Ubuntu 12.04, mdadm mirror, encryption

ch33zw1z

I'm setting up a RAID1 using mdadm, and was wondering what other people here may use for storage encryption...
 

ch33zw1z

So, this is what I've done so far:

1. install mdadm and create RAID1, sync'd overnight:

Code:
geoff@geoff-P5K:~$ sudo mdadm --detail /dev/md0
/dev/md0:
        Version : 1.2
  Creation Time : Tue Feb  5 20:13:33 2013
     Raid Level : raid1
     Array Size : 1953382208 (1862.89 GiB 2000.26 GB)
  Used Dev Size : 1953382208 (1862.89 GiB 2000.26 GB)
   Raid Devices : 2
  Total Devices : 2
    Persistence : Superblock is persistent

    Update Time : Wed Feb  6 10:18:22 2013
          State : clean 
 Active Devices : 2
Working Devices : 2
 Failed Devices : 0
  Spare Devices : 0

           Name : geoff-P5K:0  (local to host geoff-P5K)
           UUID : 60efee9a:a26d5deb:646f600d:aa22472b
         Events : 19

    Number   Major   Minor   RaidDevice State
       0       8       17        0      active sync   /dev/sdb1
       1       8       33        1      active sync   /dev/sdc1

Then created the encryption with cryptsetup and LUKS, and did a luks dump:

Code:
geoff@geoff-P5K:~$ sudo cryptsetup luksDump /dev/md0
LUKS header information for /dev/md0

Version:       	1
Cipher name:   	aes
Cipher mode:   	cbc-essiv:sha256
Hash spec:     	sha1
Payload offset:	4096
MK bits:       	256
MK digest:     	13 e6 e4 b1 6c 62 f3 29 c1 e7 52 e1 bf 19 de 07 b0 95 17 2f 
MK salt:       	b4 be 44 4b ef 2e d5 02 e5 2a 69 ff 20 ea 33 e7 
               	e2 8c 4c 88 77 aa b0 e2 d6 3f af 06 67 9e 65 ee 
MK iterations: 	41125
UUID:          	73c979c4-cba3-4ba0-b793-8bd3f4ee3814

Key Slot 0: ENABLED
	Iterations:         	164831
	Salt:               	0d 3b 19 09 87 0e 74 f3 8d 87 7f 36 c5 72 61 9d 
	                      	5d e0 f0 52 f9 18 0c 80 91 56 aa 4e 86 dc 47 f2 
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Is there anything I'm missing? Any suggestions for "hardening" the encryption?

I will admit my passphrase is weak, only 16 characters, alpha-numeric, with no special characters...I may just change that before starting to use this RAID1...
 

Nothinman

You're already using AES-256 which as far as I know has no currently exploitable holes and will take effectively infinite time to bruteforce. Your passphrase is the most important part of that equation because any tool worth using is just a fancy kind of bruteforce attack.
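
To put numbers on the passphrase point made in the reply above, here is an added example (not from the thread or its posters) that parses LUKS1 `luksDump` text and compares a passphrase's search space with the master key size. Assumptions: the function names are hypothetical, the sample dump is abridged from the first post, the 16-character passphrase is treated as uniformly random over 62 mixed-case alphanumeric symbols (an upper bound for a human-chosen one), and the attacker rate is a made-up figure.

```python
import math
import re

# Abridged from the luksDump output in the first post (salts and digest omitted).
SAMPLE_DUMP = """\
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
MK bits:        256
MK iterations:  41125
Key Slot 0: ENABLED
    Iterations:             164831
Key Slot 1: DISABLED
"""

def parse_luks1_dump(text):
    """Return header fields plus {slot: iterations} for ENABLED key slots."""
    info = {"slots": {}}
    slot = None
    for line in text.splitlines():
        m = re.match(r"\s*Key Slot (\d+): (ENABLED|DISABLED)", line)
        if m:  # remember which slot the following indented fields belong to
            slot = int(m.group(1)) if m.group(2) == "ENABLED" else None
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Iterations" and slot is not None:
            info["slots"][slot] = int(value)
        elif key in ("MK bits", "MK iterations"):
            info[key] = int(value)
        elif key in ("Cipher name", "Cipher mode", "Hash spec"):
            info[key] = value
    return info

def passphrase_bits(length, alphabet_size):
    """Search space, in bits, of a uniformly random passphrase."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits, iters_per_guess, iters_per_second):
    """Years to try every candidate at an assumed PBKDF2 iteration rate."""
    seconds = (2.0 ** bits) * iters_per_guess / iters_per_second
    return seconds / (365 * 24 * 3600)

if __name__ == "__main__":
    hdr = parse_luks1_dump(SAMPLE_DUMP)
    # Rough per-guess cost: key-slot PBKDF2 plus the master-key digest check.
    per_guess = hdr["slots"][0] + hdr["MK iterations"]
    bits = passphrase_bits(16, 62)  # 16 characters from a-z, A-Z, 0-9
    print(f"{bits:.1f}-bit passphrase vs {hdr['MK bits']}-bit master key")
    # 1e12 iterations/s is an assumed attacker rate, not a measurement.
    print(f"{years_to_exhaust(bits, per_guess, 1e12):.2e} years to exhaust")
```

The per-guess figure is a simple sum of the two iteration counts in the header and ignores the cipher and anti-forensic merge work, so it understates the real cost per guess.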
 

ch33zw1z

Just an update in the case that someone reads this thread and tries it out, I ran into this after my first reboot: http://ubuntuforums.org/showthread.php?t=1764861

I commented out the user name at the end of the mdadm.conf file and rebooted, back to md0. Last line of the .conf:

Code:
# mdadm.conf
#
# Please refer to mdadm.conf(5) for information about this file.
#

# by default (built-in), scan all partitions (/proc/partitions) and all
# containers for MD superblocks. alternatively, specify devices to scan, using
# wildcards if desired.
#DEVICE partitions containers

# auto-create devices with Debian standard permissions
CREATE owner=root group=disk mode=0660 auto=yes

# automatically tag new arrays as belonging to the local system
HOMEHOST <system>

# instruct the monitoring daemon where to send mail alerts
MAILADDR root

# definitions of existing MD arrays

# This file was auto-generated on Tue, 05 Feb 2013 19:52:48 -0500
# by mkconf $Id$
ARRAY /dev/md/0 metadata=1.2 UUID=60efee9a:a26d5deb:646f600d:aa22472b 
#name=geoff-P5K:0
 

ch33zw1z

Bump. So I want to migrate this to a new install of the same version of Linux. I'm having a bit of trouble finding a procedure...

Anyone have experience or advice moving a RAID1 + encryption to a new install? Only piece of hardware that will be changing is the OS drive.