Here is a walkthrough of how to set up a pair of disks with RAID+crypto+LVM
- partition the disks, one partition for the whole device, starting at sector 2048 so all blocks are aligned
- create the RAID device with something like
mdadm --create /dev/md3 --raid-devices=2 --level=raid1 --bitmap=/boot/md3_bitmap --bitmap-chunk=128M /dev/sdc1 /dev/sdd1
- add the md device (md2 in the examples below; the mdadm command above created md3) to /etc/mdadm/mdadm.conf so that it will start on boot. Use
mdadm -Es
to get the UUIDs. NOTE: the labels have to match too, not just the UUIDs.
- create the crypto device with something like (riseup likes serpent-xts-plain)
pre-buster:
cryptsetup luksFormat --hash sha256 --keyfile-size 512 --cipher serpent-xts-plain64:sha512 /dev/md2
on buster:
cryptsetup luksFormat --hash sha256 --keyfile-size 512 --cipher serpent-xts-plain64 /dev/md2
bullseye and newer:
cryptsetup luksFormat --hash sha256 --keyfile-size 512 --cipher serpent-xts-plain64 --pbkdf argon2id /dev/md2
- start the crypto device with something like
cryptsetup luksOpen /dev/md2 md2_crypt
- add md2_crypt to /etc/crypttab so it will be started and you’ll be prompted for the passphrase on boot (use blkid to get the UUID of the crypted device: /dev/mdX, not /dev/mapper/mdX_crypt, which is the LVM device)
- create the LVM volume group with something like
vgcreate vg_hostname1 /dev/mapper/md2_crypt
or, if you are adding the PV to an existing VG,
vgextend vg_hostname1 /dev/mapper/md2_crypt
- create logical volumes with something like (100%FREE gives the second volume whatever space the first one left over)
lvcreate --size 5G --name foo vg_hostname1
lvcreate --extents 100%FREE --name bar vg_hostname1
- create filesystems with
mkfs.ext4 /dev/mapper/vg_hostname1-foo
mkfs.ext4 /dev/mapper/vg_hostname1-bar
- add them to fstab so they will be mounted on boot
- start using the filesystems
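The two boot-time config steps above are the ones that silently fail at the next reboot when they are wrong: an ARRAY line in mdadm.conf whose name does not match what mdadm -Es reports, and a crypttab entry that points at the LVM device instead of the LUKS container. The following script is an added example (not from the original walkthrough) that checks both against constructed sample strings; the UUIDs, host names and device names in it are made up, and on a real host you would feed it "$(mdadm -Es)", the contents of /etc/mdadm/mdadm.conf, "$(blkid)" and the md2_crypt line from /etc/crypttab instead.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: two sanity checks for
# the boot-time config written in the steps above.
#  1. Every array that `mdadm -Es` reports has an ARRAY line in mdadm.conf
#     whose UUID *and* name match (the NOTE about labels above).
#  2. The crypttab entry for md2_crypt points at the LUKS container (the
#     /dev/mdX UUID), not at the /dev/mapper/md2_crypt LVM device.
# Every input below is a constructed sample string so this runs with no real
# devices present.

# Constructed sample of `mdadm -Es` output (UUIDs and host name are made up).
SCAN_SAMPLE='ARRAY /dev/md/2 metadata=1.2 UUID=1111aaaa:2222bbbb:3333cccc:4444dddd name=hostname1:2
ARRAY /dev/md/3 metadata=1.2 UUID=5555eeee:6666ffff:77770000:88881111 name=hostname1:3'

# Constructed mdadm.conf in which the md3 line was copied from another host,
# so its name differs although the UUID is right.
CONF_SAMPLE='ARRAY /dev/md/2 metadata=1.2 UUID=1111aaaa:2222bbbb:3333cccc:4444dddd name=hostname1:2
ARRAY /dev/md/3 metadata=1.2 UUID=5555eeee:6666ffff:77770000:88881111 name=otherhost:3'

# Constructed `blkid` output: the md device carries the LUKS header, the
# mapper device opened from it is the LVM physical volume.
BLKID_SAMPLE='/dev/md2: UUID="0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0" TYPE="crypto_LUKS"
/dev/mapper/md2_crypt: UUID="pvUUID-0000-1111-2222" TYPE="LVM2_member"'

# Constructed crypttab lines: the first points at the LUKS container, the
# second at the PV that only exists after the container is opened.
CRYPTTAB_GOOD='md2_crypt UUID=0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0 none luks'
CRYPTTAB_BAD='md2_crypt UUID=pvUUID-0000-1111-2222 none luks'

# Print "UUID name" for every ARRAY line; the order of key=value fields does
# not matter.
array_pairs() {
    printf '%s\n' "$1" | awk '
        $1 == "ARRAY" {
            uuid = ""; name = ""
            for (i = 2; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                if (k == "UUID") uuid = v
                if (k == "name") name = v
            }
            if (uuid != "") print uuid, name
        }'
}

# Print every scanned array ($1 = scan output) that has no line in the conf
# ($2) with the same UUID and name.
mdadm_conf_mismatches() {
    conf_pairs=$(array_pairs "$2")
    array_pairs "$1" | while read -r uuid name; do
        printf '%s\n' "$conf_pairs" | grep -qxF "$uuid $name" || echo "$uuid $name"
    done
}

# Succeed only when every array in the scan output is covered by the conf.
mdadm_conf_check() {
    [ -z "$(mdadm_conf_mismatches "$1" "$2")" ]
}

# Print the TYPE blkid ($2) reports for the device whose UUID is $1.
blkid_type_of_uuid() {
    printf '%s\n' "$2" | awk -v want="UUID=\"$1\"" '
        { found = 0; type = ""
          for (i = 2; i <= NF; i++) {
              if ($i == want) found = 1
              if ($i ~ /^TYPE="/) { type = $i; gsub(/"/, "", type); type = substr(type, 6) }
          }
          if (found) print type }'
}

# Succeed when the crypttab line ($1) names a UUID that blkid ($2) reports as
# a LUKS container rather than as the LVM PV inside it.
crypttab_source_is_luks() {
    src=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case $src in
        UUID=*) uuid=${src#UUID=} ;;
        *) echo "expected a UUID= source, got $src"; return 1 ;;
    esac
    [ "$(blkid_type_of_uuid "$uuid" "$2")" = "crypto_LUKS" ]
}

if mdadm_conf_check "$SCAN_SAMPLE" "$CONF_SAMPLE"; then
    echo "mdadm.conf ok"
else
    echo "mdadm.conf mismatch: $(mdadm_conf_mismatches "$SCAN_SAMPLE" "$CONF_SAMPLE")"
fi
crypttab_source_is_luks "$CRYPTTAB_GOOD" "$BLKID_SAMPLE" && echo "crypttab ok"
crypttab_source_is_luks "$CRYPTTAB_BAD" "$BLKID_SAMPLE" || echo "crypttab: source is not the LUKS device"
```

Run it as it stands to see the md3 name mismatch and the bad crypttab source reported; on a live host replace the four constructed strings with the real scan, conf, blkid and crypttab contents before the first reboot, which is when both mistakes would otherwise show up.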
Here’s how to set up encrypted swap
- create the crypto
cryptsetup -d /dev/urandom --cipher serpent-xts-plain create sdb2_crypt /dev/sdb2
- create the swap
mkswap -f /dev/mapper/sdb2_crypt
- turn it on
swapon -a
- add it to /etc/crypttab, for example:
sda2_crypt /dev/disk/by-id/scsi-SATA_WDC_WD1001FALS-_WD-WMATV0071724-part2 /dev/urandom cipher=serpent-xts-plain,size=256,swap
- add it to /etc/fstab, for example:
/dev/mapper/sda2_crypt none swap sw 0 0
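With the swap option in crypttab the boot scripts run mkswap on the mapped device every boot, which is why the entry above uses a /dev/disk/by-id path rather than a bare /dev/sdX name: kernel device names can change between boots, and with a random key there is no signature on the partition that would stop the wrong one being formatted. The following lint is an added example (not from the original page) that checks a crypttab swap line for that and for the other fields that have to agree (a /dev/urandom key, a size= that fits an XTS cipher, and an fstab line for the mapper device). The crypttab and fstab lines in it are constructed samples with a placeholder by-id path; point it at the real lines from /etc/crypttab and /etc/fstab in practice.

```shell
#!/bin/sh
# Added example, not from the original page: a lint for the random-key swap
# entry in /etc/crypttab. All sample lines are constructed; the by-id path is
# a placeholder, not a real disk serial.

CRYPTTAB_OK='sda2_crypt /dev/disk/by-id/ata-EXAMPLE_DISK_SERIAL-part2 /dev/urandom cipher=serpent-xts-plain,size=256,swap'
CRYPTTAB_UNSTABLE='sda2_crypt /dev/sda2 /dev/urandom cipher=serpent-xts-plain,size=256,swap'
CRYPTTAB_NOSWAP='sda2_crypt /dev/disk/by-id/ata-EXAMPLE_DISK_SERIAL-part2 /dev/urandom cipher=serpent-xts-plain,size=256'
CRYPTTAB_BADSIZE='sda2_crypt /dev/disk/by-id/ata-EXAMPLE_DISK_SERIAL-part2 /dev/urandom cipher=serpent-xts-plain,size=128,swap'
FSTAB_OK='/dev/mapper/sda2_crypt none swap sw 0 0'

# Succeed when the comma-separated option list $1 contains option $2.
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# Print one line per problem found in the crypttab swap line $1; print
# nothing when the line is sound.
swap_crypttab_problems() {
    set -- $1   # split into: name source key options
    [ $# -eq 4 ] || { echo "expected 4 fields, got $#"; return 0; }
    src=$2; key=$3; opts=$4

    # A bare kernel name can point at a different partition next boot, and
    # the swap option would then mkswap that partition.
    case $src in
        /dev/disk/by-id/*|/dev/disk/by-partuuid/*|PARTUUID=*) ;;
        *) echo "source $src is not a stable identifier" ;;
    esac

    [ "$key" = /dev/urandom ] || echo "key $key is not /dev/urandom; random-key swap expected"
    has_option "$opts" swap || echo "missing swap option: mkswap will not be run on the mapped device"

    # Pull cipher= and size= out of the option list.
    cipher=""; size=""
    old_ifs=$IFS; IFS=,
    for o in $opts; do
        case $o in
            cipher=*) cipher=${o#cipher=} ;;
            size=*) size=${o#size=} ;;
        esac
    done
    IFS=$old_ifs

    # dm-crypt XTS uses two keys, so serpent in XTS mode takes 256 or 512 bits.
    case $cipher in
        *-xts-*)
            case $size in
                256|512) ;;
                *) echo "xts mode needs size=256 or size=512, got size=${size:-unset}" ;;
            esac ;;
    esac
}

# Succeed when the fstab contents $2 have a swap entry for mapping name $1.
fstab_has_swap_for() {
    printf '%s\n' "$2" | awk -v dev="/dev/mapper/$1" \
        '$1 == dev && $3 == "swap" { found = 1 } END { exit !found }'
}

# Overall verdict for a crypttab line $1 and fstab contents $2.
swap_entry_ok() {
    [ -z "$(swap_crypttab_problems "$1")" ] && fstab_has_swap_for "${1%% *}" "$2"
}

for line in "$CRYPTTAB_OK" "$CRYPTTAB_UNSTABLE" "$CRYPTTAB_NOSWAP" "$CRYPTTAB_BADSIZE"; do
    echo "checking: $line"
    swap_crypttab_problems "$line"
done
swap_entry_ok "$CRYPTTAB_OK" "$FSTAB_OK" && echo "crypttab and fstab agree"
```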
what do you all think is the best way to achieve full drive encryption for a headless server? a quick google indicates some folks build in SSH functionality into initramfs so they can SSH in and type in password unix.stackexchange.com/questions/5017/s... I could see keeping a key on a USB drive that contains the key, but what about when a machine needs reboot and the admin doesn’t have physical access?
Other than the “ssh in the initramfs” thing, the standard solution is to get remote console access, usually serial console via terminal server, or remote management device like IPMI Serial-over-LAN.