On Wed, May 15, 2013 at 9:42 AM, SilverTip257 <silvertip257 at gmail.com> wrote:
>
> On Wed, May 15, 2013 at 12:25 PM, Digimer <lists at alteeve.ca> wrote:
>
> > On 05/15/2013 12:22 PM, Dave Johansen wrote:
> > > I'm setting up a computer with CentOS 6.4 and a mirrored software
> > > RAID. I would like it to be encrypted so I was wondering what the best
> > > configuration is. The only info I could find is
> > > http://lists.centos.org/pipermail/centos-docs/2008-October/001912.html
> > > but it appears to be a bit old and the info on the wiki (
> > > http://wiki.centos.org/HowTos/EncryptTmpSwapHome ) doesn't seem to
> > > address RAIDs.
> > >
> > > My main question is will it be better to encrypt the RAID itself or
> > > the two partitions used by the RAID? Any other things I should be
> > > aware of?
> > >
> > > Thanks,
> > > Dave
> >
> > This depends on your use-case. Personally, I want my servers to be able
> > to boot headless, so I leave /boot, <swap> and / unencrypted, RAID or
> >
>
> /boot absolutely can't be encrypted
>
> I use LUKS in conjunction with Serial over LAN ... otherwise I'd have to
> manually mount (or script it) so my encrypted volume is mounted. In my
> case as well, I only have the volume where my backup data goes ... so
> /boot, /, and others are not encrypted (no need).
>
> >
> > not. Then I encrypt the LV (or partition) I am going to put data I care
> > about on. I don't think there is any benefit to encrypting the
> > partitions behind the MD device as it won't be able to form until you
> > decrypt the devices. I'd keep crypt on the resulting /dev/mdX, at the
> > lowest.
> >
>
> Create a software raid array and then create your LUKS encrypted volume on
> top of that md device. It is *highly recommended* to write random data to
> the underlying disk device prior to creating the LUKS volume. I believe I
> referenced [0] on the Arch Linux wiki a bunch way back when, but you'll
> find other great references on the Gentoo wiki as well.
>
> cryptsetup is the utility you're looking for. (As I'm sure you already
> know...since your mailing list link mentions it.) :)
>
> >
> > Again, it depends on your use-case.
> >
> > --
> > Digimer
> > Papers and Projects: https://alteeve.ca/w/
> > What if the cure for cancer is trapped in the mind of a person without
> > access to education?
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
> >
>
> [0] https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS

Thanks for the feedback. I'm actually doing this through an Anaconda
config file and I'm using the following settings:

part raid.boota --size=500 --ondisk sda
part raid.bootb --size=500 --ondisk sdb
raid /boot --fstype=ext4 --level=1 --device=md0 raid.boota raid.bootb
part raid.slasha --grow --size=500 --ondisk sda
part raid.slashb --grow --size=500 --ondisk sdb
raid / --fstype=ext4 --level=1 --encrypted --passphrase=<passphrase> --device=md1 raid.slasha raid.slashb

Is that the "right" way to do it? Or is there a configuration that
would work better?

Thanks,
Dave
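
As an added example that is not part of the original post or thread: a small Python check that encodes the two layout rules given in the replies (leave /boot unencrypted; put encryption on the md device rather than on its member partitions) and applies them to the kickstart lines from the message. The function names and the `POSTED` sample are assumptions made for illustration.

```python
import shlex

# Constructed sample: the kickstart lines from the post, placeholder passphrase kept.
POSTED = """\
part raid.boota --size=500 --ondisk sda
part raid.bootb --size=500 --ondisk sdb
raid /boot --fstype=ext4 --level=1 --device=md0 raid.boota raid.bootb
part raid.slasha --grow --size=500 --ondisk sda
part raid.slashb --grow --size=500 --ondisk sdb
raid / --fstype=ext4 --level=1 --encrypted --passphrase=<passphrase> --device=md1 raid.slasha raid.slashb
"""

def parse(text):
    """Return (parts, raids), each mapping name/mountpoint -> encryption flag and members."""
    parts, raids = {}, {}
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)
        if len(tok) < 2 or tok[0] not in ("part", "partition", "raid"):
            continue  # ignore every other kickstart directive
        entry = {"encrypted": "--encrypted" in tok,
                 "members": [t for t in tok[2:] if t.startswith("raid.")]}
        (raids if tok[0] == "raid" else parts)[tok[1]] = entry
    return parts, raids

def check_layout(text):
    """Apply the thread's two rules; an empty list means the layout follows them."""
    parts, raids = parse(text)
    findings = []
    # Rule 1 (from the thread): /boot cannot be encrypted.
    for kind, table in (("part", parts), ("raid", raids)):
        if table.get("/boot", {}).get("encrypted"):
            findings.append(f"{kind} /boot is encrypted; /boot must stay unencrypted")
    # Rule 2 (from the thread): encrypt the md device, not the partitions behind it.
    for mnt, raid in raids.items():
        for member in raid["members"]:
            if member not in parts:
                findings.append(f"raid {mnt} references undefined member {member}")
            elif parts[member]["encrypted"]:
                findings.append(f"member {member} of raid {mnt} is encrypted; "
                                "encrypt the md device instead")
    return findings

if __name__ == "__main__":
    for finding in check_layout(POSTED) or ["layout follows both rules"]:
        print(finding)
```
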