Monday, April 21, 2014

Encrypted Software RAID-5 on Debian Wheezy

This post covers the creation of a software RAID-5 with LUKS encryption on top in a purely practical way. For more detailed information about Linux software RAID, check out the following links:




Create a partition of the same size on every disk, of type Non-FS (Id=da). It's important to create identical partitions on every disk to avoid problems later, if a disk has to be replaced and the RAID has to be resynced.
Fdisk output of the RAID members after partitioning:

Device Boot         Start         End      Blocks   Id  System
/dev/sda1            2048  1953525167   976761560   da  Non-FS data
/dev/sdb1            2048  1953525167   976761560   da  Non-FS data
/dev/sdc1            2048  1953525167   976761560   da  Non-FS data
/dev/sdd1            2048  1953525167   976761560   da  Non-FS data
/dev/sde1            2048  1953525167   976761560   da  Non-FS data

Create the RAID

mdadm --create --verbose --level=5 --metadata=1.2 --raid-devices=4 /dev/md0 /dev/sd[abcd]1 \
--spare-devices=1 /dev/sde1

The RAID should now start syncing. You can check the progress with

watch cat /proc/mdstat

If for some reason the sync doesn't start automatically, you can force it with the following command

mdadm --readwrite /dev/mdX

where /dev/mdX is your RAID device, for example /dev/md0.
Depending on your RAID size this process will take a couple of hours.

Save the RAID configuration

mdadm --detail --scan >> /etc/mdadm/mdadm.conf

Encrypt RAID

Create the LUKS container on the RAID device /dev/md0. I used aes-xts-plain64; there are others like aes-cbc-essiv (which is the default at the time of this writing). Which cipher is better depends on many factors and is out of the scope of this post.

cryptsetup luksFormat --cipher aes-xts-plain64 --hash sha512 /dev/md0

This will ask for a confirmation in upper case (YES) before going on, and then for the desired passphrase.
Open the new LUKS container:

cryptsetup luksOpen /dev/md0 crypt-raid

This will create a new device-mapper node under /dev/mapper named crypt-raid. To show the LUKS header of the encrypted device:

cryptsetup luksDump /dev/md0

This shows, among other data, the used algorithm, the key hash and the used key slots.

Create File System

Before you can mount the encrypted RAID device you have to create a file system on it. In this case I will go with ext4:

mkfs.ext4 /dev/mapper/crypt-raid

Mount Device

Before the crypt device can be mounted it has to be unlocked:

cryptsetup luksOpen /dev/md0 crypt-raid

This maps the crypt device under /dev/mapper/crypt-raid
Now the device can be mounted as usual:

mount /dev/mapper/crypt-raid [mount point]


On Boot Mount

In order to get the encrypted device unlocked and mounted on boot, it has to be added to both the /etc/crypttab and the /etc/fstab files as follows:

/etc/crypttab:
crypt-raid /dev/md0 none luks

/etc/fstab:
/dev/mapper/crypt-raid /mnt/raid ext4 defaults 0 0

This will block the boot process until you provide the required passphrase, which can be a problem if you are running a headless server. One solution is to provide a key file on an external USB stick; another is to use only the fstab entry (no crypttab entry) with the noauto option and mount the device manually via ssh.
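For the manual-over-ssh variant, here is an added helper script (not from the original post) that checks the array state in /proc/mdstat before running the luksOpen and mount steps, so a degraded or still-resyncing array is noticed instead of being unlocked blindly. It assumes the names used above (md0, crypt-raid, /mnt/raid); the mdstat snapshot at the end is constructed sample input.

```shell
#!/bin/sh
# Added example (not from the post): check /proc/mdstat before unlocking the
# encrypted RAID over ssh. Assumes md0, mapping crypt-raid, mount point /mnt/raid.
MD_NAME=md0; MD_DEV=/dev/md0; MAPPING=crypt-raid; MOUNT_POINT=/mnt/raid

# Classify array $2 in mdstat text $1: prints clean, degraded ([n/m] with n != m),
# resyncing (resync/recovery/reshape running) or missing (and returns 1).
md_array_state() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == name { inside = 1; next }
        inside && NF == 0 { exit }                   # blank line ends the block
        inside && /resync|recovery|reshape/ { syncing = 1 }
        inside && match($0, /\[[0-9]+\/[0-9]+\]/) {  # member count, e.g. [4/3]
            split(substr($0, RSTART + 1, RLENGTH - 2), n, "/")
            if (n[1] != n[2]) degraded = 1
            found = 1
        }
        END {
            if (!found) { print "missing"; exit 1 }
            else if (degraded) print "degraded"
            else if (syncing) print "resyncing"
            else print "clean"
        }'
}

# Run a privileged command, or only print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Manual unlock-and-mount sequence, refused unless the array is clean.
unlock_and_mount() {
    state=$(md_array_state "$(cat "${MDSTAT_FILE:-/proc/mdstat}")" "$MD_NAME") \
        || { echo "$MD_NAME not found in mdstat" >&2; return 1; }
    if [ "$state" != clean ]; then
        echo "$MD_NAME is $state; not unlocking" >&2
        return 1
    fi
    run cryptsetup isLuks "$MD_DEV" || { echo "$MD_DEV has no LUKS header" >&2; return 1; }
    run cryptsetup luksOpen "$MD_DEV" "$MAPPING"
    run mount "/dev/mapper/$MAPPING" "$MOUNT_POINT"
}

# Constructed /proc/mdstat snapshot: one member lost, the spare being rebuilt.
MDSTAT_SAMPLE='Personalities : [raid6] [raid5] [raid4]
md0 : active raid5 sde1[4] sdd1[3] sdc1[2] sdb1[1]
      2930280960 blocks super 1.2 level 5, 512k chunk, algorithm 2 [4/3] [_UUU]
      [=>...................]  recovery =  7.4% (72000000/976760320) finish=98.2min speed=153000K/sec'

echo "sample array state: $(md_array_state "$MDSTAT_SAMPLE" md0)"   # degraded
if [ "${1:-}" = mount ]; then unlock_and_mount; fi
```

Run it as `sh unlock-raid.sh mount` over ssh; with `DRY_RUN=1` it only prints the commands it would run.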