
Crypto

RAID

How to create a RAID array with LUKS encryption, mdadm RAID tools and LVM2.

Tested on Debian squeeze.

Replace sdX and sdY with the HDD devices of your choice. Choose carefully!

Run a badblocks check or dd to overwrite all data with random bit patterns:

badblocks -c 10240 -s -w -t random -v /dev/sdX
badblocks -c 10240 -s -w -t random -v /dev/sdY  

or slower and more secure:

dd if=/dev/urandom of=/dev/sdX
dd if=/dev/urandom of=/dev/sdY

wait some hours or days..

FIXME some howtos suggest to run this step over the partitions, not the whole device.. unknown..



Create partitions on two devices

  • mark them with the type code FD
  • all partitions should be of the same size!

fdisk /dev/sdX
..
fdisk /dev/sdY


Create the RAID array:

mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sdX1 /dev/sdY1

This creates a RAID 1 array. Choose a free device number for X in /dev/mdX; the command above uses /dev/md0.

The device is created and synchronization of the blocks starts. Check the sync progress and the details of the array:

cat /proc/mdstat
mdadm --detail /dev/md0

Create /etc/mdadm/mdadm.conf

cd /etc/mdadm
echo 'DEVICE /dev/hd*[0-9] /dev/sd*[0-9]' >> mdadm.conf
mdadm --detail --scan >> mdadm.conf

Comment out the original DEVICE line.



Encrypting the Block Devices

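cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/mdX

aes-cbc-essiv:sha256 was a common choice at the time of writing; cryptsetup 1.6.0 and later default to aes-xts-plain64 for LUKS.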


Unlocking the Block Devices

cryptsetup luksOpen /dev/mdX cryptname

The opened volume is available as /dev/mapper/cryptname after entering the correct passphrase.



Create Logical Volume with Logical Volume Manager (LVM)

...if you like. Read why here: https://en.wikipedia.org/wiki/Logical_Volume_Manager_%28Linux%29#Common_uses

For example, you can combine two RAID arrays to appear as one drive:

pvcreate /dev/mapper/cryptname
...
vgcreate -v cryptvg /dev/mapper/cryptname

Check results:

pvscan
vgdisplay

vgdisplay shows you the number of physical extents available in a volume group, e.g.: “Total PE 476931”. To use the complete volume group cryptvg for a logical volume, we tell lvcreate the number of extents to use.

lvcreate -l 476931 -n cryptvg cryptvg

This maps the new logical volume to the device file /dev/cryptvg/cryptvg



Format the logical volume:

mkfs.ext4 -L cryptvg /dev/cryptvg/cryptvg

FIXME optimize parameters, testing:

mkfs.ext4 -j -m 1 -O dir_index,filetype,sparse_super -L tresor /dev/tresorvg/tresor


Mount the logical volume:

Add a line to /etc/fstab to make it persistent:

/dev/cryptvg/cryptvg /crypt ext4 noatime 0 0

----

Create startup and shutdown scripts:

Check http://linuxgazette.net/140/pfeiffer.html for example scripts.



Add a disc:

increase number of hdds:

mdadm --grow /dev/md2 --raid-devices=2 

add disc

mdadm /dev/md2 --add /dev/sdd1

watch it sync:

for i in {1..1000}; do cat /proc/mdstat ; echo '_____'; sleep 10 ; done;

or

watch cat /proc/mdstat
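
Added example, not part of the original page: a small parser for /proc/mdstat-format text that reports, per array, the active/total member count, whether the array is degraded, and any sync progress, for the checks described above (after creating the array and after adding a disc). The function names and the sample input are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): summarise array health from
# /proc/mdstat-format text instead of eyeballing repeated `cat` output.
# Output, one line per array: <name> <level> <active>/<total> <state> <progress>

mdstat_summary() {   # usage: mdstat_summary [FILE]   (default: /proc/mdstat)
  awk '
    function flush() {
      if (have) print name, level, active "/" total, state, prog
      have = 0
    }
    # Array header, e.g. "md0 : active raid1 sdb1[1] sda1[0]"
    /^md[0-9]+ :/ {
      flush(); have = 1; name = $1
      level = "-"; active = total = "?"; prog = "-"
      state = ($3 == "active") ? "unknown" : "inactive"
      for (i = 3; i <= NF; i++) if ($i ~ /^(raid[0-9]+|linear)$/) level = $i
      next
    }
    # Status line carries "[total/active]", e.g. "... [2/1] [U_]"
    have && match($0, /\[[0-9]+\/[0-9]+\]/) {
      split(substr($0, RSTART + 1, RLENGTH - 2), n, "/")
      total = n[1]; active = n[2]
      state = (active + 0 < total + 0) ? "degraded" : "ok"
      next
    }
    # Progress line, e.g. "[==>....]  recovery = 12.6% (...) finish=..."
    have && match($0, /(resync|recovery|reshape|check) *= *[0-9.]+%/) {
      prog = substr($0, RSTART, RLENGTH); gsub(/ /, "", prog)
    }
    END { flush() }
  ' "${1:-/proc/mdstat}"
}

sample_mdstat() {    # constructed sample input, not captured from a real host
  cat <<'EOF'
Personalities : [raid1]
md0 : active raid1 sdb1[1] sda1[0]
      976630336 blocks super 1.2 [2/2] [UU]

md2 : active raid1 sdd1[2] sdc1[0]
      976630336 blocks super 1.2 [2/1] [U_]
      [==>..................]  recovery = 12.6% (123456789/976630336) finish=95.1min speed=149000K/sec

unused devices: <none>
EOF
}

sample_mdstat | mdstat_summary -
```

On a real host, call `mdstat_summary` with no argument to read /proc/mdstat; a line ending in `ok -` means all members are active and no resync or recovery is running.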


TEST

Quoting http://linuxgazette.net/140/pfeiffer.html :

“Now that your new shiny encrypted logical volume is empty, you have a once in a lifetime chance of testing the storage mechanism. Don't miss to do this! Try simulating a disk failure. Switch off the power and reboot. Do a filesystem check. Create thousands of files and delete them. Copy loads of big ISO images. Do whatever could happen to your storage and see if your data is still there.”



CryptFile

The only difference is to use a loop-mounted file instead of a partition:

Create a file full of random data, set up the loop device, luksFormat and format:

dd if=/dev/urandom of=cryptfile bs=1M count=3900    # size in MB
losetup /dev/loop32 cryptfile
cryptsetup luksFormat /dev/loop32
cryptsetup luksOpen /dev/loop32 cryptfs
mkfs.ext4 -L homecrypt /dev/mapper/cryptfs
linux/filesystems/crypto_raid.1375476074.txt.gz · Last modified: 2013/08/02 22:41 by tkilla