LUKS encryption On LVM On Raid
This is a short guide on how to create a RAID 5 array, put an LVM volume group and logical volume on top of it, and create a LUKS encrypted volume on top of the LVM logical volume.
Raid
Create a partition on each drive with gdisk, using partition type "Linux RAID" (partition type code FD00).
Create the raid 5 array:
mdadm --create /dev/md1 --level=5 --raid-devices=10 /dev/sdb1 /dev/sdc1 /dev/sdd1 /dev/sde1 /dev/sdf1 /dev/sdg1 /dev/sdh1 /dev/sdi1 /dev/sdj1 /dev/sdk1
Now set read-write mode (this will cause a resync):
mdadm --readwrite /dev/md1
Manually add the lines for the new RAID array to /etc/mdadm.conf. Run the following command to get the lines:
mdadm --examine --scan
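To go with the mdadm.conf step above, here is an added helper (example code, not part of the original guide) that merges the ARRAY lines printed by mdadm --examine --scan into an mdadm.conf without duplicating arrays that are already listed, matching on the UUID= token. The array UUIDs and the host name in the sample files are constructed values.

```shell
#!/bin/sh
# Added example, not part of the original guide: merge the ARRAY lines that
# "mdadm --examine --scan" prints into mdadm.conf without duplicating arrays
# that are already listed. The array UUIDs below are constructed sample values.

# merge_array_lines SCANFILE CONFFILE
# Appends every ARRAY line from SCANFILE whose UUID= token is absent from
# CONFFILE, and prints how many lines were added.
merge_array_lines() {
    scan="$1"
    conf="$2"
    [ -f "$conf" ] || : > "$conf"
    added=0
    while IFS= read -r line; do
        case "$line" in
            ARRAY*) ;;          # only ARRAY lines are merged
            *) continue ;;
        esac
        uuid=$(printf '%s\n' "$line" | sed -n 's/.*UUID=\([0-9a-fA-F:]*\).*/\1/p')
        [ -n "$uuid" ] || continue            # skip lines with no UUID token
        if grep -q "UUID=$uuid" "$conf"; then
            continue                          # already configured
        fi
        printf '%s\n' "$line" >> "$conf"
        added=$((added + 1))
    done < "$scan"
    echo "$added"
}

# count_arrays CONFFILE: number of ARRAY lines in the file.
count_arrays() {
    grep -c '^ARRAY' "$1" || true
}

# write_sample DIR: constructed scan output plus an existing mdadm.conf that
# already lists the first array, so the merge can be exercised offline.
write_sample() {
    cat > "$1/scan" <<'EOF'
ARRAY /dev/md/0 metadata=1.2 UUID=2b1a0f3e:7c9d4a11:5e6f8090:a1b2c3d4 name=host:0
ARRAY /dev/md/1 metadata=1.2 UUID=6ad2cd63:9d50b0bc:1c0d3d9e:8f9a2b1c name=host:1
EOF
    cat > "$1/mdadm.conf" <<'EOF'
DEVICE partitions
ARRAY /dev/md/0 metadata=1.2 UUID=2b1a0f3e:7c9d4a11:5e6f8090:a1b2c3d4 name=host:0
EOF
}

# On a real system (as root), after the array has been created:
#   mdadm --examine --scan > /tmp/mdadm-scan.txt
#   merge_array_lines /tmp/mdadm-scan.txt /etc/mdadm.conf
# Demo on the constructed files:
demo() {
    d=$(mktemp -d)
    write_sample "$d"
    echo "first merge added: $(merge_array_lines "$d/scan" "$d/mdadm.conf")"   # 1
    echo "second merge added: $(merge_array_lines "$d/scan" "$d/mdadm.conf")"  # 0
    echo "arrays configured: $(count_arrays "$d/mdadm.conf")"                  # 2
    rm -rf "$d"
}
case "${1:-}" in --demo) demo ;; esac
```

Run the script with --demo to see the merge on the constructed files; on the real host, point it at the scan output and /etc/mdadm.conf as shown in the comments. After editing mdadm.conf, regenerate the initramfs (update-initramfs -u on Debian-based systems) so that early-boot assembly sees the new array.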
LVM
Create physical lvm volume:
pvcreate /dev/md1 # may be very very slow during resync
Create volume group called 'sink':
vgcreate sink /dev/md1 # slow during resync
Create a logical LVM volume taking up 100% of the free space, with the name 'data':
lvcreate -l 100%FREE sink -n data # slow during resync
You should now have:
/dev/sink/data
and:
/dev/mapper/sink-data
Now set up encryption:
cryptsetup luksFormat /dev/sink/data
Open encrypted volume and create the filesystem:
cryptsetup luksOpen /dev/sink/data sink-data_crypt
mkfs.ext4 /dev/mapper/sink-data_crypt # will take a long time if resync is in progress
Mount on boot
Get the UUID with:
cryptsetup luksUUID /dev/sink/data
Then add this line to /etc/crypttab:
sink-data_crypt UUID=<the_uuid_from_previous_command> none luks
Add this line to /etc/fstab:
/dev/mapper/sink-data_crypt /data ext4 noatime 0 2
Your encrypted volume will now be unlocked and mounted on boot. Be aware that your system will now require the passphrase in order to boot.
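As an added example (not part of the original guide), the following shell functions generate the crypttab and fstab lines from the steps above and check that an existing pair of files agrees on the mapper name, uses a well-formed UUID= source and carries the luks option, so a mismatch is caught before the next reboot rather than at the boot prompt. The UUID in the demo is a constructed sample, not a real volume's.

```shell
#!/bin/sh
# Added example, not from the original guide: build the crypttab and fstab
# lines for an encrypted LV and check that the two files agree before the
# next reboot. The UUID used in the demo is a constructed sample value.

# is_luks_uuid STRING: true if STRING has the shape "cryptsetup luksUUID"
# prints (8-4-4-4-12 hexadecimal groups).
is_luks_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# crypttab_line NAME UUID: the /etc/crypttab entry from the guide.
crypttab_line() {
    is_luks_uuid "$2" || { echo "bad UUID: $2" >&2; return 1; }
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# fstab_line NAME MOUNTPOINT: the /etc/fstab entry from the guide.
fstab_line() {
    printf '/dev/mapper/%s %s ext4 noatime 0 2\n' "$1" "$2"
}

# check_boot_mount CRYPTTAB FSTAB NAME
# Verifies that NAME is defined in CRYPTTAB with a UUID= source and the luks
# option, and that FSTAB mounts /dev/mapper/NAME. Returns 1 (with a reason on
# stderr) if any of those fail.
check_boot_mount() {
    crypttab="$1"; fstab="$2"; name="$3"
    entry=$(grep -v '^[[:space:]]*#' "$crypttab" | awk -v n="$name" '$1 == n { print; exit }')
    if [ -z "$entry" ]; then
        echo "$name: no crypttab entry" >&2; return 1
    fi
    src=$(printf '%s\n' "$entry" | awk '{ print $2 }')
    case "$src" in
        UUID=*) is_luks_uuid "${src#UUID=}" || { echo "$name: malformed UUID in crypttab" >&2; return 1; } ;;
        *) echo "$name: crypttab source is not UUID= (device names can change between boots)" >&2; return 1 ;;
    esac
    opts=$(printf '%s\n' "$entry" | awk '{ print $4 }')
    case ",$opts," in
        *,luks,*) ;;
        *) echo "$name: crypttab options lack 'luks'" >&2; return 1 ;;
    esac
    if ! grep -v '^[[:space:]]*#' "$fstab" | awk -v dev="/dev/mapper/$name" '$1 == dev { found = 1 } END { exit !found }'; then
        echo "$name: fstab does not mount /dev/mapper/$name" >&2; return 1
    fi
    return 0
}

# On the real host: uuid=$(cryptsetup luksUUID /dev/sink/data), then
# crypttab_line sink-data_crypt "$uuid" >> /etc/crypttab, fstab_line ... >> /etc/fstab,
# and check_boot_mount /etc/crypttab /etc/fstab sink-data_crypt before rebooting.
demo() {
    d=$(mktemp -d)
    uuid=7f0e3c2a-1b4d-4e6f-9a8b-0c1d2e3f4a5b   # constructed, not a real volume
    crypttab_line sink-data_crypt "$uuid" > "$d/crypttab"
    fstab_line sink-data_crypt /data > "$d/fstab"
    check_boot_mount "$d/crypttab" "$d/fstab" sink-data_crypt && echo "crypttab and fstab agree"
    rm -rf "$d"
}
case "${1:-}" in --demo) demo ;; esac
```

The check insists on a UUID= source because a /dev/sdX or /dev/mapper path can change between boots, while the LUKS UUID is stored in the header itself. Before relying on boot-time unlocking, also keep an offline copy of that header (cryptsetup luksHeaderBackup /dev/sink/data --header-backup-file <file>, stored off this host): if the header at the start of the LV is damaged, the data cannot be recovered without it.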