[dm-crypt] Correct rebuild process for hardware RAID 6 array with LUKS data ?
hannes at erven.at
Wed Jan 17 12:35:05 CET 2018
> What is the correct process to initiate a hardware RAID rebuild to
> ensure the reconstructed disk writes encrypted data?
> 1. activate degraded array (vendor tool)
> 2. cryptsetup luksOpen /dev/sdX sdX
> 3. mount /dev/mapper/sdX /mnt/tmp
> 4. insert new hard drive
> 5. rebuild begins
Given your steps, it looks like you are using a hardware RAID controller
and /dev/sdX is the "raid" device itself (not an individual RAID member).
The hardware controller will write the necessary data from the good
members to the new drive "by itself", without any interference from the
OS. It can only address the RAID drives and does not know about the LUKS
I guess the easiest way demonstrate only encrypted data will be stored
is simply not to unlock the encrypted volume during the RAID's rebuild.
1. activate degraded array (vendor tool)
2. insert new hard drive
3. rebuild begins
4. wait for rebuild to finish
5. cryptsetup luksOpen /dev/sdX sdX
6. mount /dev/mapper/sdX /mnt/tmp
Things might be more complicated when using a software raid, but again,
the easiest solution would be just not to unlock the RAID encryption
Whether you open the filesystem before, during or after the rebuild
should not matter. The RAID controller knows which blocks are good on
what device and will synchronize all data, even data that is written
while the rebuild is active.
Am 2018-01-15 um 09:22 schrieb nouser:
> I haven't seen this question answered before and it's not easy to search
> the list archives.
> I'm not aware of an IRC channel to ask such a simple question.
> Steps performed: may be incorrect
> My confusion is as follows.
> LUKS data is encrypted at rest.
> Once a LUKS container is unlocked and mounted that data is clear and
> visible to the operating system and RAID controller. A hardware RAID
> controller should not be aware of LUKS or encrypted data.
> During the RAID rebuild I was monitoring CPU usage.
> There were no CPU spikes typical with writing encrypted data.
> I'm wondering if the RAID controller is writing unencrypted data from
> the unlocked LUKS container.
> Which leads to my original question.
> 1. What is the correct process to rebuild a hardware RAID array with
> encrypted LUKS data?
> 2. Should the LUKS container be unlocked and filesystem mounted before
> inserting a new hard drive to initiate a rebuild? Does it make a
> difference either way? Will a bad method destroy or corrupt data?
> 3. What is the best method to verify the rebuilt disk was written with
> encrypted data?
> Thank you for your time and I apologize.
> I couldn't find a clear answer.
> Thank you,
> dm-crypt mailing list
> dm-crypt at saout.de
More information about the dm-crypt