[dm-crypt] Correct rebuild process for hardware RAID 6 array with LUKS data ?

Arno Wagner arno at wagner.name
Wed Jan 17 17:40:20 CET 2018


You are confusing layers here. 

Just rebuild your hardware RAID as you would with unencrypted data.
It does not care whether the _data_ on the combined RAID device 
is encrypted or not.

From your list, that would be steps 1., 4. and 5. The rest
has no place in this. Incidentally, the RAID controller
never sees the data decrypted.

That is also why you do not find this question or an answer:
It is simply not relevant to cryptsetup/LUKS.

Regards,
Arno


On Mon, Jan 15, 2018 at 09:22:22 CET, nouser wrote:
>    I haven't seen this question answered before and it's not easy to
>    search the list archives.
>    I'm not aware of an IRC channel to ask such a simple question.
>    What is the correct process to initiate a hardware RAID rebuild to
>    ensure the reconstructed disk writes encrypted data?
>    Steps performed: may be incorrect
>    1. activate degraded array (vendor tool)
>    2. cryptsetup luksOpen /dev/sdX sdX
>    3. mount /dev/mapper/sdX /mnt/tmp
>    4. insert new hard drive
>    5. rebuild begins
>    My confusion is as follows.
>    LUKS data is encrypted at rest.
>    Once a LUKS container is unlocked and mounted that data is clear and
>    visible to the operating system and RAID controller. A hardware RAID
>    controller should not be aware of LUKS or encrypted data.
>    During the RAID rebuild I was monitoring CPU usage.
>    There were no CPU spikes typical with writing encrypted data.
>    I'm wondering if the RAID controller is writing unencrypted data from
>    the unlocked LUKS container.
>    Which leads to my original question.
>    1. What is the correct process to rebuild a hardware RAID array with
>    encrypted LUKS data?
>    2. Should the LUKS container be unlocked and filesystem mounted before
>    inserting a new hard drive to initiate a rebuild?  Does it make a
>    difference either way?  Will a bad method destroy or corrupt data?
>    3. What is the best method to verify the rebuilt disk was written with
>    encrypted data?
>    Thank you for your time and I apologize.
>    I couldn't find a clear answer.
>    Thank you,
>    Wrangl3r



-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier


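Question 3 in the quoted message asks how to verify that the device holds encrypted data. One way to check the layer below dm-crypt, as an added example that is not part of the original thread: read the combined RAID block device (the one passed to luksOpen), confirm the LUKS header, and sample the data area for entropy. The function names, the 7.9 bits/byte threshold and the test image are constructed for illustration; only the LUKS1 header layout is parsed, and other versions need the data offset passed in.

```python
import hashlib, io, math, struct
from collections import Counter

LUKS_MAGIC = b"LUKS\xba\xbe"  # first 6 bytes of a LUKS header
SECTOR = 512

def parse_luks_header(hdr):
    """Return (version, payload offset in bytes); offset is None unless LUKS1."""
    if len(hdr) < 108 or hdr[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS magic at offset 0")
    version = struct.unpack(">H", hdr[6:8])[0]
    # LUKS1 stores payload-offset (512-byte sectors) as a big-endian u32 at byte 104.
    off = struct.unpack(">I", hdr[104:108])[0] * SECTOR if version == 1 else None
    return version, off

def entropy(buf):
    """Shannon entropy in bits per byte; ciphertext sits very close to 8.0."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def scan(dev, size, data_offset=None, chunk=64 * 1024, samples=16, threshold=7.9):
    """Sample the data area of the raw device; return (version, low-entropy offsets)."""
    dev.seek(0)
    version, start = parse_luks_header(dev.read(2 * SECTOR))
    if data_offset is not None:
        start = data_offset
    if start is None:
        raise ValueError("non-LUKS1 header: pass data_offset from cryptsetup luksDump")
    span = size - start - chunk
    if span < 0:
        raise ValueError("device too small for one sample")
    low = []
    for i in range(samples):
        pos = start + (span * i // max(samples - 1, 1)) // SECTOR * SECTOR
        dev.seek(pos)
        if entropy(dev.read(chunk)) < threshold:
            low.append(pos)
    return version, low

def constructed_image(plain_chunk=None, chunk=64 * 1024):
    """Constructed test image: LUKS1-style header, 8-sector offset, 1 MiB of data."""
    hdr = LUKS_MAGIC + struct.pack(">H", 1) + bytes(96) + struct.pack(">I", 8)
    data = bytearray(hashlib.shake_256(b"constructed").digest(16 * chunk))
    if plain_chunk is not None:  # simulate plaintext reaching the raw device
        text = b"plaintext file contents\n"
        data[plain_chunk * chunk:(plain_chunk + 1) * chunk] = (text * chunk)[:chunk]
    return hdr.ljust(8 * SECTOR, b"\0") + bytes(data)

if __name__ == "__main__":
    for img in (constructed_image(), constructed_image(plain_chunk=5)):
        print(scan(io.BytesIO(img), len(img)))
```

On a real system, open the block device read-only in binary mode and pass its size in bytes as `size`. A low-entropy offset can also be space that was never written through the mapping, so treat it as a reason to inspect that region rather than as proof of plaintext.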