[dm-crypt] Encrypted Btrfs RAID1

ax487 ax487 at gmx.de
Wed Sep 11 22:39:13 CEST 2013

On 11.09.2013 20:24, Arno Wagner wrote:
> On Wed, Sep 11, 2013 at 08:13:12PM +0200, ax487 wrote:
>> Hello all,
>> I have been using LUKS for quite some time now to encrypt block devices.
>> Up to now I have always used the setup RAID1 -> Encryption -> LVM2 ->
>> filesystems.
>> Now however I want to create an encrypted Btrfs RAID1. The problem is
>> that a RAID based on Btrfs is not based on block devices. What I would
>> need is to encrypt two different partitions and then use their decrypted
>> counterparts as basis for the RAID. The problem is that I really don't
>> want to add my pass phrase multiple times and I don't like key files. I
>> realize that the 'reuse key' problem is a long standing issue:
>> https://bbs.archlinux.org/viewtopic.php?id=117152
>> https://bugzilla.redhat.com/show_bug.cgi?id=446567
>> https://www.martineve.com/2012/11/02/luks-encrypting-multiple-partitions-on-debianubuntu-with-a-single-passphrase/
>> However I did not find a solution anywhere.
>> Could you tell me how to setup my system to make things work the way I
>> intend to?
> Easy answer: Don't use Btrfs as long as it is not finished (i.e.
> does not implement encryption). If these people think they can 
> integrate multiple storage layers, they should at least have the
> most common in there and that does include encryption.

Well, I think that Btrfs is ready for a production system. The
filesystem-based approach to a RAID1 offers some advantages, as does
Btrfs in general. Also, as I have pointed out, people seem to want
reusable keys as a feature. If Btrfs becomes the new standard filesystem
on linux there will probably be some more requests. I might be wrong,
but I assumed that reusable keys would be a feature not too difficult to
implement, most certainly much less difficult than for the Btrfs
developers to implement disk encryption from scratch.

> More complicated answer: There is no pre-packaged solution.
> You could do different things, e.g. make one parition LUKS
> and the other plain dm-crypt with a key derived somehow from 
> the LUKS master key.

I don't know how much you know about what a RAID1 is, but that approach
pretty much defeats the entire purpose of it...

> Arno

More information about the dm-crypt mailing list