linux:filesystems:crypto_raid (DokuWiki page by tkilla; current revision 2016/06/20 22:22, previous revision 2012/01/25 01:30; shown here as the current text)

====== Crypto ======

===== Abstract =====

Notation: sdX is a whole disk (sda, sdb, sdg, sdp, ...); sdXy is the partition y on it that you want to encrypt. Double-check the device name before every step below: each of these commands destroys whatever is on its target, and a wrong letter means wiping the wrong disk.

  fdisk /dev/sdX                                                                # partition the disk
  dd if=/dev/urandom of=/dev/sdXy                                               # overwrite the partition with random data (hides how much of the container is in use)
  cryptsetup -c aes-xts-plain64 -s 512 -y luksFormat /dev/sdXy                  # create the LUKS container (-y asks for the passphrase twice)
  cryptsetup luksOpen /dev/sdXy cryptname                                       # open the container as /dev/mapper/cryptname
  mkfs.ext4 -j -m 1 -O dir_index,filetype -L binaryblob /dev/mapper/cryptname   # create the filesystem inside it
  mount /dev/mapper/cryptname /mnt/crypt                                        # mount the opened container



===== RAID =====

**How to create a RAID array with LUKS encryption, the mdadm RAID tools and LVM2**

Fast, but see the warning below:

  badblocks -c 10240 -s -w -t random -v /dev/sdY

"Warning: **Do not use badblocks here**. It only generates a random pattern which just repeats its randomness over and over again." Oops.

Slower and more secure:

  dd if=/dev/urandom of=/dev/sdX
Wait some hours or days.

Ubuntu suggests randomizing only the start of the device. Note what this does and does not do: it destroys old filesystem and LUKS headers in the first 8 MiB, but it does not hide how much of the container is later used, because the rest of the device stays zeroed:

  dd if=/dev/urandom bs=1M count=8 of=/dev/sdX

Best practice: generate the random data with AES instead. Encrypting /dev/zero in CTR mode under a throwaway random key produces output that is indistinguishable from random, and it is much faster than /dev/urandom was on older kernels:

  openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero > /dev/sdXy

The command ends with "No space left on device" once the partition is full; that is the expected end, not an error to chase. Newer OpenSSL versions also print a warning about the deprecated key derivation; it is irrelevant here because the key is thrown away.
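
As an added example (not part of the wiki page), the shell functions below wrap the AES-CTR fill from above so it can be pointed at any target, and then check the claim behind the badblocks warning: a CTR keystream never repeats its first blocks, whereas a "random" pattern that is replayed does. The function names and the file-backed stand-ins for a partition are this example's own choices; on a real disk the target is the partition and no size is given.

```shell
#!/bin/sh
# Added example, not from the wiki page: the AES-CTR fill from above as a
# function, plus the check behind the badblocks warning. Function names and
# the file-backed "partitions" are this example's own choices.

# fill_aes_ctr TARGET NBYTES
# Writes exactly NBYTES of AES-256-CTR keystream under a throwaway key.
# On a real partition there is no size to give: let the device run full,
#   openssl enc -aes-256-ctr -K "$key" -iv "$iv" </dev/zero >/dev/sdXy
# and ignore the final "No space left on device".
fill_aes_ctr() {
    target=$1
    nbytes=$2
    key=$(openssl rand -hex 32)    # 256-bit key, never written anywhere
    iv=$(openssl rand -hex 16)     # CTR start value
    # Limiting the zero stream on the input side lets openssl exit cleanly
    # (no SIGPIPE); CTR has no padding, so output size == input size.
    head -c "$nbytes" /dev/zero |
        openssl enc -aes-256-ctr -K "$key" -iv "$iv" > "$target"
}

# first_blocks_repeat TARGET BLOCKSIZE
# True (0) if the first two BLOCKSIZE-byte blocks of TARGET are identical,
# i.e. a pattern is being replayed the way badblocks -t random does.
first_blocks_repeat() {
    target=$1
    bs=$2
    tmp=$(mktemp -d)
    dd if="$target" of="$tmp/b0" bs="$bs" count=1 skip=0 2>/dev/null
    dd if="$target" of="$tmp/b1" bs="$bs" count=1 skip=1 2>/dev/null
    if cmp -s "$tmp/b0" "$tmp/b1"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return "$rc"
}

# is_all_zero TARGET
# True (0) if TARGET contains nothing but zero bytes, i.e. nothing was written.
is_all_zero() {
    [ -z "$(tr -d '\000' < "$1" | head -c 1)" ]
}

# demo: 4 MiB CTR fill versus a 1 MiB random block replayed four times
demo() {
    work=$(mktemp -d)
    fill_aes_ctr "$work/ctr.img" $((4 * 1048576))
    head -c 1048576 /dev/urandom > "$work/pattern"
    cat "$work/pattern" "$work/pattern" "$work/pattern" "$work/pattern" > "$work/rep.img"
    for img in ctr.img rep.img; do
        if first_blocks_repeat "$work/$img" 1048576; then
            echo "$img: first two MiB identical, pattern replay"
        else
            echo "$img: first two MiB differ"
        fi
    done
    rm -rf "$work"
}
demo
```

The demo reports ctr.img as differing and rep.img as identical; on a freshly filled partition, first_blocks_repeat /dev/sdXy 1048576 is the same check against the real device.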
  
----

  fdisk /dev/sdY

**Partition table limit! -> GPT**

You cannot create a Linux partition larger than 2 TB with the old, MBR-only fdisk, because an MBR stores partition start and size as 32-bit sector counts. A GPT partition table is required; it can be created with

  parted

http://www.cyberciti.biz/tips/fdisk-unable-to-create-partition-greater-2tb.html

Check that the running kernel supports GPT (the option is CONFIG_EFI_PARTITION; uname -r fills in the version of the running kernel):

  grep EFI /boot/config-$(uname -r)

Create the GPT partition table inside parted (units are MB unless you say otherwise):
  mklabel gpt
  mkpart non-fs 0 2
  mkpart ext3 2 130
  mkpart ... raid system...

The first, tiny partition is the BIOS boot partition into which GRUB embeds its core image; the second is the /boot partition. The "fake MBR" that lets MBR-only tools recognise the disk is the protective MBR in sector 0 with a single partition of type 0xEE; parted writes it by itself, it is not one of the partitions in the table.

  gptsync /dev/sdX # writes a hybrid MBR whose entries mirror the first GPT partitions

gptsync is only needed if something that understands nothing but MBR must read the real partitions.

FIXME true?: Set the type of the 2nd partition (/boot) to 'da' in fdisk

After fixing the partition types with fdisk, start parted and flag the 1st partition as bios_grub. After this, an MBR-only fdisk only sees the protective MBR and cannot read the table any more (a GPT-aware fdisk, util-linux 2.23 and later, still can):

  parted /dev/sdX
  set 1 bios_grub on
  quit

-> http://www.wensley.org.uk/gpt

If you are moving a root system to this disk, continue by copying the system and installing the bootloader from a chroot, see: [[linux:filesystems:boot|]]
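
The following is an added example and not part of the wiki page: it gives the interactive parted session above as one non-interactive command, and adds a check a practitioner wants before and after such a change, namely whether a disk really carries a GPT behind a protective MBR (the "fake MBR" an MBR-only fdisk sees). The function names, the partition names and the constructed image file are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the wiki page. Gives the parted session above as
# one non-interactive command and adds a check that a disk really carries a
# GPT behind a protective MBR. Function names, partition names and the image
# file are this example's own choices.

# gpt_layout DEVICE   (root only; destroys the partition table on DEVICE)
# 1: 2 MiB BIOS boot partition for GRUB's core image (flag bios_grub)
# 2: 128 MiB /boot
# 3: the rest, flagged as a Linux RAID member
gpt_layout() {
    dev=$1
    parted -s "$dev" -- \
        mklabel gpt \
        mkpart grub 1MiB 3MiB \
        set 1 bios_grub on \
        mkpart boot ext4 3MiB 131MiB \
        mkpart raid 131MiB -1MiB \
        set 3 raid on
}

# is_gpt_disk DEVICE_OR_IMAGE
# True (0) when sector 0 is a (protective or hybrid) MBR containing an entry
# of type 0xEE plus the 55 AA boot signature, and sector 1 begins with the
# GPT header signature "EFI PART". The 0xEE entry is the "fake" partition an
# MBR-only fdisk shows; it is what keeps old tools from overwriting the GPT.
is_gpt_disk() {
    disk=$1
    has_ee=1
    for off in 450 466 482 498; do      # partition-type byte of entries 1-4
        t=$(dd if="$disk" bs=1 skip="$off" count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
        if [ "$t" = "ee" ]; then has_ee=0; fi
    done
    sig=$(dd if="$disk" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    hdr=$(dd if="$disk" bs=1 skip=512 count=8 2>/dev/null | tr -d '\000')
    [ "$has_ee" -eq 0 ] && [ "$sig" = "55aa" ] && [ "$hdr" = "EFI PART" ]
}

# make_gpt_image PATH
# Constructed 1 MiB image with only the bytes is_gpt_disk looks at (no
# partition entries, no CRCs); enough to exercise the check without a disk.
make_gpt_image() {
    img=$1
    dd if=/dev/zero of="$img" bs=512 count=2048 2>/dev/null
    printf '\356'     | dd of="$img" bs=1 seek=450 conv=notrunc 2>/dev/null  # type 0xEE
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null  # 55 AA
    printf 'EFI PART' | dd of="$img" bs=1 seek=512 conv=notrunc 2>/dev/null
}

# Usage on a real disk (as root):
#   if is_gpt_disk /dev/sdX; then echo "GPT present"; else gpt_layout /dev/sdX; fi
```

The check reads only sectors 0 and 1, so it is safe to run on a mounted disk; it does not validate the GPT header CRCs, which is what a GPT-aware fdisk or gdisk does in addition.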
----
\\

  cat /proc/mdstat
  mdadm --detail /dev/md1


**Create /etc/mdadm/mdadm.conf**

  cd /etc/mdadm
  echo 'DEVICE /dev/hd*[0-9] /dev/sd*[0-9]' >> mdadm.conf
  mdadm --detail --scan >> mdadm.conf

Comment the original DEVICE line out. Run the scan only once: every run appends another ARRAY line, so check the file afterwards. On Debian/Ubuntu run update-initramfs -u as well, so that the initramfs assembles the array with the new configuration.
----

**Encrypting the Block Devices**

  cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y luksFormat /dev/mdX [/path/to/keyfile]

If you add a key file, leave out "-y" (it only makes sense for an interactively typed passphrase).

**ciphers:**
  * aes-cbc-essiv:sha256 (the old cryptsetup default) is no longer recommended: CBC without integrity protection is malleable, and an attacker who can write to the ciphertext can flip plaintext bits in a controlled way; the linked article describes a practical attack: http://www.heise.de/security/artikel/Erfolgreicher-Angriff-auf-Linux-Verschluesselung-2072199.html
  * aes-xts-plain64 with --key-size ( = -s) 512 <bits> (XTS splits this into two 256-bit keys) and sha512 as the hash is a good choice. Use plain64, not plain: plain takes a 32-bit sector number as IV, so IVs repeat beyond 2 TiB, which matters on a large RAID array.
  * "twofish" and "serpent" are trusted as well and "whirlpool" can be used as the hash
  * --hash only selects the hash of the PBKDF that turns the passphrase into the key-slot key; it does not affect the data encryption. --iter-time (in ms) sets how long that derivation takes, which is what slows down a brute-force attack on the passphrase.

Another example using twofish:
  cryptsetup luksFormat --cipher twofish-xts-plain64 --key-size 512 --hash sha512 --iter-time 2000 /dev/sdXy

----

  cryptsetup luksOpen /dev/mdX cryptname

Open with a key file:

  cryptsetup --key-file /path/to/keyfile luksOpen /dev/md1 cryptname

The opened volume is available as /dev/mapper/cryptname after entering the correct passphrase, or immediately if the key file is readable. Keep the key file mode 0400, owned by root, outside the volume it unlocks, and out of any backup that is not itself encrypted.
----

**Create Logical Volume with Logical Volume Manager (LVM)**

..read why here: [[https://en.wikipedia.org/wiki/Logical_Volume_Manager_%28Linux%29#Common_uses]]

For example, you can combine two RAID arrays to appear as one drive, or create a swap volume inside the crypto container (so that swap is encrypted too):

  apt-get install lvm2
  
  pvcreate /dev/mapper/sharedstore 
  ...
  vgdisplay

vgdisplay shows the number of physical extents available in a volume group, e.g.: "Total PE  476931"

Create the swap volume first (-L takes a size such as 4G, -l takes a number of extents or a percentage):
  lvcreate -n lvswap -L 4G cryptvg

To use the rest of the volume group cryptvg for a logical volume, we tell lvcreate the number of free extents to use with "-l" (check "Free PE" in vgdisplay; after creating the swap volume it is smaller than the total):

  lvcreate -l 476931 -n lvdata cryptvg

A percentage of the volume group, or a size in M / G with -L, is also possible:
  lvcreate -l 60%VG -n lvdata cryptvg
  lvcreate -L 50000G -n lvdata cryptvg

This maps the new logical volume to the device file /dev/cryptvg/lvdata
----

**Format the logical volumes:**

  mkfs.ext4 -L cryptvg /dev/cryptvg/lvXY

Optimized parameters, testing:
  mkfs.ext4 -j -m 1 -O dir_index,filetype -L tresor /dev/cryptvg/lvXY

(-j, dir_index and filetype are already ext4 defaults; -m 1 lowers the share reserved for root from 5% to 1%, which is worth it on a multi-TB data volume.) sparse_super: useful? It creates fewer backup copies of the superblock; it is also a default.

If you created a swap volume:
  mkswap /dev/cryptvg/lvswap
  
----
\\

**Mount the volume:**

Add a line to /etc/fstab to make it persistent:

  /dev/cryptvg/lvdata /crypt ext4 noatime 0 0

(ikeep, which the earlier xfs entry used, is an XFS-only option; ext4 rejects it and the mount fails.) fstab only covers the filesystem: the LUKS device must be opened before the volume group can be activated, which on current Debian/Ubuntu is done by an entry in /etc/crypttab, or by the scripts below.

----
\\

**Create startup and shutdown scripts:**

Check http://linuxgazette.net/140/pfeiffer.html for example scripts.

----
\\

**Add a disc:**

Increase the number of devices in the array:
  mdadm --grow /dev/md2 --raid-devices=2

Add the disc (the partition must be at least as large as the existing members, and should be randomized first as described above):
  mdadm /dev/md2 --add /dev/sdd1

Watch it sync:
  for i in {1..1000}; do cat /proc/mdstat ; echo '_____'; sleep 10 ; done;
or
  watch cat /proc/mdstat

----
\\

**TEST**

Quoting http://linuxgazette.net/140/pfeiffer.html :

"Now that your new shiny encrypted logical volume is empty, you have a once in a lifetime chance of testing the storage mechanism. Don't miss to do this! Try simulating a disk failure. Switch off the power and reboot. Do a filesystem check. Create thousands of files and delete them. Copy loads of big ISO images. Do whatever could happen to your storage and see if your data is still there."

----
\\

**References:**
  * http://linuxgazette.net/140/pfeiffer.html
  * http://www.saout.de/tikiwiki/tiki-index.php
  * https://thesimplecomputer.info/full-disk-encryption-with-ubuntu



===== CryptFile =====

The only difference is to use a loop-mounted file instead of a partition:

Create a file full of random data, set up the loop device, luksFormat and format:

  dd if=/dev/urandom of=/cryptfile bs=1M count=3900    # size in MB
  losetup /dev/loop32 /cryptfile
  cryptsetup luksFormat /dev/loop32
  cryptsetup luksOpen /dev/loop32 cryptfs
  mkfs.ext4 -L homecrypt /dev/mapper/cryptfs

/dev/loop32 must not be in use already ("losetup -f" prints the first free loop device). Filling the file from /dev/urandom is also what hides its usage: a sparse file made with truncate or fallocate instead would reveal from the outside which blocks the filesystem has written to.

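The functions below are an added example, not code from the wiki page: they carry out the CryptFile procedure above with the key-file option from the RAID section (a key file instead of a typed passphrase), pick the loop device dynamically, and dump the LUKS header so you can confirm the cipher before putting data in the container. All names (the container path, the key file, the mapping name cryptfs, the mount point) are this example's own choices; everything except make_keyfile needs root and cryptsetup.

```shell
#!/bin/sh
# Added example, not from the wiki page: the CryptFile procedure as functions,
# with a key file, a dynamically allocated loop device and a header check.
# Paths, mapping name and mount point are this example's own choices.
# Everything except make_keyfile needs root and cryptsetup; e.g. as root:
#   make_keyfile /root/cryptfile.key
#   create_cryptfile /cryptfile 3900 /root/cryptfile.key
#   open_cryptfile /cryptfile /root/cryptfile.key cryptfs /mnt/crypt
#   close_cryptfile cryptfs /mnt/crypt

# make_keyfile PATH
# 4096 random bytes, created under a restrictive umask so the file is never
# readable by others, not even for an instant, and finally read-only for root.
make_keyfile() {
    key=$1
    ( umask 077 && head -c 4096 /dev/urandom > "$key" )
    chmod 0400 "$key"
    [ "$(wc -c < "$key")" -eq 4096 ]
}

# create_cryptfile FILE SIZE_MB KEYFILE
# Random-filled (not sparse) container file, LUKS header with the cipher
# settings from the RAID section, the key file as the only key slot.
create_cryptfile() {
    file=$1; size_mb=$2; key=$3
    dd if=/dev/urandom of="$file" bs=1M count="$size_mb"
    chmod 0600 "$file"
    loop=$(losetup -f --show "$file")      # first free loop device, not a hardcoded /dev/loop32
    cryptsetup --batch-mode \
        --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 2000 \
        --key-file "$key" luksFormat "$loop"
    cryptsetup isLuks "$loop"              # fails loudly if the header is not there
    cryptsetup luksDump "$loop"            # confirm cipher, key size and key slots by eye
    losetup -d "$loop"
}

# open_cryptfile FILE KEYFILE NAME MOUNTPOINT
# Opens the container as /dev/mapper/NAME; creates the filesystem on first use.
open_cryptfile() {
    file=$1; key=$2; name=$3; mnt=$4
    loop=$(losetup -f --show "$file")
    cryptsetup --key-file "$key" luksOpen "$loop" "$name"
    if ! blkid -o value -s TYPE "/dev/mapper/$name" >/dev/null 2>&1; then
        mkfs.ext4 -m 1 -L homecrypt "/dev/mapper/$name"
    fi
    mount -o noatime "/dev/mapper/$name" "$mnt"
}

# close_cryptfile NAME MOUNTPOINT
# Unmount, close the mapping, release the loop device it was built on.
close_cryptfile() {
    name=$1; mnt=$2
    loop=$(cryptsetup status "$name" | awk '/device:/ {print $2}')
    umount "$mnt"
    cryptsetup luksClose "$name"
    losetup -d "$loop"
}
```

--batch-mode replaces the interactive "Are you sure?" of luksFormat, so the function must never be pointed at the wrong file; the luksDump output is the place to verify that the header says aes-xts-plain64 with a 512-bit key before anything is stored.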
===== btrfs on top of luks =====

Create a crypto partition as described above, then create the filesystem on the opened crypto container:

  mkfs.btrfs /dev/mapper/<cryptname>
  
  # recommended options for rotational discs (for SSDs add the 'ssd' option):
  mount -o noatime,compress=lzo,autodefrag /dev/mapper/<cryptname> /<mountpoint>

(noauto is an fstab-only option and has no effect on the command line, so it is left out here.)

===== Recommended options for installing on a pendrive, a SD card or a slow SSD drive =====

/etc/fstab line:

  /dev/sdaX / btrfs x-systemd.device-timeout=0,noatime,compress=lzo,commit=0,ssd_spread,autodefrag 0 0

  * https://wiki.debian.org/Btrfs