Encrypting storage volumes protects data at rest: if a physical disk is lost, stolen, or pulled from a decommissioned host, an attacker gets only ciphertext. (It does not protect data while the host is running and the volume is unlocked; anyone with root on the host can read the images.) This post will guide you through encrypting KVM volumes as LVM logical volumes on Debian 12. We’ll cover setting up LVM, encrypting the volumes with LUKS (Linux Unified Key Setup), and integrating them into your KVM setup.
Before we start, make sure you have the following:
- A Debian 12 system with root or sudo access.
- KVM and related tools installed (qemu-kvm, libvirt-daemon-system, virt-manager, etc.).
- Basic understanding of LVM and LUKS.
Install necessary packages
First, ensure that your system is up to date and install the required packages.
sudo apt update
sudo apt upgrade -y
sudo apt install lvm2 cryptsetup
Set up LVM
Create a Physical Volume
Identify the disk or partition you want to use for LVM and confirm with lsblk that it holds nothing you need; everything on it will be overwritten. For this example, let’s assume /dev/sdb.
sudo pvcreate /dev/sdb
Create a Volume Group
Next, create a volume group (VG). We’ll name it vg_data.
sudo vgcreate vg_data /dev/sdb
Create a Logical Volume
Create a logical volume (LV) within the volume group. We’ll name it lv_encrypted.
sudo lvcreate -n lv_encrypted -L 50G vg_data
Encrypt the Logical Volume
Initialize LUKS
Initialize the logical volume for use with LUKS. This process will erase all data on the volume, so ensure that it is empty or that you have backups. You will be asked to confirm and to choose a passphrase; on Debian 12, cryptsetup creates a LUKS2 header with argon2id key derivation by default, so pick a long passphrase rather than relying on the key-derivation cost alone.
sudo cryptsetup luksFormat /dev/vg_data/lv_encrypted
Open the encrypted volume
Open the encrypted volume, which makes it accessible under a mapped device name. We’ll call this mapped device crypt_data.
sudo cryptsetup open /dev/vg_data/lv_encrypted crypt_data
Create a filesystem
Now, create a filesystem on the opened encrypted volume. Here, we’ll use ext4.
sudo mkfs.ext4 /dev/mapper/crypt_data
Mount the encrypted volume
Create a mount point and mount the encrypted volume.
sudo mkdir /mnt/crypt_data
sudo mount /dev/mapper/crypt_data /mnt/crypt_data
To have the volume unlocked and mounted automatically at boot, add an entry to /etc/crypttab and /etc/fstab. With none as the key file, boot stops at a passphrase prompt on the console until someone answers it; a headless host needs a key file (stored on the already-unlocked root filesystem and itself protected with mode 0400) or another unattended-unlock mechanism. Do not add nofail to the fstab entry: if the unlock fails, a halted boot is better than libvirt quietly writing VM images into an empty /mnt/crypt_data directory on the unencrypted root filesystem.
echo "crypt_data /dev/vg_data/lv_encrypted none luks" | sudo tee -a /etc/crypttab
echo "/dev/mapper/crypt_data /mnt/crypt_data ext4 defaults 0 2" | sudo tee -a /etc/fstab
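The steps above, rolled into one script with the checks a practitioner would add. This is an added example, not the post's own commands: it assumes it runs as root, takes DISK, VG, LV, SIZE, NAME, MOUNTPOINT and HEADER_BACKUP as parameters (the post's values are the defaults), and touches no device unless RUN_SETUP=1 is set, so the helper functions can be exercised on their own. It refuses a disk that already carries signatures, spells out the LUKS2/argon2id parameters, backs up the LUKS header, and keys /etc/crypttab on the LUKS UUID rather than on the LV path.

```shell
#!/bin/sh
# Added example (not from the original post): hardened LVM + LUKS setup.
# Assumed parameters: DISK, VG, LV, SIZE, NAME, MOUNTPOINT, HEADER_BACKUP.
# Nothing touches a disk unless RUN_SETUP=1 is set; the helpers are pure.
set -eu

DISK="${DISK:-/dev/sdb}"
VG="${VG:-vg_data}"
LV="${LV:-lv_encrypted}"
SIZE="${SIZE:-50G}"
NAME="${NAME:-crypt_data}"
MOUNTPOINT="${MOUNTPOINT:-/mnt/crypt_data}"
HEADER_BACKUP="${HEADER_BACKUP:-/root/${NAME}-luks-header.img}"

# Accept only a well-formed LUKS UUID (8-4-4-4-12 hex) so a typo or an
# empty value from a failed luksUUID call never ends up in /etc/crypttab.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# crypttab line keyed by the LUKS UUID rather than /dev/vg/lv, so a renamed
# VG or LV does not silently break unlocking at boot. "none" means a
# passphrase prompt on the console; boot blocks there until it is answered.
crypttab_entry() {
    is_uuid "$2" || return 1
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# fstab line for the mapped device. Deliberately no "nofail": if the unlock
# fails we want boot to stop rather than leave an empty directory on the
# root filesystem where VM images would land unencrypted.
fstab_entry() {
    printf '/dev/mapper/%s %s ext4 defaults 0 2\n' "$1" "$2"
}

# Append a line only if it is not already present, so re-running is safe.
append_once() {
    grep -qxF -- "$1" "$2" 2>/dev/null || printf '%s\n' "$1" >> "$2"
}

setup_encrypted_volume() {
    # Refuse to format a device that already carries a filesystem, LVM or
    # LUKS signature; wipefs -n only reports, it does not erase.
    if [ -n "$(wipefs -n "$DISK")" ]; then
        echo "refusing: $DISK already has signatures (see wipefs -n)" >&2
        return 1
    fi
    pvcreate "$DISK"
    vgcreate "$VG" "$DISK"
    lvcreate -n "$LV" -L "$SIZE" "$VG"

    # LUKS2 with argon2id: these are the Debian 12 defaults, spelled out so
    # the choice is visible in the script. This prompts for the passphrase.
    cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 \
        --pbkdf argon2id "/dev/$VG/$LV"
    cryptsetup isLuks "/dev/$VG/$LV"

    # The header holds the only copy of the wrapped master key: back it up
    # now, then move the file off this host.
    cryptsetup luksHeaderBackup "/dev/$VG/$LV" --header-backup-file "$HEADER_BACKUP"
    chmod 0600 "$HEADER_BACKUP"

    uuid=$(cryptsetup luksUUID "/dev/$VG/$LV")
    cryptsetup open "/dev/$VG/$LV" "$NAME"
    mkfs.ext4 "/dev/mapper/$NAME"
    mkdir -p "$MOUNTPOINT"
    mount "/dev/mapper/$NAME" "$MOUNTPOINT"

    entry=$(crypttab_entry "$NAME" "$uuid") || return 1
    append_once "$entry" /etc/crypttab
    append_once "$(fstab_entry "$NAME" "$MOUNTPOINT")" /etc/fstab
    # Let systemd pick up the new units and sanity-check fstab before a reboot.
    systemctl daemon-reload
    findmnt --verify --fstab
}

if [ "${RUN_SETUP:-0}" = 1 ]; then
    setup_encrypted_volume
fi
```

Keep the header backup off the host: together with the passphrase it opens the volume, and without it a damaged header makes the data unrecoverable even with the passphrase.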
Configure KVM to use the encrypted volume
To use the encrypted volume as storage for your KVM virtual machines, follow these steps:
Create a storage pool
Create a new storage pool in KVM, pointing to the mount point of your encrypted volume.
sudo virsh pool-define-as encrypted_pool dir --target /mnt/crypt_data
sudo virsh pool-build encrypted_pool
sudo virsh pool-start encrypted_pool
sudo virsh pool-autostart encrypted_pool
Create storage volumes
With the storage pool in place, you can now create storage volumes within this pool for your virtual machines. A dir pool creates raw images by default, stored as /mnt/crypt_data/vm_disk1 with no file extension; pass --format qcow2 if you want a qcow2 image instead.
sudo virsh vol-create-as encrypted_pool vm_disk1 20G
sudo virsh vol-create-as encrypted_pool vm_disk2 20G
Attach Storage Volumes to VMs
Finally, attach these storage volumes to your virtual machines via virt-manager or the virsh command-line tool. Use the path libvirt actually created (no .vmdk or other extension is added) and a target name the guest is not already using; vda is usually the existing root disk. --persistent records the disk in the domain definition so it survives a restart.
sudo virsh attach-disk vm_name /mnt/crypt_data/vm_disk1 vdb --persistent
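Before defining the pool, check that /mnt/crypt_data really is the unlocked mapping. If the LUKS unlock or the mount fails at boot, /mnt/crypt_data is just an empty directory on the root filesystem, pool-autostart will start there without complaint, and every new image lands unencrypted. The following is an added example, not part of the original post: it parses /proc/self/mountinfo and the dmsetup table of the mapping (constructed sample text for both is embedded so the checks can be run without root), and runs the virsh steps only with RUN_POOL=1 as root. POOL, NAME and MOUNTPOINT are assumed parameters, and the volume is created as qcow2, which goes beyond the post's raw default.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to create the libvirt
# pool unless the target directory is a mount backed by a dm-crypt target.
# Assumed parameters: POOL, NAME, MOUNTPOINT. Live steps need RUN_POOL=1.
set -eu

POOL="${POOL:-encrypted_pool}"
NAME="${NAME:-crypt_data}"
MOUNTPOINT="${MOUNTPOINT:-/mnt/crypt_data}"

# Constructed sample data (not captured from a real host) for self-checks.
# /proc/self/mountinfo with the encrypted volume mounted:
SAMPLE_MOUNTINFO='24 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
57 24 253:1 / /mnt/crypt_data rw,relatime - ext4 /dev/mapper/crypt_data rw'
# The same host after a failed unlock: only the root filesystem is mounted.
SAMPLE_PLAIN_MOUNTINFO='24 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw'
# "dmsetup table crypt_data" for a LUKS2 mapping using the kernel keyring.
SAMPLE_TABLE='0 104857600 crypt aes-xts-plain64 :64:logon:cryptsetup:0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0-d0 0 253:0 32768'

# Print the source device of the mount at $1, reading mountinfo text from
# stdin. Layout: "id parent maj:min root mountpoint opts [optional...] - fstype source superopts";
# the source is the second field after the "-" separator.
mount_source() {
    awk -v mp="$1" '$5 == mp {
        for (i = 7; i <= NF; i++) if ($i == "-") { print $(i + 2); exit }
    }'
}

# True if a "dmsetup table" line describes a dm-crypt target:
# "<start> <length> crypt <cipher> <key> <iv-offset> <device> <offset> ...".
# Empty input (no such mapping) is treated as not encrypted.
is_crypt_table() {
    printf '%s\n' "$1" | awk '{ ok = ($3 == "crypt"); exit } END { exit !ok }'
}

# $1 mount point, $2 mapping name, $3 mountinfo text, $4 dmsetup table line.
# Both conditions must hold: the directory is a mount of /dev/mapper/$2 and
# that mapping is a crypt target (not, say, a plain linear LV).
mount_is_encrypted() {
    src=$(printf '%s\n' "$3" | mount_source "$1")
    [ "$src" = "/dev/mapper/$2" ] && is_crypt_table "$4"
}

create_pool() {
    if ! mount_is_encrypted "$MOUNTPOINT" "$NAME" \
            "$(cat /proc/self/mountinfo)" "$(dmsetup table "$NAME")"; then
        echo "refusing: $MOUNTPOINT is not the unlocked $NAME mapping" >&2
        return 1
    fi
    virsh pool-define-as "$POOL" dir --target "$MOUNTPOINT"
    virsh pool-build "$POOL"
    virsh pool-start "$POOL"
    virsh pool-autostart "$POOL"
    # dir pools create raw images unless told otherwise; ask for qcow2 and
    # print the resulting path instead of guessing a file extension.
    virsh vol-create-as "$POOL" vm_disk1 20G --format qcow2
    virsh vol-path vm_disk1 --pool "$POOL"
}

if [ "${RUN_POOL:-0}" = 1 ]; then
    create_pool
fi
```

Feed the path printed by vol-path to attach-disk together with --driver qemu --subdriver qcow2 so libvirt does not have to guess the image format.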
Conclusion
By following these steps, you’ve encrypted your KVM volumes as LVM logical volumes on Debian 12. This setup protects your data at rest, leveraging LVM for flexible storage management and LUKS for robust encryption: an attacker who obtains the physical disk or a raw copy of the LV gets only ciphertext. While the host is running and the volume is open, the images are plaintext to anyone with root on the host, so host hardening still matters. Regularly update your system, keep a backup of the LUKS header off the host, and maintain backups of the data to ensure integrity and availability.