{"id":1539,"date":"2023-02-05T19:22:53","date_gmt":"2023-02-06T00:22:53","guid":{"rendered":"https:\/\/russellstinnett.com\/?p=1539"},"modified":"2023-02-19T07:50:24","modified_gmt":"2023-02-19T12:50:24","slug":"adding-an-encrypted-physical-volume-to-an-existing-volume-group","status":"publish","type":"post","link":"https:\/\/russellstinnett.com\/?p=1539","title":{"rendered":"Adding an Encrypted Physical Volume to an Existing Volume Group"},"content":{"rendered":"\n<p>Recently I noticed that the 500 GB SSD on my desktop was getting dangerously low on space. I cleaned out my Downloads folder, deleted some movies I had saved, and emptied the trash to clear up some space. I knew that this was only a temporary solution and that I would need to think about adding another drive. The trouble was that the 500 GB drive was encrypted and used LVM for its partitioning. So how do I add a new drive to this existing, encrypted volume? After spending an embarrassing amount of time trying to get a drive formatted<sub><sup>1<\/sup><\/sub>, adding an encrypted volume to an existing volume group turned out to be pretty simple. <\/p>\n\n\n\n<p>The first step is installing the physical drive in the computer (make sure you&#8217;re using a good cable<sub><sup>2<\/sup><\/sub>), but I feel that goes without saying. Once the system is up, make sure the system sees the drive using <code>lsblk<\/code> and make note of the device name. In my case, the device was \/dev\/sdb, so that&#8217;s what I&#8217;ll use as the example in the rest of the article. Start gdisk with <code>gdisk \/dev\/sdb<\/code> and remove any existing partitions with the &#8216;d&#8217; option. At this point, you may be able to move directly to cryptsetup, but I created a single partition using the whole drive, then ran <code>cryptsetup luksFormat \/dev\/sdb1<\/code>. I recommend using the same password for the new volume as the one for the existing volume. This will be explained in a later step. Now I have an encrypted Physical Volume (PV). 
Open the volume with <code>cryptsetup open \/dev\/sdb1 crypthome<\/code>. You can call it whatever you want, but since I&#8217;m using it to be my new \/home, I called it crypthome.<\/p>\n\n\n\n<p>Now I need to add the Physical Volume to the Volume Group that is currently on the system as \/. In retrospect, I probably could have created a new VG just for the \/home mount, but I didn&#8217;t. Adding a PV to a VG is really pretty simple. Use lsblk to get the mapped name for the encrypted volume and vgdisplay to get the name of the VG that you&#8217;d like to extend. In my case, I issued the command <code>vgextend data \/dev\/mapper\/crypthome<\/code>  and root. You should see a return message indicating that the VG was extended. If you run vgdisplay again, you should see a new &#8220;VG Size&#8221; for the Volume Group. You still need to create the Logical Volume that will be mounted as the new \/home (or whatever).<\/p>\n\n\n\n<p>Since I wanted to use this drive for a new \/home, I just created an LV using 100% of the available space. You could divide this up into a \/var and \/home, or whatever you want. I just needed a bigger \/home, so I created the LV with <code>lvcreate -l 100%FREE -n home data<\/code>. Case is critical here. There is also a -L parameter for creating a volume of a specific size. For whatever reason, -l is used for the percent of available space. The new volume will be the \/home directory, so I named it &#8216;home&#8217; with the -n switch. The last argument &#8216;data&#8217; is just to let lvcreate know which VG the volume is being created in. Now the volume should be there in the VG &#8216;data&#8217; and it can be formatted with the usual <code>mkfs -t ext4 \/dev\/data\/home<\/code>. If you&#8217;re creating a new \/home as I did, you&#8217;ll want to mount the new volume at this point and copy over the appropriate files and directories with &#8216;cp -av&#8217;. 
Then all that&#8217;s left to do is to make sure the system will see it, decrypt it, and mount it on boot.<\/p>\n\n\n\n<p>Having the volume available at boot is a matter of updating \/etc\/crypttab and \/etc\/fstab. I feel like it would be easiest to just show an example here.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># lsblk -f\nsda\n\u251c\u2500sda1          vfat        FAT32              D456-5AF3                                 116M    77% \/boot\/efi\n\u251c\u2500sda2          vfat        FAT32              D456-5773                                 1.5G    63% \/recovery\n\u251c\u2500sda3          crypto_LUKS 2                  343e7183-6728-4cd7-aa15-c8078175b4a1\n\u2502 \u2514\u2500cryptdata   LVM2_member LVM2 001           hDtcjZ-BOc6-AzGO-rkL6-Gwb9-uhx7-TnDFIf\n\u2502   \u2514\u2500data-root ext4        1.0                6e340b72-d286-4dfa-a533-0a206b472b3d      373G    12% \/\n\u2514\u2500sda4          swap        1                  b1f3723a-d852-4552-9ac4-ab8d3355d040\n  \u2514\u2500cryptswap   swap        1        cryptswap ceaef10b-ff2e-4c4a-8288-d21685614fdc                  &#91;SWAP]\nsdb\n\u2514\u2500sdb1          crypto_LUKS 2                  d4c6579e-1f82-4605-b1d5-2763dceb689b\n  \u2514\u2500crypthome   LVM2_member LVM2 001           uNdRSv-Kyna-l7BM-ZZ3s-j6ii-wfML-oQzpXP\n    \u2514\u2500data-home ext4        1.0                1ffb8abf-ed3e-4c18-8449-ebe322cdefa2    563.5G    33% \/home\n# cat \/etc\/fstab\nUUID=6e340b72-d286-4dfa-a533-0a206b472b3d  \/  ext4  noatime,errors=remount-ro  0  0\nUUID=1ffb8abf-ed3e-4c18-8449-ebe322cdefa2  \/home  ext4  noatime,errors=remount-ro  0  0\n# cat \/etc\/crypttab\ncryptdata UUID=343e7183-6728-4cd7-aa15-c8078175b4a1 my_keys luks,initramfs,keyscript=decrypt_keyctl\ncrypthome UUID=d4c6579e-1f82-4605-b1d5-2763dceb689b my_keys luks,initramfs,keyscript=decrypt_keyctl\n<\/code><\/pre>\n\n\n\n<p>Notice that the UUID for the LUKS volume and the Logical Volume are different. 
Make sure you use the correct UUID in the correct file. Otherwise, you&#8217;ll have to tell grub where devices are at boot, which kinda sucks. Also, note the option &#8216;keyscript=decrypt_keyctl&#8217; in \/etc\/crypttab. This is a script available on Debian\/Ubuntu systems that caches the password and then uses it to unlock all LUKS volumes with the same password. If you don&#8217;t do this, you&#8217;ll be prompted twice for a password even if they are the same.<\/p>\n\n\n\n<p>With all of these steps completed successfully, run <code>update-initramfs -u<\/code>, and that should do it. Reboot and you should have a new \/home.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>The trouble turned out to be a faulty cable. Even though I should have known to try a known good cable, this allowed me to learn more about GUID fdisk (or gdisk), testdisk, badblocks, and smartctl.<\/li>\n\n\n\n<li>See the previous footnote.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Recently I noticed that the 500 GB SSD on my desktop was getting dangerously low on space. I cleaned out my Downloads folder, deleted some movies I had saved, and emptied the trash to clear up some space. 
I knew that this was only a temporary solution and that I would need to think about&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6],"tags":[52,96,54],"class_list":["post-1539","post","type-post","status-publish","format-standard","hentry","category-linux","tag-linux","tag-luks","tag-lvm"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Adding an Encrypted Physical Volume to an Existing Volume Group - A Commonplace Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/russellstinnett.com\/?p=1539\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Adding an Encrypted Physical Volume to an Existing Volume Group - A Commonplace Blog\" \/>\n<meta property=\"og:description\" content=\"Recently I noticed that the 500 GB SSD on my desktop was getting dangerously low on space. I cleaned out my Downloads folder, deleted some movies I had saved, and emptied the trash to clear up some space. 
I knew that this was only a temporary solution and that I would need to think about...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/russellstinnett.com\/?p=1539\" \/>\n<meta property=\"og:site_name\" content=\"A Commonplace Blog\" \/>\n<meta property=\"article:published_time\" content=\"2023-02-06T00:22:53+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-02-19T12:50:24+00:00\" \/>\n<meta name=\"author\" content=\"russell\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"russell\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/russellstinnett.com\\\/?p=1539#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/russellstinnett.com\\\/?p=1539\"},\"author\":{\"name\":\"russell\",\"@id\":\"https:\\\/\\\/russellstinnett.com\\\/#\\\/schema\\\/person\\\/056f15a8cb83837a561f105dc1475ce8\"},\"headline\":\"Adding an Encrypted Physical Volume to an Existing Volume Group\",\"datePublished\":\"2023-02-06T00:22:53+00:00\",\"dateModified\":\"2023-02-19T12:50:24+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/russellstinnett.com\\\/?p=1539\"},\"wordCount\":790,\"commentCount\":0,\"keywords\":[\"linux\",\"luks\",\"lvm\"],\"articleSection\":[\"Linux\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/russellstinnett.com\\\/?p=1539#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/russellstinnett.com\\\/?p=1539\",\"url\":\"https:\\\/\\\/russellstinnett.com\\\/?p=1539\",\"name\":\"Adding an Encrypted Physical Volume to an Existing Volume Group - A Commonplace 
Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/russellstinnett.com\\\/#website\"},\"datePublished\":\"2023-02-06T00:22:53+00:00\",\"dateModified\":\"2023-02-19T12:50:24+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/russellstinnett.com\\\/#\\\/schema\\\/person\\\/056f15a8cb83837a561f105dc1475ce8\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/russellstinnett.com\\\/?p=1539#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/russellstinnett.com\\\/?p=1539\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/russellstinnett.com\\\/?p=1539#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/russellstinnett.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Adding an Encrypted Physical Volume to an Existing Volume Group\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/russellstinnett.com\\\/#website\",\"url\":\"https:\\\/\\\/russellstinnett.com\\\/\",\"name\":\"A Commonplace 
Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/russellstinnett.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/russellstinnett.com\\\/#\\\/schema\\\/person\\\/056f15a8cb83837a561f105dc1475ce8\",\"name\":\"russell\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/b1fb12238c00e45c4820005d8619303e4635df76f75ef14a958d79ef08e2ce00?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/b1fb12238c00e45c4820005d8619303e4635df76f75ef14a958d79ef08e2ce00?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/b1fb12238c00e45c4820005d8619303e4635df76f75ef14a958d79ef08e2ce00?s=96&d=mm&r=g\",\"caption\":\"russell\"},\"sameAs\":[\"https:\\\/\\\/russellstinnett.com\"],\"url\":\"https:\\\/\\\/russellstinnett.com\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Adding an Encrypted Physical Volume to an Existing Volume Group - A Commonplace Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/russellstinnett.com\/?p=1539","og_locale":"en_US","og_type":"article","og_title":"Adding an Encrypted Physical Volume to an Existing Volume Group - A Commonplace Blog","og_description":"Recently I noticed that the 500 GB SSD on my desktop was getting dangerously low on space. I cleaned out my Downloads folder, deleted some movies I had saved, and emptied the trash to clear up some space. 
I knew that this was only a temporary solution and that I would need to think about...","og_url":"https:\/\/russellstinnett.com\/?p=1539","og_site_name":"A Commonplace Blog","article_published_time":"2023-02-06T00:22:53+00:00","article_modified_time":"2023-02-19T12:50:24+00:00","author":"russell","twitter_card":"summary_large_image","twitter_misc":{"Written by":"russell","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/russellstinnett.com\/?p=1539#article","isPartOf":{"@id":"https:\/\/russellstinnett.com\/?p=1539"},"author":{"name":"russell","@id":"https:\/\/russellstinnett.com\/#\/schema\/person\/056f15a8cb83837a561f105dc1475ce8"},"headline":"Adding an Encrypted Physical Volume to an Existing Volume Group","datePublished":"2023-02-06T00:22:53+00:00","dateModified":"2023-02-19T12:50:24+00:00","mainEntityOfPage":{"@id":"https:\/\/russellstinnett.com\/?p=1539"},"wordCount":790,"commentCount":0,"keywords":["linux","luks","lvm"],"articleSection":["Linux"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/russellstinnett.com\/?p=1539#respond"]}]},{"@type":"WebPage","@id":"https:\/\/russellstinnett.com\/?p=1539","url":"https:\/\/russellstinnett.com\/?p=1539","name":"Adding an Encrypted Physical Volume to an Existing Volume Group - A Commonplace 
Blog","isPartOf":{"@id":"https:\/\/russellstinnett.com\/#website"},"datePublished":"2023-02-06T00:22:53+00:00","dateModified":"2023-02-19T12:50:24+00:00","author":{"@id":"https:\/\/russellstinnett.com\/#\/schema\/person\/056f15a8cb83837a561f105dc1475ce8"},"breadcrumb":{"@id":"https:\/\/russellstinnett.com\/?p=1539#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/russellstinnett.com\/?p=1539"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/russellstinnett.com\/?p=1539#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/russellstinnett.com\/"},{"@type":"ListItem","position":2,"name":"Adding an Encrypted Physical Volume to an Existing Volume Group"}]},{"@type":"WebSite","@id":"https:\/\/russellstinnett.com\/#website","url":"https:\/\/russellstinnett.com\/","name":"A Commonplace Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/russellstinnett.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/russellstinnett.com\/#\/schema\/person\/056f15a8cb83837a561f105dc1475ce8","name":"russell","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/b1fb12238c00e45c4820005d8619303e4635df76f75ef14a958d79ef08e2ce00?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/b1fb12238c00e45c4820005d8619303e4635df76f75ef14a958d79ef08e2ce00?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/b1fb12238c00e45c4820005d8619303e4635df76f75ef14a958d79ef08e2ce00?s=96&d=mm&r=g","caption":"russell"},"sameAs":["https:\/\/russellstinnett.com"],"url":"https:\/\/russellstinnett.com\/?author=1"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/russellstinnett.com\/index.php?rest_route=\/
wp\/v2\/posts\/1539","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/russellstinnett.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/russellstinnett.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/russellstinnett.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/russellstinnett.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1539"}],"version-history":[{"count":6,"href":"https:\/\/russellstinnett.com\/index.php?rest_route=\/wp\/v2\/posts\/1539\/revisions"}],"predecessor-version":[{"id":1546,"href":"https:\/\/russellstinnett.com\/index.php?rest_route=\/wp\/v2\/posts\/1539\/revisions\/1546"}],"wp:attachment":[{"href":"https:\/\/russellstinnett.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1539"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/russellstinnett.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1539"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/russellstinnett.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1539"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}