Setting up an encrypted RAID filesystem
Please refer to EncryptedFilesystems for further documentation.
This wikipage explains how to setup an encrypted RAID filesystem using these layers:
* raid
* lvm
* dm-crypt
* ext4 (you can use ext2 or ext3 as well)
Get superuser privileges:
sudo -s -H
Install needed packages:
aptitude install mdadm gddrescue cryptsetup pwgen lvm2
Create the RAID array from the member partitions (here sda1, sdb1 and sdc1). The options are -n 3 (three members), -l 5 (RAID level 5), -z 488281250 (KiB to use from each member) and -c 256 (chunk size in KiB). RAID5 spends one member's worth of space on parity, so the usable size of this array is two members' worth. mdadm refuses, or asks for confirmation, if it finds an existing filesystem or RAID signature on a member:
mdadm --create /dev/md0 -n 3 -l 5 -z 488281250 -c 256 /dev/sd{a..c}1
Check that the array exists and watch its initial resync, then build the LVM layers on it: one physical volume, one volume group (rawlargevg) and one logical volume (rawsharelv) spanning the array. The -l argument to lvcreate is a count of LVM physical extents (4 MiB each by default); -l 100%FREE lets LVM work the number out for you instead of hand-calculating 238418:
cat /proc/mdstat
mdadm --detail /dev/md0
pvcreate /dev/md0
vgcreate rawlargevg /dev/md0
lvcreate -n rawsharelv -l 238418 rawlargevg
Fill the logical volume with pseudorandom data so that nobody reading the disk later can tell used ciphertext blocks from never-written ones (only the LUKS header at the start will be recognisable). AES-256-CTR keystream under a throwaway key read from /dev/urandom is far faster than reading /dev/urandom for the whole volume. openssl stops with a "No space left on device" error when the volume is full; that is the expected end of the run. This can still take a VERY long time depending on size:
openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero > /dev/rawlargevg/rawsharelv
Create the LUKS volume on top of the random data (see the next section on how to create a random passphrase). The cipher options below were the cryptsetup 1.x defaults; current cryptsetup defaults to aes-xts-plain64, which is the better choice, so on a current system drop -c and -s and take the defaults (with XTS the key size must be doubled, i.e. -s 512, because XTS uses two keys):
cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/rawlargevg/rawsharelv
You can use pwgen to make a random passphrase; this command prints 200 candidate 12-character passwords with symbols (-y), numerals (-n) and capitals (-c). Pick one and keep a copy somewhere safe: without the passphrase the data is unrecoverable, and a longer passphrase costs nothing:
pwgen -ync 12 200
Now open the encrypted volume:
cryptsetup luksOpen /dev/rawlargevg/rawsharelv encsharedev
Format the volume as ext4 (-m 0 reserves no blocks for root, which is appropriate for a pure data volume):
mkfs.ext4 -m 0 /dev/mapper/encsharedev
Make the mount-directory:
mkdir /media/share
Create a desktop link or similar pointing at the following command, which opens the LUKS volume and mounts it. It must run as root, so launch it through gksudo or kdesu, or run it directly from a root terminal:
cryptsetup luksOpen /dev/rawlargevg/rawsharelv encsharedev && mount /dev/mapper/encsharedev /media/share
Now give your user ownership of the mounted directory (replace USERNAME with your login). The chmod 777 makes the directory writable by every local user; on a single-user machine the chown alone is enough:
chown USERNAME:USERNAME /media/share
chmod 777 /media/share
Congratulations, now you have an encrypted filesystem on /media/share!
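The whole procedure above, written as one reviewable script. This is an added example and not code from the wiki page: the device names, sizes and volume names are the page's, while the plan/apply split, the sanity checks (refusing mounted or already-signed members), the helper names and the use of lvcreate's extent arithmetic are assumptions. Running it with no argument (or "plan") only prints the commands it would run; "apply" executes them as root.

```shell
#!/bin/sh
# Added example, not part of the wiki page: the page's four layers
# (mdadm RAID5 -> LVM -> LUKS -> ext4) as one reviewable script.
# Device names, sizes and volume names are the page's own; the plan/apply
# split, the sanity checks and the helper names are assumptions.
set -eu

MD_DEV=/dev/md0
RAID_MEMBERS="/dev/sda1 /dev/sdb1 /dev/sdc1"
RAID_DEVICES=3
RAID_LEVEL=5
MEMBER_KIB=488281250        # mdadm -z/--size: KiB used from each member
CHUNK_KIB=256               # mdadm -c/--chunk: chunk size in KiB
VG=rawlargevg
LV=rawsharelv
PE_KIB=4096                 # LVM default physical extent size (4 MiB)
MAPPER=encsharedev
MOUNTPOINT=/media/share

# RAID5 spends one member's worth of space on parity: usable = (n - 1) * size.
raid5_usable_kib() {
    echo $(( ($1 - 1) * $2 ))
}

# Whole LVM extents that fit in the array: this is where the page's
# "-l 238418" comes from (976562500 KiB / 4096 KiB). On a real system prefer
# "lvcreate -l 100%FREE" so LVM subtracts its own metadata area for you.
lv_extents() {
    echo $(( $(raid5_usable_kib "$1" "$2") / $3 ))
}

# Command builders print one shell command per line, so the whole plan can
# be read (and compared with the page) before a single block is written.
cmd_raid() {
    echo "mdadm --create $MD_DEV --level=$RAID_LEVEL --raid-devices=$RAID_DEVICES --size=$MEMBER_KIB --chunk=$CHUNK_KIB $RAID_MEMBERS"
}
cmd_lvm() {
    echo "pvcreate $MD_DEV"
    echo "vgcreate $VG $MD_DEV"
    echo "lvcreate -n $LV -l $(lv_extents "$RAID_DEVICES" "$MEMBER_KIB" "$PE_KIB") $VG"
}
cmd_wipe() {
    # AES-CTR keystream under a throwaway 256-bit key: unpredictable to anyone
    # reading the disk later, but much faster than /dev/urandom itself.
    # openssl exits non-zero when the LV is full; that is the expected end.
    echo "openssl enc -aes-256-ctr -nosalt -pass pass:\"\$(head -c 32 /dev/urandom | base64)\" </dev/zero >/dev/$VG/$LV || true"
}
cmd_luks_fs() {
    echo "cryptsetup -y luksFormat /dev/$VG/$LV"   # current defaults: aes-xts-plain64
    echo "cryptsetup isLuks /dev/$VG/$LV"          # prove a LUKS header is really there
    echo "cryptsetup luksOpen /dev/$VG/$LV $MAPPER"
    echo "mkfs.ext4 -m 0 /dev/mapper/$MAPPER"
    echo "mkdir -p $MOUNTPOINT"
    echo "mount /dev/mapper/$MAPPER $MOUNTPOINT"
}
print_plan() { cmd_raid; cmd_lvm; cmd_wipe; cmd_luks_fs; }

# Apply-mode checks: never build over something that is mounted or already
# carries a filesystem/RAID signature (blkid -p exits 0 when it finds one).
check_member() {
    if grep -q "^$1 " /proc/mounts; then
        echo "refusing: $1 is mounted" >&2; return 1
    fi
    if blkid -p "$1" >/dev/null 2>&1; then
        echo "refusing: $1 already has a signature; wipe it with wipefs -a first" >&2; return 1
    fi
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; exit 1; }
    for m in $RAID_MEMBERS; do check_member "$m"; done
    plan=$(mktemp)
    print_plan >"$plan"
    # Read the plan on fd 3 so cryptsetup's passphrase prompts keep stdin.
    while IFS= read -r line <&3; do
        printf '+ %s\n' "$line"
        eval "$line"
    done 3<"$plan"
    rm -f "$plan"
    echo "done; watch the initial resync with: cat /proc/mdstat"
}

case "${1:-plan}" in
    plan)  print_plan ;;
    apply) apply ;;
    *)     echo "usage: $0 [plan|apply]" >&2; exit 2 ;;
esac
```

The wipe step derives its key from 32 bytes of /dev/urandom (the page uses 128; 256 bits is already more than the cipher can use), and the LUKS step takes cryptsetup's current defaults rather than the page's aes-cbc-essiv:sha256. The isLuks check after luksFormat is cheap insurance against having formatted the wrong path.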
To have the volume opened and mounted automatically at boot, add the following line to /etc/crypttab (the third field, none, means you will be asked for the passphrase during boot):
encsharedev /dev/rawlargevg/rawsharelv none luks
and this line to /etc/fstab (the filesystem type column is required):
/dev/mapper/encsharedev /media/share ext4 MOUNTOPTIONS 1 2
Your mount point may differ, as may your mount options, dump and pass fields. The first field of the crypttab line must be exactly the name that appears after /dev/mapper/ in fstab, otherwise the boot will stall waiting for a device that is never created.
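A check for the crypttab/fstab pairing just described, as an added example that is not part of the wiki page: it verifies that every /dev/mapper/ device fstab mounts is a name crypttab will create, that each fstab entry has all six fields, and notes which volumes will prompt for a passphrase at boot. The sample crypttab and fstab contents are constructed, and the function and file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the wiki page: cross-check /etc/crypttab against
# /etc/fstab so the mapper name fstab mounts is one crypttab will create at
# boot. Sample file contents are constructed; function names are assumptions.
set -eu

# check_boot_config CRYPTTAB FSTAB
# Prints one line per problem found and returns 1 if there were any.
check_boot_config() {
    awk '
        # Skip blank and comment lines in both files
        /^[[:space:]]*(#|$)/ { next }
        # First file (crypttab): remember every mapping name it will create
        FILENAME == ARGV[1] { created[$1] = $2; if ($3 == "none") prompt[$1] = 1; next }
        # Second file (fstab): every /dev/mapper/NAME needs a crypttab entry
        $1 ~ /^\/dev\/mapper\// {
            name = substr($1, length("/dev/mapper/") + 1)
            if (!(name in created)) {
                print "fstab: " $1 " is not created by any crypttab entry"; bad++
            } else if (NF != 6) {
                print "fstab: entry for " $1 " has " NF " fields, expected 6"; bad++
            } else if (name in prompt) {
                print "note: " $1 " needs its passphrase typed at boot (crypttab key = none)"
            }
        }
        END { exit (bad > 0) }
    ' "$1" "$2"
}

# Constructed sample files: one crypttab, one correct fstab, one broken fstab.
write_samples() {
    dir=$(mktemp -d)
    cat >"$dir/crypttab" <<'EOF'
# <target name>  <source device>             <key file>  <options>
encsharedev      /dev/rawlargevg/rawsharelv  none        luks
EOF
    # Correct: mounts the mapper name crypttab creates, all six fields present
    cat >"$dir/fstab.good" <<'EOF'
/dev/mapper/encsharedev  /media/share  ext4  defaults  1  2
EOF
    # Broken: mapper name misspelled, and the filesystem type column forgotten
    cat >"$dir/fstab.bad" <<'EOF'
/dev/mapper/encshare     /media/share  ext4  defaults  1  2
/dev/mapper/encsharedev  /media/share  defaults  1  2
EOF
    echo "$dir"
}

# run_check FSTAB_NAME: check the named sample fstab against the sample crypttab
run_check() {
    d=$(write_samples)
    if check_boot_config "$d/crypttab" "$d/$1"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}
check_good() { run_check fstab.good; }
check_bad()  { run_check fstab.bad; }

if check_good; then echo "good config: ok"; fi
if check_bad; then echo "bad config slipped through"; else echo "bad config: rejected"; fi
```

To run it against a real system, call check_boot_config /etc/crypttab /etc/fstab; it only reads the files, so it can be run before rebooting to find the mismatch while the machine is still up.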