Here is a walkthrough of how to set up a pair of disks with RAID+crypto+LVM
- partition the disks, one partition for the whole device, starting at sector 2048 so all blocks are aligned
- create the RAID device with something like
mdadm --create /dev/md3 --raid-devices=2 --level=raid1 --bitmap=/boot/md3_bitmap --bitmap-chunk=128M /dev/sdc1 /dev/sdd1
- add the md device (/dev/md3 in the example above; the rest of this walkthrough uses md2) to /etc/mdadm/mdadm.conf so that it will start on boot. Use
to get the UUIDs. NOTE: the labels have to match too, not just the UUIDs.
- create the crypto device with something like (riseup likes serpent-xts-plain; the key size is 512 bits because XTS splits the key in two)
cryptsetup luksFormat --hash sha256 --key-size 512 --cipher serpent-xts-plain64:sha512 /dev/md2
- start the crypto device with something like
cryptsetup luksOpen /dev/md2 md2_crypt
- add md2_crypt to /etc/crypttab so it will be started and you'll be prompted for the passphrase on boot (use blkid to get the UUID of the LUKS device, i.e. /dev/mdX, not /dev/mapper/mdX_crypt, which is the LVM device)
- create the LVM volume group with something like
vgcreate vg_hostname1 /dev/mapper/md2_crypt
- create logical volumes with something like
lvcreate --size 5G --name foo vg_hostname1
lvcreate --extents 100%VG --name bar vg_hostname1
- create filesystems with
- add them to fstab so they will be mounted on boot
- start using the filesystems
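The boot-time wiring for the stack above is where the two mistakes the notes warn about (array label/UUID mismatch, crypttab pointing at the mapper device instead of the raw md device) actually bite. The following is an added example, not part of the original notes: small shell helpers that emit the mdadm.conf, crypttab and fstab lines for the RAID -> LUKS -> LVM order and check the partition alignment and the crypttab source. All device names, UUIDs and volume names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original notes). Helpers that produce the
# boot-time config lines for a RAID -> LUKS -> LVM stack and check the
# two pitfalls the walkthrough mentions. Every UUID and device name used
# below is a constructed placeholder.

# A partition starting at a multiple of 2048 512-byte sectors is 1 MiB
# aligned, which keeps RAID chunks, LUKS sectors and LVM extents aligned.
is_aligned() {
    # $1 = starting sector of the partition
    [ $(( $1 % 2048 )) -eq 0 ]
}

# mdadm.conf entry. Both the UUID and the array name must match what
# `mdadm --detail --scan` prints, otherwise the array is not assembled
# under the expected name at boot.
mdadm_conf_line() {
    # $1 = md device (e.g. /dev/md2), $2 = array UUID, $3 = array name
    printf 'ARRAY %s UUID=%s name=%s\n' "$1" "$2" "$3"
}

# crypttab entry for the LUKS container. The source is the raw md device,
# identified by the UUID blkid prints for /dev/mdX; /dev/mapper/mdX_crypt
# is the *output* of cryptsetup and is where the LVM physical volume lives.
crypttab_luks_line() {
    # $1 = mapping name (md2_crypt), $2 = LUKS header UUID
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# Reject a crypttab source that points at the decrypted mapper device.
crypttab_source_ok() {
    case "$1" in
        /dev/mapper/*) return 1 ;;
        UUID=*|/dev/md*|/dev/disk/by-*) return 0 ;;
        *) return 1 ;;
    esac
}

# fstab entry for a logical volume, using the /dev/<vg>/<lv> symlink.
fstab_lv_line() {
    # $1 = volume group, $2 = logical volume, $3 = mount point, $4 = fs type
    printf '/dev/%s/%s %s %s defaults 0 2\n' "$1" "$2" "$3" "$4"
}

# Demonstration with constructed values (not taken from a real system).
is_aligned 2048 && echo "partition start 2048: aligned"
is_aligned 63 || echo "partition start 63: NOT aligned (old DOS default)"
mdadm_conf_line /dev/md2 00000000-1111-2222-3333-444444444444 hostname1:2
crypttab_luks_line md2_crypt 55555555-6666-7777-8888-999999999999
crypttab_source_ok /dev/mapper/md2_crypt || \
    echo "crypttab source must be /dev/md2 (or its UUID), not the mapper device"
fstab_lv_line vg_hostname1 foo /srv/foo ext4
```

The functions only print configuration text; nothing here touches a disk. Paste the emitted lines into the respective files after replacing the placeholder UUIDs with the values from `mdadm --detail --scan` and `blkid` on the real system.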
Here's how to set up encrypted swap
- create the crypto device
cryptsetup -d /dev/urandom --cipher serpent-xts-plain create sdb2_crypt /dev/sdb2
- create the swap
mkswap -f /dev/mapper/sdb2_crypt
- turn it on
- add it to /etc/crypttab, for example:
sda2_crypt /dev/disk/by-id/scsi-SATA_WDC_WD1001FALS-_WD-WMATV0071724-part2 /dev/urandom cipher=serpent-xts-plain,size=256,swap
- add it to /etc/fstab, for example:
/dev/mapper/sda2_crypt none swap sw 0 0
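Because the key comes from /dev/urandom, the crypttab `swap` option re-creates the swap signature on the underlying device at every boot; the notes' example therefore names the device by its stable /dev/disk/by-id path rather than a kernel-enumerated /dev/sdX name that can move to another disk. The following is an added example, not part of the original notes: shell helpers that build the crypttab and fstab lines for random-key swap, refuse an unstable source path, and assemble the setup sequence from the steps above (cryptsetup create, mkswap, swapon). The by-id path is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original notes). Builds the crypttab/fstab
# entries for random-key encrypted swap and checks the source device path.
# The device path used in the demonstration is a constructed placeholder.

# Only accept sources that do not change when disks are re-enumerated.
# by-uuid/by-label are useless here because mkswap rewrites the signature
# on every boot; by-id, by-path and by-partuuid stay stable.
swap_source_ok() {
    case "$1" in
        /dev/disk/by-id/*|/dev/disk/by-path/*|/dev/disk/by-partuuid/*) return 0 ;;
        *) return 1 ;;
    esac
}

# crypttab line: <name> <source> <keyfile> <options>; fails on a bad source.
swap_crypttab_line() {
    # $1 = mapping name, $2 = source device, $3 = cipher, $4 = key size in bits
    swap_source_ok "$2" || return 1
    printf '%s %s /dev/urandom cipher=%s,size=%s,swap\n' "$1" "$2" "$3" "$4"
}

# fstab line for the decrypted mapping.
swap_fstab_line() {
    # $1 = mapping name
    printf '/dev/mapper/%s none swap sw 0 0\n' "$1"
}

# The manual sequence from the notes as one command line, with the key size
# matching the crypttab size= option and the missing swapon step included.
swap_setup_cmd() {
    # $1 = mapping name, $2 = source device, $3 = cipher, $4 = key size in bits
    printf 'cryptsetup -d /dev/urandom --cipher %s --key-size %s create %s %s && mkswap -f /dev/mapper/%s && swapon /dev/mapper/%s\n' \
        "$3" "$4" "$1" "$2" "$1" "$1"
}

# Demonstration with a constructed by-id path (not a real disk).
SRC=/dev/disk/by-id/ata-EXAMPLE_DISK_SERIAL0000-part2
swap_crypttab_line sda2_crypt "$SRC" serpent-xts-plain 256
swap_fstab_line sda2_crypt
swap_setup_cmd sda2_crypt "$SRC" serpent-xts-plain 256
swap_crypttab_line sdb2_crypt /dev/sdb2 serpent-xts-plain 256 || \
    echo "refused /dev/sdb2: use a /dev/disk/by-id path so a renumbered disk is never wiped as swap"
```

Nothing here runs cryptsetup or mkswap; the last function only prints the command line so the order of steps (and the key size matching the crypttab entry) can be checked before it is run as root.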
What do you all think is the best way to achieve full drive encryption for a headless server? A quick google indicates some folks build SSH functionality into initramfs so they can SSH in and type in the password unix.stackexchange.com/questions/5017/s...
I could see keeping a key on a USB drive that contains the key, but what about when a machine needs reboot and the admin doesn’t have physical access?
Other than the “ssh in the initramfs” thing, the standard solution is to get remote console access, usually serial console via terminal server, or remote management device like IPMI Serial-over-LAN.