4

We have a Debian X64 server which has the following config. One single 512GB SSD, which has our OS and two 2.0TB HDD's which have data like attachments, etc.

The two 2.0 TB drives are in RAID-1 configuration. For security purposes, I would like to encrypt this RAID-1 setup. The thing I don't understand is, even the encrypted drive will require a key to decrypt. These are the two problems I am having :

  1. How to setup an encrypted RAID-1. I found a lot of stuff for RAID with LVM.
  2. Where and how will the key be stored for decrypting the drive.

Here is my raid config :

mdadm --detail /dev/md0
/dev/md0:
        Version : 1.2
  Creation Time : Tue Feb  2 16:35:52 2016
     Raid Level : raid1
     Array Size : 1953382336 (1862.89 GiB 2000.26 GB)
  Used Dev Size : 1953382336 (1862.89 GiB 2000.26 GB)
   Raid Devices : 2
  Total Devices : 2
    Persistence : Superblock is persistent

    Update Time : Thu Feb 11 10:00:37 2016
          State : clean 
 Active Devices : 2
Working Devices : 2
 Failed Devices : 0
  Spare Devices : 0

           Name : domain:0  (local to host domain)
           UUID : e3750654:c7e1a24c:3f0a15b6:46f26d0d
         Events : 22

    Number   Major   Minor   RaidDevice State
       0       8        1        0      active sync   /dev/sda1
       1       8       17        1      active sync   /dev/sdb1

Any help would be nice. Thank you.

Improve this question
0

3 Answers 3

Reset to default
3

Encrypting the filesystem is not as secure as full partition encryption, and arguably harder to use - as well as slower.

The typical way to set up encryption would be to set up RAID1, Then LVM, Then Encrypt to LVM volume. (You could skip the LVM volume bit, but it adds more flexibility). I would imagine that most distros will allow you to do this on a fresh install - This is true of Ubuntu/Mint and, if you want to switch the LVM and Encryption layers here. I'm pretty sure you can do this with Redhat and derivitives as well.

As far as storing the key - Full Disk encryption uses LUKS, so the key is stored in the header of the disk, and encrypted with your passphrase. This means you can change your passphrase without needing to re-encrypt the disk.

When running an encrypted FS you need to re-enter the key each time you boot up. (If you use Ubuntu user encryption, this is not the case - it takes the key from the users password - and its also less secure).

Extended information after Comments

As you have built the RAID 1 array, the first step is to build LVM on top of it. You should google for it to fully understand it, but there are 3 parts to this -

  1. Use the command pvcreate /dev/md0 makes the RAID device an LVM resource.

  2. Add a volume group with the command vgcreate RaidVG /dev/md0

  3. Create a Logical Volume using a command like lvcreate -n LVMVol RaidVG -L +1700G (Its a good idea to ensure the Logical Volume is smaller then the full disk size so you can do snapshots and other cool stuff)

This will create a new volume (similar to a partition) called /dev/RaidVG/LVMVol, which you would then encrypt. To do this use the command cryptsetup -u u-v luksFormat /dev/RaidVG/LVMVol to create the volume.

To mount the volume (and you will need to run this command every time you restart the system), type cryptsetup luksOpen /dev/RaidVG/LVMVol CryptVol - This will ask you to enter a password and then create a new volume/partition /dev/mapper/CryptVol which you can operate on - and all operations will be encrypted.

After this its a matter of creating the filesystem - eg mkfs.ext4 /dev/mapper/CryptVol, and then mounting it mount /dev/mapper/CryptVol /path/to/mountpoint - You will, of-course, need to manually mount the volume each time you restart the computer, after unencrypting it first as above.

Improve this answer
4
  • Cannot do a fresh-install myself, server is located in different geographical region. Also, the OS does not boot from the drive/FS which I am planning to encrpyt. LVM with RAID sounds nice, I agree with that. I have already taken backup of the HD, so I can erase it. Can you tell me how I can proceed with RAID1-LVM. Thank you.
    – We are Borg
    Commented Feb 11, 2016 at 9:35
  • Thank you very much for the detailed information, I will go through the setup after some research on LVM. Is there some reason I cannot add entry for it in fstab, as the password is already entered, so by the time boot is complete, the drive must be available.
    – We are Borg
    Commented Feb 11, 2016 at 9:54
  • Just one thing, command cryptsetup is throwing an error, with unknwon option -u. Is something wrong with the command you gave?
    – We are Borg
    Commented Feb 11, 2016 at 13:47
  • I just used this command instead of that : cryptsetup -v luksFormat <device> . It worked then. Thank you so much for the detailed answer. Can you please format the text of commands properly, so other user's will find it easier. Thank you.
    – We are Borg
    Commented Feb 11, 2016 at 14:09
1

How to setup an encrypted RAID-1.

Easiest way: Set up an unencryped RAID 1 and encrypt the filesystem. (No the disk or the partition).

I never did this myself, but it seems one way to do it is:

  • cryptsetup options luksFormat device
  • cryptsetup open device name
  • mkfs.fstype /dev/mapper/name (which is done on the encrypted device)

Where and how will the key be stored for decrypting the drive.

Ah, good question. The answer should be 'nowhere on the computer'.
Else it is similar to a lock with the key still inserted.

You will need to manually enter the key on each time you boot.

Apparently you can also store it in /etc/crypttab, but then your security is significanly less. It will prevent someone from just physically removing the disks and reading the contents. But if they can access the disks then they probably also can access your SSD and retrieve the keys.

Improve this answer
3
  • Thank you for your prompt reply. After the command mdadm.create and providing both the devices, I gave the command mkfs.ext4 /dev/md0. This is where I created the file-system for the RAID-array. Should I do something else instead of this for creating an encrypted FS? Kindly let me know.
    – We are Borg
    Commented Feb 11, 2016 at 9:27
  • Added the command needed to the post. Note that I never did this on real hardware (so davids performance issue are probably relevant).
    – Hennes
    Commented Feb 11, 2016 at 10:40
  • @Henny - you might want to remove the bit of your response about filesystem encryption - our solutions are essentially the same and are block device/partition level solutions. File level solutions do exist but are known to be comparably insecure (cryptfs)
    – davidgo
    Commented Jan 21, 2017 at 1:06
1

Assuming you have a RAID in place already in /dev/md0. Check it using:

cat /proc/mdstat

If you see something like md0 : active raid1 sdc[1] sda[0] you are good to go:

sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/md0

Open it

sudo cryptsetup luksOpen /dev/md0 my_raid

Check for size

ls -l /dev/mapper/my_raid

Create file system

sudo mkfs.ext4 /dev/mapper/my_raid

Mount it

sudo mount /dev/mapper/my_raid /mnt/my_raid

Check it

df -h | grep raid

Here is our encrypted, mounted raid:

/dev/mapper/my_raid 3.6T 89M 3.4T 1% /mnt/my_raid

tada.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .