[dm-crypt] LUKS safety on RAID 1 mirror

Mark Connor markc44 at gmx.com
Tue Nov 25 11:03:17 CET 2014


Hello

I currently have a deployment with LUKS (aes-cbc-256) on different 1TB, 500GB, 300GB etc. drives. All the drives use different keys and an XFS filesystem on top of LUKS.
I'm planning to replace this setup with 2X4TB disks in software raid1 (with mdraid) but I have my concerns.

1, If a sector goes bad on disk1, that normally shouldn't be replicated to disk2, but in the case of LUKS I don't know what happens then.

2, I think it is more practical, when one is dealing with encryption, to keep many smaller partitions encrypted with separate keys, in case of partial disk failure (other parts of the disk can still be accessed).
Also all the partitions have their own separate LUKS headers...

Unlike if I don't even create a partition and just put sda (4TB) and sdb (4TB) into an md0 array and make LUKS on that one: if anything goes wrong with the header I lose all my data, or if any part of the disks breaks.

I know that ultimately RAID only protects against drive failures (not if files get corrupted or deleted), so I have to have a separate snapshotted backup next to it. But would implementing RAID1 in the case of LUKS be an advantage or a disadvantage?

Thanks