I haven't seen this question answered before and it's not easy to search the list archives.
I'm not aware of an IRC channel to ask such a simple question.
What is the correct process to initiate a hardware RAID rebuild to ensure the reconstructed disk writes encrypted data?
Steps performed: may be incorrect
1. activate degraded array (vendor tool)
2. cryptsetup luksOpen /dev/sdX sdX
3. mount /dev/mapper/sdX /mnt/tmp
4. insert new hard drive
5. rebuild begins
My confusion is as follows.
LUKS data is encrypted at rest.
Once a LUKS container is unlocked and mounted that data is clear and visible to the operating system and RAID controller. A hardware RAID controller should not be aware of LUKS or encrypted data.
During the RAID rebuild I was monitoring CPU usage.
There were no CPU spikes typical with writing encrypted data.
I'm wondering if the RAID controller is writing unencrypted data from the unlocked LUKS container.
Which leads to my original question.
1. What is the correct process to rebuild a hardware RAID array with encrypted LUKS data?
2. Should the LUKS container be unlocked and filesystem mounted before inserting a new hard drive to initiate a rebuild? Does it make a difference either way? Will a bad method destroy or corrupt data?
3. What is the best method to verify the rebuilt disk was written with encrypted data?
Thank you for your time and I apologize.
I couldn't find a clear answer.
Thank you,
Wrangl3r
I'm not aware of an IRC channel to ask such a simple question.
What is the correct process to initiate a hardware RAID rebuild to ensure the reconstructed disk writes encrypted data?
Steps performed: may be incorrect
1. activate degraded array (vendor tool)
2. cryptsetup luksOpen /dev/sdX sdX
3. mount /dev/mapper/sdX /mnt/tmp
4. insert new hard drive
5. rebuild begins
My confusion is as follows.
LUKS data is encrypted at rest.
Once a LUKS container is unlocked and mounted that data is clear and visible to the operating system and RAID controller. A hardware RAID controller should not be aware of LUKS or encrypted data.
During the RAID rebuild I was monitoring CPU usage.
There were no CPU spikes typical with writing encrypted data.
I'm wondering if the RAID controller is writing unencrypted data from the unlocked LUKS container.
Which leads to my original question.
1. What is the correct process to rebuild a hardware RAID array with encrypted LUKS data?
2. Should the LUKS container be unlocked and filesystem mounted before inserting a new hard drive to initiate a rebuild? Does it make a difference either way? Will a bad method destroy or corrupt data?
3. What is the best method to verify the rebuilt disk was written with encrypted data?
Thank you for your time and I apologize.
I couldn't find a clear answer.
Thank you,
Wrangl3r
_______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
