[dm-crypt] Encrypted Raid1 or Raid 1 of encrypted devices?

Milan Broz mbroz at redhat.com
Tue Jul 12 14:10:03 CEST 2011


On 07/12/2011 01:32 PM, Jorge Fábregas wrote:
> That's an interesting question: encrypted raid1 or raid1 of encrypted
> disks? That also could be phrased as "dm-crypt on top of dm-raid" or
> "dm-raid on top of dm-crypt"?
> 
> I must admit I would never have thought about a "raid1 of encrypted
> disks" (seems awkward) but apparently it works. I'm new here (and to
> disk encryption at all) but here are my two cents:

Technically both work.

> # Performance
> I guess from the point of view of performance (CPU-wise), an "encrypted
> RAID1" would be better as you would be only encrypting once and DM-raid
> will take care of copying those bits as they are to the 2nd disk. I
> suggest you do some tests (copying a large amount of data to the encrypted
> disk) and measure it.

This depends on the kernel version and whether the system is SMP/multi-CPU.
For <2.6.38 you may get better performance for raid over crypt;
for newer kernels it will be different.
(I am not saying better because there are still performance issues
with crypt over MD RAID. It depends on the I/O pattern and whether I/Os are
issued from different CPUs or not. For example, dd can be slower but a
threaded fs test can have much better performance.)

> # Management
> There's no doubt that an encrypted raid1 is much better (far fewer
> commands: you just need to format once, luksOpen once, luksClose once,
> one backup of the header).

Yes, I would always suggest crypt over MD too.

> # Reliability
> I'm not sure about this part.  Let's see what others have to say
> regarding this.

IMHO both solutions are similar here. Some errors are propagated;
a hw failure (RAM, disk) would have a similar effect.

RAID is not a backup. You should back up the LUKS header and data anyway.

Milan
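
The two layouts discussed in this thread, written out as a dry-run command plan so the difference in LUKS headers to format, open and back up is visible. This is an added example, not part of the original message; the device names (/dev/sdX1, /dev/sdY1), mapping names, header file names and helper functions are constructed placeholders.

```shell
#!/bin/sh
# Dry-run comparison of "crypt over MD" and "MD over crypt".
# All device, mapping and file names below are constructed placeholders.
# Commands are only printed unless APPLY=1 is set; mdadm --create and
# luksFormat destroy existing data on the devices they are given.

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Layout A: dm-crypt on top of MD RAID1 (one LUKS header for the array)
crypt_over_md() {
    run mdadm --create /dev/md0 --level=1 --raid-devices=2 "$1" "$2"
    run cryptsetup luksFormat /dev/md0
    run cryptsetup luksOpen /dev/md0 secure
    run cryptsetup luksHeaderBackup /dev/md0 --header-backup-file md0.luks-header
}

# Layout B: MD RAID1 on top of two dm-crypt devices (one LUKS header per disk)
md_over_crypt() {
    i=0
    for d in "$1" "$2"; do
        run cryptsetup luksFormat "$d"
        run cryptsetup luksOpen "$d" "crypt$i"
        run cryptsetup luksHeaderBackup "$d" --header-backup-file "crypt$i.luks-header"
        i=$((i + 1))
    done
    run mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/mapper/crypt0 /dev/mapper/crypt1
}

# Count how often a cryptsetup action appears in a layout's plan.
# usage: count_action <layout-function> <action>
count_action() {
    ( APPLY=0; "$1" /dev/sdX1 /dev/sdY1 ) | grep -c "cryptsetup $2"
}

echo "# crypt over MD"; crypt_over_md /dev/sdX1 /dev/sdY1
echo "# MD over crypt"; md_over_crypt /dev/sdX1 /dev/sdY1
```

Each header backup file in either layout needs to be stored off the array, since losing a LUKS header makes the data behind it unrecoverable.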

