| View previous topic :: View next topic |
| Author |
Message |
Mr. M
Tux's lil' helper
Joined: 18 Sep 2004
Posts: 89
Location: USA
|
 Posted: Sat Dec 12, 2015 1:39 pm Post subject: Encrypted RAID with LVM for root partition |
 |
|
I have a Gentoo installation that has been running for years that I would like to move to an encrypted RAID. I have 2 3TB disks that I'm planning to use for a RAID1 array with full disk encryption. What is the best way to set this up? Currently, I'm thinking of doing the following:
- Create 2 partitions on each drive: sda1 sda2, sdb1, sdb2 the first partition is small and is used for /boot, the 2nd partition fills the rest of the drive.
- Encrypt sda2, sdb2 using LUKS
- Create a RAID1 array using the two encrypted containers
- Set up LVM with the RAID1 array as PV
- Create /, /home partitions (..) and swap space on top of LVM
I have done something similar on my laptop a few years ago, but with only 1 hard drive and an encrypted swap partition and LVM for the rest. It was a bit of a pain to set up and I had to use a custom initramfs that used a gpg key to unlock both containers (so the password only had to be entered once). It seems to me that I'm in a similar situation here, as the initramfs needs to unlock both sda2 and sdb2.
Is there a better way or more streamlined way of setting this up? Possibly using genkernel without a custom initramfs? |
|
| Back to top |
|
 |
frostschutz
Advocate
Joined: 22 Feb 2005
Posts: 2977
Location: Germany
|
| Posted: Sat Dec 12, 2015 1:41 pm Post subject: |
|
|
Other way around, create the RAID, encrypt the RAID.
Otherwise anything you write has to be encrypted twice (once for each disk).
Aparft from that you are describing a common setup. I do it the same way, except my /boot is a USB stick with encrypted keyfiles and a dozen LiveCDs on it.
| Mr. M wrote: | | I had to use a custom initramfs that used a gpg key to unlock both containers (so the password only had to be entered once). |
You can use cryptsetup keys instead of gpg keys: https://wiki.gentoo.org/wiki/Custom_Initramfs#Encrypted_keyfile
But as long as you have only one RAID, you only have one container. So unless you want encrypted keyfiles for added security (no one can tamper with your /boot if you carry it with you, and a cheap hardware keylogger gets the passphrase for the keyfile, not the key itself), you can stick with a simple setup that should be supported out of the box by all common initramfs generators. |
|
| Back to top |
|
|
Mr. M
Tux's lil' helper
Joined: 18 Sep 2004
Posts: 89
Location: USA
|
| Posted: Sat Dec 12, 2015 1:50 pm Post subject: |
|
|
| frostschutz wrote: | | Other way around, create the RAID, encrypt the RAID. |
Thanks, that makes sense. What steps are needed to set up the initramfs so it asks for a password, unlocks containers, etc on boot? Can I just use
| Code: |
genkernel --dmraid --luks --lvm initramfs
|
and it picks everything up automatically? Also, in grub.conf, what do I need to use for the "crypt_root" parameter? Does the RAID have a UUID? |
|
| Back to top |
|
|
frostschutz
Advocate
Joined: 22 Feb 2005
Posts: 2977
Location: Germany
|
| Posted: Sat Dec 12, 2015 1:54 pm Post subject: |
|
|
dmraid? for linux, you want regular mdadm raid. and yes, it does have a UUID, which goes into mdadm.conf like this
| Code: |
MAILADDR your@address
ARRAY /dev/md0 UUID=d8b8b4e5:e47b2e45:2093cd36:f654020d
|
you can get the uuid with mdadm --detail --scan
for other kernel/initramfs parameters you'll have to refer to the docs, I use custom initramfs myself so ... |
|
| Back to top |
|
|
Mr. M
Tux's lil' helper
Joined: 18 Sep 2004
Posts: 89
Location: USA
|
| Posted: Sat Dec 12, 2015 1:56 pm Post subject: |
|
|
| Thanks, I will give it a shot. I think I will move /boot to a USB stick as well, makes it much easier to replace disks if necessary. |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Installing Gentoo
