Web lists-archives.com

Re: Encrypted RAID1 for storage with Debian Jessie




As already stated LUKS and mdadm are a good combination. I too use these in all my recent systems. I Create RAID volumes, then LVM, then cryptsetup:

=========
+  mdamd +
+       |      +
+    LVM   +
+       |      +
+   LUKS  +
+       |      +
+    ext4    +
=========

I can't speak to your system being on USB, but in general you can just do something like the following:

    $mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sda /dev/sdb
    $mdadm --create /dev/md1 --level=1 --raid-devices=2 /dev/sdc /dev/sdd
    $mdadm --create /dev/md2 --level=1 --raid-devices=2 /dev/sde /dev/sdf

If you want to use LVM then you create the PV, VG, and LV:

    $pvcreate /dev/md0
    $pvcreate /dev/md1
    $pvcreate /dev/md2
    $vgcreate vg_data1 /dev/md0
    $vgcreate vg_data2 /dev/md1
    $vgcreate vg_data3 /dev/md2
    $lvcreate vg_data1 -n lv_data1 -L <size>
    $lvcreate vg_data2 -n lv_data2 -L <size>
    $lvcreate vg_data3 -n lv_data3 -L <size>

Then create your LUKS partition:

    $cryptsetup -v --verify-passphrase luksFormat /dev/mapper/lv_data1 vg_data1-lv_data1_crypt
    $cryptsetup -v --verify-passphrase luksFormat /dev/mapper/lv_data2 vg_data2-lv_data2_crypt
    $cryptsetup -v --verify-passphrase luksFormat /dev/mapper/lv_data3 vg_data3-lv_data3_crypt

Then create your filesystem and mount them:

    $mkfs.ext4 /dev/mapper/vg_data1-lv_data1_crypt
    $mkfs.ext4 /dev/mapper/vg_data2-lv_data2_crypt
    $mkfs.ext4 /dev/mapper/vg_data3-lv_data3_crypt

    $mount -t ext4 /dev/mapper/vg_data1-lv_data1_crypt /mnt/data1
    $mount -t ext4 /dev/mapper/vg_data2-lv_data2_crypt /mnt/data2
    $mount -t ext4 /dev/mapper/vg_data3-lv_data3_crypt /mnt/data3

One of my systems looks like this. On this particular system I only encrypt home and swap:

    $jschaeffer@zipmaster07 ~ $ lsblk
    NAME                                  MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
    sda                                     8:0    0 111.8G  0 disk  
    \sda1                                  8:1    0   100M  0 part  /boot/efi
    \sda2                                  8:2    0   250M  0 part  
      \md0                                 9:0    0   250M  0 raid1 /boot
    \sda3                                  8:3    0 111.5G  0 part  
      \md1                                 9:1    0 111.4G  0 raid1 
        \vg_sys1-lv_var1 (dm-1)          252:1    0    55G  0 lvm   /var
        \vg_sys1-lv_tmp1 (dm-2)          252:2    0     4G  0 lvm   /tmp
        \vg_sys1-lv_swap1 (dm-3)         252:3    0     6G  0 lvm   
          \vg_sys1-lv_swap1_crypt (dm-5) 252:5    0     6G  0 crypt [SWAP]
        \vg_sys1-lv_root1 (dm-4)         252:4    0  46.4G  0 lvm   /
    sdb                                     8:16   0 111.8G  0 disk  
    \sdb1                                  8:17   0   100M  0 part  
    \sdb2                                  8:18   0   250M  0 part  
      \md0                                 9:0    0   250M  0 raid1 /boot
    \sdb3                                  8:19   0 111.5G  0 part  
      \md1                                 9:1    0 111.4G  0 raid1 
        \vg_sys1-lv_var1 (dm-1)          252:1    0    55G  0 lvm   /var
        \vg_sys1-lv_tmp1 (dm-2)          252:2    0     4G  0 lvm   /tmp
        \vg_sys1-lv_swap1 (dm-3)         252:3    0     6G  0 lvm   
          \vg_sys1-lv_swap1_crypt (dm-5) 252:5    0     6G  0 crypt [SWAP]
        \vg_sys1-lv_root1 (dm-4)         252:4    0  46.4G  0 lvm   /
    sdc                                     8:32   0 931.5G  0 disk  
    \sdc1                                  8:33   0   100M  0 part  
    \sdc2                                  8:34   0 931.4G  0 part  
      \vg_home1-lv_home1 (dm-0)          252:0    0   850G  0 lvm   
        \vg_home1-lv_home1_crypt (dm-6)  252:6    0   850G  0 crypt /home
    sr0                                    11:0    1   3.8G  0 rom

Thanks,
Joshua Schaeffer


On Wed, Apr 19, 2017 at 3:11 AM, tv.debian@xxxxxxxxxxxxxx <tv.debian@xxxxxxxxxxxxxx> wrote:
On 19/04/2017 05:06, commentsabout@xxxxxxxxxx wrote:
Hello,

Is there an easy way to attach several pair of RAID1 disks (with full
disk encryption) to a Debian Jessie system?

Here is a picture of what I'm trying to achieve: http://imgur.com/vF7IqX2

I am building a home backup system, I have different type of data to
backup (work, family, random stuff - hence the three pairs in the
picture). The system (Debian Jessie) will be on a USB key.

It's a backup system on a budget that I'd like to have up and running
within a couple of weeks, I know that ZFS (with FreeNAS for instance)
can achieve similar goals but it's out of budget ; I also know that work
is being done on BTRFS about encryption but it's not ready for prime
time yet.

Always state the obvious so :

- the idea behind having the SYSTEM on a independent USB drive is to
have one independent piece to handle the boot and system operations
(that I can easily - and cheaply - mirror to have drop in replacement in
case of failure) and "DATA" drives are just "dumb" encrypted drives that
could be unplugged from the setup and mounted anywhere else ;

- the idea behind the RAID1 is to create redundancy, hence in case one
drive fails, be able to plug a new one in, would it be possible with
full disk encryption?

- this backup system will only be turned on when needed, I don't plan on
using it as some sort of server or a NAS.

Am I re-inventing the wheel here, is there a better, simpler solution to
achieve both redundancy and encryption ?

Thank you in advance for your help,

CA


Hi, RAID1 and luks work well together, I have been using it for years.

I use luks on top of raid1, mdadm raid1 volumes get mounted first at boot, then cryptsetup opens the luks containers. This way re-syncing or replacing a failed disk never caused me trouble.

Performance-wise it's not the best solution, there is an overhead with both raid1 (heavy writing can load up the system) and luks. With luks encryption it depends on the cpu having acceleration for the cypher you choose. Mine doesn't, but the overhead never disturbed normal operations so I don't consider it a problem.

System on usb flash disks always caused me troubles, I use it only if the system can be loaded in ram at boot time and the drive isn't used for write operation. A low-end small SSD would be a far better option in my opinion.

On my system all RAID1 are started at boot, then the luks volumes are either opened at boot time, later when a user logs in via pam-mount, or on-demand with scripts.
My BackupPC server runs with RAID1 + luks volumes too, no problems for the past six years.
I use ext4 as my file-system. ext4 has built-in encryption capabilities now, but I can't comment on it since I have no first hand experience.

Good luck.