
Re: Multiple RAID or encrypted partitions



On Fri, Sep 08, 2006 at 10:43:08PM -0500, Owen Heisler wrote:
} On Sat, 2006-09-09 at 13:35 +1000, Paul Dwerryhouse wrote:
[...]
} Exactly what I was wondering.  Hopefully debian-installer will allow
} creation of multiple partitions in a single RAID array when Etch is
} released.  (Until then, I have some learning about mdadm to do)
} 
} > Might not necessarily work from the Debian installer though. Perhaps
} > you'll have to go into a shell window and do the above by hand...
} 
} Right.  And (from what little I've seen) mdadm is rather user-friendly,
} so that should help.

I missed the beginning of this discussion, but it sounds like you want the
security of encryption on top of the flexibility of a partitionable device
with the redundancy of RAID. So do I. In fact, I have it. It is worth
noting that I do *not* bother with root on RAID, though I do keep
/usr/local on it and I take backups of /etc with some regularity. (Yes, I
should back up everything regularly; one of these days I will set that up.)

I have a pair of 250GB Firewire drives. I am using the entire drives and
RAID devices, though I should probably have set up partitions slightly
smaller than the entire drive. They are joined in a RAID1, and I use
scsidev to give them specific device names to refer to in my mdadm.conf. I
use /etc/init.d/cryptdisks to create the encryption loop on top of the
assembled RAID device. The encryption loop device is formatted as an LVM
physical volume (PV), which belongs to a volume group (VG) which has some
eight logical volumes (LV) including /home, /usr/local, and
/var/lib/postgresql.

I have a script to manage assembling the RAID, starting the encryption,
activating LVM, and mounting the partitions. I can share this script if you
would like it. The process is manual and must be performed after booting,
not during. This has the advantage that I don't store the encryption
password on disk anywhere, and I can reboot the machine remotely and ssh
in to mount the disks instead of having to be at the console to type the
password at boot. Many of the typical services (e.g. exim4) do not run at
init level 2, but the script changes to init level 3 after successfully
mounting everything.

This has been working for me for several years (though I had been using a
RAID5 on SCSI and losetup instead of dm_crypt previously). I'm quite happy
with it.

--Greg
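The post above describes a stack of RAID1 under dm-crypt under LVM, brought up by hand from an ssh session after boot and then switched to runlevel 3. The script below is an added example of that procedure, not Greg's own script: the md device name, the scsidev member names, the crypttab entry name, the volume group name and the LV/mount-point table are all assumptions and would be replaced with the real values. It keeps the property the post relies on, namely that no passphrase is stored anywhere: cryptdisks prompts on the terminal of the ssh session. It also adds two checks a practitioner would want, assembling from explicit members rather than scanning, and refusing to put a degraded array back into service unless forced. A DRY_RUN mode prints the command sequence without touching any device.

```shell
#!/bin/sh
# Added example: bring an encrypted LVM-on-RAID1 stack up (or down) after boot,
# from an ssh session, with no passphrase stored on disk.
# All device and volume names below are assumptions, not values from the post.
set -eu

MD_DEV="${MD_DEV:-/dev/md0}"                                   # assumed RAID1 device
MD_MEMBERS="${MD_MEMBERS:-/dev/scsi/raid-a /dev/scsi/raid-b}"  # assumed scsidev names
VG_NAME="${VG_NAME:-vg0}"                                      # assumed volume group
# "LV mountpoint" pairs, one per line (assumed; the crypttab entry is assumed
# to name the whole md device, so cryptdisks needs no argument here).
LV_TABLE="${LV_TABLE:-home /home
local /usr/local
pgsql /var/lib/postgresql}"
DRY_RUN="${DRY_RUN:-0}"

# run: print each command, and execute it unless DRY_RUN=1.
run() {
    echo "+ $*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

assemble_raid() {
    # Assemble from the known members rather than --scan, so a stray disk with
    # a matching superblock cannot be pulled into the array.
    run mdadm --assemble "$MD_DEV" $MD_MEMBERS
}

check_raid_health() {
    # A degraded mirror still decrypts fine, but the data has no redundancy;
    # rebuild first unless FORCE_DEGRADED=1 is set deliberately.
    [ "$DRY_RUN" = 1 ] && return 0
    if mdadm --detail "$MD_DEV" | grep -qi degraded; then
        echo "warning: $MD_DEV is degraded; rebuild before putting it back in service" >&2
        [ "${FORCE_DEGRADED:-0}" = 1 ] || return 1
    fi
}

start_crypt() {
    # cryptdisks reads /etc/crypttab and prompts for the passphrase on this
    # terminal; nothing is read from disk and nothing is passed as an argument.
    run /etc/init.d/cryptdisks start
}

activate_lvm() {
    run vgchange -ay "$VG_NAME"
}

mount_volumes() {
    while read -r lv mnt; do
        [ -n "$lv" ] || continue
        run mount "/dev/$VG_NAME/$lv" "$mnt"
    done <<EOF
$LV_TABLE
EOF
}

bring_up_storage() {
    assemble_raid
    check_raid_health
    start_crypt
    activate_lvm
    mount_volumes
    # Services that need the encrypted volumes (mail, database) live in runlevel 3.
    run telinit 3
}

take_down_storage() {
    # Reverse order: release each layer before the one beneath it.
    run telinit 2
    printf '%s\n' "$LV_TABLE" | sed '1!G;h;$!d' | while read -r lv mnt; do
        [ -n "$lv" ] || continue
        run umount "$mnt"
    done
    run vgchange -an "$VG_NAME"
    run /etc/init.d/cryptdisks stop
    run mdadm --stop "$MD_DEV"
}

case "${1:-}" in
    up)   bring_up_storage ;;
    down) take_down_storage ;;
    "")   ;;
    *)    echo "usage: $0 up|down" >&2; exit 2 ;;
esac
```

Run it as `./storage.sh up` after the machine comes back, typing the passphrase into the ssh session when cryptdisks asks; `DRY_RUN=1 ./storage.sh up` shows the exact commands first. The degraded check is the reason for layering the stages explicitly instead of letting the init scripts do everything at once: if a mirror half is missing you learn about it before the volumes are mounted and the services started, not afterwards.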
