Gentoo Forums
btrfs raid1 with luks encryption
onndsd
n00b

Joined: 05 Jun 2010
Posts: 40

Posted: Tue Jul 28, 2015 3:48 pm    Post subject: btrfs raid1 with luks encryption

Hi.
I wish to have the following setup:

Code:

/dev/sda1: mdadm ___
                    \
                     |---> /dev/md0 (raid1) -> ext4 -> /boot
/dev/sdb1: mdadm ___/


/dev/sda2: mdadm ___
                    \
                     |---> /dev/md1 (raid1) -> luks -> swap
/dev/sdb2: mdadm ___/

/dev/sda3: luks ---> /dev/mapper/root  ---> btrfs raid 1 partition  ___
                                                                       \
                                                                        |---> btrfs raid1 ---> /
/dev/sdb3: luks ---> /dev/mapper/root2 ---> btrfs raid 1 partition  ___/


I couldn't find a way to specify two or more encrypted root partitions in "/etc/default/grub" with "crypt_root=" in order to get a password prompt for each of them upon boot or unlock them with a keyfile. Arch Linux supports this with minor changes to two files (https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Modifying_the_encrypt_hook_for_multiple_partitions). Is there a way to realise this on Gentoo Linux? I want to use the btrfs raid functionality in order to cope with badblocks. Afaik, btrfs handles them better than mdadm.

Best regards,
onndsd

frostschutz
Advocate

Joined: 22 Feb 2005
Posts: 2970
Location: Germany

Posted: Tue Jul 28, 2015 5:28 pm

Using LUKS below RAID means encrypting everything twice.

onndsd
n00b

Joined: 05 Jun 2010
Posts: 40

Posted: Tue Jul 28, 2015 6:35 pm

I have AES-NI and fault tolerance is more important for me than some loss of performance. If one block has gone bad, btrfs recovers by using the healthy block from the other hard drive upon read time. Afaik, mdadm doesn't store checksums on data and metadata like btrfs does (https://btrfs.wiki.kernel.org/index.php/FAQ#What_checksum_function_does_Btrfs_use.3F).

trubicoid
n00b

Joined: 04 Aug 2009
Posts: 55

Posted: Mon Mar 28, 2016 6:51 pm

Any news with this particular setup, onndsd?
I think the easiest solution would be a custom script in initrd, which decrypts the two partitions.

astroe
n00b

Joined: 12 Aug 2004
Posts: 13
Location: Bucharest, Romania

Posted: Tue Mar 29, 2016 7:38 am

I have a simpler setup, with just encrypted drives, no RAID. I have dmcrypt added to the boot runlevel. In /etc/conf.d/dmcrypt I specified which drive maps to which logical name and it asks for all the passwords during booting.

onndsd
n00b

Joined: 05 Jun 2010
Posts: 40

Posted: Fri Apr 01, 2016 10:40 am

I couldn't find a solution. If you have both an SSD and an HDD, you can use the SSD hardware encryption and LUKS on HDD. Then, mirror boot, root etc. over both drives. Unfortunately, btrfs doesn't support the "--write-mostly" option, known from mdadm. Or, you patch the bootup files like astroe.

davidm
Guru

Joined: 26 Apr 2009
Posts: 557
Location: US

Posted: Sun Apr 03, 2016 8:30 pm    Post subject: Re: btrfs raid1 with luks encryption

onndsd wrote:

I couldn't find a way to specify two or more encrypted root partitions in "/etc/default/grub" with "crypt_root=" in order to get a password prompt for each of them upon boot or unlock them with a keyfile.


I know this is an old post but I know usually with grub I just specified one of the drives and then it figured out the rest. This was unencrypted. When I moved to LUKS encryption I actually used a separate boot along with a separate / partition which was on ext4 (new hdd), so I can't say I have experience exactly with that. However, (with systemd) when I booted it would prompt me for the passwords to the other drives when I tried to mount the separate btrfs volume. Of course this happened beyond GRUB, probably because of the contents of my /etc/fstab and perhaps /etc/crypttab.

I think anyone trying this is probably going to have to bite the bullet and do a separate /boot partition although you could probably encrypt that with LUKS as I believe grub2 can handle that -- only on one disk though and not over multiple volumes with LUKS.

Alternately before giving up you might try specifying one of the drives in the LUKS btrfs array to see if it can automatically figure it out based on that. I take it something like crypt_root=/dev/sda,/dev/sdb,dev/sdc won't work? You might try asking one of the Grub2 developers or perhaps doing a feature request if this is really unimplemented.

Hopefully this helps someone searching.

rini17
n00b

Joined: 04 Jan 2006
Posts: 25
Location: Bratislava, Slovakia

Posted: Wed May 11, 2016 5:33 pm

I have a similar setup (btrfs raid1 on LUKS devices with separate unencrypted /boot on ext4). Every boot I am currently mounting the encrypted devices by hand in the initramfs shell (I drop into the busybox shell, run cryptsetup luksOpen + btrfs dev scan, then resume normal startup). If you configure genkernel to include busybox, btrfs and luks support, all needed tools to do so will get installed there.

I have looked into the genkernel initramfs scripts so that the above can be done automatically, but fixing these is not trivial, as the functions use global variables like CRYPT_ROOT :roll: They can't simply be called multiple times with multiple devices.
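
The manual procedure described in the thread (open each LUKS device, then run a btrfs device scan before root is mounted), written as a POSIX sh helper for a custom initramfs. This is an added example, not part of any post and not genkernel's code. The `dev:name,dev:name` list format, the function names and the `CRYPTSETUP`/`BTRFS`/`MAPPER_DIR` override variables are assumptions made here, not genkernel options.

```shell
#!/bin/sh
# Added example: open several LUKS containers, then let btrfs find its members.
# CRYPTSETUP, BTRFS and MAPPER_DIR are overridable so the logic can be dry-run.
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"
BTRFS="${BTRFS:-btrfs}"
MAPPER_DIR="${MAPPER_DIR:-/dev/mapper}"

# Mapper names may arrive via the kernel command line: accept a strict charset.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# unlock_all "dev:name,dev:name" [keyfile]  (list format is an assumption)
# Returns the number of entries that could not be unlocked.
unlock_all() {
    list="$1"; keyfile="${2:-}"; failed=0
    old_ifs="$IFS"; IFS=','
    set -f; set -- $list; set +f      # split on commas without globbing
    IFS="$old_ifs"
    for entry in "$@"; do
        dev="${entry%:*}"; name="${entry##*:}"   # split at the last colon
        if [ "$dev" = "$entry" ] || ! valid_name "$name"; then
            echo "malformed entry: $entry" >&2
            failed=$((failed + 1)); continue
        fi
        [ -e "$MAPPER_DIR/$name" ] && continue   # already unlocked
        if [ -n "$keyfile" ]; then
            $CRYPTSETUP open --type luks --key-file "$keyfile" "$dev" "$name"
        else
            $CRYPTSETUP open --type luks "$dev" "$name"   # one prompt per device
        fi || { echo "failed to unlock $dev" >&2; failed=$((failed + 1)); }
    done
    return "$failed"
}

# Unlock every member, then register them so a single mount sees the raid1.
# Stops if any member is missing: mounting degraded should be a deliberate
# decision, not a silent fallback.
assemble_root() {
    unlock_all "$1" "${2:-}" || return 1
    $BTRFS device scan
}
```

Called from a custom initramfs `init` before the root mount, for example `assemble_root "/dev/sda3:root,/dev/sdb3:root2"`, it prompts once per device unless a keyfile path is passed as the second argument.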