On Fri, Jan 08, 2010 at 03:23:13PM +0000, Jon Dowland wrote: > On Fri, Jan 08, 2010 at 12:13:14PM +0100, Sjors van der Pluijm wrote: > > Hi all, Hi I have a few laptops which I encrypt for work > > > > I have been using Debian for a few years now. For my new workstation I want to > > try something new. What I want to do: > > 1. Make a RAID1 using two SATA discs > > 2. Create one partition on the RAID > > 3. Encrypt that partition > > 4. Use LVM on the partition > > > > I can't find very much info on this setup and have some questions: > > 1. Is this a wise setup? > > Be aware that RAID-1 in itself is no substitute for a backup > system. > > That said, The order should be something like > > physical devices partitioned identically, with a small-ish > boot (512M usually suffices) and the remaining space > dedicated to one large partition[1]. I like my /boot to be around 1G up to about 2G - why because it is unencrypted you have easy access to it, so I like to have a toolkit of stuff here to help when things go wrong and with the size of drives today 1G is nothing big > > two software RAID devices > > md0 - with the two small boot partitions as backing > md1 - with the large remaining partition as backing > > Stick an ext3 filesystem on top of md0 and use it as /boot. Remember to grub-install (with grub2) to sda and to sdb (that should solve you failed boot attempt when 1 drive dies), a minor thing I would use ext2, no need for journaling, in fact most times I would say you could get away with loading it read only > > Then, format md1 as an LVM physical volume + plumb it into > a volume group. > > Carve out a logical volume for /. I wouldn't bother > encrypting this myself, personally. > > Carve out a logical volume for swap. I'd encrypt this with a > random key. mkswap the resulting block device. > > Carve out a logical volume for your main user's $HOME. I'd > encrypt this with a passphrase of your choosing. I'd use > the LUKS settings as your encryption parameters, via device > mapper 'dm-crypt'. Stick an ext3 filesystem on top of the > resulting block device. Depending on needs and usage I would create 1 big lvm lv use it a /root and 1 lvm lv for swap. If you think you are going to be doing a lot of work with files locally which are going to run into performance issues (rendering video/media) then carve out a lvm which you will not encrypt. But the first 2 ( root & swap) I would encrypt. > > So, from bottom to top, the stacking order is > > physical devices > DOS-style partition tables > MD RAID > LVM > dm-loop crypto where necessary > > The reason for having the /boot outside of LVM is so that > bootloaders can read it OK. In the old days, grub would > read the kernel and initrd from one of the underlying > partitions (not understanding MD RAID itself) but that > worked fine, since all writing to the partitions was done > via the OS and thus through the MD RAID layer. Modern grubs > might be able to understand MD RAID, LVM, who knows what. > > I would do all of the above steps using the debian-installer I have done this with the debian installer > if you are installing from scratch, with the exception of > your $HOME, which I would do by hand once the system was > installed. "luksformat" with the "-t ext3" option is a > useful shortcut for formatting a LVM logical volume with > dm-crypt and sticking a filesystem on top. I'd also use > "libpam-mount" to configure it to be unlocked with your > passphrase and mounted automatically on login. > > Finally, unless you specify a seperate /tmp and encrypt that > (and/or /var/tmp too), I would create a ~/tmp and ensure you > have TMPDIR pointing at it, or some apps might store some > working files in a non-encrypted location. You will find > that not all apps honour TMPDIR, so be prepared to file some > bugs :)) > > > 3. Is it ok to have swap and /boot on an encrypted LVM? > > swap yes, /boot no (your bootloader needs to read it. You > don't have anything confidential in your vmlinuz or > initramfs) > > [1] For large hard drives, I create a medium-to-large > partition, rather than fill the disk. Just in case > I want to use some of the remaining space for a > non-Linux purpose. I can always create a new partition, > format it as an LVM physical volume and add it to my > existing volume group if I want the space in Linux after > all, further down the line. > > -- "All up and down the different aspects of our society, we had meaningful discussions. Not only in the Cabinet Room, but prior to this and after this day, our secretaries, respective secretaries, will continue to interact to create the conditions necessary for prosperity to reign." - George W. Bush 05/19/2003 Washington, DC
Attachment:
signature.asc
Description: Digital signature