Re: Encrypted RAID1 for storage with Debian Jessie

On 19/04/2017 05:06, commentsabout@xxxxxxxxxx wrote:

Is there an easy way to attach several pairs of RAID1 disks (with full
disk encryption) to a Debian Jessie system?

Here is a picture of what I'm trying to achieve: http://imgur.com/vF7IqX2

I am building a home backup system, I have different types of data to
back up (work, family, random stuff - hence the three pairs in the
picture). The system (Debian Jessie) will be on a USB key.

It's a backup system on a budget that I'd like to have up and running
within a couple of weeks, I know that ZFS (with FreeNAS for instance)
can achieve similar goals but it's out of budget; I also know that work
is being done on BTRFS about encryption but it's not ready for prime
time yet.

Always state the obvious so:

- the idea behind having the SYSTEM on an independent USB drive is to
have one independent piece to handle the boot and system operations
(that I can easily - and cheaply - mirror to have a drop-in replacement in
case of failure) and "DATA" drives are just "dumb" encrypted drives that
could be unplugged from the setup and mounted anywhere else;

- the idea behind the RAID1 is to create redundancy, hence in case one
drive fails, be able to plug a new one in, would it be possible with
full disk encryption?

- this backup system will only be turned on when needed, I don't plan on
using it as some sort of server or a NAS.

Am I re-inventing the wheel here, is there a better, simpler solution to
achieve both redundancy and encryption?

Thank you in advance for your help,


Hi, RAID1 and LUKS work well together, I have been using them for years.

I use LUKS on top of RAID1: mdadm RAID1 volumes get assembled first at boot, then cryptsetup opens the LUKS containers. This way re-syncing or replacing a failed disk never caused me trouble.

Performance-wise it's not the best solution, there is an overhead with both RAID1 (heavy writing can load up the system) and LUKS. With LUKS encryption it depends on the CPU having acceleration for the cipher you choose. Mine doesn't, but the overhead never disturbed normal operations so I don't consider it a problem.

System on USB flash disks always caused me trouble, I use it only if the system can be loaded in RAM at boot time and the drive isn't used for write operations. A low-end small SSD would be a far better option in my opinion.

On my system all RAID1 arrays are started at boot, then the LUKS volumes are either opened at boot time, later when a user logs in via pam-mount, or on-demand with scripts. My BackupPC server runs with RAID1 + LUKS volumes too, no problems for the past six years. I use ext4 as my file system. ext4 has built-in encryption capabilities now, but I can't comment on it since I have no first-hand experience.

Good luck.
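
A way to verify the layering described in the reply above (LUKS container on top of an mdadm RAID1 array, never directly on a bare disk), added here as an example that is not part of the original thread. It reads the output of `lsblk -rn -o NAME,TYPE,PKNAME`; the function names, device names and sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the disk -> RAID1 -> LUKS stacking order.
# Input on stdin: lines from `lsblk -rn -o NAME,TYPE,PKNAME`.
# In that listing an md array appears once under each member disk,
# and an opened LUKS mapping appears under the device it sits on.

# Constructed sample: md0 is a healthy mirror, md1 shows a single
# member, and "misc" is a LUKS mapping placed directly on a disk.
sample_lsblk() {
    cat <<'EOF'
sdb disk
md0 raid1 sdb
work crypt md0
sdc disk
md0 raid1 sdc
work crypt md0
sdd disk
md1 raid1 sdd
family crypt md1
sde disk
misc crypt sde
EOF
}

# Prints one OK/WARN/FAIL line per LUKS mapping; exit status 1 if any
# mapping is not backed by a RAID1 array with at least two members.
check_stack() {
    awk '
        { type[$1] = $2 }
        $2 == "raid1" { members[$1]++ }    # one row per member device
        $2 == "crypt" { parent[$1] = $3 }  # device under the mapping
        END {
            bad = 0
            for (c in parent) {
                p = parent[c]
                if (type[p] != "raid1") {
                    printf "FAIL %s: LUKS on %s (%s), no RAID1 underneath\n", c, p, type[p]
                    bad = 1
                } else if (members[p] < 2) {
                    printf "WARN %s: array %s shows %d member, check /proc/mdstat\n", c, p, members[p]
                    bad = 1
                } else {
                    printf "OK %s: LUKS on %s (RAID1, %d members)\n", c, p, members[p]
                }
            }
            exit bad
        }'
}

sample_lsblk | check_stack || echo "stack needs attention"
```

On a live system the same function can be fed with `lsblk -rn -o NAME,TYPE,PKNAME | check_stack`; only mappings that are currently open are listed, so volumes opened on demand must be unlocked first to be checked.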