As already stated, LUKS and mdadm are a good combination. I too use these in all my recent systems. I create RAID volumes, then LVM, then cryptsetup:

    =========
    + mdadm +
    +   |   +
    +  LVM  +
    +   |   +
    + LUKS  +
    +   |   +
    + ext4  +
    =========

I can't speak to your system being on USB, but in general you can just do something like the following:

    $ mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sda /dev/sdb
    $ mdadm --create /dev/md1 --level=1 --raid-devices=2 /dev/sdc /dev/sdd
    $ mdadm --create /dev/md2 --level=1 --raid-devices=2 /dev/sde /dev/sdf

If you want to use LVM then you create the PV, VG, and LV:

    $ pvcreate /dev/md0
    $ pvcreate /dev/md1
    $ pvcreate /dev/md2
    $ vgcreate vg_data1 /dev/md0
    $ vgcreate vg_data2 /dev/md1
    $ vgcreate vg_data3 /dev/md2
    $ lvcreate vg_data1 -n lv_data1 -L <size>
    $ lvcreate vg_data2 -n lv_data2 -L <size>
    $ lvcreate vg_data3 -n lv_data3 -L <size>

Then create your LUKS partition:

    $ cryptsetup -v --verify-passphrase luksFormat /dev/mapper/vg_data1-lv_data1   # format the LV (mapper path is VG-LV)
    $ cryptsetup -v --verify-passphrase luksFormat /dev/mapper/vg_data2-lv_data2
    $ cryptsetup -v --verify-passphrase luksFormat /dev/mapper/vg_data3-lv_data3
    $ cryptsetup luksOpen /dev/mapper/vg_data1-lv_data1 vg_data1-lv_data1_crypt   # map it under the name mkfs uses below
    $ cryptsetup luksOpen /dev/mapper/vg_data2-lv_data2 vg_data2-lv_data2_crypt
    $ cryptsetup luksOpen /dev/mapper/vg_data3-lv_data3 vg_data3-lv_data3_crypt

Then create your filesystem and mount them:

    $ mkfs.ext4 /dev/mapper/vg_data1-lv_data1_crypt
    $ mkfs.ext4 /dev/mapper/vg_data2-lv_data2_crypt
    $ mkfs.ext4 /dev/mapper/vg_data3-lv_data3_crypt
    $ mount -t ext4 /dev/mapper/vg_data1-lv_data1_crypt /mnt/data1
    $ mount -t ext4 /dev/mapper/vg_data2-lv_data2_crypt /mnt/data2
    $ mount -t ext4 /dev/mapper/vg_data3-lv_data3_crypt /mnt/data3

One of my systems looks like this.
On this particular system I only encrypt home and swap:

    jschaeffer@zipmaster07 ~ $ lsblk
    NAME                                  MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
    sda                                       8:0  0 111.8G  0 disk
    ├─sda1                                    8:1  0   100M  0 part  /boot/efi
    ├─sda2                                    8:2  0   250M  0 part
    │ └─md0                                   9:0  0   250M  0 raid1 /boot
    └─sda3                                    8:3  0 111.5G  0 part
      └─md1                                   9:1  0 111.4G  0 raid1
        ├─vg_sys1-lv_var1 (dm-1)            252:1  0    55G  0 lvm   /var
        ├─vg_sys1-lv_tmp1 (dm-2)            252:2  0     4G  0 lvm   /tmp
        ├─vg_sys1-lv_swap1 (dm-3)           252:3  0     6G  0 lvm
        │ └─vg_sys1-lv_swap1_crypt (dm-5)   252:5  0     6G  0 crypt [SWAP]
        └─vg_sys1-lv_root1 (dm-4)           252:4  0  46.4G  0 lvm   /
    sdb                                      8:16  0 111.8G  0 disk
    ├─sdb1                                   8:17  0   100M  0 part
    ├─sdb2                                   8:18  0   250M  0 part
    │ └─md0                                   9:0  0   250M  0 raid1 /boot
    └─sdb3                                   8:19  0 111.5G  0 part
      └─md1                                   9:1  0 111.4G  0 raid1
        ├─vg_sys1-lv_var1 (dm-1)            252:1  0    55G  0 lvm   /var
        ├─vg_sys1-lv_tmp1 (dm-2)            252:2  0     4G  0 lvm   /tmp
        ├─vg_sys1-lv_swap1 (dm-3)           252:3  0     6G  0 lvm
        │ └─vg_sys1-lv_swap1_crypt (dm-5)   252:5  0     6G  0 crypt [SWAP]
        └─vg_sys1-lv_root1 (dm-4)           252:4  0  46.4G  0 lvm   /
    sdc                                      8:32  0 931.5G  0 disk
    ├─sdc1                                   8:33  0   100M  0 part
    └─sdc2                                   8:34  0 931.4G  0 part
      └─vg_home1-lv_home1 (dm-0)            252:0  0   850G  0 lvm
        └─vg_home1-lv_home1_crypt (dm-6)    252:6  0   850G  0 crypt /home
    sr0                                      11:0  1   3.8G  0 rom

Thanks,
Joshua Schaeffer

On Wed, Apr 19, 2017 at 3:11 AM, tv.deb...@googlemail.com <tv.deb...@googlemail.com> wrote:

> On 19/04/2017 05:06, commentsab...@riseup.net wrote:
>
>> Hello,
>>
>> Is there an easy way to attach several pairs of RAID1 disks (with full
>> disk encryption) to a Debian Jessie system?
>>
>> Here is a picture of what I'm trying to achieve: http://imgur.com/vF7IqX2
>>
>> I am building a home backup system, I have different types of data to
>> backup (work, family, random stuff - hence the three pairs in the
>> picture). The system (Debian Jessie) will be on a USB key.
>>
>> It's a backup system on a budget that I'd like to have up and running
>> within a couple of weeks, I know that ZFS (with FreeNAS for instance)
>> can achieve similar goals but it's out of budget; I also know that work
>> is being done on BTRFS about encryption but it's not ready for prime
>> time yet.
>>
>> Always state the obvious so:
>>
>> - the idea behind having the SYSTEM on an independent USB drive is to
>> have one independent piece to handle the boot and system operations
>> (that I can easily - and cheaply - mirror to have drop in replacement in
>> case of failure) and "DATA" drives are just "dumb" encrypted drives that
>> could be unplugged from the setup and mounted anywhere else;
>>
>> - the idea behind the RAID1 is to create redundancy, hence in case one
>> drive fails, be able to plug a new one in, would it be possible with
>> full disk encryption?
>>
>> - this backup system will only be turned on when needed, I don't plan on
>> using it as some sort of server or a NAS.
>>
>> Am I re-inventing the wheel here, is there a better, simpler solution to
>> achieve both redundancy and encryption?
>>
>> Thank you in advance for your help,
>>
>> CA
>>
>
> Hi, RAID1 and luks work well together, I have been using it for years.
>
> I use luks on top of raid1, mdadm raid1 volumes get mounted first at boot,
> then cryptsetup opens the luks containers. This way re-syncing or replacing
> a failed disk never caused me trouble.
>
> Performance-wise it's not the best solution, there is an overhead with
> both raid1 (heavy writing can load up the system) and luks. With luks
> encryption it depends on the cpu having acceleration for the cypher you
> choose. Mine doesn't, but the overhead never disturbed normal operations so
> I don't consider it a problem.
>
> System on usb flash disks always caused me troubles, I use it only if the
> system can be loaded in ram at boot time and the drive isn't used for write
> operation.
> A low-end small SSD would be a far better option in my opinion.
>
> On my system all RAID1 are started at boot, then the luks volumes are
> either opened at boot time, later when a user logs in via pam-mount, or
> on-demand with scripts.
> My BackupPC server runs with RAID1 + luks volumes too, no problems for the
> past six years.
> I use ext4 as my file-system. ext4 has built-in encryption capabilities
> now, but I can't comment on it since I have no first hand experience.
>
> Good luck.
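
An added example, not part of the original thread: a Python check that walks `lsblk --json -o NAME,TYPE,MOUNTPOINT` output and reports which mount points do not sit on a dm-crypt layer, as in the layout above where only home and swap are encrypted. The JSON is a constructed sample trimmed from that listing, the function names are hypothetical, and it assumes a util-linux release whose lsblk supports `--json`.

```python
import json

# Constructed sample in `lsblk --json -o NAME,TYPE,MOUNTPOINT` form, trimmed
# from the listing in the message above (assumes util-linux with --json).
SAMPLE = json.loads("""
{"blockdevices": [
 {"name":"sda","type":"disk","mountpoint":null,"children":[
  {"name":"sda1","type":"part","mountpoint":"/boot/efi"},
  {"name":"sda2","type":"part","mountpoint":null,"children":[
   {"name":"md0","type":"raid1","mountpoint":"/boot"}]},
  {"name":"sda3","type":"part","mountpoint":null,"children":[
   {"name":"md1","type":"raid1","mountpoint":null,"children":[
    {"name":"vg_sys1-lv_swap1","type":"lvm","mountpoint":null,"children":[
     {"name":"vg_sys1-lv_swap1_crypt","type":"crypt","mountpoint":"[SWAP]"}]},
    {"name":"vg_sys1-lv_root1","type":"lvm","mountpoint":"/"}]}]}]},
 {"name":"sdb","type":"disk","mountpoint":null,"children":[
  {"name":"sdb2","type":"part","mountpoint":null,"children":[
   {"name":"md0","type":"raid1","mountpoint":"/boot"}]}]},
 {"name":"sdc","type":"disk","mountpoint":null,"children":[
  {"name":"sdc2","type":"part","mountpoint":null,"children":[
   {"name":"vg_home1-lv_home1","type":"lvm","mountpoint":null,"children":[
    {"name":"vg_home1-lv_home1_crypt","type":"crypt","mountpoint":"/home"}]}]}]}
]}
""")


def encryption_coverage(tree):
    """Map each mount point to True only if every path to it crosses a crypt layer."""
    coverage = {}

    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        mount = node.get("mountpoint")
        if mount:
            # RAID1 members list the same md device twice; AND the results.
            coverage[mount] = coverage.get(mount, True) and under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for disk in tree["blockdevices"]:
        walk(disk, False)
    return coverage


def unencrypted_mounts(tree):
    """Mount points whose data reaches disk without passing through dm-crypt."""
    return sorted(m for m, ok in encryption_coverage(tree).items() if not ok)

print(unencrypted_mounts(SAMPLE))
```

On a live system, feed it `json.loads()` of the real lsblk output instead of `SAMPLE`.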