Bug 880876 - Anaconda encrypts the physical volume instead of the logical volume
Summary: Anaconda encrypts the physical volume instead of the logical volume
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: 18
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: David Lehman
QA Contact: Fedora Extras Quality Assurance
Duplicates: 909228
Depends On:
Reported: 2012-11-28 01:24 UTC by emailadhoc
Modified: 2013-05-30 01:18 UTC

Fixed In Version: anaconda-19.22-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-05-30 01:18:00 UTC
Type: Bug

Attachments
/boot mountpoint (65.53 KB, image/png), 2012-11-28 15:52 UTC, emailadhoc
/ mountpoint (66.00 KB, image/png), 2012-11-28 15:52 UTC, emailadhoc
/home mountpoint (68.63 KB, image/png), 2012-11-28 15:53 UTC, emailadhoc

Description emailadhoc 2012-11-28 01:24:52 UTC
Using Fedora 18 beta, I try to partition the disk manually. I want to have an ext3 /boot, and an lvm vg (since this is a test installation, it's built upon only one pv), inside which there must be two lv: /, ext4, and /home, luks + ext4.

Steps to Reproduce:
1. I create a /boot partition label
2. I create a / partition, ext4, lvm, not encrypted
3. I then create a /home partition, ext4, lvm, encrypted

Actual results:
Anaconda automatically creates one luks volume and a pv inside it, encrypting the whole logical volume "fedora", including the / filesystem.

--- Physical volume ---
PV Name /dev/mapper/luks-[...]
VG Name fedora
PV Size 7.50 GiB

--- Logical Volume ---
LV Path /dev/fedora/home

--- Logical Volume ---
LV Path /dev/fedora/root

Expected results:
I should obtain an ext3 filesystem mounted under /boot, an unencrypted pv, a logical volume for / and another one for a luks partition containing an ext4 filesystem for /home. I choose not to encrypt / because it doesn't contain much sensitive data for me (I could be vulnerable to an evil maid attack anyway); encryption causes a noticeable overhead on slow machines and higher power consumption on laptop computers.

Comment 1 Chris Lumens 2012-11-28 15:32:11 UTC
Did you click the encryption checkbox on the initial storage screen, or did you click it for each filesystem individually?  Or both?

Comment 2 emailadhoc 2012-11-28 15:51:40 UTC
I selected it only for the /home filesystem. I didn't select "Encrypt my data. I'll set a passphrase later" on the initial storage screen, and I chose "I don't need help; let me customize disk partitioning".

Comment 3 emailadhoc 2012-11-28 15:52:24 UTC
Created attachment 653591
/boot mountpoint

Comment 4 emailadhoc 2012-11-28 15:52:58 UTC
Created attachment 653592
/ mountpoint

Comment 5 emailadhoc 2012-11-28 15:53:24 UTC
Created attachment 653593
/home mountpoint

Comment 6 David Lehman 2012-11-30 15:01:28 UTC
For the time being this is your only option unless you want to use kickstart to get exactly what you describe. I plan to add some UI control to enable encrypting either logical volumes or the entire volume group, but there are higher priorities at the moment.

Comment 7 emailadhoc 2012-11-30 18:06:16 UTC
I understand that you have other priorities and I don't really need a similar setup now, but I think there shouldn't be another option in the UI: There's already one, and it is the "encrypt" checkbox. Anaconda should determine automatically what to do. It should encrypt the physical volume(s) if all the "mountpoints" in the volume group are to be encrypted, and encrypt individual filesystems in the vg if not all the "mountpoints" are selected to be encrypted. It doesn't make sense otherwise to leave the user free to choose which mountpoints need to be encrypted, IMHO

Comment 8 Shawn Sterling 2013-01-16 06:49:58 UTC
I have run into this problem as well. 

Being able to pick and choose which logical volume you want to encrypt has worked in the previous installations of Fedora/anaconda. 

Having a user encrypting their home partition/lv is a fairly normal thing (according to me). Expecting a normal user to be able to set up a luks partition in a kickstart for what they want is entirely another. I'm fine doing a kickstart, but this seems like a big step backwards.

Comment 9 Adam Williamson 2013-05-30 01:15:23 UTC
*** Bug 909228 has been marked as a duplicate of this bug. ***

Comment 10 Adam Williamson 2013-05-30 01:18:00 UTC
This is definitely present since 19.22. Please test it out (Fedora 19 Beta includes the code) and file new bugs if you find problems. Thanks! I did a quick test of encrypting /home but not /, both as LVs within the same VG, and it looks to have worked OK.
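
A check for the layout difference this bug is about, as an added example that is not part of the bug report or of anaconda: it reads `lsblk -J -o NAME,TYPE,MOUNTPOINT` output and reports, per mountpoint, whether the LUKS layer sits under the LVM physical volume or on the individual logical volume. Both sample device trees are constructed, and the function names and result labels are this example's own.

```python
import json

# Constructed `lsblk -J -o NAME,TYPE,MOUNTPOINT` output; device names are made up.
# Layout reported in the bug: LUKS below the PV, so every LV in the VG is encrypted.
LUKS_UNDER_PV = """
{"blockdevices": [{"name": "sda", "type": "disk", "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "mountpoint": "/boot"},
  {"name": "sda2", "type": "part", "mountpoint": null, "children": [
    {"name": "luks-EXAMPLE", "type": "crypt", "mountpoint": null, "children": [
      {"name": "fedora-root", "type": "lvm", "mountpoint": "/"},
      {"name": "fedora-home", "type": "lvm", "mountpoint": "/home"}]}]}]}]}
"""
# Layout the reporter expected: plain PV, LUKS only on top of the home LV.
LUKS_ON_LV = """
{"blockdevices": [{"name": "sda", "type": "disk", "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "mountpoint": "/boot"},
  {"name": "sda2", "type": "part", "mountpoint": null, "children": [
    {"name": "fedora-root", "type": "lvm", "mountpoint": "/"},
    {"name": "fedora-home", "type": "lvm", "mountpoint": null, "children": [
      {"name": "luks-EXAMPLE", "type": "crypt", "mountpoint": "/home"}]}]}]}]}
"""

def placement(chain):
    """Classify a list of device types ordered from the disk down to the mounted device."""
    if "crypt" not in chain:
        return "unencrypted"
    if "lvm" not in chain:
        return "luks-no-lvm"
    # First crypt layer before the first lvm layer means the PV itself is the LUKS device.
    return "luks-under-pv" if chain.index("crypt") < chain.index("lvm") else "luks-on-lv"

def classify(lsblk_json):
    """Return {mountpoint: placement} for every mounted device in the lsblk tree."""
    result = {}

    def walk(node, chain):
        chain = chain + [node["type"]]
        if node.get("mountpoint"):
            result[node["mountpoint"]] = placement(chain)
        for child in node.get("children", []):
            walk(child, chain)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, [])
    return result

if __name__ == "__main__":
    for label, sample in (("under PV", LUKS_UNDER_PV), ("on LV", LUKS_ON_LV)):
        print(label, classify(sample))
```

On an installed system, pass the output of `lsblk -J -o NAME,TYPE,MOUNTPOINT` to `classify()`; a `/` that reports `luks-under-pv` when only `/home` was marked for encryption is the behaviour described in this bug.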
