[dm-crypt] Encrypted Raid1 or Raid 1 of encrypted devices?

Laurence Darby ldarby at tuffmail.com
Tue Jul 12 00:03:12 CEST 2011


I have 2 disks currently as a RAID1, and want to encrypt it.  I've
done several tests with loopback devices, and found that I can either
create a raid1 with the raw devices, and then encrypt the /dev/md
device, e.g.:

losetup /dev/loop1 /tmp/a
losetup /dev/loop2 /tmp/b

mdadm --create /dev/md3 --level=1 /dev/loop1 /dev/loop2 --raid-devices=2

cryptsetup luksFormat /dev/md3
cryptsetup luksOpen /dev/md3 md3

or instead encrypt each device, and then make the 2 encrypted devices
into a raid, e.g.:

losetup /dev/loop3 /tmp/c
losetup /dev/loop4 /tmp/d

cryptsetup luksFormat /dev/loop3
cryptsetup luksFormat /dev/loop4

cryptsetup luksOpen /dev/loop3 data3
cryptsetup luksOpen /dev/loop4 data4

mdadm --create /dev/md4 --level=1 --raid-devices=2 /dev/mapper/data3 /dev/mapper/data4

Is there a recommended way to do this?

I've read the FAQ, especially the part about bad RAM, how single bit
flip errors get amplified - would that mean encrypting each disk
separately is safer, because a bit flip error would be copied
to only one device instead of both?  If that happened and a
verification test spotted it, I could remove each device in turn to
find which has the corruption, and repair it.  I am planning on running
the full set of RAM tests anyway.  Is there any reason not to encrypt
each device separately, or any other general advice here?

