Ubuntu 12.04, mdadm mirror, encryption

Discussion in '*nix Software' started by ch33zw1z, Feb 5, 2013.

  1. ch33zw1z

    ch33zw1z Lifer

    Joined:
    Nov 4, 2004
    Messages:
    13,856
    Likes Received:
    7
    I'm setting up a RAID1 using mdadm, and was wondering what other people here may use for storage encryption...
     
  2. Jodell88

    Jodell88 Diamond Member

    Joined:
    Jan 29, 2007
    Messages:
    9,451
    Likes Received:
    27
  3. ch33zw1z

    ch33zw1z Lifer

    Thanks, I'll check it out
     
  4. ch33zw1z

    ch33zw1z Lifer

    So, this is what I've done so far:

    1. Installed mdadm and created the RAID1, sync'd overnight:

    Code:
    geoff@geoff-P5K:~$ sudo mdadm --detail /dev/md0
    /dev/md0:
            Version : 1.2
      Creation Time : Tue Feb  5 20:13:33 2013
         Raid Level : raid1
         Array Size : 1953382208 (1862.89 GiB 2000.26 GB)
      Used Dev Size : 1953382208 (1862.89 GiB 2000.26 GB)
       Raid Devices : 2
      Total Devices : 2
        Persistence : Superblock is persistent
    
        Update Time : Wed Feb  6 10:18:22 2013
              State : clean 
     Active Devices : 2
    Working Devices : 2
     Failed Devices : 0
      Spare Devices : 0
    
               Name : geoff-P5K:0  (local to host geoff-P5K)
               UUID : 60efee9a:a26d5deb:646f600d:aa22472b
             Events : 19
    
        Number   Major   Minor   RaidDevice State
           0       8       17        0      active sync   /dev/sdb1
           1       8       33        1      active sync   /dev/sdc1

    Then I created the encryption with cryptsetup and LUKS, and did a LUKS dump:

    Code:
    geoff@geoff-P5K:~$ sudo cryptsetup luksDump /dev/md0
    LUKS header information for /dev/md0
    
    Version:       	1
    Cipher name:   	aes
    Cipher mode:   	cbc-essiv:sha256
    Hash spec:     	sha1
    Payload offset:	4096
    MK bits:       	256
    MK digest:     	13 e6 e4 b1 6c 62 f3 29 c1 e7 52 e1 bf 19 de 07 b0 95 17 2f 
    MK salt:       	b4 be 44 4b ef 2e d5 02 e5 2a 69 ff 20 ea 33 e7 
                   	e2 8c 4c 88 77 aa b0 e2 d6 3f af 06 67 9e 65 ee 
    MK iterations: 	41125
    UUID:          	73c979c4-cba3-4ba0-b793-8bd3f4ee3814
    
    Key Slot 0: ENABLED
    	Iterations:         	164831
    	Salt:               	0d 3b 19 09 87 0e 74 f3 8d 87 7f 36 c5 72 61 9d 
    	                      	5d e0 f0 52 f9 18 0c 80 91 56 aa 4e 86 dc 47 f2 
    	Key material offset:	8
    	AF stripes:            	4000
    Key Slot 1: DISABLED
    Key Slot 2: DISABLED
    Key Slot 3: DISABLED
    Key Slot 4: DISABLED
    Key Slot 5: DISABLED
    Key Slot 6: DISABLED
    Key Slot 7: DISABLED

    Is there anything I'm missing? Any suggestions for "hardening" the encryption?

    I will admit my passphrase is weak, only 16 characters, alpha-numeric, with no special characters...I may just change that before starting to use this RAID1...
     
  5. Nothinman

    Nothinman Elite Member

    Joined:
    Sep 14, 2001
    Messages:
    30,672
    Likes Received:
    0
    You're already using AES-256 which as far as I know has no currently exploitable holes and will take effectively infinite time to bruteforce. Your passphrase is the most important part of that equation because any tool worth using is just a fancy kind of bruteforce attack.
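
Added example, not part of the original thread: a small parser for the LUKS1 `luksDump` output posted above that compares the passphrase search space with the 256-bit master key. The function names, the 62-symbol alphabet (a-z, A-Z, 0-9), uniformly random characters, and counting only the key-slot PBKDF2 iterations as per-guess cost are all assumptions.

```python
import math
import re

# Constructed sample: fields copied from the luksDump output posted above,
# trimmed to the lines this parser reads.
SAMPLE_DUMP = """\
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
MK bits:        256
Key Slot 0: ENABLED
    Iterations:             164831
Key Slot 1: DISABLED
"""

def parse_luks1_dump(text):
    """Return (header fields, {slot: PBKDF2 iterations}) for ENABLED slots."""
    header, slots, in_slots, current = {}, {}, False, None
    for line in text.splitlines():
        m = re.match(r"\s*Key Slot (\d+): (ENABLED|DISABLED)", line)
        if m:
            in_slots = True
            current = int(m.group(1)) if m.group(2) == "ENABLED" else None
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # title and salt continuation lines carry no field
        if not in_slots:
            header[key.strip()] = value.strip()
        elif current is not None and key.strip() == "Iterations":
            slots[current] = int(value)
    return header, slots

def passphrase_bits(length, alphabet_size):
    """Upper bound: assumes every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def summarize(text, length, alphabet_size):
    header, slots = parse_luks1_dump(text)
    mk_bits = int(header["MK bits"])
    pw_bits = passphrase_bits(length, alphabet_size)
    # Each guess costs one PBKDF2 run, so the cheapest slot sets the work factor.
    work_bits = pw_bits + math.log2(min(slots.values()))
    return {"cipher": f'{header["Cipher name"]}-{header["Cipher mode"]}',
            "enabled_slots": sorted(slots), "mk_bits": mk_bits,
            "passphrase_bits": pw_bits, "work_bits": work_bits,
            "limiting": "passphrase" if work_bits < mk_bits else "master key"}

if __name__ == "__main__":
    print(summarize(SAMPLE_DUMP, 16, 62))
```

A passphrase a person made up rather than generated randomly sits below this upper bound, which widens the gap to the master key further.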
     
  6. ch33zw1z

    ch33zw1z Lifer

    Just an update in case someone reads this thread and tries it out: I ran into this after my first reboot: http://ubuntuforums.org/showthread.php?t=1764861

    I commented out the user name at the end of the mdadm.conf file and rebooted, back to md0. Last line of the .conf

    Code:
    # mdadm.conf
    #
    # Please refer to mdadm.conf(5) for information about this file.
    #
    
    # by default (built-in), scan all partitions (/proc/partitions) and all
    # containers for MD superblocks. alternatively, specify devices to scan, using
    # wildcards if desired.
    #DEVICE partitions containers
    
    # auto-create devices with Debian standard permissions
    CREATE owner=root group=disk mode=0660 auto=yes
    
    # automatically tag new arrays as belonging to the local system
    HOMEHOST <system>
    
    # instruct the monitoring daemon where to send mail alerts
    MAILADDR root
    
    # definitions of existing MD arrays
    
    # This file was auto-generated on Tue, 05 Feb 2013 19:52:48 -0500
    # by mkconf $Id$
    ARRAY /dev/md/0 metadata=1.2 UUID=60efee9a:a26d5deb:646f600d:aa22472b 
    #name=geoff-P5K:0
     
  7. ch33zw1z

    ch33zw1z Lifer

    Bump. So I want to migrate this to a new install of the same version of Linux. I'm having a bit of trouble finding a procedure...

    Anyone have experience or advice moving a RAID1 + encryption to a new install? Only piece of hardware that will be changing is the OS drive.
     