[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]


On Fri, Jan 08, 2010 at 12:13:14PM +0100, Sjors van der Pluijm wrote:
> Hi all,
> I have been using Debian for a few years now. For my new workstation I want to 
> try something new. What I want to do:
> 1. Make a RAID1 using two SATA discs
> 2. Create one partition on the RAID
> 3. Encrypt that partition
> 4. Use LVM on the partition
> I can't find very much info on this setup and have some questions:
> 1. Is this a wise setup?

Be aware that RAID-1 in itself is no substitute for a backup

That said, The order should be something like

physical devices partitioned identically, with a small-ish
boot (512M usually suffices) and the remaining space
dedicated to one large partition[1].

two software RAID devices

    md0 - with the two small boot partitions as backing
    md1 - with the large remaining partition as backing

Stick an ext3 filesystem on top of md0 and use it as /boot.

Then, format md1 as an LVM physical volume + plumb it into
a volume group. 

Carve out a logical volume for /. I wouldn't bother
encrypting this myself, personally.

Carve out a logical volume for swap. I'd encrypt this with a
random key. mkswap the resulting block device.

Carve out a logical volume for your main user's $HOME. I'd
encrypt this with a passphrase of your choosing.  I'd use
the LUKS settings as your encryption parameters, via device
mapper 'dm-crypt'. Stick an ext3 filesystem on top of the
resulting block device.

So, from bottom to top, the stacking order is

    physical devices
    DOS-style partition tables
    dm-loop crypto where necessary

The reason for having the /boot outside of LVM is so that
bootloaders can read it OK.  In the old days, grub would
read the kernel and initrd from one of the underlying
partitions (not understanding MD RAID itself) but that
worked fine, since all writing to the partitions was done
via the OS and thus through the MD RAID layer. Modern grubs
might be able to understand MD RAID, LVM, who knows what.

I would do all of the above steps using the debian-installer
if you are installing from scratch, with the exception of
your $HOME, which I would do by hand once the system was
installed. "luksformat" with the "-t ext3" option is a
useful shortcut for formatting a LVM logical volume with
dm-crypt and sticking a filesystem on top. I'd also use
"libpam-mount" to configure it to be unlocked with your
passphrase and mounted automatically on login.

Finally, unless you specify a seperate /tmp and encrypt that
(and/or /var/tmp too), I would create a ~/tmp and ensure you
have TMPDIR pointing at it, or some apps might store some
working files in a non-encrypted location. You will find
that not all apps honour TMPDIR, so be prepared to file some
bugs :))

> 3. Is it ok to have swap and /boot on an encrypted LVM?

swap yes, /boot no (your bootloader needs to read it. You
don't have anything confidential in your vmlinuz or

[1] For large hard drives, I create a medium-to-large
    partition, rather than fill the disk. Just in case
    I want to use some of the remaining space for a
    non-Linux purpose. I can always create a new partition,
    format it as an LVM physical volume and add it to my
    existing volume group if I want the space in Linux after
    all, further down the line.

Jon Dowland

Attachment: signature.asc
Description: Digital signature

Reply to: