linux:filesystems:crypto_raid

Differences

This shows you the differences between two versions of the page.

linux:filesystems:crypto_raid [2012/01/25 01:38]
tkilla
linux:filesystems:crypto_raid [2016/06/20 22:22] (current)
tkilla [CryptFile]
Line 1: Line 1:
-====== Crypto RAID ======+====== Crypto ====== 
 + 
 +===== Abstract ===== 
 +sdX = sda, sdb, sdg, sdp, sdomie all together we cry!!! 
 +FATAL ERROR, PLEASE CHECK YOUR BRAIN!!!! 
 +sdXy - y is the partition you want to encrypt 
 + 
 +  fdisk /dev/sdX                                                                # partition the disc 
 +  dd if=/dev/urandom of=/dev/sdXy                                               # write random data on the partition 
 +  cryptsetup -c aes-xts-plain64 -s 512 -y luksFormat /dev/sdXy                  # create cryptocontäner 
 +  cryptsetup luksOpen /dev/sdXy cryptname                                       # Open the contäner 
 +  mkfs.ext4 -j -m 1 -O dir_index,filetype -L binaryblob /dev/mapper/cryptname   # Format  
 +  mount /dev/mapper/cryptname /mnt/crypt                                        # mount the opened container 
 + 
 + 
 + 
 +===== RAID =====
  
 **howto create a RAID array with LUKS encryption, madm RAID tools and LVM2** **howto create a RAID array with LUKS encryption, madm RAID tools and LVM2**
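Review bot: the new Abstract lines `sdX = sda, sdb, sdg, sdp, sdomie all together we cry!!!` and `FATAL ERROR, PLEASE CHECK YOUR BRAIN!!!!` read as placeholders rather than a definition of the naming convention; replace them with one plain line such as `sdX = the whole disc (sda, sdb, ...), sdXy = partition y on it`. The luksFormat line here uses `-s 512` without `--hash sha512`, while the Encrypting the Block Devices section further down recommends `--key-size 512 --hash sha512`; use the same options in both places so the abstract matches the full recipe. Also fix the `cryptocontäner` / `contäner` spellings in the command comments, and the mount line assumes `/mnt/crypt` already exists.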
Line 13: Line 29:
   badblocks -c 10240 -s -w -t random -v /dev/sdY     badblocks -c 10240 -s -w -t random -v /dev/sdY  
  
-or slower and more secure:+"Warning: **Do not use badblocks here**. It only generates a random pattern which just repeats its randomness over and over again." uups 
 + 
 + 
 +slower and more secure:
  
   dd if=/dev/urandom of=/dev/sdX   dd if=/dev/urandom of=/dev/sdX
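Review bot: the added warning `"Warning: **Do not use badblocks here**. It only generates a random pattern which just repeats ..."` contradicts the `badblocks -c 10240 -s -w -t random -v /dev/sdY` command kept unchanged two lines above it, so a reader skimming the commands will still run it; either delete that command or move the warning directly in front of it. The bare quotation plus `uups` needs a source, as the later `ubuntu suggests` line gives one.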
Line 21: Line 40:
 wait some hours or days.. wait some hours or days..
  
-FIXME some howtos suggest to run this step over the partitions, not the whole device.. unknown..+ubuntu suggests to randomize only the start of the partition: 
 + 
 +  dd if=/dev/urandom bs=1M count=8 of=/dev/sdX 
 + 
 + 
 +best practice: use some random AES ciphers - this is faster and should be secure: 
 + 
 +  openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero > /dev/sdxy 
 + 
  
 ---- ----
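Review bot: `dd if=/dev/urandom bs=1M count=8 of=/dev/sdX` overwrites only the first 8 MiB of the device, which removes the old partition table and any old headers but leaves the rest of the disc distinguishable from the encrypted data written later, so it is not equivalent to the full `dd if=/dev/urandom of=/dev/sdX` above; the text should call it the quicker, weaker option. The `openssl enc` line does not use "random AES ciphers": it encrypts `/dev/zero` with AES-256-CTR under a one-off random key, which yields a random-looking keystream much faster than /dev/urandom; word the lead-in that way. It also writes to `/dev/sdxy` in lower case while every other command uses `sdX`/`sdXy`, and it ends with an `error writing output file` message once the device is full, which should be noted as expected rather than left for the reader to puzzle over.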
Line 34: Line 62:
   fdisk /dev/sdY   fdisk /dev/sdY
  
 +**Partition table limit! -> GPT**
 +
 +You cannot create a Linux partition larger than 2 TB using the fdisk command
 +An GPT partition table is required, it can be created with
 +  parted
 + 
 +http://www.cyberciti.biz/tips/fdisk-unable-to-create-partition-greater-2tb.html
 +
 +Check if the kernel supports EFI
 +
 +  cat /boot/config-2.6.26-2-686 | grep EFI
 +
 +Replace version by with current kernel (uname -a)
 +
 +Create GPT partition table:
 +  mklabel gpt
 +  mkpart non-fs 0 2
 +  mkpart ext3 2 130
 +  mkpart ... raid system...
 +  
 +The first partition is a fake MBR, the 2. is the /boot/partition
 +
 +  gptsync /dev/sdX # gptsync sets up the MBR to point to the fake partition
 +
 +FIXME true?: Set type of 2. partition /boot/ to 'da' in fdisk
 +
 +After fixing partition types with fdisk, start parted to set mode of 1. to bios_grub. After this, the partition table is protected and fdisc cannot read it anymore.
 +
 +  parted /dev/sdX
 +  set 1 bios_grub on
 +  quit
 +
 +-> http://www.wensley.org.uk/gpt
 +
 +If you are moving a root system to this disc, continue to copy the system and install bootlaoder from a chroot, see: [[linux:filesystems:boot|]]
 ---- ----
 \\ \\
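Review bot: `cat /boot/config-2.6.26-2-686 | grep EFI` hardcodes one kernel version and the following sentence `Replace version by with current kernel (uname -a)` is garbled; `grep EFI /boot/config-$(uname -r)` works for whatever kernel is running. The parted lines `mkpart non-fs 0 2` and `mkpart ext3 2 130` give no units and `mkpart ... raid system...` is a placeholder, so the GPT layout cannot be reproduced from this hunk; spell out the units (e.g. `0MiB 2MiB`) and the real third partition. `FIXME true?: Set type of 2. partition /boot/ to 'da' in fdisk` is still unresolved in the current revision; verify it or drop it, since the next paragraph depends on it (`After fixing partition types with fdisk ...`). Typos: `An GPT`, `fdisc`, `bootlaoder`.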
Line 48: Line 111:
   cat /proc/mdstat   cat /proc/mdstat
   mdadm --detail /dev/md1   mdadm --detail /dev/md1
 +
 +
 +**Create /etc/mdadm/mdadm.conf**
 +
 +  cd /etc/mdadm
 +  echo 'DEVICE /dev/hd*[0-9] /dev/sd*[0-9]' >> mdadm.conf
 +  mdadm --detail --scan >> mdadm.conf
 +
 +Comment original DEVICE line out
  
 ---- ----
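Review bot: the instruction `Comment original DEVICE line out` comes after the commands that append to mdadm.conf, and `echo 'DEVICE ...' >> mdadm.conf` plus `mdadm --detail --scan >> mdadm.conf` are not idempotent, so running the block twice leaves duplicate DEVICE and ARRAY lines; put the edit of the original DEVICE line first and tell the reader to inspect the resulting file before rebooting on it.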
Line 54: Line 126:
 **Encrypting the Block Devices** **Encrypting the Block Devices**
  
-  cryptsetup -c aes-cbc-essiv:sha256 --s 256 luksFormat /dev/mdX+  cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y luksFormat /dev/mdX [/path/to/keyfile] 
 + 
 +If you add a key file, leave out "-y" 
 + 
 +**ciphers:** 
 +  * aes-cbc-essiv:sha256 is deprecated: http://www.heise.de/security/artikel/Erfolgreicher-Angriff-auf-Linux-Verschluesselung-2072199.html 
 +  * aes-xts-plain64 with --key-size ( = -s) 512 <bits> and sha512 as hashing algo is a good choice 
 +  * "twofish" and "serpent" are trusted as well and "Whirlpool" can be used as hashing algo 
 + 
 +Another example using twofish: 
 +  cryptsetup luksFormat --cipher twofish-xts-plain64 --key-size 512 --hash sha512 --iter-time 2000 /dev/sdxy 
  
 ---- ----
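Review bot: the twofish example `cryptsetup luksFormat --cipher twofish-xts-plain64 ... /dev/sdxy` targets `/dev/sdxy` while the main command targets `/dev/mdX`; use the same device placeholder, since this section is about the RAID device. Next to `--key-size ( = -s) 512 <bits>` it is worth stating that for an XTS cipher half of the key is the tweak key, so `512` here means AES-256, otherwise readers may think 512 is the cipher strength. The `[/path/to/keyfile]` positional argument together with `If you add a key file, leave out "-y"` is correct, since `-y` only makes sense for an interactively typed passphrase.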
Line 63: Line 146:
   cryptsetup luksOpen /dev/mdX cryptname   cryptsetup luksOpen /dev/mdX cryptname
  
-the opened volume is available in /dev/mapper/cryptname after entering the correct passphrase+Open with key file: 
 + 
 +  cryptsetup --key-file /path/to/keyfile luksOpen /dev/md1 cryptname 
 + 
 +The opened volume is available in /dev/mapper/cryptname after entering the correct passphrase or if the file is available
  
 ---- ----
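Review bot: `cryptsetup --key-file /path/to/keyfile luksOpen /dev/md1 cryptname` opens `/dev/md1` while the passphrase variant just above opens `/dev/mdX`; use the same placeholder. `after entering the correct passphrase or if the file is available` should read `or if the key file is readable`, and the hunk should say where the key file lives: it must not be stored on the encrypted volume it unlocks and should be readable by root only, because anyone who can read it can open the container.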
Line 70: Line 157:
 **Create Logical Volume with Logical Volume Manager (LVM)** **Create Logical Volume with Logical Volume Manager (LVM)**
  
-..if you like. read why, here: [[https://en.wikipedia.org/wiki/Logical_Volume_Manager_%28Linux%29#Common_uses]]+..read why, here: [[https://en.wikipedia.org/wiki/Logical_Volume_Manager_%28Linux%29#Common_uses]]
  
-for example: you can combine two RAID arrays to appear as one drive:+for example: you can combine two RAID arrays to appear as one drive or create a swap inside the crypto container:
  
 +  apt-get install lvm2
 +  
   pvcreate /dev/mapper/sharedstore    pvcreate /dev/mapper/sharedstore 
   ...   ...
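Review bot: `pvcreate /dev/mapper/sharedstore` uses a container name that appears nowhere else on the page (the luksOpen step names it `cryptname`); use `/dev/mapper/cryptname` so the steps chain together. `..read why, here:` should be a plain sentence, e.g. `LVM is optional; see ... for typical uses.`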
Line 82: Line 171:
   vgdisplay   vgdisplay
  
-vgdisplay shows you the number of physical extents available in a volume group, e.g.: "Total PE  476931"To use the complete volume group cryptvg for logical volume, we tell lvcreate the number of extents to use. +vgdisplay shows the number of physical extents available in a volume group, e.g.: "Total PE  476931" 
 +Create swap first 
 +  lvm lvcreate cryptvg -n swap -L 4G
  
-  lvcreate -l 476931 -n cryptvg cryptvg+To use the complete volume group cryptvg for a logical volume, we tell lvcreate the number of free extents to use with "-l" (check vgdisplay):
  
-This maps the new logical to device file: /dev/backup/cryptvg+  lvcreate -l 476931 -n lvdata cryptvg 
 + 
 +Percentage or M / G are also possible: 
 +  lvcreate -l 60%VG -n lvdata cryptvg 
 +  lvcreate -l 50000G -n lvdata cryptvg 
 +   
 +This maps the new logical to device file: /dev/cryptvg/lvdata
  
 ---- ----
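Review bot: `lvcreate -l 50000G -n lvdata cryptvg` is wrong: `-l` takes a number of extents or a percentage, a size with a unit needs `-L`, so this should be `lvcreate -L 50000G -n lvdata cryptvg`. The swap is created first with `lvm lvcreate cryptvg -n swap -L 4G`, but the next command still passes the full `-l 476931` extent count from vgdisplay, which no longer fits once the swap has taken some extents; use `-l 100%FREE` for the data volume, or re-run vgdisplay and use its `Free PE` value. The swap LV is named `swap` here, but the format section below refers to `/dev/cryptvg/lvswap`; pick one name.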
Line 93: Line 190:
 **Format the volume group:** **Format the volume group:**
  
-  mkfs.ext4 -L cryptvg /dev/cryptvg/cryptvg+  mkfs.ext4 -L cryptvg /dev/cryptvg/lvXY
  
 +Optimized parameters, testing:
 +  mkfs.ext4 -j -m 1 -O dir_index,filetype -L tresor /dev/cryptvg/lvXY
 +
 +sparse_super  useful? creates fewer backups of superblock
 +
 +If you created a swap:
 +  mkswap /dev/cryptvg/lvswap
 +  
 ---- ----
 \\ \\
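Review bot: `mkswap /dev/cryptvg/lvswap` does not match the LV created as `swap` in the previous hunk (`/dev/cryptvg/swap`), and `mkfs.ext4 -L cryptvg /dev/cryptvg/lvXY` uses yet another placeholder where the text above mapped the volume to `/dev/cryptvg/lvdata`; use the same names throughout. `sparse_super  useful? creates fewer backups of superblock` is an open question left in the page; resolve it or drop the line. The heading `Format the volume group:` is imprecise, the command formats a logical volume.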
Line 102: Line 207:
 add a line to /etc/fstab to make it persistent: add a line to /etc/fstab to make it persistent:
  
-  /dev/backup/cryptvg /crypt xfs ikeep,noatime 0 0 +  /dev/cryptvg/lvdata /crypt ext4 ikeep,noatime 0 0 
-  +
 ---- ----
 \\ \\
 +
 +**Create startup and shutdown scripts:**
 +
 +Check http://linuxgazette.net/140/pfeiffer.html for a example scripts..
 +
 +
 +----
 +\\
 +
 +**Add a disc:**
 +
 +increase number of hdds:
 +  mdadm --grow /dev/md2 --raid-devices=2 
 +
 +add disc
 +  mdadm /dev/md2 --add /dev/sdd1
 +
 +watch it sync:
 +  for i in {1..1000}; do cat /proc/mdstat ; echo '_____'; sleep 10 ; done;
 +or
 +  watch cat /proc/mdstat
 +
 +----
 +\\
 +
 **TEST** **TEST**
  
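Review bot: the fstab line `/dev/cryptvg/lvdata /crypt ext4 ikeep,noatime 0 0` carries `ikeep` over from the removed xfs line; `ikeep` is an XFS-only mount option and ext4 will refuse to mount with it, so drop it. The line also needs `noauto` (or a matching crypttab entry handled by the startup scripts referenced at linuxgazette), because the logical volume only exists after the container has been opened, so an unconditional fstab entry fails at boot. In `Add a disc`, `mdadm --grow /dev/md2 --raid-devices=2` is listed before `mdadm /dev/md2 --add /dev/sdd1`; state which RAID level this order is for, since for RAID5/6 the device must be added first and the grow then reshapes onto it. `for a example scripts` should be `for example scripts`.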
Line 112: Line 242:
 "Now that your new shiny encrypted logical volume is empty, you have a once in a lifetime chance of testing the storage mechanism. Don't miss to do this! Try simulating a disk failure. Switch off the power and reboot. Do a filesystem check. Create thousands of files and delete them. Copy loads of big ISO images. Do whatever could happen to your storage and see if your data is still there." "Now that your new shiny encrypted logical volume is empty, you have a once in a lifetime chance of testing the storage mechanism. Don't miss to do this! Try simulating a disk failure. Switch off the power and reboot. Do a filesystem check. Create thousands of files and delete them. Copy loads of big ISO images. Do whatever could happen to your storage and see if your data is still there."
  
 +----
 +\\
  
 **References:** **References:**
   * http://linuxgazette.net/140/pfeiffer.html   * http://linuxgazette.net/140/pfeiffer.html
   * http://www.saout.de/tikiwiki/tiki-index.php   * http://www.saout.de/tikiwiki/tiki-index.php
-  * +  * https://thesimplecomputer.info/full-disk-encryption-with-ubuntu 
 + 
 + 
 + 
 + 
 +===== CryptFile ===== 
 + 
 +the only difference is to use a loop mounted file instead of a partition: 
 + 
 +create a file full of random data, setup loop device, luksFormat & format 
 +                                       
 +  dd if=/dev/urandom of=/cryptfile bs=1M count=3900    #=MB 
 +  losetup /dev/loop32 /cryptfile 
 +  cryptsetup luksFormat /dev/loop32 
 +  cryptsetup luksOpen /dev/loop32 cryptfs 
 +  mkfs.ext4 -L homecrypt /dev/mapper/cryptfs 
 + 
 + 
 + 
 +===== btrfs on top of luks ===== 
 + 
 +Create a crypto partition as described above, then format the opened crypto container filesystem: 
 + 
 +  mkfs.btrfs /dev/mapper/<cryptname> 
 +   
 +  # recommended options for rotational discs (for ssds set 'sdd' option): 
 +  mount -o noatime,compress=lzo,noauto,autodefrag /dev/mapper/<cryptname> /<mountpoint> 
 + 
 + 
 +===== Recommended options for installing on a pendrive, a SD card or a slow SSD drive ===== 
 + 
 + 
 +/dev/sdaX / btrfs x-systemd.device-timeout=0,noatime,compress=lzo,commit=0,ssd_spread,autodefrag 0 0 
  
 +* https://wiki.debian.org/Btrfs
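Review bot: in the btrfs mount comment `for ssds set 'sdd' option` the option is `ssd`, not `sdd` (the pendrive fstab line below uses the related `ssd_spread` correctly). `losetup /dev/loop32 /cryptfile` hardcodes a loop device that may not exist or may already be in use; `losetup -f --show /cryptfile` picks the next free one and prints its name. `cryptsetup luksFormat /dev/loop32` drops the explicit `--cipher`/`--key-size`/`--hash` options recommended in the Encrypting the Block Devices section, so the file container gets whatever the installed cryptsetup defaults to; pass the same options here. `#=MB` after `dd if=/dev/urandom of=/cryptfile bs=1M count=3900` is cryptic; say `3900 MiB`.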
linux/filesystems/crypto_raid.1327451899.txt.gz · Last modified: 2012/01/25 01:38 by tkilla