How to extend a volgroup and filesystem backed by LUKS-formatted encrypted physical volumes

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 5
  • LVM volume groups backed by LUKS-formatted encrypted PVs
    (In contrast to encrypted LVM logical volumes)

Issue

  • When installing Red Hat Enterprise Linux, we selected the Encrypt system checkbox. Now we need more space. How can we safely extend our filesystem(s), ensuring they are backed by encrypted storage?

  • We have an LVM volume group backed by an encrypted LVM physical volume. What's the procedure to add new encrypted physical volumes to this volgroup (and to extend the logical volumes and the filesystems they contain)?

Resolution

  1. Add a new disk to the system, optionally partitioning it

    • This step could involve presenting an entirely new LUN, new virtual disk, or even extending an existing disk
    • This step will also likely require a rescan of the SCSI bus and might necessitate a reboot
    • If an existing disk is extended, a choice will need to be made whether to add the new space to an existing partition OR use the new space to create a new partition
      • Extending an existing partition is beyond the scope of this article (don't do it)
  2. Encrypt the new device with cryptsetup luksFormat DEV, where DEV is the path to the full disk or partition
    Examples:

    • cryptsetup -c aes-xts-plain64 luksFormat /dev/sda3     # More on ciphers [1]
    • cryptsetup -c aes-xts-plain64 luksFormat /dev/sdb1
    • cryptsetup luksFormat /dev/sdaa
  3. Open new encrypted disk with cryptsetup luksOpen DEV MAPPING, where MAPPING is an arbitrary name to use for the device-mapper target that will provide read/write access to the decrypted device
    Note that MAPPING is commonly set to "luks-UUID" (where UUID is the LUKS universally unique identifier)
    Examples:

    • cryptsetup luksOpen /dev/sda3 luks-$(cryptsetup luksUUID /dev/sda3)
    • cryptsetup luksOpen /dev/sdb1 luks-$(cryptsetup luksUUID /dev/sdb1)
    • cryptsetup luksOpen /dev/sdaa luks-MyPV-sdaa
  4. Add the new device mapping to /etc/crypttab, i.e., echo MAPPING DEV none >>/etc/crypttab
    Examples:

    • uuid=$(cryptsetup luksUUID /dev/sda3); echo luks-$uuid UUID=$uuid none >>/etc/crypttab
    • uuid=$(cryptsetup luksUUID /dev/sdb1); echo luks-$uuid UUID=$uuid none >>/etc/crypttab
    • echo luks-MyPV-sdaa /dev/sdaa none >>/etc/crypttab
  5. Tag the new device as an LVM physical volume with pvcreate
    Examples:

    • pvcreate /dev/mapper/luks-$(cryptsetup luksUUID /dev/sda3)
    • pvcreate /dev/mapper/luks-MyPV-sdaa
  6. Add the new device to an LVM volume group with vgextend
    Examples:

    • vgextend VolGroup00 /dev/mapper/luks-$(cryptsetup luksUUID /dev/sda3)
    • vgextend vg_server1 /dev/mapper/luks-MyPV-sdaa
  7. Extend LVM logical volumes (and their filesystems) as desired, with lvextend
    Examples:

    • lvextend -rl +100%FREE /dev/VolGroup00/LogVol00
    • lvextend -rL +25G /dev/vg_server1/lv_root
  8. If the LVM volume group that was extended is the same volgroup that contains the logvol for the root filesystem, the UUID of the new LUKS device must be added to the kernel command line (e.g., by modifying /boot/grub/grub.conf in RHEL 6 or /etc/default/grub in RHEL 7) as rd_LUKS_UUID=<DeviceUUID> (RHEL 6) [2] or rd.luks.uuid=<DeviceUUID> (RHEL 7) [3]
    This is how the kernel will know to activate the LUKS device before bringing up the root filesystem

    • RHEL 6:
      • sed -i "/^\s*kernel/s,$, rd_LUKS_UUID=$(cryptsetup luksUUID /dev/sda3)," /boot/grub/grub.conf
    • RHEL 7:
      • sed -i "/^GRUB_CMDLINE_LINUX/s,\"$, rd.luks.uuid=$(cryptsetup luksUUID /dev/sda3)\"," /etc/default/grub
        grub2-mkconfig >/etc/grub2.cfg
  9. Rebuild the initrd/initramfs

    • RHEL 5:
      • mkinitrd -f /boot/initrd-$(uname -r) $(uname -r)     # More on mkinitrd [4]
    • RHEL 6 and RHEL 7:
      • dracut -f     # More on dracut [5]
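Steps 2 through 9 above, collected into one script as an added example (not part of the Red Hat article): it refuses to format a device that already carries a signature, keeps /etc/crypttab free of duplicate entries on re-runs, and only touches the kernel command line when the extended volgroup is the one holding the root logvol. It assumes a RHEL 7 host (dracut, grub2), is run as root, and the script name and argument order are the example's own.

```shell
#!/bin/bash
# Added example, not from the Red Hat article: steps 2-9 as one script with
# the checks a practitioner wants before formatting a disk. Assumes RHEL 7
# (dracut, grub2), run as root:  ./extend-luks-vg.sh VG DEV [LV]
set -eu

# Step 4: the /etc/crypttab entry for a LUKS UUID, using the luks-UUID name.
crypttab_line() { echo "luks-$1 UUID=$1 none"; }

# Append the entry only if that mapping is not already present, so a re-run
# cannot leave duplicate lines in crypttab.
crypttab_add() {  # crypttab_add FILE UUID
  grep -q "^luks-$2[[:space:]]" "$1" 2>/dev/null && return 0
  crypttab_line "$2" >> "$1"
}

# Step 8 (RHEL 7): print CMDLINE with rd.luks.uuid=UUID appended, unless the
# parameter is already there.
cmdline_with_uuid() {  # cmdline_with_uuid CMDLINE UUID
  case " $1 " in *" rd.luks.uuid=$2 "*) echo "$1"; return 0 ;; esac
  echo "$1 rd.luks.uuid=$2"
}

# Refuse to luksFormat anything that already carries a filesystem, LVM or
# LUKS signature: step 2 would silently destroy it.
device_is_blank() { [ -z "$(blkid -p -o value -s TYPE "$1" 2>/dev/null)" ]; }

extend_vg_with_luks() {  # extend_vg_with_luks VG DEV [LV]
  vg=$1; dev=$2
  device_is_blank "$dev" || { echo "$dev already has a signature, refusing" >&2; return 1; }
  cryptsetup -c aes-xts-plain64 luksFormat "$dev"              # step 2
  uuid=$(cryptsetup luksUUID "$dev")
  cryptsetup luksOpen "$dev" "luks-$uuid"                      # step 3
  crypttab_add /etc/crypttab "$uuid"                           # step 4
  pvcreate "/dev/mapper/luks-$uuid"                            # step 5
  vgextend "$vg" "/dev/mapper/luks-$uuid"                      # step 6
  if [ -n "${3:-}" ]; then lvextend -r -l +100%FREE "$3"; fi   # step 7
  # Step 8 only applies when this VG holds the root logical volume.
  root_vg=$(lvs --noheadings -o vg_name "$(findmnt -no SOURCE /)" 2>/dev/null | tr -d ' ')
  if [ "$root_vg" = "$vg" ]; then
    cur=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' /etc/default/grub)
    new=$(cmdline_with_uuid "$cur" "$uuid")
    sed -i "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$new\"|" /etc/default/grub
    grub2-mkconfig -o /boot/grub2/grub.cfg   # BIOS path; UEFI uses /boot/efi/EFI/redhat/grub.cfg
  fi
  dracut -f                                                    # step 9
}

if [ $# -ge 2 ]; then extend_vg_with_luks "$@"; fi
```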
1: Using cryptsetup luksFormat to create devices with aes-xts-plain64 is generally recommended -- this is how LUKS devices are created at install-time. See the following article for more detail: All about LUKS, cryptsetup, and dm-crypt
2: See dracut(8) man page in RHEL 6 for explanation of rd_LUKS_UUID
3: See dracut.cmdline(7) man page in RHEL 7 for explanation of rd.luks.uuid
4: How do I rebuild the initial ramdisk image in Red Hat Enterprise Linux?
5: How do I create initramfs using dracut on Red Hat Enterprise Linux 6? (Note: applies to RHEL 7 as well)


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.