Why can I view my encrypted lvm logical volumes without opening them with my passphrase?

I just installed Fedora 31 on my laptop. I had created a volume group and logical volumes from the Anaconda installer itself. I had marked the checkbox for encrypting my fedora partition , and when booting I am asked my passphrase, so I thought everything was fine.

But when I am booting into a live environment and do an lsblk . This is my output:

NAME                              MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda                                 8:0    0 931.5G  0 disk 
├─sda1                              8:1    0   512M  0 part 
├─sda2                              8:2    0   512M  0 part 
└─sda3                              8:3    0 930.5G  0 part 
  ├─vgfedora-root-real            253:0    0   700G  0 lvm  
  │ ├─vgfedora-root               253:1    0   700G  0 lvm  
  │ └─vgfedora-before_hibernate   253:3    0   700G  0 lvm  
  └─vgfedora-before_hibernate-cow 253:2    0    50G  0 lvm  
    └─vgfedora-before_hibernate   253:3    0   700G  0 lvm  
  1. How on earth are my Volume Groups visible from the live environment? I did not even open up with cryptsetup open --type luks2 /dev/sda3 . What is going on here ?
  2. As you can see I have created a snapshot, is that even encrypted ? Or is it only my root ? I need everything to be encrypted even snapshots.
  3. I can even do a vgchange -a y and select all my logical volumes. This really should not happen as it should not even be visible from the live environment . Again what is going on ?
  4. How can I verify what is encrypted and what is not ?

My understanding was that the LVM would not even be visible since it is under encryption. So how am I able to detect it from the live environment ?

Let me know if any other information is required.

Thanks.

Hi,

Your setup is LUKS on LVM. The LVM is transparent.

If you want a encrypted LUKS ‘container’ with invisible Volume Groups your setup shall be: LVM on LUKS. Doing so you have one large LUKS encrypted partition in which the LVM with ith VG and LV resides.

As usual, the Arch wiki is a great documentation resource.

Are the snapshots encrypted in my setup ? I don’t think so since LUKS was configured on only the root logical volume during the installation via Anaconda.

It seems I can’t install Fedora 31 on an encrypted LUKS partition. The fedora doc and my experiments in VBox confirms this:

An existing unlocked LUKS device cannot be used for the installation without an encryption key. The installer will now show a warning and ask a user to rescan the storage.

Why is this the case and what can I do to workaround them ?

I have created another topic for this here:

https://discussion.fedoraproject.org/t/ananconda-cant-handle-lvm-on-luks-setup/76485