Debian : Encrypted Raid 1 setup.

We have a Debian X64 server which has the following config. One single 512GB SSD, which has our OS and two 2.0TB HDD's which have data like attachments, etc.

The two 2.0 TB drives are in RAID-1 configuration. For security purposes, I would like to encrypt this RAID-1 setup. The thing I don't understand is, even the encrypted drive will require a key to decrypt. These are the two problems I am having :

  1. How to setup an encrypted RAID-1. I found a lot of stuff for RAID with LVM.
  2. Where and how will the key be stored for decrypting the drive.

Here is my raid config :

mdadm --detail /dev/md0
/dev/md0: Version : 1.2 Creation Time : Tue Feb 2 16:35:52 2016 Raid Level : raid1 Array Size : 1953382336 (1862.89 GiB 2000.26 GB) Used Dev Size : 1953382336 (1862.89 GiB 2000.26 GB) Raid Devices : 2 Total Devices : 2 Persistence : Superblock is persistent Update Time : Thu Feb 11 10:00:37 2016 State : clean Active Devices : 2
Working Devices : 2 Failed Devices : 0 Spare Devices : 0 Name : domain:0 (local to host domain) UUID : e3750654:c7e1a24c:3f0a15b6:46f26d0d Events : 22 Number Major Minor RaidDevice State 0 8 1 0 active sync /dev/sda1 1 8 17 1 active sync /dev/sdb1

Any help would be nice. Thank you.

0

3 Answers

Encrypting the filesystem is not as secure as full partition encryption, and arguably harder to use - as well as slower.

The typical way to set up encryption would be to set up RAID1, Then LVM, Then Encrypt to LVM volume. (You could skip the LVM volume bit, but it adds more flexibility). I would imagine that most distros will allow you to do this on a fresh install - This is true of Ubuntu/Mint and, if you want to switch the LVM and Encryption layers here. I'm pretty sure you can do this with Redhat and derivitives as well.

As far as storing the key - Full Disk encryption uses LUKS, so the key is stored in the header of the disk, and encrypted with your passphrase. This means you can change your passphrase without needing to re-encrypt the disk.

When running an encrypted FS you need to re-enter the key each time you boot up. (If you use Ubuntu user encryption, this is not the case - it takes the key from the users password - and its also less secure).

Extended information after Comments

As you have built the RAID 1 array, the first step is to build LVM on top of it. You should google for it to fully understand it, but there are 3 parts to this -

  1. Use the command pvcreate /dev/md0 makes the RAID device an LVM resource.

  2. Add a volume group with the command vgcreate RaidVG /dev/md0

  3. Create a Logical Volume using a command like lvcreate -n LVMVol RaidVG -L +1700G (Its a good idea to ensure the Logical Volume is smaller then the full disk size so you can do snapshots and other cool stuff)

This will create a new volume (similar to a partition) called /dev/RaidVG/LVMVol, which you would then encrypt. To do this use the command cryptsetup -u u-v luksFormat /dev/RaidVG/LVMVol to create the volume.

To mount the volume (and you will need to run this command every time you restart the system), type cryptsetup luksOpen /dev/RaidVG/LVMVol CryptVol - This will ask you to enter a password and then create a new volume/partition /dev/mapper/CryptVol which you can operate on - and all operations will be encrypted.

After this its a matter of creating the filesystem - eg mkfs.ext4 /dev/mapper/CryptVol, and then mounting it mount /dev/mapper/CryptVol /path/to/mountpoint - You will, of-course, need to manually mount the volume each time you restart the computer, after unencrypting it first as above.

4

How to setup an encrypted RAID-1.

Easiest way: Set up an unencryped RAID 1 and encrypt the filesystem. (No the disk or the partition).

I never did this myself, but it seems one way to do it is:

  • cryptsetup options luksFormat device
  • cryptsetup open device name
  • mkfs.fstype /dev/mapper/name (which is done on the encrypted device)

Where and how will the key be stored for decrypting the drive.

Ah, good question. The answer should be 'nowhere on the computer'.
Else it is similar to a lock with the key still inserted.

You will need to manually enter the key on each time you boot.

Apparently you can also store it in /etc/crypttab, but then your security is significanly less. It will prevent someone from just physically removing the disks and reading the contents. But if they can access the disks then they probably also can access your SSD and retrieve the keys.

3

Assuming you have a RAID in place already in /dev/md0. Check it using:

cat /proc/mdstat

If you see something like md0 : active raid1 sdc[1] sda[0] you are good to go:

sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/md0

Open it

sudo cryptsetup luksOpen /dev/md0 my_raid

Check for size

ls -l /dev/mapper/my_raid

Create file system

sudo mkfs.ext4 /dev/mapper/my_raid

Mount it

sudo mount /dev/mapper/my_raid /mnt/my_raid

Check it

df -h | grep raid

Here is our encrypted, mounted raid:

/dev/mapper/my_raid 3.6T 89M 3.4T 1% /mnt/my_raid

tada.

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like