
#1 2011-06-05 01:46:40

KairiTech
Member
From: Toronto, Canada
Registered: 2011-06-04
Posts: 275

RAID system encryption with LUKS & LVM

The thing I like most about Arch is the KISS philosophy.

The irony is that the Wikis are anything but. So I read them dutifully and finally figured out how to bring together RAID encryption/LUKS and LVM2.

There are a few things I'd like to point out however - these are just my personal choices so you should change them to your taste and feel free to comment on ways of doing them better.

I use RAID0 - not so much interested in data storage security. I want performance and trust me - I learned my lesson about backups a long time ago. I backup my backups.

I don't use SWAP - I have 8GB of RAM.

I even configure /boot as RAID1 because Arch is the only distro I have ever been able to get to install GRUB on all the disks so I can boot from any one of them - Sweet!

As you can likely tell I have three 64GB SSDs.

Boot, root and my data are spread across all three disks.

#############################################
#
# script to prepare hard disk for RAID system encryption with /arch/setup
#
# partition the first drive like so...the [archiso:2] label was applied by the install not by me
# 
#     Name           Flags          Part Type    FS Type               [Label]            Size (MB)
# -----------------------------------------------------------------------------------------------------
#     sda1                           Primary     linux_raid_m                                 24.68     
#     sda2                           Primary     linux_raid_m          [archiso:2]         63992.68
#
cfdisk    /dev/sda
#
# dump the partition table to a file
#
sfdisk -d /dev/sda > SSD-table
#
# import the table to the other drives so they'll have an identical partition scheme
#
sfdisk    /dev/sdb < SSD-table
sfdisk    /dev/sdc < SSD-table
#
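# load the RAID modules just in case they aren't already loaded
# (-a is needed to load more than one module; without it raid1 is passed to raid0 as a parameter)
#
modprobe -a raid0 raid1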
#
# create the RAID device for /boot
#
mdadm --create /dev/md1 --level=1 --raid-devices=3 /dev/sda1 /dev/sdb1 /dev/sdc1 --metadata=0.90
#
# create the RAID device for root & data
#
mdadm --create /dev/md2 --level=0 --raid-devices=3 /dev/sda2 /dev/sdb2 /dev/sdc2
#
# load the device mapper module
#
modprobe dm_mod
#
# encrypt the device that will hold root & data
#
cryptsetup --cipher=aes-xts-plain --verify-passphrase --key-size=512 luksFormat /dev/md2
#
# open the encrypted device (pvCryptDisk)
#
cryptsetup luksOpen /dev/md2 pvCryptDisk
#
# create the physical volume
#
pvcreate /dev/mapper/pvCryptDisk
#
# create the volume group
#
vgcreate vg64SSDx3 /dev/mapper/pvCryptDisk
#
# create the logical volume for root
#
lvcreate --contiguous y --size 6G --name lvRoot vg64SSDx3 
#
# create the logical volume for data (lvMyStuff) with all the remaining space
#
lvcreate --extents +100%FREE --name lvMyStuff vg64SSDx3
#
# this is when you start /arch/setup
#
# choose the option to manually prepare hard drives using UUID
#
# when I didn't use UUID the device assignments for the drives would jump around after the reboot and the boot would fail
#
# device                           label        fs        mountpoint
# --------                         ------       --        --------------
# /dev/md1                         boot         ext2      /boot
# /dev/mapper/vg64SSDx3-lvRoot     root         ext4      /
# /dev/mapper/vg64SSDx3-lvMyStuff  myStuff      ext4      /media/myStuff
#
# after the base packages are installed jump to VT2 with Alt-2 and copy over the RAID configuration to the install
#
# cp /mnt/etc/mdadm.conf /mnt/etc/mdadm.conf.original
# mdadm --examine --scan > /mnt/etc/mdadm.conf
#
#############################################
#
# configure the system as indicated below (do not include the "###s")
#
# change "no" to "yes" in /etc/rc.conf
#
### USEDMRAID="yes"
### USELVM="yes"
#
# insert modules to be included in the boot image in /etc/mkinitcpio.conf
#
### MODULES="dm_mod dm_crypt aes_x86_64 raid1 raid0"
#
# insert the hooks for the boot image in /etc/mkinitcpio.conf
#
# I have a USB keyboard so I need usbinput
# I prefer to type the passphrase every time so I need keymaps
# the order is important so don't change it unless you know what you are doing
#
### HOOKS="base udev autodetect pata scsi sata mdadm usbinput keymap encrypt lvm2 filesystems"
#
# insert into /boot/grub/menu.lst immediately before "ro" on both kernel boot parameter lines 
#
### cryptdevice=/dev/md2:vg64SSDx3
#
#############################################

Last edited by KairiTech (2011-09-14 17:32:28)
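
An added example, not part of the original post: a small POSIX shell check that the HOOKS line of a mkinitcpio.conf keeps the ordering the script above relies on (mdadm and keymap before encrypt, encrypt before lvm2, lvm2 before filesystems). The function names are hypothetical and the script only reads the file it is given.

```sh
#!/bin/sh
# Added example: verify the HOOKS order needed for RAID -> LUKS -> LVM.
# Function names are hypothetical; nothing on the system is modified.

# Print the hooks of the last uncommented HOOKS="..." line, one per line.
get_hooks() {
    sed -n 's/^[[:space:]]*HOOKS="\(.*\)".*/\1/p' "$1" | tail -n 1 | tr -s ' \t' '\n\n'
}

# Print the 1-based position of hook $2 in file $1 (empty if absent).
hook_pos() {
    get_hooks "$1" | grep -n -x -- "$2" | head -n 1 | cut -d: -f1
}

# Return 0 only if both hooks exist and $2 comes before $3.
require_before() {
    a=$(hook_pos "$1" "$2"); b=$(hook_pos "$1" "$3")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "missing hook: need both '$2' and '$3'"; return 1
    fi
    if [ "$a" -ge "$b" ]; then
        echo "order: '$2' must come before '$3'"; return 1
    fi
    return 0
}

# The md array must be assembled before it can be unlocked, the keymap must
# be loaded before the passphrase prompt, the LUKS container must be open
# before LVM can find its volume group, and only then can / be mounted.
check_hooks() {
    conf=$1; rc=0
    require_before "$conf" mdadm encrypt    || rc=1
    require_before "$conf" keymap encrypt   || rc=1
    require_before "$conf" encrypt lvm2     || rc=1
    require_before "$conf" lvm2 filesystems || rc=1
    return $rc
}

# Usage: sh check-hooks.sh /etc/mkinitcpio.conf
if [ "$#" -gt 0 ]; then
    check_hooks "$1" && echo "HOOKS order OK"
fi
```

Run it against /mnt/etc/mkinitcpio.conf from VT2 before the installer rebuilds the boot image, so an ordering mistake shows up before the first reboot.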


#2 2011-07-18 17:03:48

spreadtux
Member
From: 78711
Registered: 2011-05-27
Posts: 3

Re: RAID system encryption with LUKS & LVM

Hiya,

Thx a lot. You've done a great job with your HowTo.
I unsuccessfully tried many times to achieve the same setup with 2 HDD.

But something must be missing at the end:
When Grub tries to install, it complains about "root partition autodetection failure" "Modify 'root (hd0,0)".
How did you achieve this step plz?

Regards


#3 2011-09-14 16:13:05

KairiTech
Member
From: Toronto, Canada
Registered: 2011-06-04
Posts: 275

Re: RAID system encryption with LUKS & LVM

Sorry for the late response but I've never seen this error before. It's a little strange though because you should have manually defined where root is during the install so I'm thinking there should be no need to autodetect it.


#4 2011-09-14 17:31:32

KairiTech
Member
From: Toronto, Canada
Registered: 2011-06-04
Posts: 275

Re: RAID system encryption with LUKS & LVM

See my post about wanting to move all of this to GPT, GRUB2 and UEFI but not knowing how.


#5 2011-09-19 18:32:29

spreadtux
Member
From: 78711
Registered: 2011-05-27
Posts: 3

Re: RAID system encryption with LUKS & LVM

Hi Kairitech

Thx for your reply. Perhaps I have made some mistakes.
So I'll give it another try. I hope it will be successful this time.
And I'll have a look at your other post and your script, trying to customize it and get it working successfully.

I'll soon give you some (good?) news so stay tuned.
