encrypted raid with lvm

tested under ubuntu 9.10 and 10.10:
1. boot your system in a live session with internet connection.

2. install lvm2, mdadm and cryptsetup, if they are not already there

3. build your raid with mdadm (for raid 0 or 1 you do not need mdadm, you might try it with lvm2). but be aware that you will need an unencrypted part for /boot, so you will need another hard disk or a free partition somewhere…
# mdadm --create /dev/md0 --level=raid5 --raid-devices=3 /dev/sdb /dev/sdc /dev/sdd

4. set up your encrypted storage on the raid device.
# cryptsetup luksFormat -v /dev/md0
-> you can choose between a password or a key file (e.g. on a usb-stick as a dongle).

5. open your encrypted storage.
# cryptsetup luksOpen /dev/md0 myStuff

6. create your physical volume, volume group and logical volumes for lvm2.
# pvcreate /dev/mapper/myStuff
# vgcreate -s 16M vg_raid /dev/mapper/myStuff
-> be careful with big raid devices: lvm2 can handle about 65536 extents for each logical volume. with -s (--physicalextentsize) you can set another size for the extents. the default is 4MB -> 65536 x 16 MB = 1TB (4MB -> 256 GB).
# lvcreate -L 1T -n home vg_raid
-> creates a logical volume with the size of 1 TB in the volume group vg_raid with the name home.
# lvcreate -l 100%FREE -n swap vg_raid
-> creates a logical volume with the rest of the extents in the volume group vg_raid with the name swap.

7. the next point is to put filesystems on the logical volumes yourself, because the installer of ubuntu has a problem with logical volumes: if you format them in the installer, it creates a subdevice for them. so if you put a filesystem on the logical volume home in the installer, it creates vg_raid-home1, but that will disappear after the installation and you cannot use it.
# mkswap /dev/mapper/vg_raid-swap
# mkfs.ext4 /dev/mapper/vg_raid-home

8. now you can install the system, but do not reboot (quite important).

9. do a chroot in the new system
# mount /dev/sda /mnt
# mount /dev/mapper/vg_raid-home /mnt/home
# mount -o bind /dev /mnt/dev
# mount -t proc /proc /mnt/proc
# mount -t sysfs /sys /mnt/sys
# cp /etc/resolv.conf /mnt/etc/resolv.conf
# chroot /mnt /bin/bash

10. install the needed applications to detect the raid, encrypt the raid and provide the devices
# aptitude install lvm2 cryptsetup mdadm

11. prepare cryptsetup to bring up your encrypted device
# vi /etc/crypttab
-> add the name of the encrypted device, the uuid of the raid device, how the encryption is handled (password, key, etc.) and options how to handle the device. to find the uuid, run "ls -l /dev/disk/by-uuid/" and look for the link that points to md0.
myStuff UUID= none luks

12. update your initramfs
# update-initramfs -u -k all

13. reboot
# reboot

that's all. hopefully it came up. cryptsetup terminates with 1 if the options in /etc/crypttab are wrong; just put the uuid in there, not the path or something else. to check what you have done in lvm2, pvdisplay, vgdisplay and lvdisplay show what you created and how much of it is used; the other commands starting with pv/vg/lv are self-explaining. if your raid does not come up automatically, use "mdadm --assemble --scan", then it should be there. the encryption with luks is very flexible: you can use more than one key or alter them after a while.
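
a small check for the /etc/crypttab entry from step 11, run before "update-initramfs" and the reboot. this is an added example, not part of the original post: the function name check_crypttab, the rule set (four fields, UUID= source instead of a path, key "none" or an absolute path, option "luks") and the uuid in the sample are assumptions made for illustration.

```shell
# check_crypttab: lint crypttab entries read from stdin (added example).
# prints one finding per problem; returns 0 if clean, 1 otherwise.
# the ( ) body runs in a subshell, so its variables do not leak out.
check_crypttab() (
    n=0 bad=0
    uuid_re='^UUID=[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
    while read -r name src key opts extra || [ -n "$name" ]; do
        n=$((n + 1))
        case $name in ''|'#'*) continue ;; esac      # blank line or comment
        if [ -z "$opts" ] || [ -n "$extra" ]; then
            echo "line $n: expected 4 fields: name source key options"; bad=1
            continue
        fi
        case $src in
            UUID=)  echo "line $n: $name: UUID= is empty, add the uuid of the raid device"; bad=1 ;;
            /dev/*) echo "line $n: $name: source is a path ($src), use UUID=<uuid> instead"; bad=1 ;;
            *)      printf '%s\n' "$src" | grep -Eq "$uuid_re" ||
                        { echo "line $n: $name: malformed source '$src'"; bad=1; } ;;
        esac
        case $key in
            none|/*) ;;                               # passphrase prompt or key file
            *) echo "line $n: $name: key must be 'none' or an absolute key file path"; bad=1 ;;
        esac
        case ",$opts," in
            *,luks,*) ;;
            *) echo "line $n: $name: options lack 'luks'"; bad=1 ;;
        esac
    done
    exit "$bad"
)

# constructed sample input; the uuid is made up for illustration
sample_crypttab() {
    cat <<'EOF'
# <name> <source> <key> <options>
myStuff UUID=0f3e2a1c-7b4d-4e9a-8c21-5d6f7a8b9c0d none luks
myStuff UUID= none luks
myStuff /dev/md0 none luks
myStuff UUID=0f3e2a1c-7b4d-4e9a-8c21-5d6f7a8b9c0d none
EOF
}

sample_crypttab | check_crypttab || true
```

inside the chroot from step 9, the real file can be checked with "check_crypttab < /etc/crypttab".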

source:

http://billauer.co.il/blog/2010/01/howto-lvm-dm-crypt-raid-5-mdadm-fc12-fedora/
http://readm3.org/os/ubuntu/full-disk-encryption-lvm-luks

~ by frankooh on 2011-01-21T10:56:25+00:00.
