You are not logged in.
- Topics: Active | Unanswered
Pages: 1
#1 2015-12-22 20:47:11
- MegaBites
- Member
- Registered: 2015-12-22
- Posts: 9
Encrypted RAID5
Hello,
I have an Arch system on a SSD. I also have 3x 2 TB HDDs attached to the system. I would like to use them in a RAID-5 array with encryption. I've done some Googling, but I'm still a bit confused. Is the following the best way to do this?
1. Create a GUID Partition Table on the 3 disks.
2. Use mdadm to create the RAID5 array.
3. Create LVM volume group from the md devices (is this right?).
4. Encrypt LVM volume group with cryptsetup/LUKS.
5. Open LUKS volume and create filesystem.
I created the above steps from several results I found through Google. I'm not sure why LVM would be required here (I guess mdadm doesn't create a single logical volume?).
I'm familiar with cryptsetup/LUKS, so I'm not worried about how to do that; I'm just trying to figure out WHERE in the process it goes.
I'm also considering Btrfs RAID5. However, the fact that it's currently incomplete discourages me. This isn't super important data; if a disk failed, I'd be more upset about having to buy a replacement disk than data loss. But I don't want something that I'll have to mess around with on a daily/weekly basis to fix it.
I also looked into ZFS, but it seems ZFS on Linux doesn't support encryption itself, so it would still be an extra step to encrypt it. I'd rather stick with a more native approach instead of using ZFS.
The data on the drives will be approximately 80% random reads, 20% random writes. I'm not super concerned about write performance.
Thank you all very much!
Offline
#2 2015-12-22 20:57:49
- graysky
- Wiki Maintainer
- From: :wq
- Registered: 2008-12-01
- Posts: 10,597
- Website
Re: Encrypted RAID5
No, ZFS for linux does not support native encryption. Run freenas for that (or some other bsd flavor). Also, HIGHLY recommend that you use ECC memory with ZFS. For linux-native encrypted raid, see: https://bbs.archlinux.org/viewtopic.php?id=205730
EDIT: more links
http://jasonwryan.com/blog/2012/02/11/lvm/
http://www.ducea.com/2009/03/08/mdadm-cheat-sheet/
Last edited by graysky (2015-12-22 20:59:26)
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Offline
#3 2015-12-22 21:24:20
- tom.ty89
- Member
- Registered: 2012-11-15
- Posts: 897
Re: Encrypted RAID5
One reason you need LVM for dm-crypt is because creating partitions on the encrypted devices directly is not quite feasible. For example, you need to probe the partitions manually every time you open the device and you don't have something like `vgchange -an` to allow you to close the device. If you think that you don't need partitioning (like formatting the whole device with btrfs), or you are going to encrypt the partitions one by one instead of encrypting the whole drives, then LVM is probably optional or even unnecessary. FWIW it's mainly a layer to allow flexible management, so it doesn't matter here whether you use RAID or not.
Also are you going to use MSDOS/MBR or GPT? If you use GPT you probably need to partition first (e.g. to have a EF00 or EF02 partition), and then create a vg on the big partition, unless you're gonna use a flash drive to unlock.
Last edited by tom.ty89 (2015-12-22 21:25:03)
Offline
#4 2015-12-22 21:32:47
- alphaniner
- Member
- From: Ancapistan
- Registered: 2010-07-12
- Posts: 2,810
Re: Encrypted RAID5
3. Create LVM volume group from the md devices (is this right?).
4. Encrypt LVM volume group with cryptsetup/LUKS.
3. An mdadm raid will be presented as a single block device, /dev/md### . It can be treated exactly like /dev/sdX. In lieu of encryption it would be used as LVM PV (physical volume).
4. Strictly speaking you can't encrypt an LVM VG. You encrypt the mdadm device and then create LVM PV "on top of the opened LUKS container" (quoted from the wiki).
I'm not sure why LVM would be required here (I guess mdadm doesn't create a single logical volume?).
LVM isn't required, it's just that it'd be silly not to use it.
But whether the Constitution really be one thing, or another, this much is certain - that it has either authorized such a government as we have had, or has been powerless to prevent it. In either case, it is unfit to exist.
-Lysander Spooner
Offline
#5 2015-12-23 01:09:41
- MegaBites
- Member
- Registered: 2015-12-22
- Posts: 9
Re: Encrypted RAID5
Thank you all! I understand it much better now. I'm not going to put partitions on the device (just a single filesystem in the whole md0) so I'm going to try and skip LVM to simplify things a bit. I'm wiping the disks now so I wont be able to until at least tomorrow.
Thanks!
Offline
#6 2015-12-23 16:25:29
- MegaBites
- Member
- Registered: 2015-12-22
- Posts: 9
Re: Encrypted RAID5
Quick question that came up: The HDDs I'm currently using all have a logical and physical sector size of 512 bytes. If I later replace a disk with an Advanced Format (sector size 4K) disk, will this have any affect I need to be aware of? I would, of course, align the partition properly, but other than that?
Offline
#7 2015-12-23 23:42:05
- MegaBites
- Member
- Registered: 2015-12-22
- Posts: 9
Re: Encrypted RAID5
I am now at the step to create the filesystem on /dev/md0. Based on my chunk and block sizes, I've used the wiki guide on RAID to calculate the stride and stripe-width for the filesystem. However, all the examples seem to be for ext4, not btrfs. I read the btrfs man page, but didn't see the relevant settings. How can I format /dev/md0 properly?
Stride = 64/4 = 16
Stripe-width = 2 * 16 = 32
Offline
Pages: 1