On my primary desktop machine at home, I have several volumes encrypted using dm-crypt/LUKS and mounted as part of my login thanks to pam-mount. On one hard drive is my main home directory and some small supplementary filesystems. On another hard drive I have several crypted volumes used for backing up my home partition but also other devices.

This setup is largely transparent to me: all of the filesystems are individually unlocked and mounted as part of my login. It is however a bit messy to have so many small crypted filesystems (using the same passphrase) and the login is delayed a fair while too.

What would be preferable would be to have one encrypted volume that was unlocked by my PAM keyphrase but which provided several sub-volumes which were mounted individually and had separate sizes, etc. It might be possible to achieve this by having the volume exported by dm-crypt be itself an LVM physical volume.

Does this sound sane to anyone? Is there a better way to achieve the same thing? I could remove the first volume group and have a disk partition feed directly into dm-crypt but I would lose some flexibility (there are some things I back up but don't encrypt, such as my music collection, and now and then I need a large scratchpad). I'm not sure how well putting a VG on top of an LV for a different VG would work, and I'm also not sure how happy the LVM code would be with a VG appearing and disappearing (in practice, I log in once a month or so, so it wouldn't happen that often).
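
The layering proposed above (one LUKS container used as an LVM physical volume, with a second volume group inside it), sketched as an added example that is not part of the original post. It only prints the commands rather than running them, and the device path, mapping name, VG name, mount points and sizes are all assumed for illustration.

```shell
#!/bin/sh
# Added example: prints (does not run) the commands for an LVM volume group
# stacked on a single LUKS container. Every name below is an assumption.
BACKING=/dev/vg0/crypt    # hypothetical LV (or partition) holding the LUKS container
MAPPER=cryptpv            # hypothetical dm-crypt mapping name
VG=vgcrypt                # hypothetical inner volume group
VOLUMES="home:40G backup:100G scratch:5G"   # constructed name:size pairs

# One-time setup: LUKS container -> physical volume -> volume group -> LVs.
plan_create() {
    echo "cryptsetup luksFormat $BACKING"
    echo "cryptsetup open $BACKING $MAPPER"
    echo "pvcreate /dev/mapper/$MAPPER"
    echo "vgcreate $VG /dev/mapper/$MAPPER"
    for spec in $VOLUMES; do
        name=${spec%%:*}; size=${spec##*:}
        echo "lvcreate -L $size -n $name $VG"
        echo "mkfs.ext4 /dev/$VG/$name"
    done
}

# Login: one passphrase prompt, then the inner VG is activated and mounted.
plan_unlock() {
    echo "cryptsetup open $BACKING $MAPPER"
    echo "vgchange -ay $VG"
    for spec in $VOLUMES; do
        name=${spec%%:*}
        echo "mount /dev/$VG/$name /mnt/$name"
    done
}

# Logout: strictly the reverse order. The dm-crypt mapping cannot be closed
# while logical volumes on it are still active.
plan_lock() {
    for spec in $VOLUMES; do
        echo "umount /mnt/${spec%%:*}"
    done
    echo "vgchange -an $VG"
    echo "cryptsetup close $MAPPER"
}

plan_create; plan_unlock; plan_lock
```

The inner volume group only exists to LVM while the mapping is open, so deactivating it with `vgchange -an` before `cryptsetup close` is what keeps the appear/disappear cycle clean.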

