Yesterday I received a mail message from a Debian user called Ekrem Erdem about my previous post, proposing a different partitioning schema that I found interesting.
The basic idea is to swap the order of the technologies, that is, use LVM on top of an encrypted partition instead of encrypting logical volumes.
I never thought about this schema because I always use LVM on servers and that is one of the first things I set up (just after software RAID-1, if the machine has two hard drives); when I was evaluating how to set up my system for encryption I started with the LVM setup and never looked back.
The advantage of this setup is that there is only one pass phrase (the one used to unlock the encrypted partition, sda4 in my case), eliminating the need for derived keys (i.e. my swap setup) or key files (I use them to mount snapshots of the encrypted partition non-interactively).
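The layering described above, written out as an added example (these are not the author's or Ekrem Erdem's commands). Only sda4 comes from the post; the mapping name sda4_crypt, the volume group vgcrypt, the volume names and sizes, and ext4 are assumptions.

```shell
#!/bin/sh
# Added example: LVM on top of one LUKS container.
# Assumed names: mapping "sda4_crypt", volume group "vgcrypt", LV names/sizes, ext4.
# DRY_RUN=1 (the default) only prints the commands. With DRY_RUN=0, run as root:
# luksFormat destroys whatever is on the partition.
set -e                       # stop at the first failing step
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# build_lvm_on_luks PARTITION MAPPING VG
build_lvm_on_luks() {
    part="$1"; map="$2"; vg="$3"
    # 1. Encrypt the whole partition: this is the only pass phrase in the setup.
    run cryptsetup luksFormat "$part"
    run cryptsetup open "$part" "$map"
    # 2. The opened mapping, not the raw partition, becomes the physical volume.
    run pvcreate "/dev/mapper/$map"
    run vgcreate "$vg" "/dev/mapper/$map"
    # 3. Every logical volume sits on ciphertext, so swap needs no derived key
    #    and the other file systems need no key files.
    run lvcreate -L 2G -n swap "$vg"
    run lvcreate -L 10G -n root "$vg"
    run lvcreate -l 100%FREE -n home "$vg"
    run mkswap "/dev/$vg/swap"
    run mkfs.ext4 "/dev/$vg/root"
    run mkfs.ext4 "/dev/$vg/home"
}

# crypttab_entry PARTITION MAPPING: the single /etc/crypttab line needed at boot
crypttab_entry() {
    printf '%s %s none luks\n' "$2" "$1"
}

if [ "$#" -ge 3 ]; then
    build_lvm_on_luks "$1" "$2" "$3"
    crypttab_entry "$1" "$2"
fi
```

Called with three arguments (for example `/dev/sda4 sda4_crypt vgcrypt`) the script prints the plan; nothing is written to disk unless DRY_RUN=0 is set.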
On the negative side, I believe that this setup loses some flexibility:
In my original model, encrypted and unencrypted partitions can coexist on the same volume group, while the new setup requires a different volume group for unencrypted volumes.
If the user wants to have multiple partitions, each one can use a different pass phrase or key file.
If a logical volume is expanded through multiple physical volumes, the new setup requires a key for each physical volume, while the original setup only needs one key.
Anyway, if the plan is to encrypt all the file systems on a laptop, the proposed setup is simpler and, IMHO, as safe as my configuration (remember that my keys are related).
I'm not going to change my setup now (it works great), but I'll probably try this one in the future if I need an encrypted setup on a different machine.