Re: LUKS safety on RAID 1 mirror

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Nov 25, 2014 at 11:28:47 CET, Fabrice Bongartz wrote:
> Hi Mark, 
> 
> I currently employ the following setup: 
> I have multiple md software raid 1 arrays and luks on top of that. For example, /dev/sda1 and /dev/sdb1 are two identifcal disks which are in a raid1 using md raid as /dev/md0. The luks encrypted device is /dev/md0. So far, I have had two discs fail in two different arrays and I have had no problem restoring them. The array continued in degrated mode and I could safely replace the two drives and add the new disks to the arrays using the mdadm command. 
> 
> I am also curious as to what the devs have to say about this. 

RAID and LUKS are in separate layers and do not influence
each other. See FAQ Items 2.2 ad 2.8. 2.8 also has a picture.

If you place LUKS atop RAID, you get pretty much
the same change as with a normal filesystem atop RAID. Of 
course, the LUKS header is critical, which is why you should 
always have a header backup, just the same as without RAID.

If you place LUKS below RAID (not that good an idea), you
will have to unlock the raw devices before the RAID can
be assembled. You should have header backups for as much
devices as are neded to assemble the RAID, but better for 
all.

Really, these are separate issuses, LUKS and RAID do not
magically interact behind your back.

Gr"usse,
Arno
 
> BTW: I always make a complete backup on a third external disk, I don't
> want to take any chances.
> 
> Cheers, 
> 
> Fabrice Bongartz 
> 
> 
> Von: "Mark Connor" <markc44@xxxxxxx> 
> An: "dm-crypt" <dm-crypt@xxxxxxxx> 
> Gesendet: Dienstag, 25. November 2014 11:03:17 
> Betreff:  LUKS safety on RAID 1 mirror 
> 
> Hello 
> 
> I currently have a deployment with luks (aes-cbc-256) on different 1TB, 500GB, 300GB etc. drives. All the drives use different keys and XFS filesystem on the top of luks. 
> I'm planning to replace this setup with 2X4TB disks in software raid1 (with mdraid) but I have my concerns. 
> 
> 1, If a sector goes bad on disk1 that normally shouldn't be replicated to disk2 but in case of luks I don't know what happens then. 
> 
> 2, I think it is more practical -when one is dealing with encryption- to keep many smaller partitions encrypted with separate keys, in case of partial disk failure (other parts of the disk can still be accessed). 
> Also all the partitions have their own separate luks headers... 
> 
> Unlike if I don't even create partition just put sda (4TB) sdb(4TB) into and md0 array and make luks on that one, if anything goes wrong with the header I lose all my data or if any part of the disks breaks. 
> 
> I know that ultimately raid is only protect against drive failures (not if files get corrupted or deleted) so have to have a separated snapshotted backup next to it. But would implementing raid1 in case of luks be an advantage or a disadvantage? 
> 
> Thanks 
> _______________________________________________ 
> dm-crypt mailing list 
> dm-crypt@xxxxxxxx 
> http://www.saout.de/mailman/listinfo/dm-crypt 

> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt


-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt




[Index of Archives]     [Device Mapper Devel]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux