Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 880876 - Anaconda encrypts the physical volume instead of the logical volume
Anaconda encrypts the physical volume instead of the logical volume
Product: Fedora
Classification: Fedora
Component: anaconda (Show other bugs)
Unspecified Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: David Lehman
Fedora Extras Quality Assurance
: 909228 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2012-11-27 20:24 EST by emailadhoc
Modified: 2013-05-29 21:18 EDT (History)
9 users (show)

See Also:
Fixed In Version: anaconda-19.22-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-05-29 21:18:00 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
/boot mountpoint (65.53 KB, image/png)
2012-11-28 10:52 EST, emailadhoc
no flags Details
/ mountpoint (66.00 KB, image/png)
2012-11-28 10:52 EST, emailadhoc
no flags Details
/home mountpoint (68.63 KB, image/png)
2012-11-28 10:53 EST, emailadhoc
no flags Details

  None (edit)
Description emailadhoc 2012-11-27 20:24:52 EST
Using fedora 18 beta, I try to partition the disk manually. I want to have an ext3 /boot, and an lvm vg (since this is a test installation, it's build upon only one pv), inside which there must be two lv: /, ext4, and /home, luks + ext4.

Steps to Reproduce:
1.I create a /boot partition label
2.I create a / partition, ext4, lvm, not encrypted
3.I then create a /home partition, ext4, lvm, encrypted
Actual results:
Anaconda automatically creates one luks volume and a pv inside it, encrypting the whole logical volume "fedora", including the / filesystem

--- Physical volume ---
PV Name /dev/mapper/luks-[...]
VG Name fedora
PV Size 7.50 GiB

--- Logical Volume ---
LV Path /dev/fedora/home

--- Logical Volume ---
LV Path /dev/fedora/root

Expected results:
I should obtain an ext3 filesystem mounted under /boot, an unencrypted pv, a logical volume for / and another one for a luks partition containing an ext4 filesystem for /home. I choose not to encrypt / because it doesn't contain much sensible data for me (I could be vulnerable to an evil maid attack anyway); encryption causes a noticeable overhead on slow machines and higher power consumption on laptop computers
Comment 1 Chris Lumens 2012-11-28 10:32:11 EST
Did you click the encryption checkbox on the initial storage screen, or did you click it for each filesystem individually?  Or both?
Comment 2 emailadhoc 2012-11-28 10:51:40 EST
I selected it only for the /home filesystem. I didn't select "Encrypt my data. I'll set a passhprase later" on the initial storage screen, and I choose "I don't need help; let me customize disk patitioning"
Comment 3 emailadhoc 2012-11-28 10:52:24 EST
Created attachment 653591 [details]
/boot mountpoint
Comment 4 emailadhoc 2012-11-28 10:52:58 EST
Created attachment 653592 [details]
/ mountpoint
Comment 5 emailadhoc 2012-11-28 10:53:24 EST
Created attachment 653593 [details]
/home mountpoint
Comment 6 David Lehman 2012-11-30 10:01:28 EST
For the time being this is your only option unless you want to use kickstart to get exactly what you describe. I plan to add some UI control to enable encrypting either logical volumes or the entire volume group, but there are higher priorities at the moment.
Comment 7 emailadhoc 2012-11-30 13:06:16 EST
I understand that you have other priorities and I don't really need a similar setup now, but I think there shouldn't be another option in the UI: There's already one, and it is the "encrypt" checkbox. Anaconda should determine automatically what to do. It should encrypt the physical volume(s) if all the "mountpoints" in the volume group are to be encrypted, and encrypt individual filesystems in the vg if not all the "mountpoints" are selected to be encrypted. It doesn't make sense otherwise to leave the user free to choose which mountpoints need to be encrypted, IMHO
Comment 8 Shawn Sterling 2013-01-16 01:49:58 EST
I have run into this problem as well. 

Being able to pick and choose which logical volume you want to encrypt has worked in the previous installations of Fedora/anaconda. 

Having a user encrypting their home partition/lv is a fairly normal thing (according to me). Expecting a normal user to be able to setup a luks partition in a kickstart for what they want is entirely another. I'm fine doing a kickstart, but this seems like a big step backwards.
Comment 9 Adam Williamson 2013-05-29 21:15:23 EDT
*** Bug 909228 has been marked as a duplicate of this bug. ***
Comment 10 Adam Williamson 2013-05-29 21:18:00 EDT
This is definitely present since 19.22. Please test it out (Fedora 19 Beta includes the code) and file new bugs if you find problems. Thanks! I did a quick test of encrypting /home but not / , both as LVs within the same VG, and it looks to have worked OK.

Note You need to log in before you can comment on or make changes to this bug.