Trying to decipher my notes from the last time I installed LVM on LUKS, I have a note to create three "primary" partitions for a Dual-Boot installation. The trouble is, after I install Windows, but before I install Linux--when I'm setting up the LUKS/LVM Linux partition and get to the lvcreate step, I receive the error: Incorrect metadata area header checksum on /dev/sdb3 at offset 4096. (I keep Windows just for testing purposes and so it's not encrypted)

From research I've learned this results from the partition id 83 Linux that should be 8e LVM instead. I've confirmed the same with fdisk output generated from my last successful installation.

I've tried to create an "extended" partition instead of a "primary" partition (in step 3), but this partition is unrecognized by the pvcreate step. I can't figure out when I made the 8e change to the partition. My steps are as follows:

4) Create physical volume on Linux partition.
   # pvcreate /dev/sda3
5) Create volume group
   # vgcreate cryptVG /dev/sda3
6) Gain access to the unmounted root volume.
   # lvm vgchange -a y
7.1) Create the encrypted container for the LVM,
   # cryptsetup -y -c aes-xts-plain -s 512 luksFormat /dev/sda3
7.2) Open the crypt container for installation,
   # cryptsetup luksOpen /dev/sda3 cryptVG
8) # pvcreate /dev/mapper/cryptVG
9) # vgcreate cryptVG /dev/mapper/cryptVG
10) # lvcreate -n root -L 15.5G cryptVG

Step 9 is also giving me a problem. Error says cryptVG was already created, but doesn't the LVM volume need to be set up inside the encrypted steps? (It may have been a later edit to my list of steps when I installed Arch on top of the original LUKS crypt I made for Fedora, or not). Help me edit my notes to make the correct partition id by explaining when the extended volume is created in the above steps.

1 Answer

The problem you're seeing is because you're encrypting the raw disk partition rather than the volume group (step 7). So you're overwriting the LVM information with the crypto headers.

Your next question is going to be "Ok, so how do I do this?" For that I'm going to suggest Google... Conceptually there are a few ways it can be done, it just depends on what you're trying to protect / hide.

For example, you could create the LUKS container and protect everything on the partition, including the metadata. Or, you encrypt each logical volume individually with different keys. There are benefits and problems with each approach.

  • I've accidentally encrypted each LV before. It's definitely not the goal. Here, the rub is if I don't create the PV, then I can't create the VG. And if I don't create the VG, then I don't have something to open in step 7.2. The steps in this checklist worked before. I may have added 8 & 9 for non-LUKS (which is the mystery referred to in my post). Otherwise these steps by themselves plus whatever I did in GParted in step 3, do the trick... So I guess I'm not clear what is your answer--what is the code you suggest to replace step 7?
    – xtian
    Commented Dec 15, 2013 at 2:51
  • @xtian: This will get you past encrypting the physical volume and overwriting the volume group: Add 6.2: lvcreate -n encryptedLV -L20G cryptVG Change 7.1 to: cryptsetup -y -c aes-xts-plain -s 512 luksFormat /dev/cryptVG/encryptedLV
    – kronenpj
    Commented Dec 16, 2013 at 0:56
  • Then to mount the filesystem automatically on boot, it will depend on the specific OS you're running. You'll need to arrange for cryptsetup luksOpen /dev/cryptVG/encryptedLV encryptedData to be run. Then mount /dev/mapper/encryptedData /somewhere/you/want or something in /etc/fstab...
    – kronenpj
    Commented Dec 16, 2013 at 1:13
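
An added example, not part of the question, the answer or the comments: a small shell lint that replays a checklist like the one in the question and flags the two ordering problems discussed above (luksFormat on a device that already holds a PV, and a reused VG name). The function names and the reordered "LUKS first" checklist are constructed for illustration; the lint assumes one command per line with the device directly after luksFormat.

```shell
# Added example: flag LVM/LUKS ordering problems in an install checklist.
# Assumes one command per line and the device right after "luksFormat".
lint_steps() {
  awk '
    { sub(/^[ \t]*#?[ \t]*/, "") }             # strip the "# " root prompt
    $1 == "lvm" { sub(/^lvm[ \t]+/, "") }      # "lvm vgchange" -> "vgchange"
    $1 == "pvcreate" { pv[$NF] = NR }          # remember where each PV was made
    $1 == "vgcreate" {
      if ($2 in vg) printf "line %d: VG name %s already used at line %d\n", NR, $2, vg[$2]
      else vg[$2] = NR
    }
    $1 == "cryptsetup" {
      for (i = 2; i < NF; i++) if ($i == "luksFormat") {
        dev = $(i + 1)
        if (dev in pv) {
          printf "line %d: luksFormat on %s overwrites the PV from line %d\n", NR, dev, pv[dev]
          delete pv[dev]
        }
      }
    }'
}

# Steps 4-10 as posted in the question.
notes_as_posted() {
  cat <<'EOF'
# pvcreate /dev/sda3
# vgcreate cryptVG /dev/sda3
# lvm vgchange -a y
# cryptsetup -y -c aes-xts-plain -s 512 luksFormat /dev/sda3
# cryptsetup luksOpen /dev/sda3 cryptVG
# pvcreate /dev/mapper/cryptVG
# vgcreate cryptVG /dev/mapper/cryptVG
# lvcreate -n root -L 15.5G cryptVG
EOF
}

# Constructed reordering: container first, LVM only inside the mapping.
notes_luks_first() {
  cat <<'EOF'
# cryptsetup -y -c aes-xts-plain -s 512 luksFormat /dev/sda3
# cryptsetup luksOpen /dev/sda3 cryptVG
# pvcreate /dev/mapper/cryptVG
# vgcreate cryptVG /dev/mapper/cryptVG
# lvcreate -n root -L 15.5G cryptVG
EOF
}

notes_as_posted | lint_steps
```

The lint only reads text; it never touches a block device, so it can be run against notes before any of the commands are typed as root.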
