[CentOS] Best configuration for encrypted software RAID 1?

Thu Oct 10 03:12:30 UTC 2013
Dave Johansen <davejohansen at gmail.com>

On Fri, May 17, 2013 at 8:21 AM, Dave Johansen <davejohansen at gmail.com> wrote:

> On Wed, May 15, 2013 at 9:42 AM, SilverTip257 <silvertip257 at gmail.com>
> wrote:
> >
> > On Wed, May 15, 2013 at 12:25 PM, Digimer <lists at alteeve.ca> wrote:
> >
> > > On 05/15/2013 12:22 PM, Dave Johansen wrote:
> > > > I'm setting up a computer with CentOS 6.4 and a mirrored software
> > > > RAID. I would like it to be encrypted so I was wondering what the best
> > > > configuration is. The only info I could find is
> > > > http://lists.centos.org/pipermail/centos-docs/2008-October/001912.html
> > > > but it appears to be a bit old and the info on the wiki (
> > > > http://wiki.centos.org/HowTos/EncryptTmpSwapHome ) doesn't seem to
> > > > address RAIDs.
> > > >
> > > > My main question is will it be better to encrypt the RAID itself or
> > > > the two partitions used by the RAID? Any other things I should be
> > > > aware of?
> > > >
> > > > Thanks,
> > > > Dave
> > >
> > > This depends on your use-case. Personally, I want my servers to be able
> > > to boot headless, so I leave /boot, <swap> and / unencrypted, RAID or
> > >
> >
> > /boot absolutely can't be encrypted
> >
> > I use LUKS in conjunction with Serial over LAN ... otherwise I'd have to
> > manually mount (or script it) so my encrypted volume is mounted.  In my
> > case as well, I only have the volume where my backup data goes ... so
> > /boot, /, and others are not encrypted (no need).
> >
> >
> > > not. Then I encrypt the LV (or partition) I am going to put data I care
> > > about on. I don't think there is any benefit to encrypting the
> > > partitions behind the MD device as it won't be able to form until you
> > > decrypt the devices. I'd keep crypt on the resulting /dev/mdX, at the
> > > lowest.
> > >
> >
> > Create a software raid array and then create your LUKS encrypted volume on
> > top of that md device.  It is *highly recommended* to write random data to
> > the underlying disk device prior to creating the LUKS volume.  I believe I
> > referenced [0] on the Arch Linux wiki a bunch way back when, but you'll
> > find other great references on the Gentoo wiki as well.
> >
> > cryptsetup is the utility you're looking for.  (As I'm sure you already
> > know...since your mailing list link mentions it.) :)
> >
> >
> > >
> > > Again, it depends on your use-case.
> > >
> > > --
> > > Digimer
> > > Papers and Projects: https://alteeve.ca/w/
> > > What if the cure for cancer is trapped in the mind of a person without
> > > access to education?
> > > _______________________________________________
> > > CentOS mailing list
> > > CentOS at centos.org
> > > http://lists.centos.org/mailman/listinfo/centos
> > >
> >
> >
> > [0] https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS
>
> Thanks for the feedback. I'm actually doing this through an Anaconda
> config file and I'm using the following settings:
>
> part raid.boota --size=500 --ondisk sda
> part raid.bootb --size=500 --ondisk sdb
> raid /boot --fstype=ext4 --level=1 --device=md0 raid.boota raid.bootb
> part raid.slasha --grow --size=500 --ondisk sda
> part raid.slashb --grow --size=500 --ondisk sdb
> raid / --fstype=ext4 --level=1 --encrypted --passphrase=<passphrase> --device=md1 raid.slasha raid.slashb
>
> Is that the "right" way to do it? Or is there a configuration that
> would work better?
>

For the sake of anyone who reads this later: --fsprofile=ext4 needs to be
specified on the partition definition lines so that it will use the
proper parameters. When it's not specified, only the defaults are used and
performance is significantly degraded.

So the above definition would look like this:
part raid.boota --fsprofile=ext4 --size=500 --ondisk sda
part raid.bootb --fsprofile=ext4 --size=500 --ondisk sdb
raid /boot --fstype=ext4 --level=1 --device=md0 raid.boota raid.bootb
part raid.slasha --fsprofile=ext4 --grow --size=500 --ondisk sda
part raid.slashb --fsprofile=ext4 --grow --size=500 --ondisk sdb
raid / --fstype=ext4 --level=1 --encrypted --passphrase=<passphrase> --device=md1 raid.slasha raid.slashb

You can see info about it here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/s1-kickstart2-options.html
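
An added example, not part of the original message and not Anaconda's own code: a small Python check that reads the part/raid lines of a kickstart file and reports the points raised in this thread (encryption on the md device rather than on its member partitions, /boot left unencrypted, --fsprofile on the partition lines), plus the fact that --passphrase= leaves the passphrase in clear text in the file. The name check_layout and the finding texts are made up for this example; the sample input is the layout above with the thread's own <passphrase> placeholder.

```python
import shlex

# Constructed input: the final layout from the message above, with the
# passphrase left as the same placeholder the thread uses.
THREAD_KS = """\
part raid.boota --fsprofile=ext4 --size=500 --ondisk sda
part raid.bootb --fsprofile=ext4 --size=500 --ondisk sdb
raid /boot --fstype=ext4 --level=1 --device=md0 raid.boota raid.bootb
part raid.slasha --fsprofile=ext4 --grow --size=500 --ondisk sda
part raid.slashb --fsprofile=ext4 --grow --size=500 --ondisk sdb
raid / --fstype=ext4 --level=1 --encrypted --passphrase=<passphrase> --device=md1 raid.slasha raid.slashb
"""


def check_layout(ks_text):
    """Return (line_number, finding) pairs for the part/raid lines of a kickstart."""
    findings = []
    for lineno, raw in enumerate(ks_text.splitlines(), 1):
        try:
            words = shlex.split(raw, comments=True)
        except ValueError:
            # Unbalanced quote (e.g. inside a passphrase): fall back to plain splitting.
            words = raw.split()
        if len(words) < 2 or words[0] not in ("part", "partition", "raid"):
            continue
        cmd, target = words[0], words[1]
        # Keep option names only; values such as "sda" or "=500" are dropped.
        flags = {w.split("=", 1)[0] for w in words[2:] if w.startswith("--")}
        is_member = cmd != "raid" and target.startswith("raid.")
        if "--encrypted" in flags:
            if is_member:
                findings.append((lineno, "RAID member encrypted; thread advice is to encrypt the md device"))
            if target == "/boot":
                findings.append((lineno, "/boot is marked encrypted"))
            if "--passphrase" in flags:
                findings.append((lineno, "passphrase is stored in clear text in this file"))
        if cmd != "raid" and "--fsprofile" not in flags:
            findings.append((lineno, "no --fsprofile on partition line"))
    return findings


if __name__ == "__main__":
    for lineno, finding in check_layout(THREAD_KS):
        print(f"line {lineno}: {finding}")
```

Run against the layout above, the only finding is the inline passphrase on the md1 line, so the kickstart file itself needs to be protected like the passphrase.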