
Re: LVM+RAID+CRYPT



On Fri, Jan 08, 2010 at 12:13:14PM +0100, Sjors van der Pluijm wrote:
> Hi all,
> 
> I have been using Debian for a few years now. For my new workstation I want to 
> try something new. What I want to do:
> 1. Make a RAID1 using two SATA discs
> 2. Create one partition on the RAID
> 3. Encrypt that partition
> 4. Use LVM on the partition
> 
> I can't find very much info on this setup and have some questions:
> 1. Is this a wise setup?

Be aware that RAID-1 in itself is no substitute for a backup
system.

That said, the order should be something like

physical devices partitioned identically, with a small-ish
boot (512M usually suffices) and the remaining space
dedicated to one large partition[1].

two software RAID devices

    md0 - with the two small boot partitions as backing
    md1 - with the large remaining partition as backing

Stick an ext3 filesystem on top of md0 and use it as /boot.

Then, format md1 as an LVM physical volume + plumb it into
a volume group. 

Carve out a logical volume for /. I wouldn't bother
encrypting this myself, personally.

Carve out a logical volume for swap. I'd encrypt this with a
random key. mkswap the resulting block device.

Carve out a logical volume for your main user's $HOME. I'd
encrypt this with a passphrase of your choosing.  I'd use
the LUKS settings as your encryption parameters, via device
mapper 'dm-crypt'. Stick an ext3 filesystem on top of the
resulting block device.

So, from bottom to top, the stacking order is

    physical devices
    DOS-style partition tables
    MD RAID
    LVM
    dm-loop crypto where necessary

The reason for having the /boot outside of LVM is so that
bootloaders can read it OK.  In the old days, grub would
read the kernel and initrd from one of the underlying
partitions (not understanding MD RAID itself) but that
worked fine, since all writing to the partitions was done
via the OS and thus through the MD RAID layer. Modern grubs
might be able to understand MD RAID, LVM, who knows what.

I would do all of the above steps using the debian-installer
if you are installing from scratch, with the exception of
your $HOME, which I would do by hand once the system was
installed. "luksformat" with the "-t ext3" option is a
useful shortcut for formatting an LVM logical volume with
dm-crypt and sticking a filesystem on top. I'd also use
"libpam-mount" to configure it to be unlocked with your
passphrase and mounted automatically on login.

Finally, unless you specify a separate /tmp and encrypt that
(and/or /var/tmp too), I would create a ~/tmp and ensure you
have TMPDIR pointing at it, or some apps might store some
working files in a non-encrypted location. You will find
that not all apps honour TMPDIR, so be prepared to file some
bugs :))

> 3. Is it ok to have swap and /boot on an encrypted LVM?

swap yes, /boot no (your bootloader needs to read it. You
don't have anything confidential in your vmlinuz or
initramfs)

[1] For large hard drives, I create a medium-to-large
    partition, rather than fill the disk. Just in case
    I want to use some of the remaining space for a
    non-Linux purpose. I can always create a new partition,
    format it as an LVM physical volume and add it to my
    existing volume group if I want the space in Linux after
    all, further down the line.


-- 
Jon Dowland
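
An added example, not part of the original message: a small Python audit that walks `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output and reports where an installed system departs from the layout described above (/boot outside LVM and crypt, swap and $HOME on a crypt layer, crypt stacked above LVM). The device names, the `/home` mount point and the sample output are assumptions constructed for illustration.

```python
import shlex

# Constructed sample of `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` for the
# message's layout; the second mirror member (sdb) is omitted for brevity.
SAMPLE = '''\
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="md0" PKNAME="sda1" TYPE="raid1" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="md1" PKNAME="sda2" TYPE="raid1" MOUNTPOINT=""
KNAME="dm-0" PKNAME="md1" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-1" PKNAME="md1" TYPE="lvm" MOUNTPOINT=""
KNAME="dm-3" PKNAME="dm-1" TYPE="crypt" MOUNTPOINT="[SWAP]"
KNAME="dm-2" PKNAME="md1" TYPE="lvm" MOUNTPOINT=""
KNAME="dm-4" PKNAME="dm-2" TYPE="crypt" MOUNTPOINT="/home"
'''

def parse(text):
    """Map kernel name -> row; first occurrence wins (RAID members repeat)."""
    devs = {}
    for line in text.splitlines():
        if line.strip():
            row = dict(tok.split("=", 1) for tok in shlex.split(line))
            devs.setdefault(row["KNAME"], row)
    return devs

def stack(devs, kname):
    """Layer types from the physical disk up to kname, bottom first."""
    layers = []
    while kname:
        layers.append(devs[kname]["TYPE"])
        kname = devs[kname]["PKNAME"]
    return layers[::-1]

def audit(text, encrypted=("/home", "[SWAP]")):
    """Return findings where the layout departs from the one in the message."""
    devs, findings = parse(text), []
    for kname, row in devs.items():
        mnt = row["MOUNTPOINT"]
        if not mnt:
            continue
        layers = stack(devs, kname)
        if mnt == "/boot" and {"lvm", "crypt"} & set(layers):
            findings.append("/boot sits on LVM or crypt: " + "/".join(layers))
        if mnt in encrypted and "crypt" not in layers:
            findings.append(mnt + " is not on a crypt layer: " + "/".join(layers))
        if {"lvm", "crypt"} <= set(layers) and layers.index("crypt") < layers.index("lvm"):
            findings.append(mnt + " has crypt below LVM: " + "/".join(layers))
    return findings
```

On a live system, pass the real `lsblk` output to `audit()` in place of `SAMPLE`; an empty list means the mounted filesystems match the stacking order in the message.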
