How to partition with an encrypted LVM

If you use an encrypted disk, create an encrypted LVM volume that contains the / and /var logical volumes.

About this task

The following procedure requires either physical or remote console access to the Guardium system.

Procedure

  1. Insert the IBM® Guardium® DVD and boot the machine.
  2. Choose Custom Partition Installation from the boot screen.
  3. Press Enter.
  4. In the Installation Summary, select Installation Destination. Under Other Storage Options, select I will configure partitioning and check Encrypt my data.
  5. Select Click here to create them automatically and change the Mount Point and Name from home to var. Click Done.
  6. When prompted, enter a Disk encryption passphrase and safeguard it. Click Save Passphrase and Accept Changes.
    Tip: The encryption passphrase is required to unlock the LVM volume when you restart the system. This passphrase cannot be replaced if lost.
  7. Optional: You can set up a tang server to automatically enter the encryption key and unlock each volume of your encrypted disks when you restart your system. If the tang server is down when the system reboots, the message "dracut-initqueue: Error communicating with server" appears. You must then unlock the encrypted machine by manually entering the passphrase.
    Tip: Set up the tang server by using the CLI command store tang server or by using the API command grdapi clevis_bind on your central manager to bind all your managed units to a tang server. For more information on the commands, see store tang server, reset luks keys, and grdapi clevis_bind.