setting up RAID+crypto+lvm by hand howto

Here is a walk through of how to setup a pair of disks with RAID+crypto+lvm

  • partition the disks, one partition for the whole device, starting at sector 2048 so all blocks are aligned
  • created the raid device with something like
    mdadm --create /dev/md3 --raid-devices=2 --level=raid1 --bitmap=/boot/md3_bitmap --bitmap-chunk=128M /dev/sdc1 /dev/sdd1
  • add the md device (md2 for the above example) to /etc/mdadm/mdadm.conf so that it will start on boot. use
    mdadm -Es
    to get the UUIDs. NOTE: the labels have to match too, not just the UUIDs.
  • create the crypto device with something like (riseup likes serpent-xts-plain)
    cryptsetup luksFormat --hash sha256 --keyfile-size 512 --cipher serpent-xts-plain64:sha512 /dev/md2

    on buster:
    cryptsetup luksFormat --hash sha256 --keyfile-size 512 --cipher serpent-xts-plain64 /dev/md2

    bullseye and newer:
    cryptsetup luksFormat --hash sha256 --keyfile-size 512 --cipher serpent-xts-plain64 --pbkdf argon2id /dev/md2
  • start the crypto device with something like
    cryptsetup luksOpen /dev/md2 md2_crypt
  • add md2_crypt to /etc/crypttab so it will be started and you’ll be prompted for the passphrase on boot (use blkid to get the UUID of the crypted device (/dev/mdX, not /dev/mapper/mdX_crypt, that’s the lvm device)
  • create the LVM volume group with something like
    vgcreate vg_hostname1 /dev/mapper/md2_crypt

    or if you are adding pv to an existing vg
    vgextend vg_hostname1 /dev/mapper/md2_crypt
  • create logical volumes with something like
    lvcreate --size 5G --name foo vg_hostname1

    lvcreate --extents 100%VG --name bar vg_hostname1
  • create filesystems with
    mkfs.ext4 /dev/mapper/vg_hostname1-foo

    mkfs.ext4 /dev/mapper/vg_hostname1-bar
  • add them to fstab so they will be mounted on boot
  • start using the filesystems

Here’s how to setup encrypted swap

  • create the crypto
    cryptsetup -d /dev/urandom --cipher serpent-xts-plain create sdb2_crypt /dev/sdb2
  • create the swap
    mkswap -f /dev/mapper/sdb2_crypt
  • turn it on
    swapon -a
  • add it to /etc/crypttab, for example:
    sda2_crypt /dev/disk/by-id/scsi-SATA_WDC_WD1001FALS-_WD-WMATV0071724-part2 /dev/urandom cipher=serpent-xts-plain,size=256,swap
  • add it to /etc/fstab, for example:
    /dev/mapper/sda2_crypt		none	swap	sw		0	0

what do you all think is the best way to achieve full drive encryption for a headless server? a quick google indicates some folks build in SSH functionality into initramfs so they can SSH in and type in passowrd

I could see keeping a key on a USB drive that contains the key, but what about when a machine needs reboot and the admin doesn’t have physical access?


Other than the “ssh in the initramfs” thing, the standard solution is to get remote console access, usually serial console via terminal server, or remote management device like IPMI Serial-over-LAN.