How can I add a new physical volume to extend an existing LUKS-encrypted lvm (volume group) and maintain encryption?

I want to extend my LUKS-encrypted lvm (volume group) with a new physical volume.

In my previous question I was told – in respect to my actual setup – that I need to encrypt the new physical volume prior to add it to my existing volume group.

I would like to know what steps I have to respect, to successfully add that physical volume to my existing volume group.

My actual stacking looks like this:

nvme0n1p8 -> luks -> physical volume -> volume group -> lv

├─nvme0n1p8             259:8    0  86,5G  0 part
│ └─nvme0n1p8_crypt     253:0    0  86,5G  0 crypt
│   ├─lvm--crypt-wurzel 253:1    0  30,7G  0 lvm   /
│   ├─lvm--crypt-home   253:2    0    80G  0 lvm   /home

My crypttab file looks like this:

cat /etc/crypttab
nvme0n1p8_crypt UUID=1697ec4a-b30b-4642-b4f3-6ba94afc40ec none luks,discard

Now I want to add a new physical volume to that volume group.

  1. How do I add a new physical volume to that volume group without losing encryption?
  2. What modifications to which configuration file might I need to do?
Asked By: AlexOnLinux


You’ll need to set up encryption on the new physical device:

sudo cryptsetup luksFormat /dev/newdevice

(replacing newdevice as appropriate).

Then open it:

sudo cryptsetup luksOpen /dev/newdevice newdevice_crypt

You’ll need to add a matching line to /etc/crypttab so that it’s opened at boot, and update your initramfs using the appropriate command for your distribution (e.g. sudo update-initramfs -c -k all on Debian derivatives).

Once you have newdevice_crypt, you can create a physical volume on it:

sudo pvcreate /dev/newdevice_crypt


sudo pvcreate /dev/mapper/newdevice_crypt

and add it to your volume group:

sudo vgextend lvm /dev/mapper/newdevice_crypt

(replacing lvm with the name of the volume group).

You can share the passphrase for several encrypted devices; see Using a single passphrase to unlock multiple encrypted disks at boot.

Answered By: Stephen Kitt

Based on Stephen Kitt’s answer, here is the full list of command I needed to run (use "lsblk", "vgdisplay" and "lvdisplay" to check the name of your logival volume, volume group and disks, and then replace the names accordingly):

sudo cryptsetup luksFormat /dev/nvme0n1
sudo cryptsetup luksOpen /dev/nvme0n1 nvme0n1_crypt
sudo pvcreate /dev/mapper/nvme0n1_crypt
sudo vgextend ubuntu-vg /dev/mapper/nvme0n1_crypt
sudo lvextend -l +100%FREE /dev/ubuntu-vg/root
sudo resize2fs /dev/mapper/ubuntu--vg-root

At this point edit /etc/crypttab and add the new disks (see
Using a single passphrase to unlock multiple encrypted disks at boot to use the same key for several disks)
The UUID in fstab is the UUID of the "LUKS" volume shown in the "disks" utility.

sudo apt install keyutils
sudo update-initramfs -c -k all 
Answered By: Étienne
Categories: Answers Tags: ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.