[dm-crypt] Correct rebuild process for hardware RAID 6 array with LUKS data ?

Hannes Erven hannes at erven.at
Wed Jan 17 12:35:05 CET 2018


Hi Wrangl3r,


 > What is the correct process to initiate a hardware RAID rebuild to
 > ensure the reconstructed disk writes encrypted data?
 > [...]
 > 1. activate degraded array (vendor tool)
 > 2. cryptsetup luksOpen /dev/sdX sdX
 > 3. mount /dev/mapper/sdX /mnt/tmp
 > 4. insert new hard drive
 > 5. rebuild begins


Given your steps, it looks like you are using a hardware RAID controller 
and /dev/sdX is the "raid" device itself (not an individual RAID member).
The hardware controller will write the necessary data from the good 
members to the new drive "by itself", without any interference from the 
OS. It can only address the RAID drives and does not know about the LUKS 
device mappings.

I guess the easiest way demonstrate only encrypted data will be stored 
is simply not to unlock the encrypted volume during the RAID's rebuild.

So:
  1. activate degraded array (vendor tool)
  2. insert new hard drive
  3. rebuild begins
  4. wait for rebuild to finish

  5. cryptsetup luksOpen /dev/sdX sdX
  6. mount /dev/mapper/sdX /mnt/tmp


Things might be more complicated when using a software raid, but again, 
the easiest solution would be just not to unlock the RAID encryption 
during rebuild.


Whether you open the filesystem before, during or after the rebuild 
should not matter. The RAID controller knows which blocks are good on 
what device and will synchronize all data, even data that is written 
while the rebuild is active.



Best regards,

	-hannes



Am 2018-01-15 um 09:22 schrieb nouser:
> I haven't seen this question answered before and it's not easy to search 
> the list archives.
> I'm not aware of an IRC channel to ask such a simple question.
> 
> 
> Steps performed: may be incorrect
> 
> 
> 
> My confusion is as follows.
> LUKS data is encrypted at rest.
> 
> Once a LUKS container is unlocked and mounted that data is clear and 
> visible to the operating system and RAID controller. A hardware RAID 
> controller should not be aware of LUKS or encrypted data.
> 
> During the RAID rebuild I was monitoring CPU usage.
> There were no CPU spikes typical with writing encrypted data.
> I'm wondering if the RAID controller is writing unencrypted data from 
> the unlocked LUKS container.
> 
> Which leads to my original question.
> 
> 1. What is the correct process to rebuild a hardware RAID array with 
> encrypted LUKS data?
> 
> 2. Should the LUKS container be unlocked and filesystem mounted before 
> inserting a new hard drive to initiate a rebuild?  Does it make a 
> difference either way?  Will a bad method destroy or corrupt data?
> 
> 3. What is the best method to verify the rebuilt disk was written with 
> encrypted data?
> 
> 
> Thank you for your time and I apologize.
> I couldn't find a clear answer.
> 
> 
> Thank you,
> 
> Wrangl3r
> 
> 
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
> 



More information about the dm-crypt mailing list