I’m setting up FDE and wonders which one is better. “LVM over LUKS” or “LUKS over LVM”? Or something else? Does one is definitely better then the other? What are your preference?
Thanks.
It depends where you want your encryption. If you want all of your LVM volumes to be encrypted at once then you want LVM over LUKS. If you want volumes with different encryption, or no encryption, then you want LUKS over LVM. You can also do LUKS over LVM over LUKS if you must but that’s kinda dumb.
LVM over LUKS is more common as generally people want to encrypt everything.
I use ZFS native encryption, so I guess that’s closer to LUKS over LVM for personal preference.
Should the LVM partition layout considered as metadata leak in LUKS over LVM?
Yes
Should I worried about it?
Probably not. The metadata it leaks will be the name of the volumes, their sizes and possibly used space on them.
It really depends on your use case. If you’re only using one key, I’d put LVM on top of LUKS just for the simplicity. Otherwise it becomes a threat model analysis: if someone steals your computer or drive, do you care that they know you have 5 volumes on them and roughly how much data is on there?
I need my desktop to boot unattended, and it’s got 5 drives in it, so it made sense for me to have separate encryption. It boots and does its NAS duties on its own, then when I log in a dedicated dataset gets mounted for me with all my data on it. From there I might unlock some volumes for work by getting their key from an AWS Secrets Manager endpoint. My laptop is plain f2fs over LUKS.
I’m planning FDE on my laptop which have 2 drives. I originally plan to use LUKS on LVM as I can use LVM to join two drives into one. But now I wonders if my choice is right.
That works too, if you have a use case go for it. There’s so many valid ways to arrange your disks.
LUKS over LVM over 2 disks is as valid as LVM over 2x LUKS which is as valid as LVM over LUKS over RAID1. Although with multiple disks I’d probably go with filesystem mirroring with btrfs or ZFS, and give it the two LUKS volumes. That way you get per file chunk checksums and self healing if your drives start to drift off (RAID won’t tell you if either disk returns garbage, and has no way of telling which disk has the correct data).
But really, I wouldn’t worry about LVM metadata unless you’re holding some seriously sensitive and valuable data. I can’t think of a use case where LVM metadata would be bad but not LUKS headers. Like the only information really leaking is the name of the volume and how big it is, so unless you happen to have a dedicated volume full of secret documents of a known size and that can be used as evidence of you being in possession based on the size alone, it’s kinda eh.
So you mean BTRFS over LUKS? I will have a try on a VM later, plus the ZFS too. Thanks for the advice.
i prefer just luck, ie good luck using my crappy credit for anything if you steal my machine 😹.
for real though, i had a family member pass away and getting their crypto keys was problematic despite good planning on their part. Does anyone else have a plan for passing on access to encrypted data?
