I have planned for some time (I need money to get the hardware :) to build a secure, extensible, huge and failsafe storage for my server.
The plan consists of adding external (my bigtower is already full of disks) firewire disks on demand, 6 at a time.
Each of these chunks will be used to create a RAID5 device.
Each of these RAID5 devices will be added to my storage volume group.
Each partition I store lots of data on will be a logical volume in this volume group.
Each of these partitions that I want to encrypt will be mapped using dm-crypt.
Of these steps, I already sort of master the RAID5 part, since I already have a 6 disk array in my server. The new stuff for me will be LVM2 and dm-crypt.
Does anyone have any ideas regarding improvements on this scheme? For example, is it possible to map a cryptodevice on a logical volume, or do I have to map the RAID5 device to an encrypted device, and use that encrypted device in the volume group?
When this is all finished, I will be happy to create a HOWTO about this :)
//MartinKihlgren
Well, I can happily tell anyone interested that it was trivial.
First you create a couple raid arrays:
mdadm -C -l 5 -n 5 /dev/md0 /dev/sda1 /dev/sdb1 /dev/sdc1 /dev/sdd1 /dev/sde1
mdadm -C -l 5 -n 5 /dev/md1 /dev/sdf1 /dev/sdg1 /dev/sdh1 /dev/sdi1 /dev/sdj1
Then you create a couple of physical volumes out of those (don't remember the exact command, see http://www.tldp.org/HOWTO/LVM-HOWTO/ ).
Then you create a volume group out of those two physical volumes.
Then you create a logical volume out of that volume group.
Then you use cryptsetup to map this logical volume to an encrypted device.
Then you use mkfs to create a filesystem on that device.
Now, if you close the encrypted device and assign this logical volume more physical extents from the volume group, it's a simple matter of reopening the encrypted volume and (if your filesystem allows this, most do) growing the filesystem to take up more of the (now larger) drive it resides on.
Simple eh!
//MartinKihlgren
I think having disks -> raid5 -> crypt -> LVM would be a lot better. If you encrypt each of the LVs inside LVM instead of encrypting the PV, it will be more difficult to extend/reduce the filesystem later (maybe it will be the same, but I see no reason to run that risk).
//AndreRuiz
Resizing in the former case is no problem. First unmount, stop crypto and stop all LVs. Then resize the LV, restart the crypt device (it automatically takes the new size), resize the filesystem and mount it.
I think you can have it all ways:
disks -> raid -> lvm -> crypt -> filesystem
note: every filesystem can have separate key and must be started separately. mixture of encrypted and not encrypted fs possible
disks -> raid -> crypt -> lvm -> filesystem
note: one key for the whole lvm
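
The setup and grow steps described in this thread for the disks -> raid -> lvm -> crypt -> filesystem layout, written out as a dry-run shell script. This is an added example, not code from any of the posters; the names (storage, data, data_crypt, /mnt/data), the array devices /dev/md0 and /dev/md1, the sizes, and the choice of LUKS and ext4 are assumptions.

```shell
#!/bin/sh
# Added example: prints (DRY_RUN=1, the default) or executes (DRY_RUN=0, as root)
# the command sequence. All names and sizes are assumptions, not from the thread.
DRY_RUN="${DRY_RUN:-1}"
VG="${VG:-storage}"        # volume group holding both RAID5 arrays
LV="${LV:-data}"           # logical volume that gets encrypted
MAP="${MAP:-data_crypt}"   # device-mapper name of the opened crypt device
MNT="${MNT:-/mnt/data}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Accept only sizes of the form <digits><M|G|T>, as passed to LVM's -L option.
valid_size() {
    num="${1%[MGT]}"
    [ "$num" != "$1" ] || return 1
    case "$num" in ''|*[!0-9]*) return 1 ;; esac
}

# Initial build: PVs on the arrays, one VG, one LV, crypt mapping, filesystem.
setup_stack() {
    valid_size "$1" || { echo "bad size: $1" >&2; return 1; }
    run pvcreate /dev/md0 /dev/md1 &&
    run vgcreate "$VG" /dev/md0 /dev/md1 &&
    run lvcreate -L "$1" -n "$LV" "$VG" &&
    run cryptsetup luksFormat "/dev/$VG/$LV" &&
    run cryptsetup open "/dev/$VG/$LV" "$MAP" &&
    run mkfs.ext4 "/dev/mapper/$MAP" &&
    run mount "/dev/mapper/$MAP" "$MNT"
}

# Grow in the order given in the thread: unmount, close the crypt device,
# extend the LV, reopen (the mapping takes the new size), grow the filesystem.
grow_volume() {
    valid_size "$1" || { echo "bad size: $1" >&2; return 1; }
    run umount "$MNT" &&
    run cryptsetup close "$MAP" &&
    run lvextend -L "+$1" "/dev/$VG/$LV" &&
    run cryptsetup open "/dev/$VG/$LV" "$MAP" &&
    run e2fsck -f "/dev/mapper/$MAP" &&
    run resize2fs "/dev/mapper/$MAP" &&
    run mount "/dev/mapper/$MAP" "$MNT"
}

# In dry-run mode, print both plans; nothing on the system is changed.
if [ "$DRY_RUN" = "1" ]; then setup_stack 100G; grow_volume 50G; fi
```

Each `&&` stops the sequence at the first failing step when run with DRY_RUN=0, so a failed `lvextend` never reaches `resize2fs`.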