NOTE: This is an older article, so the information provided may no longer be accurate.

Wills Notebook: Encryption on top of RAID1 - Ubuntu

I was setting up a customer's computer for server duty and wanted the following configuration: two identical 2TB disks, /dev/sda and /dev/sdb, configured as RAID1 (mirrored), with encryption on top of the array and the encrypted volume mounted as /home. This is on Ubuntu 14.04.x Server edition.

After studying man pages and searching the 'net, here are the instructions I used. Hopefully you find them helpful. If you find any inaccuracies, please contact me through the comments below.

Warning! If you are doing these steps on a remote computer, be aware that it will stop booting if there is a problem mounting the new file-system! Make sure you have physical access to the computer, or that you have some way to roll the changes back so you don't lose contact with your computer completely.

All commands issued as root:

Install mdadm and cryptsetup
  apt-get install mdadm cryptsetup

Tell mdadm to create a disk array with two devices in mirror mode (RAID1), using sda and sdb
  mdadm --create /dev/md0 -n 2 -l mirror /dev/sda /dev/sdb

Create (or append to) our disk array config file (may also be in: /etc/mdadm/mdadm.conf)
  mdadm --detail --scan >> /etc/mdadm.conf

Restart the mdadm service
  service mdadm restart

Create a passphrase key file for encryption commands below
  echo "blahpingding" > /etc/mycryptkey.key

Create a LUKS header on the disk array
  cryptsetup --key-file /etc/mycryptkey.key luksFormat /dev/md0
(should NOT ask for password!)

Open encrypted file-system
  cryptsetup --key-file /etc/mycryptkey.key open /dev/md0 md0_crypt
(should NOT ask for password!)

Create encryption config file
  nano /etc/crypttab

# /etc/crypttab file
# Fields are: name, underlying device, passphrase, cryptsetup options.
# Mount /dev/md0 as /dev/mapper/md0_crypt using LUKS, with a passphrase stored in a file.
md0_crypt  /dev/md0  /etc/mycryptkey.key  luks

  (use parted and/or cgdisk to add a partition table and partition(s) to /dev/mapper/md0_crypt)

Create an ext4 file-system on the encrypted device
  mkfs -t ext4 /dev/mapper/md0_crypt

Add entry to /etc/fstab
  echo "/dev/mapper/md0_crypt /home ext4 noatime,errors=remount-ro 0 2" >> /etc/fstab

Close encrypted file-system
  cryptsetup close md0_crypt

Reboot!

On reboot, everything should work. Run lsblk to see whether md0 and md0_crypt are there.
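As an added example (not part of the original article), here is a small POSIX shell script of sanity checks for the configuration above. It confirms that the key file is not readable by other users (the echo line above creates it with the default umask, which on most systems leaves it world-readable), that the /etc/crypttab and /etc/fstab entries say what they should, and, after the reboot, that lsblk lists both md0 and md0_crypt. It also offers a create_keyfile helper as an alternative to the echo line. The function names are my own; the device names, file paths and mount point are the article's.

```shell
#!/bin/sh
# Added example, not from the original article: key-file helpers and
# pre-reboot sanity checks for the crypttab, fstab and lsblk state the
# article ends up with. Every function takes the file to inspect as an
# argument (or reads stdin), so it can be run against /etc directly or
# against constructed copies. The names md0, md0_crypt, /etc/mycryptkey.key
# and /home are the article's; the helper functions are my own assumptions.

# Alternative to the article's 'echo "blahpingding" > key' line: write a
# random 64-byte key, creating the file mode 600 from the start so the
# passphrase never sits in a world-readable file or in shell history.
create_keyfile() {
    keyfile=$1
    ( umask 077 && head -c 64 /dev/urandom > "$keyfile" )
}

# The key file holds the LUKS passphrase in clear text, so group and others
# must have no access. Succeeds only for modes such as 600 or 400.
check_keyfile() {
    keyfile=$1
    [ -f "$keyfile" ] || { echo "missing key file: $keyfile" >&2; return 1; }
    mode=$(stat -c '%a' "$keyfile")
    case $mode in
        [0-7]00) return 0 ;;
        *) echo "key file $keyfile is mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# Verify the crypttab line for NAME maps DEVICE with KEYFILE using luks.
# Comment and blank lines are skipped; awk's exit status is the result.
check_crypttab() {
    awk -v name="$2" -v dev="$3" -v key="$4" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == name {
            found = 1
            if ($2 == dev && $3 == key && $4 ~ /(^|,)luks(,|$)/) ok = 1
        }
        END { exit (found && ok) ? 0 : 1 }
    ' "$1"
}

# Verify the fstab line for DEVICE mounts it at MOUNTPOINT as FSTYPE with
# fsck pass 2 (checked after the root file-system, as in the article).
check_fstab() {
    awk -v dev="$2" -v mnt="$3" -v fstype="$4" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == dev {
            found = 1
            if ($2 == mnt && $3 == fstype && $6 == "2") ok = 1
        }
        END { exit (found && ok) ? 0 : 1 }
    ' "$1"
}

# After the reboot: confirm both the array and the mapping are present.
# Reads "lsblk -ln -o NAME,TYPE" output on stdin; tree prefixes are tolerated.
check_block_devices() {
    awk '$1 ~ /md0$/       && $2 == "raid1" { raid = 1 }
         $1 ~ /md0_crypt$/ && $2 == "crypt" { crypt = 1 }
         END { exit (raid && crypt) ? 0 : 1 }'
}

# Run every check against the live system (as root). Not run automatically;
# invoke the script with the single argument "run".
preflight() {
    check_keyfile /etc/mycryptkey.key &&
    check_crypttab /etc/crypttab md0_crypt /dev/md0 /etc/mycryptkey.key &&
    check_fstab /etc/fstab /dev/mapper/md0_crypt /home ext4 &&
    lsblk -ln -o NAME,TYPE | check_block_devices &&
    echo "all checks passed"
}

if [ "${1:-}" = run ]; then preflight; fi
```

Run the checks before the final reboot (the warning at the top of the article is exactly the failure they are meant to catch): a key file that cannot be read at boot, or a crypttab or fstab line with a typo, leaves the machine stuck waiting for /home. The check_keyfile function is the one worth keeping even if you use the echo line as written; follow that line with chmod 600 on the key file.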

