Hi Wrangl3r,
> What is the correct process to initiate a hardware RAID rebuild to
> ensure the reconstructed disk writes encrypted data?
> [...]
> 1. activate degraded array (vendor tool)
> 2. cryptsetup luksOpen /dev/sdX sdX
> 3. mount /dev/mapper/sdX /mnt/tmp
> 4. insert new hard drive
> 5. rebuild begins
Given your steps, it looks like you are using a hardware RAID controller
and /dev/sdX is the "raid" device itself (not an individual RAID member).
The hardware controller will write the necessary data from the good
members to the new drive "by itself", without any interference from the
OS. It can only address the RAID drives and does not know about the LUKS
device mappings.
I guess the easiest way demonstrate only encrypted data will be stored
is simply not to unlock the encrypted volume during the RAID's rebuild.
So:
1. activate degraded array (vendor tool)
2. insert new hard drive
3. rebuild begins
4. wait for rebuild to finish
5. cryptsetup luksOpen /dev/sdX sdX
6. mount /dev/mapper/sdX /mnt/tmp
Things might be more complicated when using a software raid, but again,
the easiest solution would be just not to unlock the RAID encryption
during rebuild.
Whether you open the filesystem before, during or after the rebuild
should not matter. The RAID controller knows which blocks are good on
what device and will synchronize all data, even data that is written
while the rebuild is active.
Best regards,
-hannes
Am 2018-01-15 um 09:22 schrieb nouser:
I haven't seen this question answered before and it's not easy to search
the list archives.
I'm not aware of an IRC channel to ask such a simple question.
Steps performed: may be incorrect
My confusion is as follows.
LUKS data is encrypted at rest.
Once a LUKS container is unlocked and mounted that data is clear and
visible to the operating system and RAID controller. A hardware RAID
controller should not be aware of LUKS or encrypted data.
During the RAID rebuild I was monitoring CPU usage.
There were no CPU spikes typical with writing encrypted data.
I'm wondering if the RAID controller is writing unencrypted data from
the unlocked LUKS container.
Which leads to my original question.
1. What is the correct process to rebuild a hardware RAID array with
encrypted LUKS data?
2. Should the LUKS container be unlocked and filesystem mounted before
inserting a new hard drive to initiate a rebuild? Does it make a
difference either way? Will a bad method destroy or corrupt data?
3. What is the best method to verify the rebuilt disk was written with
encrypted data?
Thank you for your time and I apologize.
I couldn't find a clear answer.
Thank you,
Wrangl3r
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
