Hi,
I spent some time rethinking my RAID setup and I realized that my current layout does not take full advantage of btrfs raid1 features such as metadata duplication. So I came up with a new layout that I would like to format my hard disks with in order to utilize all btrfs features while ensuring that all data at rest is encrypted:
┌────────────────────────────────────────┐ ┌────────────────────────────────────────┐
│ /dev/sda                               │ │ /dev/sdb                               │
├────────────────────────────────────────┤ ├────────────────────────────────────────┤
│ Active ESP                             │ │ Inactive ESP                           │
│                                        │ │                                        │
├────────────────────────────────────────┤ ├────────────────────────────────────────┤
│ mdadm raid1                            │ │ mdadm raid1                            │
│  └► LUKS A: unlock via keyboard        │ │  └► LUKS A: unlock via keyboard        │
│     └► ext4: /etc/cryptsetup-keys.d/   │ │     └► ext4: /etc/cryptsetup-keys.d/   │
│                                        │ │                                        │
├────────────────────────────────────────┤ ├────────────────────────────────────────┤
│ LUKS B: unlock via keyfile A in LUKS A │ │ LUKS C: unlock via keyfile B in LUKS A │
│  └► btrfs raid1: /                     │ │  └► btrfs raid1: /                     │
│                                        │ │                                        │
└────────────────────────────────────────┘ └────────────────────────────────────────┘
In this new setup the key files would reside in a separate LUKS container that can be unlocked with a passphrase. As far as I understand the boot process, this container needs to be mounted within the initcpio environment in order for the initcpio environment to be able to unlock the other partitions containing the btrfs raid1 blocks.
But I'm not sure if the encryptssh mkinitcpio hook supports such a setup. So my question is: can I use the encryptssh hook to unlock such a setup?
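The ordering constraint behind the layout above (LUKS A must be opened and its ext4 filesystem mounted before the keyfiles for LUKS B and LUKS C are reachable) can be checked mechanically. The following is an added example, not code from the post or from the encryptssh hook; the volume names, the dependency model and the keyfile paths are assumptions made for illustration.

```python
"""Added example: verify that a nested-LUKS layout has a valid unlock order.

Assumed model: each LUKS volume is opened either with a passphrase (provider
None) or with a keyfile stored on a filesystem inside another volume (the
provider), which must therefore be opened and mounted first.
Volume names and comments are constructed for this example."""
from collections import deque

LAYOUT = {
    "luksA": None,      # on the mdadm raid1, passphrase typed at the keyboard
    "luksB": "luksA",   # keyfile A lives in /etc/cryptsetup-keys.d/ on luksA
    "luksC": "luksA",   # keyfile B lives in /etc/cryptsetup-keys.d/ on luksA
}


def unlock_order(layout):
    """Return the volumes in an order where every keyfile provider comes
    before the volumes that depend on it (Kahn's topological sort).
    Raises ValueError on a cycle, i.e. a keyfile stored behind the very
    volume it is meant to unlock, which could never boot."""
    indeg = {v: 0 for v in layout}
    dependents = {v: [] for v in layout}
    for vol, provider in layout.items():
        if provider is None:
            continue
        if provider not in layout:
            raise ValueError(f"{vol}: unknown keyfile provider {provider}")
        indeg[vol] += 1
        dependents[provider].append(vol)
    queue = deque(sorted(v for v, d in indeg.items() if d == 0))
    order = []
    while queue:
        vol = queue.popleft()
        order.append(vol)
        for dep in sorted(dependents[vol]):
            indeg[dep] -= 1
            if indeg[dep] == 0:
                queue.append(dep)
    if len(order) != len(layout):
        stuck = sorted(v for v, d in indeg.items() if d > 0)
        raise ValueError(f"unlock cycle, layout cannot boot: {stuck}")
    return order


def interactive_unlocks(layout):
    """Volumes that need a passphrase; only these would have to be prompted
    for by an early-boot hook such as encryptssh."""
    return [v for v, p in layout.items() if p is None]


if __name__ == "__main__":
    print("unlock order:", unlock_order(LAYOUT))       # ['luksA', 'luksB', 'luksC']
    print("passphrase needed:", interactive_unlocks(LAYOUT))  # ['luksA']
```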