[CentOS] Best configuration for encrypted software RAID 1?

Fri May 17 15:21:41 UTC 2013
Dave Johansen <davejohansen at gmail.com>

On Wed, May 15, 2013 at 9:42 AM, SilverTip257 <silvertip257 at gmail.com> wrote:
>
> On Wed, May 15, 2013 at 12:25 PM, Digimer <lists at alteeve.ca> wrote:
>
> > On 05/15/2013 12:22 PM, Dave Johansen wrote:
> > > I'm setting up a computer with CentOS 6.4 and a mirrored software
> > > RAID. I would like it to be encrypted so I was wondering what the best
> > > configuration is. The only info I could find is
> > > http://lists.centos.org/pipermail/centos-docs/2008-October/001912.html
> > > but it appears to be a bit old and the info on the wiki (
> > > http://wiki.centos.org/HowTos/EncryptTmpSwapHome ) doesn't seem to
> > > address RAIDs.
> > >
> > > My main question is will it be better to encrypt the RAID itself or
> > > the two partitions used by the RAID? Any other things I should be
> > > aware of?
> > >
> > > Thanks,
> > > Dave
> >
> > This depends on your use-case. Personally, I want my servers to be able
> > to boot headless, so I leave /boot, <swap> and / unencrypted, RAID or
> >
>
> /boot absolutely can't be encrypted
>
> I use LUKS in conjunction with Serial over LAN ... otherwise I'd have to
> manually mount (or script it) so my encrypted volume is mounted.  In my
> case as well, I only have the volume where my backup data goes ... so
> /boot, /, and others are not encrypted (no need).
>
>
> > not. Then I encrypt the LV (or partition) I am going to put data I care
> > about on. I don't think there is any benefit to encrypting the
> > partitions behind the MD device as it won't be able to form until you
> > decrypt the devices. I'd keep crypt on the resulting /dev/mdX, at the
> > lowest.
> >
>
> Create a software raid array and then create your LUKS encrypted volume on
> top of that md device.  It is *highly recommended* to write random data to
> the underlying disk device prior to creating the LUKS volume.  I believe I
> referenced [0] on the Arch Linux wiki a bunch way back when, but you'll
> find other great references on the Gentoo wiki as well.
>
> cryptsetup is the utility you're looking for.  (As I'm sure you already
> know...since your mailing list link mentions it.) :)
>
>
> >
> > Again, it depends on your use-case.
> >
> > --
> > Digimer
> > Papers and Projects: https://alteeve.ca/w/
> > What if the cure for cancer is trapped in the mind of a person without
> > access to education?
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
> >
>
>
> [0] https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS

Thanks for the feedback. I'm actually doing this through an Anaconda
config file and I'm using the following settings:

part raid.boota --size=500 --ondisk sda
part raid.bootb --size=500 --ondisk sdb
raid /boot --fstype=ext4 --level=1 --device=md0 raid.boota raid.bootb
part raid.slasha --grow --size=500 --ondisk sda
part raid.slashb --grow --size=500 --ondisk sdb
raid / --fstype=ext4 --level=1 --encrypted --passphrase=<passphrase> --device=md1 raid.slasha raid.slashb

Is that the "right" way to do it? Or is there a configuration that
would work better?

Thanks,
Dave
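As an added example (not part of the thread, and not anyone's posted commands), here is the manual, post-install version of the layout SilverTip257 and Digimer describe: assemble the mirror first, fill the md device with random data, put LUKS on /dev/mdX rather than on the member partitions, and register the mapping in /etc/crypttab and /etc/fstab. The member partitions (/dev/sda2, /dev/sdb2), the array name /dev/md1, the mapper name cryptdata and the mount point /data are assumptions; anything that touches a disk runs only when the script is invoked as root with --run.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: /dev/sda2 + /dev/sdb2 -> /dev/md1,
# mapper name "cryptdata", mounted at /data. Override through the environment.
MD_DEV="${MD_DEV:-/dev/md1}"
MEMBERS="${MEMBERS:-/dev/sda2 /dev/sdb2}"
MAPPER_NAME="${MAPPER_NAME:-cryptdata}"
MOUNTPOINT="${MOUNTPOINT:-/data}"

# Number of whitespace-separated member devices (feeds --raid-devices).
count_members() {
    set -- $1
    echo "$#"
}

# crypttab line: <name> <device> <keyfile> <options>. "none" means the
# passphrase is asked for on the console at boot, which is the headless
# trade-off Digimer mentions.
crypttab_entry() {
    printf '%s %s none luks\n' "$1" "$2"
}

# fstab line for the opened mapping.
fstab_entry() {
    printf '/dev/mapper/%s %s ext4 defaults 1 2\n' "$1" "$2"
}

require_root() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
}

# 1. Mirror first. LUKS goes on the md device, not on the members: the array
#    has to assemble before anything can be unlocked, and both halves then
#    carry identical ciphertext.
build_array() {
    mdadm --create --verbose "$MD_DEV" --level=1 \
        --raid-devices="$(count_members "$MEMBERS")" $MEMBERS
    mdadm --detail --scan >> /etc/mdadm.conf
}

# 2. Overwrite with random data before luksFormat so unused blocks cannot be
#    told apart from encrypted ones. Writing to the md device writes to both
#    mirrors. /dev/urandom is slow; dd exits non-zero once the device is full.
fill_random() {
    dd if=/dev/urandom of="$MD_DEV" bs=1M || true
}

# 3. LUKS on /dev/mdX, open it, make the filesystem, register it for boot.
encrypt_array() {
    cryptsetup --verify-passphrase luksFormat "$MD_DEV"
    cryptsetup luksOpen "$MD_DEV" "$MAPPER_NAME"
    mkfs.ext4 "/dev/mapper/$MAPPER_NAME"
    mkdir -p "$MOUNTPOINT"
    mount "/dev/mapper/$MAPPER_NAME" "$MOUNTPOINT"
    crypttab_entry "$MAPPER_NAME" "$MD_DEV" >> /etc/crypttab
    fstab_entry "$MAPPER_NAME" "$MOUNTPOINT" >> /etc/fstab
}

# Optional: swap a passphrase that was written into a kickstart file
# (--passphrase=...) for one that never sat on disk in cleartext.
rotate_passphrase() {
    cryptsetup luksAddKey "$MD_DEV"     # prompts: an existing passphrase, then the new one
    cryptsetup luksRemoveKey "$MD_DEV"  # prompts: the passphrase of the slot to remove
}

# Disks are only touched when explicitly asked.
case "${1:-}" in
    --run)    require_root && build_array && fill_random && encrypt_array ;;
    --rotate) require_root && rotate_passphrase ;;
esac
```

Two things worth checking against the kickstart above: the passphrase given with --passphrase= lives in the ks file in cleartext, so that file needs the same handling as a key (hence the --rotate step once the box is up), and with "none" in crypttab the machine will wait at the console for the passphrase on every boot, which is exactly why Digimer leaves / unencrypted on headless servers.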