LUKS encryption On LVM On Raid

From Sudo Room

This is a short guide on how to create a RAID 5 array with LVM on top and a LUKS-encrypted volume on top of the LVM logical volume.


Create partitions on each drive with gdisk. Partition type is "Linux RAID". Partition type code is FD00.

Create the RAID 5 array:

mdadm --create /dev/md1 --level=5 --raid-devices=10 /dev/sdb1 /dev/sdc1 /dev/sdd1 /dev/sde1 /dev/sdf1 /dev/sdg1 /dev/sdh1 /dev/sdi1 /dev/sdj1 /dev/sdk1

Now set read-write mode (this will cause a resync):

mdadm --readwrite /dev/md1

Manually add lines for the new RAID array to /etc/mdadm.conf. Run the following command to get the lines:

mdadm --examine --scan


Create the LVM physical volume:

pvcreate /dev/md1 # may be very, very slow during resync

Create a volume group called 'sink':

vgcreate sink /dev/md1 # slow during resync

Create an LVM logical volume named 'data' in volume group 'sink', taking up 100% of the free space:

lvcreate -l 100%FREE sink -n data # slow during resync

You should now have:




Now set up encryption:

cryptsetup luksFormat /dev/sink/data

Open the encrypted volume and create the filesystem:

cryptsetup luksOpen /dev/sink/data sink-data_crypt
mkfs.ext4 /dev/mapper/sink-data_crypt # will take a long time if resync is in progress

Mount on boot

Get the UUID with:

cryptsetup luksUUID /dev/sink/data

Then add this line to /etc/crypttab:

sink-data_crypt UUID=<the_uuid_from_previous_command> none luks

Add this line to /etc/fstab:

/dev/mapper/sink-data_crypt /data ext4 noatime 0 2

Your encrypted partition will now mount on boot. Be aware that your system will now require the passphrase in order to boot.
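
A consistency check for the two boot files above, as an added example that is not part of the original guide. The function names check_crypt_boot and demo and the sample file contents are assumptions made for illustration; the check confirms that each /dev/mapper name in fstab has a crypttab entry with a real UUID and the luks option.

```sh
#!/bin/sh
# Added example (not from the original guide): verify that every
# /dev/mapper/<name> in fstab has a usable entry in crypttab.
# Usage: check_crypt_boot CRYPTTAB FSTAB   (returns 0 if consistent)
check_crypt_boot() {
    crypttab=$1; fstab=$2; rc=0
    # Mapper names fstab expects at boot; "/dev/mapper/" is 12 characters.
    names=$(awk '$1 !~ /^#/ && index($1, "/dev/mapper/") == 1 { print substr($1, 13) }' "$fstab")
    for name in $names; do
        # crypttab fields: <name> <source device> <key file> <options>
        entry=$(awk -v n="$name" '$1 == n { print $2, $3, $4; exit }' "$crypttab")
        if [ -z "$entry" ]; then
            echo "FAIL: $name is mounted in fstab but missing from crypttab"
            rc=1; continue
        fi
        set -- $entry; src=$1; key=${2:-}; opts=${3:-}
        case $src in
            UUID=|UUID=*[!0-9a-fA-F-]*)
                echo "FAIL: $name: '$src' is not a LUKS UUID (placeholder left in?)"; rc=1 ;;
            UUID=*) ;;
            *)  echo "WARN: $name: '$src' is not UUID=; the guide uses the LUKS UUID" ;;
        esac
        case ",$opts," in
            *,luks,*) ;;
            *) echo "FAIL: $name: option 'luks' missing"; rc=1 ;;
        esac
        if [ "$key" = none ]; then
            echo "INFO: $name: no key file, passphrase prompt at boot"
        fi
    done
    return $rc
}

# Constructed sample input: the guide's two lines with the UUID placeholder
# still in place, which the check must reject.
demo() {
    d=$(mktemp -d)
    echo 'sink-data_crypt UUID=<the_uuid_from_previous_command> none luks' > "$d/crypttab"
    echo '/dev/mapper/sink-data_crypt /data ext4 noatime 0 2' > "$d/fstab"
    check_crypt_boot "$d/crypttab" "$d/fstab"; status=$?
    rm -rf "$d"; return $status
}

demo || echo "demo: inconsistencies found (expected with the placeholder)"
```

On a real system, run check_crypt_boot /etc/crypttab /etc/fstab before rebooting.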