In Linux, Logical Volume Manager (LVM) is a device mapper target that provides logical volume management for the Linux kernel. You can use the same hcl add and hcl encrypt commands to register an LVM volume with KeyControl. However, unlike MBR partitions such as sdb1, LVM volumes cannot be stamped with a GUID by the Policy Agent. An LVM volume therefore cannot be migrated across VMs, because that process requires a GUID.
The following examples show the process of registering a new LVM volume and a volume with existing data.
Registering a New LVM Volume
# lvs
LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert
datalv hytrust-vg -wi-a----- 100.00m
root sub1504-vg -wi-ao---- 6.73g
swap_1 sub1504-vg -wi-ao---- 1020.00m
# hcl status
Summary
--------------------------------------------------------------------------------
KeyControl: skc1:443
KeyControl list: skc1:443
Status: Connected
Registered Devices
--------------------------------------------------------------------------------
Disk Name Clear Cipher Status
--------------------------------------------------------------------------------
Encrypted Folders
--------------------------------------------------------------------------------
Folder Name fsid Cipher Status
--------------------------------------------------------------------------------
Available Devices
--------------------------------------------------------------------------------
Disk Name Device Node Size (in MB)
--------------------------------------------------------------------------------
hytrust--vg-datalv /dev/dm-2 100
Other Devices
--------------------------------------------------------------------------------
Disk Name Device Node Status
--------------------------------------------------------------------------------
sda1 /dev/sda1 Mounted (/boot)
sdb /dev/sdb LVM (hytrust-vg)
sda5 /dev/sda5 LVM (sub1504-vg)
sub1504--vg-root /dev/dm-0 Mounted (/)
sub1504--vg-swap_1 /dev/dm-1 Mounted (swap)
# hcl add hytrust--vg-datalv
WARNING: device hytrust--vg-datalv will be added but will not have unique ID that ensures detection if disks are reordered or moved.
WARNING: This operation will destroy the contents of the disk.
If you wish to preserve them, run "hcl encrypt" instead.
Do you want to proceed? (y/n) y
Encrypted device hytrust--vg-datalv (/dev/dm-2) attached; decrypted contents visible at /dev/mapper/clear_hytrust--vg-datalv
Creating file system ext3 on /dev/mapper/clear_hytrust--vg-datalv
--------------------------------------------------------------------------------
mke2fs 1.42.12 (29-Aug-2014)
Creating filesystem with 102400 1k blocks and 25688 inodes
Filesystem UUID: d3d987b4-4773-4e15-995d-a1669603db0a
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729
Allocating group tables: done
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
--------------------------------------------------------------------------------
# hcl status
Summary
--------------------------------------------------------------------------------
KeyControl: skc1:443
KeyControl list: skc1:443
Status: Connected
Registered Devices
--------------------------------------------------------------------------------
Disk Name Clear Cipher Status
--------------------------------------------------------------------------------
hytrust--vg-datalv /dev/mapper/clear_hytrust--vg-datalv AES-XTS-512 Attached
'--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT
Encrypted Folders
--------------------------------------------------------------------------------
Folder Name fsid Cipher Status
--------------------------------------------------------------------------------
Available Devices
--------------------------------------------------------------------------------
Disk Name Device Node Size (in MB)
--------------------------------------------------------------------------------
Other Devices
--------------------------------------------------------------------------------
Disk Name Device Node Status
--------------------------------------------------------------------------------
sda1 /dev/sda1 Mounted (/boot)
sdb /dev/sdb LVM (hytrust-vg)
sda5 /dev/sda5 LVM (sub1504-vg)
sub1504--vg-root /dev/dm-0 Mounted (/)
sub1504--vg-swap_1 /dev/dm-1 Mounted (swap)
The file system can now be created on the clear-text device.
# mkfs /dev/mapper/clear_hytrust--vg-datalv
mke2fs 1.42.12 (29-Aug-2014)
/dev/mapper/clear_hytrust--vg-datalv contains a ext3 file system
created on Tue May 3 17:54:22 2016
Proceed anyway? (y,n) y
Creating filesystem with 102400 1k blocks and 25688 inodes
Filesystem UUID: f4a9c9ca-d451-4d20-9a32-6cdf5de844d8
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729
Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
# mkdir /tmp/mnt
# mount /dev/mapper/clear_hytrust--vg-datalv /tmp/mnt
# hcl rm hytrust--vg-datalv
WARNING: Removal of devices will cause any data stored on them to be permanently lost.
Do you want to proceed? (y/n) y
Removed device hytrust--vg-datalv
Encrypting an LVM Volume with an Existing File System
# mkfs /dev/mapper/hytrust--vg-datalv
mke2fs 1.42.12 (29-Aug-2014)
Creating filesystem with 102400 1k blocks and 25688 inodes
Filesystem UUID: f643d9b9-0b12-4710-8aad-7529c61c82af
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729
Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
# hcl encrypt hytrust--vg-datalv -o
All the data on hytrust--vg-datalv will be encrypted
The cleartext data will be available on /dev/mapper/clear_hytrust--vg-datalv
This operation may take long time.
Do you want to proceed? (y/n) y
hytrust--vg-datalv (/dev/dm-2) appears to contain an existing filesystem (ext2)
Do you want to proceed? (y/n) y
WARNING: device hytrust--vg-datalv will be added but will not have unique ID that ensures detection if disks are reordered or moved.
Encrypted device hytrust--vg-datalv (/dev/dm-2) attached; decrypted contents visible at /dev/mapper/clear_hytrust--vg-datalv
total device size 102400 K
Processing: 100% Time left: 00:00:00
Completed encryption of hytrust--vg-datalv successfully
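The following check is an added example, not part of the original page or of the HyTrust tooling. It derives the device-mapper name that hcl status shows for an LVM volume and reports whether that volume is registered, still unencrypted, or neither. The sample input is constructed from the listings above; the scratch volume and the single-space column layout are assumptions.

```shell
#!/bin/sh
# Added example (not HyTrust code). device-mapper name of an LV: hyphens in
# the VG and LV names are doubled, then the two are joined with one hyphen.
dm_name() {
    printf '%s-%s\n' "$(printf '%s' "$1" | sed 's/-/--/g')" \
                     "$(printf '%s' "$2" | sed 's/-/--/g')"
}

# Print the first column of one section of `hcl status` text read from stdin.
hcl_section() {
    awk -v want="$1" '
        /^(Summary|Registered Devices|Encrypted Folders|Available Devices|Other Devices)$/ {
            cur = $0; next }
        /^-+$/ || /^Disk Name/ || /^Folder Name/ || /-->/ { next }
        cur == want && NF { print $1 }'
}

# Classify VG $1 / LV $2 against `hcl status` text on stdin.
lv_state() {
    txt=$(cat); name=$(dm_name "$1" "$2")
    if printf '%s\n' "$txt" | hcl_section "Registered Devices" | grep -qxF -e "$name"; then
        echo registered      # listed with a cipher under Registered Devices
    elif printf '%s\n' "$txt" | hcl_section "Available Devices" | grep -qxF -e "$name"; then
        echo unencrypted     # visible to the agent, not yet added or encrypted
    else
        echo other           # mounted, an LVM physical volume, or not listed
    fi
}

# Constructed sample: rows adapted from the listings above; the "scratch"
# volume is hypothetical and columns are single-space separated.
sample_status() {
cat <<'EOF'
Registered Devices
--------------------------------------------------------------------------------
Disk Name Clear Cipher Status
--------------------------------------------------------------------------------
hytrust--vg-datalv /dev/mapper/clear_hytrust--vg-datalv AES-XTS-512 Attached
'--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT
Available Devices
Disk Name Device Node Size (in MB)
hytrust--vg-scratch /dev/dm-3 100
Other Devices
sub1504--vg-root /dev/dm-0 Mounted (/)
EOF
}

sample_status | lv_state hytrust-vg scratch   # prints: unencrypted
```

On a host with the Policy Agent installed, pipe live output in instead, for example `hcl status | lv_state hytrust-vg datalv`.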