Re: LUKS safety on RAID 1 mirror


 



Hi Mark,

I currently employ the following setup:
I have multiple md software raid 1 arrays and luks on top of that. For example, /dev/sda1 and /dev/sdb1 are two identical disks which are in a raid1 using md raid as /dev/md0. The luks encrypted device is /dev/md0. So far, I have had two discs fail in two different arrays and I have had no problem restoring them. The array continued in degraded mode and I could safely replace the two drives and add the new disks to the arrays using the mdadm command.

I am also curious as to what the devs have to say about this.

BTW: I always make a complete backup on a third external disk, I don't want to take any chances.

Cheers,

Fabrice Bongartz


From: "Mark Connor" <markc44@xxxxxxx>
To: "dm-crypt" <dm-crypt@xxxxxxxx>
Sent: Tuesday, 25 November 2014 11:03:17
Subject: [dm-crypt] LUKS safety on RAID 1 mirror

Hello

I currently have a deployment with luks (aes-cbc-256) on different 1TB, 500GB, 300GB etc. drives. All the drives use different keys and XFS filesystem on top of luks.
I'm planning to replace this setup with 2X4TB disks in software raid1 (with mdraid) but I have my concerns.

1, If a sector goes bad on disk1 that normally shouldn't be replicated to disk2 but in case of luks I don't know what happens then.

2, I think it is more practical -when one is dealing with encryption- to keep many smaller partitions encrypted with separate keys, in case of partial disk failure (other parts of the disk can still be accessed).
Also all the partitions have their own separate luks headers...

Unlike if I don't even create a partition, just put sda (4TB) and sdb (4TB) into an md0 array and make luks on that one; if anything goes wrong with the header I lose all my data, or if any part of the disks breaks.

I know that ultimately raid only protects against drive failures (not if files get corrupted or deleted), so I have to have a separate snapshotted backup next to it. But would implementing raid1 in case of luks be an advantage or a disadvantage?

Thanks
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt