This document belongs to Manual Full System Encryption (with Extras).

1. Description

LVM (Logical Volume Manager) places an abstraction (a layer) between the physical hardware and the required partitions. It has a number of benefits, which include the following. (Newbies: You don't have to know this.)

  • A logical partition can span drives
  • A snapshot can be taken of a logical partition, allowing risky upgrades to take place with an easy way to roll back
  • A single physical partition can contain several logical partitions
  • A partition can be grown (in some cases while the system is running) even if the available space is non-contiguous or indeed on a different physical drive.
  • A partition can be shrunk.
  • The system can be mirrored for increased security.
  • A partition can be moved from one location to another, in some cases while the system running.

We use LVM primarily for the fact that a single physical partition can contain several logical partitions. Without LVM, you would have to type two or more passphrases when booting, in addition to your account password to log in. With LVM, there is one system passphrase and one account password (that's per user).

LVM has the further benefit that your partitioning system is hidden (via LUKS) from someone with physical access to your computer but your not passphrase or password.

2. What does LVM do?

You can split a physical partition into several virtual ("logical") partitions; and you can combine several partitions into a single logical one. The way we use here it is illustrated by the following diagrams.

2.1. A normal system

In the diagram, we have a system with four partitions. The first one, called the ESP (EFI System Partition), cannot be encrypted because the computer has to have something to work with when trying to boot, and the ESP is it. (On the other hand, the hardware watches for changes to the ESP. Although it's possible to add malware to the ESP, it's difficult.)

We want the other three partitions to be encrypted.

LVM-normal-partitions.png

2.2. The system with LVM, ignoring encryption

Here, you see our intended structure, but before LUKS has been added. The three partitions to be encrypted are combined physically into a single partition. To any application, though, they appear to be three separate partitions.

LVM-combined-partitions.png

2.3. The system with both LUKS and LVM

We have added LUKS to encrypt the entire system (apart from the ESP). When the partition is locked, no one can tell that there are multiple partitions or that LVM is in use, much less view the contents.

Any application, though, does not know that the partitions are logical or that the entire underlying structure is encrypted.

LUKS-LVM-partitions.png

3. Extra resources for LVM

If you prefer a GUI to the command line, there is an app called Logical Volume Management. Install system-config-lvm from your favourite package manager.

The GUI is not required, and we won't use it during the installation.

ManualFullSystemEncryption/BasicsLVM (last edited 2018-08-21 15:11:37 by paddy-landau)