= Setting up an encrypted RAID filesystem =

|| {i} Please refer to EncryptedFilesystems for further documentation.||

This wiki page explains how to set up an encrypted RAID filesystem using these layers:

 * raid
 * lvm
 * dm-crypt
 * ext4 (you can use ext2 or ext3 as well)

Get superuser privileges:

{{{
sudo -s -H
}}}

Install the needed packages:

{{{
aptitude install mdadm gddrescue cryptsetup pwgen lvm2
}}}

Create the RAID, specifying the devices to be used (in this case sda1, sdb1 and sdc1):

{{{
mdadm /dev/md0 --create -n 3 -l 5 -z 488281250 -c 256 /dev/sd{a..c}1
}}}

Some commands to be run: (I'll clean up this section later!)

{{{
# Check the state of the new array
cat /proc/mdstat
mdadm --detail /dev/md0
# Put LVM on top of the array: physical volume, volume group, logical volume
pvcreate /dev/md0
vgcreate rawlargevg /dev/md0
lvcreate -n rawsharelv -l 238418 rawlargevg
}}}

Randomize the disk content: (This can take a VERY long time depending on size.)

{{{
openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero > /dev/rawlargevg/rawsharelv
}}}

Create the encrypted volume on top of the random data: (See the next step for how to create a random password!)

{{{
cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/rawlargevg/rawsharelv
}}}

You can use pwgen to make a random password: (This command creates 200 12-character passwords.)

{{{
pwgen -ync 12 200
}}}

Now open the encrypted volume:

{{{
cryptsetup luksOpen /dev/rawlargevg/rawsharelv encsharedev
}}}

Format the volume as ext4:

{{{
mkfs.ext4 -m 0 /dev/mapper/encsharedev
}}}

Make the mount directory:

{{{
mkdir /media/share
}}}

Create a desktop link or similar pointing at this command: (use gksudo or kdesu) - AS ROOT!!!

{{{
cryptsetup luksOpen /dev/rawlargevg/rawsharelv encsharedev && mount /dev/mapper/encsharedev /media/share
}}}

Run the link you just created, or run the command directly from a root terminal!

Now, let's change the ownership and permissions of the folder:

{{{
chown USERNAME:USERNAME /media/share
chmod 777 /media/share
}}}

Congratulations, you now have an encrypted filesystem on /media/share!

To set up your new encrypted volume to auto-mount on boot, add the following.

To /etc/crypttab:

{{{
encsharedev /dev/rawlargevg/rawsharelv none luks
}}}

To /etc/fstab:

{{{
/dev/mapper/encsharedev /media/share MOUNTOPTIONS 1 2
}}}

Your mount point may differ, as may your mount options, dump, and pass values.
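
A consistency check for the two boot entries above, as an added example rather than part of the original wiki page: it verifies that every crypttab target has the luks option and is mounted in fstab through its /dev/mapper/ name, not through the raw logical volume. The function name `check_crypt_mounts` and the sample files are constructed for illustration, with `defaults` standing in for MOUNTOPTIONS.

```shell
#!/bin/sh
# check_crypt_mounts CRYPTTAB FSTAB
# Prints one finding per line; returns 1 if any entry is inconsistent.
check_crypt_mounts() {
    crypttab=$1 fstab=$2 status=0
    while read -r name source keyfile options rest || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac      # skip blanks and comments
        # The page's entry carries the "luks" option; flag targets without it.
        case ",$options," in
            *,luks,*) ;;
            *) echo "error: crypttab target $name lacks the luks option"; status=1 ;;
        esac
        # Key file "none" means the passphrase is typed at the console on boot.
        [ "$keyfile" = none ] &&
            echo "note: $name ($source) prompts for a passphrase at boot"
        # fstab must mount the mapped name, not the raw logical volume.
        if ! awk -v d="/dev/mapper/$name" '$1 == d { f = 1 } END { exit !f }' "$fstab"; then
            echo "error: fstab has no entry for /dev/mapper/$name"; status=1
        fi
        if awk -v s="$source" '$1 == s { f = 1 } END { exit !f }' "$fstab"; then
            echo "error: fstab mounts $source directly instead of /dev/mapper/$name"; status=1
        fi
    done < "$crypttab"
    return "$status"
}

# Constructed sample files: the page's two entries, with "defaults"
# standing in for MOUNTOPTIONS.
demo_dir=$(mktemp -d)
echo 'encsharedev /dev/rawlargevg/rawsharelv none luks' > "$demo_dir/crypttab"
echo '/dev/mapper/encsharedev /media/share defaults 1 2' > "$demo_dir/fstab"
check_crypt_mounts "$demo_dir/crypttab" "$demo_dir/fstab"
rm -rf "$demo_dir"
```

On a real system, pass /etc/crypttab and /etc/fstab as the two arguments before rebooting.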