Just completed an installation of 12.04 using the standard installer to configure LUKS/LVM full disk encryption and noticed something that doesn't look right...
While verifying that the selected encryption is actually being encrypted I noticed that the 12.04 configuration script is mounting swap on a separate dm-crypt device mapper encrypted mount point, with the underlying device being one of the two virtual LVM partitions that are ALREADY ENCRYPTED INSIDE THE MAIN LUKS/LVM 'full disk' Volume!
For my 'tux_test' test user there the 12.04 installer created FOUR /dev/mapper virtually mapped devices.
(which Looks to be one too many).
"sudo dmsetup ls" lists 4 mapped devices (pretty sure there should only be three)
sda5_crypt - the main LUKS encrypted master volume which contains the master LVM partition.
tux-root - one of two LVM sub-partitions made available by the LVM device mapper inside sda5_crypt
tux-swap - the second of two sub-partitions made available by the LVM device mapper inside sda5_crypt
cryptswap1 - ANOTHER (second) encryption of swap created by mounting the already encrypted tux-swap in /etc/crypt using a random session password from /dev/urandom
I understand that the boot partition is NOT encrypted (due to the limitations of the crappy GRUB2 boot loader) but doubly encrypting swap to make up for that is not really necessary.
Even singly encrypted swap makes the system noticeably slower, and doubly encrypting REALLY SLOWS THINGS DOWN.
I'm pretty sure that I just went with the defaults for the LUKS/LVM setup during installation, so I'm not sure how this happened.
Any thoughts how this happened??? :confused:
While verifying that the selected encryption is actually being encrypted I noticed that the 12.04 configuration script is mounting swap on a separate dm-crypt device mapper encrypted mount point, with the underlying device being one of the two virtual LVM partitions that are ALREADY ENCRYPTED INSIDE THE MAIN LUKS/LVM 'full disk' Volume!
For my 'tux_test' test user there the 12.04 installer created FOUR /dev/mapper virtually mapped devices.
(which Looks to be one too many).
"sudo dmsetup ls" lists 4 mapped devices (pretty sure there should only be three)
sda5_crypt - the main LUKS encrypted master volume which contains the master LVM partition.
tux-root - one of two LVM sub-partitions made available by the LVM device mapper inside sda5_crypt
tux-swap - the second of two sub-partitions made available by the LVM device mapper inside sda5_crypt
cryptswap1 - ANOTHER (second) encryption of swap created by mounting the already encrypted tux-swap in /etc/crypt using a random session password from /dev/urandom
I understand that the boot partition is NOT encrypted (due to the limitations of the crappy GRUB2 boot loader) but doubly encrypting swap to make up for that is not really necessary.
Even singly encrypted swap makes the system noticeably slower, and doubly encrypting REALLY SLOWS THINGS DOWN.
I'm pretty sure that I just went with the defaults for the LUKS/LVM setup during installation, so I'm not sure how this happened.
Any thoughts how this happened??? :confused: