LUKS encryption On LVM On Raid

From Sudo Room

This is a short guide on how to create a RAID 5 array, put LVM on top of it, and create a LUKS-encrypted volume on top of the LVM logical volume.

Raid

Create a partition on each drive with gdisk. The partition type is "Linux RAID" (type code FD00).

Create the RAID 5 array:

mdadm --create /dev/md1 --level=5 --raid-devices=10 /dev/sdb1 /dev/sdc1 /dev/sdd1 /dev/sde1 /dev/sdf1 /dev/sdg1 /dev/sdh1 /dev/sdi1 /dev/sdj1 /dev/sdk1

Now set read-write mode (this will cause a resync):

mdadm --readwrite /dev/md1

Manually add the lines for the new RAID array to /etc/mdadm.conf (on Debian-based systems the file is /etc/mdadm/mdadm.conf). Run the following command to get the lines:

mdadm --examine --scan
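The LVM and filesystem steps below are slow while the array is resyncing, and a degraded array is the one state you do not want to build an encrypted volume on. The shell function here is an added example, not part of the Sudo Room page: it reads /proc/mdstat-style text and reports whether a named array is clean, resyncing (with progress), degraded, or absent. The mdstat text embedded in it is constructed to look like the ten-disk /dev/md1 from the page; on a real host pass the contents of /proc/mdstat instead.

```shell
#!/bin/sh
# Added example (not from the Sudo Room page): report the state of an md array
# from /proc/mdstat-style text. The two samples below are constructed.

# Constructed /proc/mdstat while md1 is still resyncing after creation.
SAMPLE_RESYNC='Personalities : [raid6] [raid5] [raid4]
md1 : active raid5 sdk1[9] sdj1[8] sdi1[7] sdh1[6] sdg1[5] sdf1[4] sde1[3] sdd1[2] sdc1[1] sdb1[0]
      8790003712 blocks super 1.2 level 5, 512k chunk, algorithm 2 [10/10] [UUUUUUUUUU]
      [=====>...............]  resync = 27.4% (267845632/976667136) finish=120.3min speed=98000K/sec

unused devices: <none>'

# Constructed /proc/mdstat once the same array has finished resyncing.
SAMPLE_CLEAN='Personalities : [raid6] [raid5] [raid4]
md1 : active raid5 sdk1[9] sdj1[8] sdi1[7] sdh1[6] sdg1[5] sdf1[4] sde1[3] sdd1[2] sdc1[1] sdb1[0]
      8790003712 blocks super 1.2 level 5, 512k chunk, algorithm 2 [10/10] [UUUUUUUUUU]

unused devices: <none>'

# md_array_status ARRAY MDSTAT_TEXT
# Prints one of:
#   "resync NN.N%" / "recovery NN.N%" / "reshape NN.N%"  (returns 1)
#   "degraded"   a member is missing and no rebuild is running (returns 3)
#   "missing"    the array is not listed at all                 (returns 2)
#   "clean"      active, all members present, no sync running  (returns 0)
md_array_status() {
    array=${1#/dev/}          # accept "md1" or "/dev/md1"
    mdstat=$2

    # Cut out this array's block: from the "mdX : ..." line to the next blank line.
    block=$(printf '%s\n' "$mdstat" | awk -v a="$array" '
        $1 == a && $2 == ":" { inblock = 1 }
        inblock && /^$/      { exit }
        inblock              { print }')
    if [ -z "$block" ]; then
        echo "missing"
        return 2
    fi

    # A progress line looks like "[===>....]  resync = 27.4% (...) finish=..."; the
    # word before "=" is the operation and the field after it the percentage.
    progress=$(printf '%s\n' "$block" | awk '/ (resync|recovery|reshape) = / {
        for (i = 1; i <= NF; i++) if ($i == "=") { print $(i-1), $(i+1); exit } }')
    if [ -n "$progress" ]; then
        echo "$progress"
        return 1
    fi

    # The member map "[UUUU_UUU]" marks a missing device with "_".
    if printf '%s\n' "$block" | grep -Eq '\[[U_]*_[U_]*\]'; then
        echo "degraded"
        return 3
    fi

    echo "clean"
    return 0
}

# On a real host:  md_array_status md1 "$(cat /proc/mdstat)"
# Demo on the constructed sample (non-zero status means "not clean yet"):
md_array_status md1 "$SAMPLE_RESYNC" || true
```

A wait loop such as `until md_array_status md1 "$(cat /proc/mdstat)"; do sleep 60; done` before pvcreate turns the "slow during resync" comments on this page into something a script can act on, and the non-zero exit codes let the same function refuse to continue on a degraded array.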

LVM

Create the LVM physical volume:

pvcreate /dev/md1 # may be very very slow during resync

Create volume group called 'sink':

vgcreate sink /dev/md1 # slow during resync

Create a logical volume named 'data' in the volume group 'sink', taking up 100% of the free space:

lvcreate -l 100%FREE sink -n data # slow during resync

You should now have:

/dev/sink/data

and:

/dev/mapper/sink-data

Now set up encryption:

cryptsetup luksFormat /dev/sink/data

Open encrypted volume and create the filesystem:

cryptsetup luksOpen /dev/sink/data sink-data_crypt
mkfs.ext4 /dev/mapper/sink-data_crypt # will take a long time if resync is in progress

Mount on boot

Get the UUID with:

cryptsetup luksUUID /dev/sink/data

Then add this line to /etc/crypttab:

sink-data_crypt UUID=<the_uuid_from_previous_command> none luks

Add this line to /etc/fstab:

/dev/mapper/sink-data_crypt /data ext4 noatime 0 2

Your encrypted volume will now be mounted on boot. Be aware that your system will now require the passphrase in order to boot.
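Because the system now needs both lines to boot cleanly, a mismatch between the crypttab name and the /dev/mapper path in fstab, or a mistyped UUID, only shows up as a failed boot. The shell functions below are an added example, not part of the Sudo Room page: they generate the two entries in the form the page uses and cross-check a crypttab and an fstab against each other. The name, mountpoint and UUID in the demo are constructed placeholders; on a real host the UUID comes from `cryptsetup luksUUID` as shown above.

```shell
#!/bin/sh
# Added example (not from the Sudo Room page): build and cross-check the
# /etc/crypttab and /etc/fstab entries for a LUKS volume on LVM.

# is_uuid STRING -> 0 if STRING is a well-formed 8-4-4-4-12 hex UUID
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# crypttab_line NAME UUID -> the crypttab entry in the page's form
# (no key file, so "none" and the passphrase is asked for at boot; option "luks")
crypttab_line() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# fstab_line NAME MOUNTPOINT -> the fstab entry in the page's form
fstab_line() {
    printf '/dev/mapper/%s %s ext4 noatime 0 2\n' "$1" "$2"
}

# check_boot_entries CRYPTTAB_TEXT FSTAB_TEXT
# For every non-comment crypttab entry: the source must be a well-formed UUID=
# and fstab must mount /dev/mapper/NAME. Prints each problem; returns 0 only if
# none were found. Plain LVM mapper names in fstab are not checked, since they
# need no crypttab entry.
check_boot_entries() {
    crypttab=$1
    fstab=$2
    status=0
    for name in $(printf '%s\n' "$crypttab" | awk '!/^#/ && NF >= 2 { print $1 }'); do
        src=$(printf '%s\n' "$crypttab" | awk -v n="$name" '$1 == n { print $2; exit }')
        case "$src" in
            UUID=*)
                is_uuid "${src#UUID=}" || { echo "malformed UUID for $name: $src"; status=1; } ;;
            *)
                echo "crypttab source for $name is not a UUID: $src"; status=1 ;;
        esac
        # The unlocked device must actually be mounted, under exactly this name.
        if ! printf '%s\n' "$fstab" | awk -v d="/dev/mapper/$name" \
                '!/^#/ && $1 == d { found = 1 } END { exit !found }'; then
            echo "$name is unlocked by crypttab but never mounted by fstab"
            status=1
        fi
    done
    return $status
}

# Demo on constructed values (the UUID is a made-up placeholder).
# On a real host: check_boot_entries "$(cat /etc/crypttab)" "$(cat /etc/fstab)"
DEMO_UUID=1b2c3d4e-5f60-4718-8a9b-0c1d2e3f4a5b
crypttab_line sink-data_crypt "$DEMO_UUID"
fstab_line sink-data_crypt /data
check_boot_entries "$(crypttab_line sink-data_crypt "$DEMO_UUID")" \
                   "$(fstab_line sink-data_crypt /data)" && echo "crypttab and fstab agree"
```

Running the check against the live files before rebooting catches the two most common mistakes in this step: the fstab path not matching the crypttab name character for character, and a UUID copied with a missing or extra character.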