[dm-crypt] Encrypted Raid1 or Raid 1 of encrypted devices?

Arno Wagner arno at wagner.name
Tue Jul 12 14:20:07 CEST 2011

Hi Laurence,

for security reasons, encrypt the RAID1. Otherwise you are
giving an attacker more data, namely everything encrypted
with two different keys.

For performance reasons, the same. If you RAID1 encrypted disks,
everything has to be encrypted twice; if you encrypt the
RAID1, all data is encrypted only once, halving the effort.

On Mon, Jul 11, 2011 at 11:03:12PM +0100, Laurence Darby wrote:
> Hello,
> I have 2 disks currently as a RAID1, and want to encrypt it.  I've
> done several tests with loopback devices, and found that I can either
> create a raid1 with the raw devices, and then encrypt the /dev/md
> device, eg:
> losetup /dev/loop1 /tmp/a
> losetup /dev/loop2 /tmp/b
> mdadm --create /dev/md3 --level=1 /dev/loop1 /dev/loop2 --raid-devices=2
> cryptsetup luksFormat /dev/md3
> cryptsetup luksOpen /dev/md3 md3
> or instead encrypt each device, and then make the 2 encrypted devices
> into a raid, eg:
> losetup /dev/loop3 /tmp/c
> losetup /dev/loop4 /tmp/d
> cryptsetup luksFormat /dev/loop3
> cryptsetup luksFormat /dev/loop4
> cryptsetup luksOpen /dev/loop3 data3
> cryptsetup luksOpen /dev/loop4 data4
> mdadm --create /dev/md4 --level=1 /dev/mapper/data3 /dev/mapper/data4
> --raid-devices=2
> Is there a recommended way to do this?

See above, place encryption directly below the filesystem and
above any RAID/LVM,... mechanism.

> I've read the FAQ,

Very good!

> especially the part about bad RAM, how single bit
> flip errors get amplified - would that mean encrypting each disk
> separately is safer, because a bit flip error would be copied
> to only one device instead of both?

Good thinking, but no. It has zero advantage having one good
and one corrupted copy, but no way to tell which is which.
If you have bit-errors, you have a major problem. If they
get amplified, the main difference is that you may detect them
earlier, which is an advantage.

> If that happened and a
> verification test spotted it, I could remove each device in turn to
> find which has the corruption, and repair it.  

A RAID consistency check would spot it, but how would you identify
the good copy? And if the bit-error does happen before encryption,
this does not help at all. In addition, as encryption does run mainly
in the CPU caches, bit errors are not very likely there anyways.

> I am planning on running
> the full set of RAM tests anyway.  Is there any reason not to encrypt
> each device separately, or any other general advice here?

See above. Don't worry about adapting your disk encryption to the
possibility of bit-errors. These are separate issues and should
not be mixed. 

What you should do with regard to bit-errors is whenever you copy
something large or archive something large or do backups, always
do a verify that compares the data. This is the best way to
detect errors and ensure data integrity. For small writes,
bit errors are very, very unlikely, unless your system is
extremely instable.

I think I will add a section on encryption vs. RAID in the

Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

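Added example, not part of the original post: it shows the point made above that a consistency check spots a mismatch but cannot identify the good copy, together with the advice to verify large copies by comparing the data. Regular temp files stand in for the two mirror halves; the function names and the SHA-256 reference recorded at write time are assumptions of this sketch.

```sh
#!/bin/sh
# Added example, not from the thread. All paths are constructed temp files.

sha256_of() { sha256sum < "$1" | cut -d' ' -f1; }

# Copy $1 to $2, then verify by comparing the data. Returns 0 only on a match.
verified_copy() {
    cp -- "$1" "$2" || return 1
    # Caveat: cmp right after cp may be served from the page cache, not the disk.
    cmp -s -- "$1" "$2"
}

# Flip the lowest bit of the byte at offset $2 in file $1 (simulated bit error).
flip_bit() {
    local byte
    byte=$(dd if="$1" bs=1 skip="$2" count=1 2>/dev/null | od -An -tu1 | tr -d '[:space:]')
    printf '%b' "\\0$(printf '%03o' $((byte ^ 1)))" |
        dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# Compare two mirror halves as a RAID1 consistency check would, then use a
# SHA-256 recorded at write time ($3, optional) to decide which half is intact.
# Prints: consistent | consistent-but-bad | mismatch-unknown | good:<path> | both-bad
classify_mirrors() {
    local f
    if cmp -s -- "$1" "$2"; then
        if [ -z "${3:-}" ] || [ "$(sha256_of "$1")" = "$3" ]; then echo consistent
        else echo consistent-but-bad; fi    # error occurred before mirroring
        return 0
    fi
    if [ -z "${3:-}" ]; then echo mismatch-unknown; return 0; fi
    for f in "$1" "$2"; do
        if [ "$(sha256_of "$f")" = "$3" ]; then echo "good:$f"; return 0; fi
    done
    echo both-bad
}

demo() {
    local dir sum
    dir=$(mktemp -d)
    head -c 65536 /dev/urandom > "$dir/src"      # constructed sample data
    sum=$(sha256_of "$dir/src")                   # reference recorded at write time
    verified_copy "$dir/src" "$dir/a" && verified_copy "$dir/src" "$dir/b" || return 1
    flip_bit "$dir/b" 4242                        # corrupt one mirror half
    classify_mirrors "$dir/a" "$dir/b"            # halves differ, good one unknown
    classify_mirrors "$dir/a" "$dir/b" "$sum"     # reference identifies the intact half
    rm -rf "$dir"
}
demo
```

The `consistent-but-bad` result corresponds to a bit error that happens before the data reaches the mirror: both halves agree, and only the independent reference reveals the damage.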