[dm-crypt] Encrypt underlying disks after the fact?
arno at wagner.name
Tue Apr 2 02:39:29 CEST 2013
On Mon, Apr 01, 2013 at 04:25:28PM -0700, Omen Wild wrote:
> I have a mirrored ZFS on Linux pool and I am now regretting not having
> encrypted the underlying disks. Can I do this after the fact, i.e.:
> - break the mirror: zpool detach tank /dev/sdb
> - wipe disk
> - cryptsetup luksFormat /dev/sdb
> - rebuild the mirror: zpool attach tank /dev/sda /dev/mapper/c1
With enought space, this should work. However if you encrypt the
underlying disks, you will have to unlock each one individually
or script something before mounting. Integrating RAID into the
filesystem like ZFS does really is not that good an idea and this
is one eaxmple why: It breaks the layering and the filesystem has to
suddenly do everything, including encryption. Not good as it violates
KISS. Sadly, the BTRFS developers are making the same mistake...
> When I created the pool I gave ZFS the entire disks so it formatted them
> ----- Begin quote -----
> Partition Table: gpt
> Number Start End Size File system Name Flags
> 1 1048576B 2000390528511B 2000389479936B zfs zfs
> 9 2000390528512B 2000398917119B 8388608B
> ----- End quote -----
> The main question is whether the LUKS disk would have at least as many
> blocks as #1. Looking at the numbers is looks like there is 1MB
> available at the beginning, and 8MB at the end, and the LUKS header is
> 1MB+4096B or 2 MB, so it looks like it will fit on the raw device. The
> other route would be to use a detached header. Any recommendations
> between the two methods?
Detached header would mean you have one more device to worry about.
I would recommend avoiding it in this scenario. Your device is
only 2TB, are you sure you want ZFS on top of that? Also, AFAIK,
ZFS is Beta-quality on Linux and incomplete.
> Assuming this could work I suppose the safest way to do this would be to
> buy a 3rd disk, encrypt it, add it to the pool, then rotate the original
> 2 out one at a time.
You could also do something else if it does not fit or if you
want to change thesize anyways:
1. Make a degraded md RAID1 on a new disk.
2. Put a LUKS container on it
3. Put ZFS (single drive) on top of that
4. Copy all data over
5. Remove one disk from the SFS tool and add it to the md RAID1.
This gives you proper layering again and you have to do only one
unlock on mounting.
> Oh, and backups, backups, and more backups.
> The world is coming to an end, SAVE YOUR BUFFERS!!!
> dm-crypt mailing list
> dm-crypt at saout.de
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno at wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
More information about the dm-crypt