sdX = sda, sdb, sdg, sdp, ... (mix them up and all together we cry: FATAL ERROR, PLEASE CHECK YOUR BRAIN!)
sdXy - y is the partition you want to encrypt
fdisk /dev/sdX # partition the disc
dd if=/dev/urandom of=/dev/sdXy # write random data on the partition
cryptsetup -c aes-xts-plain64 -s 512 -y luksFormat /dev/sdXy # create the crypto container
cryptsetup luksOpen /dev/sdXy cryptname # open the container
mkfs.ext4 -j -m 1 -O dir_index,filetype -L binaryblob /dev/mapper/cryptname # format
mount /dev/mapper/cryptname /mnt/crypt # mount the opened container
Howto: create a RAID array with LUKS encryption, mdadm RAID tools and LVM2
tested on debian squeeze
Replace sdX and sdY with the hdd devices of your choice - choose carefully!
run badblocks check or dd to overwrite all data with random bit patterns
badblocks -c 10240 -s -w -t random -v /dev/sdX
badblocks -c 10240 -s -w -t random -v /dev/sdY
“Warning: Do not use badblocks here. It only generates a random pattern which just repeats its randomness over and over again.” oops
slower and more secure:
dd if=/dev/urandom of=/dev/sdX
dd if=/dev/urandom of=/dev/sdY
wait some hours or days..
Ubuntu suggests randomizing only the start of the partition:
dd if=/dev/urandom bs=1M count=8 of=/dev/sdX
Best practice: encrypt /dev/zero with AES-CTR under a random throwaway key - this is much faster than /dev/urandom and should be secure:
openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero > /dev/sdXy
Create partitions on two devices
fdisk /dev/sdX
..
fdisk /dev/sdY
Partition table limit! → GPT
You cannot create a Linux partition larger than 2 TB using the fdisk command. A GPT partition table is required; it can be created with
parted
http://www.cyberciti.biz/tips/fdisk-unable-to-create-partition-greater-2tb.html
Check if the kernel supports EFI
grep EFI /boot/config-2.6.26-2-686
Replace the version string with that of the running kernel (see uname -a).
Create GPT partition table:
mklabel gpt
mkpart non-fs 0 2
mkpart ext3 2 130
mkpart ... raid system...
The first partition is a fake MBR, the second is the /boot partition.
gptsync /dev/sdX # gptsync sets up the MBR to point to the fake partition
true?: Set the type of the second partition (/boot) to 'da' in fdisk.
After fixing the partition types with fdisk, start parted to set the mode of the first partition to bios_grub. After this, the partition table is protected and fdisk cannot read it anymore.
parted /dev/sdX
set 1 bios_grub on
quit
→ http://www.wensley.org.uk/gpt
If you are moving a root system to this disc, continue to copy the system and install the bootloader from a chroot, see: Bootloader
Create the RAID array:
mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sdX1 /dev/sdY1
This creates a RAID 1. Choose a free device number for X in /dev/mdX
The device will be created and synchronization of the blocks starts. Check the sync progress and details of the array:
cat /proc/mdstat
mdadm --detail /dev/md1
Create /etc/mdadm/mdadm.conf
cd /etc/mdadm
echo 'DEVICE /dev/hd*[0-9] /dev/sd*[0-9]' >> mdadm.conf
mdadm --detail --scan >> mdadm.conf
Comment the original DEVICE line out.
Encrypting the Block Devices
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y luksFormat /dev/mdX [/path/to/keyfile]
If you add a key file, leave out “-y”
ciphers:
Another example using twofish:
cryptsetup luksFormat --cipher twofish-xts-plain64 --key-size 512 --hash sha512 --iter-time 2000 /dev/sdXy
Unlocking the Block Devices
cryptsetup luksOpen /dev/mdX cryptname
Open with key file:
cryptsetup --key-file /path/to/keyfile luksOpen /dev/md1 cryptname
The opened volume is available as /dev/mapper/cryptname after entering the correct passphrase or if the key file is available.
Create Logical Volume with Logical Volume Manager (LVM)
Read why here: https://en.wikipedia.org/wiki/Logical_Volume_Manager_%28Linux%29#Common_uses
for example: you can combine two RAID arrays to appear as one drive or create a swap inside the crypto container:
apt-get install lvm2
pvcreate /dev/mapper/sharedstore ...
vgcreate -v cryptvg /dev/mapper/cryptname
Check results:
pvscan
vgdisplay
vgdisplay shows the number of physical extents available in a volume group, e.g.: “Total PE 476931”. Create a swap first
lvm lvcreate cryptvg -n lvswap -L 4G
To use the complete volume group cryptvg for a logical volume, we tell lvcreate the number of free extents to use with “-l” (check vgdisplay):
lvcreate -l 476931 -n lvdata cryptvg
Percentage or M / G are also possible:
lvcreate -l 60%VG -n lvdata cryptvg
lvcreate -L 50000G -n lvdata cryptvg
This maps the new logical volume to the device file /dev/cryptvg/lvdata
Format the logical volume:
mkfs.ext4 -L cryptvg /dev/cryptvg/lvXY
Optimized parameters, testing:
mkfs.ext4 -j -m 1 -O dir_index,filetype -L tresor /dev/cryptvg/lvXY
sparse_super useful? It creates fewer backup copies of the superblock.
If you created a swap:
mkswap /dev/cryptvg/lvswap
----
Mount the volume group:
add a line to /etc/fstab to make it persistent:
/dev/cryptvg/lvdata /crypt ext4 noatime 0 0
(ikeep is an XFS mount option; ext4 rejects it, so it is left out here.)
Create startup and shutdown scripts:
Check http://linuxgazette.net/140/pfeiffer.html for example scripts.
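A minimal start/stop script for the md -> LUKS -> LVM -> ext4 stack built above (an added example, not the linuxgazette scripts; the device and volume names md1, cryptname, cryptvg, lvdata, lvswap and /crypt are assumed to match the howto):

```shell
#!/bin/sh
# Open or close the encrypted stack in layer order. Run as
#   ./cryptstack.sh start   or   ./cryptstack.sh stop
# DRYRUN=1 only prints the commands, which is handy for checking the plan first.
MD_DEV=${MD_DEV:-/dev/md1}          # assumed: the RAID array holding the LUKS container
CRYPT_NAME=${CRYPT_NAME:-cryptname}
VG=${VG:-cryptvg}
LV=${LV:-lvdata}
MNT=${MNT:-/crypt}
KEYFILE=${KEYFILE:-}                # empty: cryptsetup asks for the passphrase
DRYRUN=${DRYRUN:-0}

run() {
    if [ "$DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Bring the stack up: LUKS first, then the volume group, then swap and the filesystem.
open_stack() {
    if [ -n "$KEYFILE" ]; then
        run cryptsetup --key-file "$KEYFILE" luksOpen "$MD_DEV" "$CRYPT_NAME"
    else
        run cryptsetup luksOpen "$MD_DEV" "$CRYPT_NAME"
    fi || return 1
    run vgchange -ay "$VG" || return 1
    run swapon "/dev/$VG/lvswap"
    run mount "/dev/$VG/$LV" "$MNT"
}

# Tear it down in reverse order. A layer that is still busy makes the next step
# fail, so stop at the first error instead of leaving a half-closed stack.
close_stack() {
    run umount "$MNT" || return 1
    run swapoff "/dev/$VG/lvswap"
    run vgchange -an "$VG" || return 1
    run cryptsetup luksClose "$CRYPT_NAME"
}

case "${1:-}" in
    start) open_stack ;;
    stop)  close_stack ;;
esac
```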
Add a disc:
increase number of hdds:
mdadm --grow /dev/md2 --raid-devices=2
add disc
mdadm /dev/md2 --add /dev/sdd1
watch it sync:
for i in {1..1000}; do cat /proc/mdstat ; echo '_____'; sleep 10 ; done;
or
watch cat /proc/mdstat
TEST
Quoting http://linuxgazette.net/140/pfeiffer.html :
“Now that your new shiny encrypted logical volume is empty, you have a once in a lifetime chance of testing the storage mechanism. Don't miss to do this! Try simulating a disk failure. Switch off the power and reboot. Do a filesystem check. Create thousands of files and delete them. Copy loads of big ISO images. Do whatever could happen to your storage and see if your data is still there.”
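One way to make the test above repeatable: fill the new volume with many random files, record a checksum manifest, then verify it again after the simulated failure or reboot (an added example, not from the page or the quoted article; the mount point /crypt and the file count are assumed):

```shell
#!/bin/sh
# Usage: ./stresstest.sh fill | verify | clean  (MNT and COUNT may be overridden)
MNT=${MNT:-/crypt}      # assumed mount point of the encrypted logical volume
COUNT=${COUNT:-2000}

# Create COUNT files of 1..64 KiB from /dev/urandom below DIR and write a manifest,
# so both small files and multi-block files are exercised.
fill_volume() {
    dir=$1; n=$2
    mkdir -p "$dir/stress" || return 1
    i=0
    while [ "$i" -lt "$n" ]; do
        dd if=/dev/urandom of="$dir/stress/f$i" bs=1024 count=$(( (i % 64) + 1 )) 2>/dev/null || return 1
        i=$((i + 1))
    done
    sync
    (cd "$dir" && find stress -type f | sort | xargs sha256sum) > "$dir/SHA256SUMS"
}

# Re-read every file and compare it with the manifest; non-zero on any mismatch.
verify_volume() {
    dir=$1
    (cd "$dir" && sha256sum -c --quiet SHA256SUMS)
}

# Remove the test data once the volume has passed.
cleanup_volume() {
    dir=$1
    rm -rf "$dir/stress" "$dir/SHA256SUMS"
}

case "${1:-}" in
    fill)   fill_volume "$MNT" "$COUNT" ;;
    verify) verify_volume "$MNT" ;;
    clean)  cleanup_volume "$MNT" ;;
esac
```

Run `fill` before pulling the plug or a disk, `verify` after the array has resynced and the stack is mounted again.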
References:
The only difference is to use a loop-mounted file instead of a partition:
create a file full of random data, setup loop device, luksFormat & format
dd if=/dev/urandom of=/cryptfile bs=1M count=3900 # count = size in MB
losetup /dev/loop32 /cryptfile
cryptsetup luksFormat /dev/loop32
cryptsetup luksOpen /dev/loop32 cryptfs
mkfs.ext4 -L homecrypt /dev/mapper/cryptfs
Create a crypto partition as described above, then format the opened crypto container filesystem:
mkfs.btrfs /dev/mapper/<cryptname>
# recommended options for rotational discs (for SSDs add the 'ssd' option):
mount -o noatime,compress=lzo,noauto,autodefrag /dev/mapper/<cryptname> /<mountpoint>
/dev/sdaX / btrfs x-systemd.device-timeout=0,noatime,compress=lzo,commit=0,ssd_spread,autodefrag 0 0