[CentOS] Best configuration for encrypted software RAID 1?

Tue May 21 15:26:53 UTC 2013
Dave Johansen <davejohansen at gmail.com>

On Mon, May 20, 2013 at 2:07 PM, SilverTip257 <silvertip257 at gmail.com> wrote:
>
> On Fri, May 17, 2013 at 9:48 PM, Dave Johansen
> <davejohansen at gmail.com>wrote:
>
> > On Fri, May 17, 2013 at 12:04 PM, SilverTip257 <silvertip257 at gmail.com>
> > wrote:
> > >
> > > On Fri, May 17, 2013 at 12:42 PM, SilverTip257 <silvertip257 at gmail.com
> > >wrote:
> > >
> > > > On Fri, May 17, 2013 at 11:21 AM, Dave Johansen <
> > davejohansen at gmail.com>wrote:
> > > >
> > > >>
> > > >> >
> > > >> > [0] https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS
> > > >>
> > > >> Thanks for the feedback. I'm actually doing this through an Anaconda
> > > >> config file and I'm using the following settings:
> > > >>
> > > >> part raid.boota --size=500 --ondisk sda
> > > >> part raid.bootb --size=500 --ondisk sdb
> > > >> raid /boot --fstype=ext4 --level=1 --device=md0 raid.boota raid.bootb
> > > >> part raid.slasha --grow --size=500 --ondisk sda
> > > >> part raid.slashb --grow --size=500 --ondisk sdb
> > > >> raid / --fstype=ext4 --level=1 --encrypted --passphrase=<passphrase> --device=md1 raid.slasha raid.slashb
> > > >>
> > > >> Is that the "right" way to do it? Or is there a configuration that
> > > >> would work better?
> > > >>
> > > >
> > > > That looks right.  Maybe somebody else will have a tip.
> > > >
> > >
> > > You might also reference the advanced example here [0].
> > >
> > > [0] http://www.centos.org/docs/5/html/Installation_Guide-en-US/s1-kickstart2-options.html#s2-kickstart2-options-part-examples
> >
> > That example is helpful for the RAID stuff, but it doesn't show an
> > example of encryption and so that's what my question is really about.
> > Should the raid line have the encryption like I have in my example? Or
> > should it be on each of the partitions? I'm just curious if there's a
>
>
> It is impossible to encrypt /boot... (you only have one other partition =>
> root)
> Single LUKS volume = ease of management?  So I'm thinking LUKS with LVM
> inside.

Yes, just ease of management. We're not going to be adding/changing
disks or anything and only having to type a single passphrase is best.

> If you encrypt root, but don't encrypt swap you could be exposing data.
> As far as I've seen if you encrypt root, then you encrypt swap and most/all
> other partitions.  It really depends on what you want encrypted (remember
> there will be some CPU cycles and additional I/O wait).

Thanks for the reminder, but we're actually not using swap on this system.

> > pro/con to each of those options. My very basic/quick testing seemed
> > to indicate that doing it on the raid line was the better solution,
> >
>
> ** Where else would you place the encryption?  (Please list the scenarios.) **

The encryption could be on the individual partitions and then the raid
would use the two encrypted partitions. I tried this and it seemed
that then there were two encryption processes running so my very
simple testing seemed to indicate that this sort of configuration
would double the CPU usage.

> You'll notice I choose not to put the LUKS passphrase in plain text in the
> kickstart config (Anaconda asks for one before partitioning the disks).
>
> I have an example below with and without LVM.  I've done non-LVM encrypted
> setups in the past, so I haven't tested that recently.  But the
> raid+luks+lvm I kickstarted on a test VM (notice the virtio disks).

Thanks, the examples are good for comparison.

> > but I was just wondering if anyone had experience with this?
> >
>
> # clears ALL partitions on ALL drives
> clearpart --all --initlabel
>
> # set up software raid arrays
> part raid.01 --size=512 --asprimary --ondisk=vda
> part raid.02 --size=512 --asprimary --ondisk=vdb
> part raid.03 --size=1024 --asprimary --ondisk=vda
> part raid.04 --size=1024 --asprimary --ondisk=vdb
> part raid.05 --size=5120 --asprimary --grow --ondisk=vda
> part raid.06 --size=5120 --asprimary --grow --ondisk=vdb
>
> # set up partitions on the software raid array (no LVM)
> #raid /boot --fstype=ext4 --level=RAID1 raid.01 raid.02
> #raid swap --fstype=swap --level=RAID0 raid.03 raid.04 --encrypted
> #raid / --fstype=ext4 --level=RAID1 raid.05 raid.06 --encrypted
> #    #
> # OR #
> #    #
> # set up partitions on the software raid array (with LVM)
> raid /boot   --fstype=ext4 --device=md0 --level=RAID1 raid.01 raid.02
> raid swap    --fstype=swap --device=md1 --level=RAID0 raid.03 raid.04 --encrypted
> raid pv.01   --fstype=ext4 --device=md2 --level=RAID1 raid.05 raid.06 --encrypted
>
> # actual LVM volume group and logical volumes
> volgroup vg00 pv.01
> logvol /       --vgname=vg00 --size=4096 --maxsize=6144 --grow --fstype=ext4 --name=rootfs
> logvol /home   --vgname=vg00 --size=512                 --grow --fstype=ext4 --name=home
>
>
>
> >
> > Thanks,
> > Dave
> >
>
>
> I've noticed the same passphrase is used for both LUKS volumes (Anaconda
> only asked for a passphrase once) -- swap and the LVM PV are separate
> softraid MDs.

We want the kickstart to be fully automated/unattended. We use a dummy
passphrase during the kickstart and then change it after the setup is
complete. Also, like I mentioned before, only having to type a single
passphrase is what we're going for.

Thanks,
Dave
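
The points raised in this thread (a clear-text `--passphrase=` in the kickstart file, swap left unencrypted beside an encrypted root, and LUKS placed on the individual RAID members instead of on the md device) can be checked mechanically. The following is an added example, not part of the original message: a small Python audit over kickstart storage lines. The function names and finding labels are assumptions of this example; `SAMPLE_KS` is the first config quoted above with its wrapped lines rejoined.

```python
# Added example: audit kickstart storage lines for the issues discussed in the thread.
SAMPLE_KS = """\
part raid.boota --size=500 --ondisk sda
part raid.bootb --size=500 --ondisk sdb
raid /boot --fstype=ext4 --level=1 --device=md0 raid.boota raid.bootb
part raid.slasha --grow --size=500 --ondisk sda
part raid.slashb --grow --size=500 --ondisk sdb
raid / --fstype=ext4 --level=1 --encrypted --passphrase=<passphrase> --device=md1 raid.slasha raid.slashb
"""  # first config quoted in the thread, wrapped lines rejoined

STORAGE_CMDS = {"part", "partition", "raid", "logvol"}


def parse_storage(ks_text):
    """Return one dict per storage command: cmd, target and the set of --flags."""
    entries = []
    for raw in ks_text.splitlines():
        tokens = raw.split()
        # Skip blanks, comments and anything that is not a storage command.
        if len(tokens) < 2 or tokens[0] not in STORAGE_CMDS:
            continue
        flags = {t.split("=", 1)[0] for t in tokens[2:] if t.startswith("--")}
        entries.append({"cmd": tokens[0], "target": tokens[1], "flags": flags})
    return entries


def audit(ks_text):
    """Return (finding, target) tuples in file order (labels are hypothetical)."""
    entries = parse_storage(ks_text)
    any_encrypted = any("--encrypted" in e["flags"] for e in entries)
    findings = []
    for e in entries:
        encrypted = "--encrypted" in e["flags"]
        # Passphrase stored in clear text in the kickstart file.
        if "--passphrase" in e["flags"]:
            findings.append(("plaintext-passphrase", e["target"]))
        # LUKS on a RAID member sits below md, so each mirror leg is encrypted separately.
        if e["cmd"] != "raid" and e["target"].startswith("raid.") and encrypted:
            findings.append(("encryption-below-raid", e["target"]))
        # Other volumes are encrypted but swap is not.
        if e["target"] == "swap" and any_encrypted and not encrypted:
            findings.append(("unencrypted-swap", e["target"]))
    return findings


if __name__ == "__main__":
    for finding, target in audit(SAMPLE_KS):
        print(f"{finding}: {target}")
```

The parser expects each kickstart command on a single line, so configs pasted from e-mail need their wrapped lines rejoined first.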