I simply created logical volumes in that volume group and directed that they reside on certain physical volumes (such a handy feature). Then it was simply a matter of encrypting them with LUKS, configuring crypttab, and configuring fstab.

Unfortunately, you can accomplish very few of these tasks in the Fedora Desktop installer. I initially tried to configure everything outside of the installer hoping that it would get the hint and leave everything alone. The problem there is that the Workstation version doesn't know how to handle software RAID sets properly. I tried using the Server version but it did its own munging of things by making certain assumptions about how I wanted to do LVM.

In the end, since really only /var was going to be special, I decided to install everything on the primary SSD then after the installation configure the /var volumes and migrate the newly installed /var over to its new home. This worked better than expected and other than having to boot single to fix a fat-fingered fstab everything booted right up.

While I don't think the Fedora installers need the ability to generate arbitrary partitioning schemes, it would be nice to have some sort of "I know what I'm doing please leave my partitions alone" mode.

Image of Docusign

🛠️ Bring your solution into Docusign. Reach over 1.6M customers.

Docusign is now extensible. Overcome challenges with disconnected products and inaccessible data by bringing your solutions into Docusign and publishing to 1.6M customers in the App Center.

Learn more

Top comments (0)

Sentry image

See why 4M developers consider Sentry, “not bad.”

Fixing code doesn’t have to be the worst part of your day. Learn how Sentry can help.

Learn more

👋 Kindness is contagious

Explore a sea of insights with this enlightening post, highly esteemed within the nurturing DEV Community. Coders of all stripes are invited to participate and contribute to our shared knowledge.

Expressing gratitude with a simple "thank you" can make a big impact. Leave your thanks in the comments!

On DEV, exchanging ideas smooths our way and strengthens our community bonds. Found this useful? A quick note of thanks to the author can mean a lot.

Okay