[dm-crypt] Protection against data failure

Arno Wagner arno at wagner.name
Wed Aug 10 19:26:15 CEST 2011


On Wed, Aug 10, 2011 at 10:14:37AM +0200, Sun_Blood wrote:
> Hi DM-crypt
> 
> I have done some Googling and read your FAQ(great info) but I'm still

Thanks!

> a bit confused so I hope somebody have time to answer a few questions.
> 
> I have recently started using dm-crypt and LVM finally taking a leap
> in to the feature of disk handling. But now when I'm not using the
> normal old partitions system with "one disk one partition" and the
> disk itself are getting bigger there is a lot more data that could be
> lost in a error. And with a big encrypted LVM I feel that some sort of
> backups are necessary.

Personally, I do not like LVM. I think in most situations it
complicates things without need. 
 
> So how can I protect my self from loosing all my data? My system today
> looks like this
> sdb1 -> lvm -> dm_crypt -> filesystem
> So by adding mirror raid I'm guessing that I protect my self from
> hardware failure. sd[b-c]1 -> Raid -> LVM -> dm_crypt -> filysystem.
> So far are I correct or am I missing something?

RAID1 protects you against disk failure, but you still need a 
backup, just as Milan says in his anzwer. 


> The above solution saves me from a broken disk but it can't protect me
> from my self right(the biggest danger to a system: The user)? If I

Indeed. Or two broken disks.

> accidental do a dd /dev/zero /dev/raid then all will be lost because
> the raid will mirror even my mistakes?

Faithfully, yes.

> Lucky I see that cryptsesetup has the luksHeaderBackup function. (LVM
> also have a similar function).
> My question here is if I accidental overwrite the first 5% of the disk
> could I with this option restore and access the 95% rest of the system
> data?

Depends on the filsyste, you have in there. Or the partitioning.

> Or is this the wrong approach maybe a CoW setup would be the solution?
> What I'm looking for is a way to protect the system from myself.
> Hardware is one way and with that I can protect myself against
> hardware failure good enough with raid and SMART disk.
> But if I accidental overwrite the first part of the disk or some other
> important part can I protect myself from that?

Backup on several (at least 3) media sets is the only good solution. 
And you are asking exactly the right questions.

> And I final question. The output from luksHeaderBackup how sensitive
> is that information? Is it like handing somebody my password if I
> store it on a local unencrypted disk?

It is like handing somebody your disks. Alls still protected.
Only potential problem is old passwords in the backup, see FAQ.

> Thanks in advance for any answers! =)

No Problem.
Arno

> Martin
> _______________________________________________
> dm-crypt mailing list

> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
> 

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 


More information about the dm-crypt mailing list