[dm-crypt] Expanding a LUKS partition to a second drive.

[dm-crypt] Expanding a LUKS partition to a second drive.

[James Dehnert]

[-- Attachment #1: Type: text/plain, Size: 1379 bytes --]

Greetings dm-crypt group,

I have a situation where I have an existing LUKS encrypted partition (root)
and the user wants to expand that partition onto a second drive.

The existing partition was created at configuration as part of the Ubuntu
preseed setup.

I know how to do this with LVM, but I'm not sure if this can be done
without backing up all the data, and then rebuilding the system from
scratch.

I'm not sure where the LUKS volume is created in respect to LVM.  I
can't tell if its created directly on the physical volume, on the volume
group, or on the logical volume, so I'm noy sure where I should be looking
to expand the substrate.  Or if this is even possible.

Any assistance would be greatly appreciated, even if its just "It can't be
done".

—
Thanks,    James "Zeke" Dehnert

  Zeke Dehnert
  Senior Linux IT Engineer
  Cruise LLC
  zeke.dehnert@getcruise.com

-- 


*Confidentiality Note:* We care about protecting our proprietary 
information, confidential material, and trade secrets. This message may 
contain some or all of those things. Cruise will suffer material harm if 
anyone other than the intended recipient disseminates or takes any action 
based on this message. If you have received this message (including any 
attachments) in error, please delete it immediately and notify the sender 
promptly.

[-- Attachment #2: Type: text/html, Size: 2384 bytes --]

Re: [dm-crypt] Expanding a LUKS partition to a second drive.

[Ondrej Kozina]

Hi,

On 2/11/20 8:21 PM, James Dehnert wrote:
> Greetings dm-crypt group,
> 
> I have a situation where I have an existing LUKS encrypted partition 
> (root) and the user wants to expand that partition onto a second drive.
> 
> The existing partition was created at configuration as part of the 
> Ubuntu preseed setup.
> 
> I know how to do this with LVM, but I'm not sure if this can be done 
> without backing up all the data, and then rebuilding the system from 
> scratch.

If you have encrypted LV (LUKS on top of LV) you can extend that LV over 
another PV (block device or partition) and just call cryptsetup resize.
This will work and you can do it even without taking LUKS device 
offline. In fact I've added support for it into fsadm script and you 
would just need to call "lvextend -r" and it would resize active crypt 
device for you automatically.

> 
> I'm not sure where the LUKS volume is created in respect to LVM.  I 
> can't tell if its created directly on the physical volume, on the volume 
> group, or on the logical volume, so I'm noy sure where I should be 
> looking to expand the substrate.  Or if this is even possible.

See lsblk output with said active LUKS device. That should give you a hint.

If the PV is encrypted (LUKS on top of /dev/sdx and PV on top of LUKS) 
there's no way how to extend one LUKS device over two devices or 
partitions. We don't want cryptsetup to became yet another logical 
volume management:)

Regards O.

Re: [dm-crypt] Expanding a LUKS partition to a second drive.

[Robert Nichols]

On 2/12/20 4:45 AM, Ondrej Kozina wrote:
> On 2/11/20 8:21 PM, James Dehnert wrote:
>>
>> I'm not sure where the LUKS volume is created in respect to LVM.  I can't tell if its created directly on the physical volume, on the volume group, or on the logical volume, so I'm noy sure where I should be looking to expand the substrate.  Or if this is even possible.
> 
> See lsblk output with said active LUKS device. That should give you a hint.
> 
> If the PV is encrypted (LUKS on top of /dev/sdx and PV on top of LUKS) there's no way how to extend one LUKS device over two devices or partitions. We don't want cryptsetup to became yet another logical volume management:)

True, but it's simple enough to create a second LUKS volume and extend an existing LVM VG into that LUKS volume.

The output from "lsblk -f" would be most helpful here.

The real problem comes when there is currently no LVM involved at all. Converting an existing system to LVM is a fairly convoluted process where the slightest error can be unrecoverable.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.

Re: [dm-crypt] Expanding a LUKS partition to a second drive.

[Ondrej Kozina]

On 2/12/20 3:29 PM, Robert Nichols wrote:
> On 2/12/20 4:45 AM, Ondrej Kozina wrote:
>> On 2/11/20 8:21 PM, James Dehnert wrote:
>>>
>>> I'm not sure where the LUKS volume is created in respect to LVM.  I can't tell if its created directly on the physical volume, on the volume group, or on the logical volume, so I'm noy sure where I should be looking to expand the substrate.  Or if this is even possible.
>>
>> See lsblk output with said active LUKS device. That should give you a hint.
>>
>> If the PV is encrypted (LUKS on top of /dev/sdx and PV on top of LUKS) there's no way how to extend one LUKS device over two devices or partitions. We don't want cryptsetup to became yet another logical volume management:)
> 
> True, but it's simple enough to create a second LUKS volume and extend an existing LVM VG into that LUKS volume.

Sure, but "having multiple LUKS devices" vs "having one LUKS (logical) 
device managing multiple physical devices" are two completely different 
problems. Although I agree with you that having two LUKS encrypted PVs 
would solve this specific problem.

What I'm saying is that cryptsetup will not support managing multiple 
data devices. I'm inclined to add "ever" to last sentence, but I'm not 
upstream maintainer:)

O.

Re: [dm-crypt] Expanding a LUKS partition to a second drive.

[Arno Wagner]

Hi James,

to be safe, you need to do this with a full backup of the data 
in the LUKS container anyways.
Hence easisest is probably 

backup->make new partition->restore.

The LUKS container itself has no size information, it will 
fill the new parition. For the filesystem, you need to either
backup the LUKS container as ibinary mage and extend the 
filesystem in it after restore, or backup on file-level and 
create a new LUKS container and filesystem in it.

Luks does nto care whther the partition is native or LVM
(or NBD, or whatever).

Regards,
Arno

On Tue, Feb 11, 2020 at 20:21:55 CET, James Dehnert wrote:
>    Greetings dm-crypt group,
>    I have a situation where I have an existing LUKS encrypted partition
>    (root) and the user wants to expand that partition onto a second drive.
>    The existing partition was created at configuration as part of the
>    Ubuntu preseed setup.
>    I know how to do this with LVM, but I'm not sure if this can be done
>    without backing up all the data, and then rebuilding the system from
>    scratch.
>    I'm not sure where the LUKS volume is created in respect to LVM.  I
>    can't tell if its created directly on the physical volume, on the
>    volume group, or on the logical volume, so I'm noy sure where I should
>    be looking to expand the substrate.  Or if this is even possible.
>    Any assistance would be greatly appreciated, even if its just "It can't
>    be done".
>    —
>    Thanks,
    James "Zeke" Dehnert
>      Zeke Dehnert
>      Senior Linux IT Engineer
>      Cruise LLC
>      [1]zeke.dehnert@getcruise.com
> 
>    Confidentiality Note: We care about protecting our proprietary
>    information, confidential material, and trade secrets. This message may
>    contain some or all of those things. Cruise will suffer material harm
>    if anyone other than the intended recipient disseminates or takes any
>    action based on this message. If you have received this message
>    (including any attachments) in error, please delete it immediately and
>    notify the sender promptly.
> 
> References
> 
>    1. mailto:zeke.dehnert@getcruise.com

> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> https://www.saout.de/mailman/listinfo/dm-crypt


-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier

Re: [dm-crypt] Expanding a LUKS partition to a second drive.

[Robert Nichols]

On 2/12/20 9:01 AM, Ondrej Kozina wrote:
> On 2/12/20 3:29 PM, Robert Nichols wrote:
>> On 2/12/20 4:45 AM, Ondrej Kozina wrote:
>>> On 2/11/20 8:21 PM, James Dehnert wrote:
>>>>
>>>> I'm not sure where the LUKS volume is created in respect to LVM.  I can't tell if its created directly on the physical volume, on the volume group, or on the logical volume, so I'm noy sure where I should be looking to expand the substrate.  Or if this is even possible.
>>>
>>> See lsblk output with said active LUKS device. That should give you a hint.
>>>
>>> If the PV is encrypted (LUKS on top of /dev/sdx and PV on top of LUKS) there's no way how to extend one LUKS device over two devices or partitions. We don't want cryptsetup to became yet another logical volume management:)
>>
>> True, but it's simple enough to create a second LUKS volume and extend an existing LVM VG into that LUKS volume.
> 
> Sure, but "having multiple LUKS devices" vs "having one LUKS (logical) device managing multiple physical devices" are two completely different problems. Although I agree with you that having two LUKS encrypted PVs would solve this specific problem.
> 
> What I'm saying is that cryptsetup will not support managing multiple data devices. I'm inclined to add "ever" to last sentence, but I'm not upstream maintainer:)

I agree 100%. My suggestion was just addressing the current problem.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.