Archive for June, 2011

the Dutch close loopholes

June 14th, 2011

If there's one thing that is very evident about Dutch culture, it's that they are careful to close down all the loopholes. If you get on the tram and there's a ticket inspection and you say you forgot to swipe your card -- could be an acceptable excuse in Norway -- you'll still get a fine. There's no leniency, no second chances.

Gyms are horribly expensive and their pricing policies are very sleazy, because they usually don't have any short-term membership options; you have to join for at least 3 months, or 6, or 12. As a PR band-aid they like to offer an "introductory lesson" or something along those lines. Basically, you can come in and use the gym once, for free, to sort of make up your mind before the point of no return. Sometimes they have an instructor accompany you to explain what is what. It's the same scam as "the cell phone for free", where they try to distract you from the 12-month contract.

At the gym I went to today they do have an introductory lesson. But this being Holland, there is an interesting twist to it. If you want to just come in once you can pay a one time fee of 15 bucks. The introductory lesson, which in theory is free, costs you 12.50. Then, if you decide to get a membership they will deduct that 12.50 from the price you pay later. So the introductory lesson is only free if it's not free, you see that logic?

This is a pretty eccentric attitude. In theory, if you wanted to badly enough, you could come in once a month, try not to run into the same staff, and always go for the introductory lesson. If you could do it so that they didn't remember you, you'd get it for free. How many people would actually try that, though? One? Three? The money a gym would lose on this scheme is pretty negligible. More importantly, anyone inclined to go to such lengths probably isn't willing to pay for the gym anyway, so that money wasn't yours to begin with.

But this is a loophole-closing culture; they don't want to run that risk. In Norway the social stigma of being found out and feeling embarrassed is deemed sufficient in such cases, so basically no one does it. But the Dutch are not satisfied with that; they need policies that remove any room for such creativity.

full system encryption

June 2nd, 2011

In the age of laptops I was thinking maybe it's time I finally try encrypting my disk. I've never done it before, so before going for it I needed a small approfondimento.

The common strategy seems to be roughly:

  1. Leave /boot unencrypted.
  2. Encrypt the rest of the disk with LUKS. dm-crypt then provides a mapping between the partition (as listed in the partition table) and the corresponding unencrypted block device, which appears as a node like /dev/mapper/nodename, depending on what you call it.
  3. Use /dev/mapper/nodename as the "physical" partition which you assign to LVM and make into a volume group.
  4. Create logical volumes in the volume group, so that each logical volume corresponds to what we used to call a partition in the old model, i.e. /, /home, /var etc.

LVM is practical here, because you need at least two partitions, / and swap. You could just as well create multiple partitions sda5, sda6, ... and encrypt each one, but then you'd have to unlock them individually on boot, which is hacky.

The setup is a bit involved and I would rather be spared the trouble of doing it manually. The Ubuntu alternate install CD has a fully automatic feature that does this, using the whole disk. If you're happy with the basic scheme, but you want more partitions or you want to size them differently, you can use the curses GUI following a nice guide like this one.

So far so good, but now comes the inevitable question. Much like with compression, you want to be able not only to compress but also to decompress. What if I screw up my boot sector or my fstab and I need to boot from a rescue CD? How do I mount /dev/sda5 then?

Mounting manually

First of all, in case we don't have all the tools we need:

$ apt-get install cryptsetup lvm2
$ modprobe dm-mod

We obviously need to know what the physical partitions actually are:

$ fdisk -l /dev/sda

Disk /dev/sda: 32.2 GB, 32212254720 bytes
255 heads, 63 sectors/track, 3916 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000a30a5

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          13       96256   83  Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2              13        3917    31357953    5  Extended
/dev/sda5              13        3917    31357952   83  Linux

/dev/sda1 is /boot, that's easy. Then we have /dev/sda5, which is the encrypted partition; mounting it directly will not work. This is where dm-crypt comes into the picture: we are going to unlock the partition, obtaining a block device that represents the unencrypted view of the partition.

$ cryptsetup luksOpen /dev/sda5 vg0
$ cd /dev/mapper
$ ls -lh
crw-------    1 root     root       10, 236 Jun  2 16:44 control
lrwxrwxrwx    1 root     root           7 Jun  2 16:47 vg0 -> ../dm-0

We have decided to call the block device vg0, and it thus appears as /dev/mapper/vg0. Since we know this is an LVM volume group we use the LVM tools to figure out what it contains:

$ vgscan
  Reading all physical volumes.  This may take a while...
  Found volume group "vg0" using metadata type lvm2
$ vgs
  VG   #PV #LV #SN Attr   VSize  VFree
  vg0    1   2   0 wz--n- 29.90g    0 
$ lvscan
  inactive          '/dev/vg0/swap' [1.86 GiB] inherit
  inactive          '/dev/vg0/root' [28.04 GiB] inherit

We have two logical volumes in there. But they are inactive, which means they are not visible under /dev, i.e. we can't mount them. To make them active:

$ vgchange -a y
  2 logical volume(s) in volume group "vg0" now active

The device names listed before are now visible and we can mount them:

$ cd /dev/vg0
$ ls -lh
lrwxrwxrwx 1 root root 7 Jun  2 18:24 root -> ../dm-2
lrwxrwxrwx 1 root root 7 Jun  2 18:24 swap -> ../dm-1
$ swapon /dev/vg0/swap
$ mount /dev/vg0/root /mnt
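The manual steps above, wrapped in a pair of shell functions as an added example (this is not code from the original post). It assumes cryptsetup and lvm2 are installed, takes the device, the mapper name, the volume-group name and the mount point as arguments (the post uses /dev/sda5, vg0 and /mnt), and adds the two things you want when doing this from a rescue CD: a check that the partition really carries a LUKS header before trying to open it, and a teardown function that undoes everything in reverse order so the encrypted container is cleanly closed before you reboot. Setting DRY_RUN=1 prints the command sequence without touching the disk.

```shell
#!/bin/sh
# Added example, not the original post's commands: rescue-mount a LUKS+LVM
# system and tear it down again. Device, mapper name, VG name and mount
# point are arguments; /dev/sda5, vg0 and /mnt are the values from the post.

DRY_RUN="${DRY_RUN:-0}"

# run CMD ARGS...: echo the command, and execute it unless DRY_RUN=1.
run() {
    printf '+ %s\n' "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# rescue_mount DEVICE MAPNAME VGNAME MOUNTPOINT
# Unlock the container, activate the volume group inside it, mount root
# and enable swap. The mapper name (MAPNAME) and the LVM volume-group
# name (VGNAME) are independent; the post happens to use vg0 for both.
rescue_mount() {
    dev="$1"; map="$2"; vg="$3"; mnt="$4"
    if [ "$DRY_RUN" != "1" ]; then
        # Refuse early if there is no LUKS header: luksOpen would fail
        # anyway, but this gives a clear message on a rescue system.
        cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 1; }
    fi
    run cryptsetup luksOpen "$dev" "$map"
    run vgchange -a y "$vg"
    run mount "/dev/$vg/root" "$mnt"
    run swapon "/dev/$vg/swap"
}

# rescue_umount MAPNAME VGNAME MOUNTPOINT
# Reverse of rescue_mount: disable swap, unmount, deactivate the volume
# group, then close the container. The order matters: luksClose fails
# while the logical volumes inside the mapping are still active.
rescue_umount() {
    map="$1"; vg="$2"; mnt="$3"
    run swapoff "/dev/$vg/swap"
    run umount "$mnt"
    run vgchange -a n "$vg"
    run cryptsetup luksClose "$map"
}
```

Source the file from a root shell on the rescue system and call `rescue_mount /dev/sda5 vg0 vg0 /mnt`, do your repairs under /mnt, then `rescue_umount vg0 vg0 /mnt` before rebooting. Run it once with `DRY_RUN=1` first if you are not sure the device and names are right.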