/boot md0
/boot/EFI md1
/ md2 -> vg0 -> lvs

Otherwise it was more a suggestion on using encryption for more than just the /home partition, since there is always a risk with SWAP etc. to have information that you do not want to be read.

My current setup goes:

/dev/mapper/vg0-root /
/dev/mapper/vg0-usr /usr
/dev/nvme0n1p2 /boot <- this would be a md device in your case
/dev/nvme0n1p1 /boot/efi <- this would be a md device in your case
/dev/mapper/vg0-home /home
/dev/mapper/vg0-var /var
/dev/mapper/vg0-tmp /tmp
/dev/mapper/vg0-var_tmp /var/tmp
/dev/mapper/vg0-var_log /var/log
/dev/mapper/vg0-var_log_audit /var/log/audit

Note that we are most likely mixing data redundancy with data security a bit here. So as far as your plan to run a md device for each "partition" needed, that is a sound and solid plan.

When it comes to encryption, the point is that you might want to have more than just /home protected. But this is very dependent on your threat model. If you have a laptop, encryption of all partitions is suggested.

Regards

On 2022-04-24 20:54, H wrote:
> On 04/23/2022 09:19 PM, H wrote:
>> On 04/19/2022 09:57 AM, Roberto Ragusa wrote:
>>> On 4/18/22 1:27 PM, H wrote:
>>>> I have a new computer with 2 x 2TB SSDs where I wanted to install C7 and use mdadm for RAID1 configuration and encrypting the /home partition. On the net I found https://tuxfixer.com/centos-7-installation-with-lvm-raid-1-mirroring/ which I adopted slightly with respect to partition sizes, using RAID1 for /boot and /root as well and added the /home partition with RAID1 and chose to have /home encrypted.
>>>
>>> It may be a good idea to also have / and swap encrypted, since user data can go there easily (logs, locatedb, swapped mem).
>>>
>>> I would do:
>>> - /boot as a separate RAID1 (md1=sda1+sdb1)
>>> - then another RAID1 (md2=sda2+sdb2) using all the remaining disk
>>> - luks on top of md2, giving you luks-xxxxx
>>> - LVM with a PV on luks-xxxxx
>>> - VG and LVs for swap, / and /home (do not assign all the available space now, especially if using xfs as filesystem)
>>>
>>> Not sure if you can do this setup through the installer, you have to try (in a VM maybe).
>>>
>>> Regards.
>>
>> Thank you. I will have time to get back to this system tomorrow to try this.
>> _______________________________________________
>> CentOS mailing list
>> CentOS@xxxxxxxxxx
>> https://lists.centos.org/mailman/listinfo/centos
>
> Roberto, what would the advantage(s) be with your setup, ie one RAID1 array for everything but /boot compared to what I had done, ie three RAID1 arrays for /boot/efi RAID1, /boot RAID1 and one LVM-RAID1 for / and /home? As a naive user it would seem to me that the setup I did would be more resilient if a disk fails, or?
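
A check for the point made in this thread that /, swap and logs can hold user data when only /home is encrypted, as an added example that is not part of any poster's message: it walks `lsblk --json -o NAME,TYPE,MOUNTPOINT` output and lists mount points with no `crypt` layer beneath them. The two device trees are constructed samples modelled on the layouts discussed, the helper names are hypothetical, and it assumes a util-linux whose lsblk supports `--json`.

```python
import json

# Mount points that stay outside LUKS in every layout discussed in the thread.
BOOT_EXEMPT = {"/boot", "/boot/efi"}

def unencrypted_mounts(lsblk_json, exempt=BOOT_EXEMPT):
    """Return sorted mount points (and [SWAP]) with no dm-crypt layer beneath."""
    found = set()  # a set, because each md device appears under both mirror disks

    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        mp = node.get("mountpoint")
        if mp and not under_crypt and mp not in exempt:
            found.add(mp)
        for child in node.get("children", []):
            walk(child, under_crypt)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return sorted(found)

def node(name, kind, mountpoint=None, children=()):
    return {"name": name, "type": kind, "mountpoint": mountpoint,
            "children": list(children)}

def mirrored(per_partition):
    """Build lsblk-shaped JSON for two disks whose partitions pair up as RAID1."""
    return json.dumps({"blockdevices": [
        node(d, "disk", children=[node(f"{d}{i}", "part", children=[c])
                                  for i, c in enumerate(per_partition, 1)])
        for d in ("sda", "sdb")]})

# Constructed sample 1: three arrays, only /home sits on LUKS.
HOME_ONLY = mirrored([
    node("md0", "raid1", "/boot/efi"),
    node("md1", "raid1", "/boot"),
    node("md2", "raid1", children=[
        node("vg0-root", "lvm", "/"), node("vg0-swap", "lvm", "[SWAP]"),
        node("vg0-home", "lvm", children=[node("luks-home", "crypt", "/home")])]),
])

# Constructed sample 2: LUKS directly on the large array, LVM inside it.
LUKS_UNDER_LVM = mirrored([
    node("md1", "raid1", "/boot"),
    node("md2", "raid1", children=[node("luks-xxxxx", "crypt", children=[
        node("vg0-swap", "lvm", "[SWAP]"), node("vg0-root", "lvm", "/"),
        node("vg0-home", "lvm", "/home")])]),
])

if __name__ == "__main__":
    print("home only     :", unencrypted_mounts(HOME_ONLY))
    print("luks under lvm:", unencrypted_mounts(LUKS_UNDER_LVM))
```

On a live system, pass the text captured from the lsblk command to `unencrypted_mounts` in place of the samples.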